1. Intro2. Key Insight3. Section 14. Section 25. Section 36. Challenges7. Section 48. Analysis9. Roadmap10. Closing Thoughts
Home / CyberCuriosity / 5 Questions Every OT Security Practitioner Must Ask
READ:
OT/ICS Fundamentals 22-MAY-2026 · 9 min read

5 Questions Every OT Security Practitioner Must Ask

Industrial security practitioners are pulled in dozens of directions simultaneously. These five foundational questions cut through the noise, exposing the gaps that matter most and anchoring every conversation with leadership, engineering, and vendors to what actually reduces operational risk.

OT Security ProgrammeRisk AssessmentPractitioner FundamentalsICS GovernanceSecurity Posture
NE
NEXUS Engineering
ICS-Industrial Cybersecurity Experts
Article Details
CategoryOT/ICS Fundamentals
Published22-MAY-2026
Read Time9 min read
AuthorNEXUS Engineering
Industrial Cybersecurity Blog — 2026

5 QUESTIONS EVERY OT SECURITY PRACTITIONER MUST ASK
The right question exposes more risk than the best tool.

Industrial security practitioners operate under pressure to deploy tools, satisfy compliance requirements, and respond to incidents — all while trying to understand an environment that engineering teams have built over decades. These five questions cut through the complexity and anchor your programme to what genuinely matters.

Why Questions Matter

The Practitioner's Real Problem Is Not Tools — It's Framing

A security programme built around the wrong questions will produce the right answers to problems nobody has.

Industrial security practitioners are not short of frameworks, tools, or threat intelligence. What they are frequently short of is the right framing — a set of foundational questions that force clarity about what the environment actually looks like, what the realistic threats are, and what a successful attack would mean for the organisation.

Without this framing, security investment clusters around compliance checkboxes and tool deployments that look good in board reports but leave core operational risk untouched. Firewalls get installed between IT and OT while the OT network itself remains flat. Asset discovery tools get deployed but nobody acts on what they find. Incident response plans get written for IT environments and fail at the first real OT event.

The five questions that follow are not a methodology or a maturity model. They are the questions that, if asked honestly and answered with operational specificity, will tell a practitioner more about their real security posture than any audit checklist.

🎯

Consequence-based security starts with a single question: what is the worst thing that could happen to this facility, and could a cyber event cause it? If you cannot answer that question, your risk programme is built on assumptions, not facts.

Question 1

Do We Know What Is Connected to Our OT Network Right Now?

Asset visibility is the foundational prerequisite for every other security control. You cannot segment what you have not mapped, cannot patch what you have not inventoried, and cannot detect anomalies without a baseline of normal. Yet complete, current OT asset inventories remain rare. Devices are added during capital projects, vendor engagements, and emergency maintenance without ever being formally registered.

This question must be asked with operational specificity — not 'do we have an asset register' but 'when was it last verified against what is actually on the wire, and who owns keeping it current.' The answer will almost always reveal a gap between what the documentation says and what passive network discovery finds.

Practitioners should push for passive, continuous asset discovery using OT-safe tooling rather than active scanning, which risks disrupting sensitive process communications. The inventory must capture not just IP addresses but firmware versions, open ports, communication protocols, and physical location — because patching and segmentation decisions depend on all of these.

Question 2

What Is the Worst Consequence a Cyber Event Could Cause Here?

Consequence analysis is the engine of consequence-based security, the approach advocated by Idaho National Laboratory and increasingly adopted by critical infrastructure owners globally. It asks: given the systems we operate and the processes they control, what is the maximum credible harm a cyber-enabled event could produce — and which assets, if compromised, would make that harm possible?

The answer to this question determines where security investment should be concentrated. A facility where a cyber event could cause an uncontrolled chemical release, a high-voltage electrical fault, or a loss of safe shutdown capability has a fundamentally different risk profile than one where the worst outcome is production loss and delayed shipping. Both matter — but they do not warrant identical controls.

Practitioners should facilitate consequence analysis workshops with process engineers, safety officers, and operations leadership. Security teams alone cannot answer this question — they lack the process domain knowledge. The output should be a ranked list of consequence scenarios tied to specific control system assets, which becomes the prioritisation backbone for the entire security programme.

Question 3

Who Has Remote Access to Our OT Environment, and Can We Prove It?

Remote access is the most consistently underestimated attack surface in OT. The formal answer — a named VPN with named users — rarely matches the operational reality discovered during assessment. Vendor-installed remote support tools, residual TeamViewer or AnyDesk instances, jump connections established during an emergency that were never decommissioned, and shared credentials distributed across dozens of contractors accumulate over years.

The question must be answered with evidence, not policy. Not 'our policy requires all remote access to use the corporate VPN' but 'here is the firewall log showing every outbound and inbound connection made to OT systems in the past 30 days, and here is how each one maps to an authorised user and a valid business purpose.' If that evidence cannot be produced, the remote access surface is unknown.

Remediation starts with a network-level audit of all connections crossing the IT/OT boundary, followed by a vendor access register, a decommissioning process for all unauthorised tools, and a formal access review cycle that runs at least quarterly.

Barriers to Honest Answers

Why These Questions Are Hard to Ask — and Harder to Answer

Each of the five questions touches organisational, contractual, or cultural pressure points that make honest answers uncomfortable. Understanding the barriers is necessary for a practitioner who wants to build the credibility to actually close the gaps.

critical

Engineering Teams Own the Answers, Not Security

Practitioners often lack the authority or trust relationships to get accurate information from OT engineering teams. Asset inventories, network diagrams, and vendor lists are held by engineers who may view security questions as intrusive or operationally irrelevant.

critical

Honest Answers Expose Uncomfortable Gaps

When a consequence analysis confirms that a cyber event could trigger a safety incident, that finding creates liability and requires executive action. Some organisations unconsciously resist asking the question to avoid the obligation to answer it.

high

Vendor Contracts Obstruct Visibility

Third-party vendors frequently resist disclosure of their remote access methods, installed software, or system configurations, citing intellectual property protections. This leaves practitioners blind to access paths they are contractually unable to investigate.

high

Compliance Frameworks Substitute for Risk Questions

Organisations with active compliance programmes often conflate regulatory conformance with genuine risk understanding. Passing an IEC 62443 audit does not answer whether your specific consequence scenarios are addressed by your specific controls.

medium

Budget Cycles Reward Tools Over Thinking

Capital budget processes are easier to navigate with a specific technology purchase than with a request for practitioner time to conduct consequence analysis and ask hard questions. The result is a tool-heavy programme built on an unclear risk foundation.

Questions 4 & 5

Can We Detect an Attack in Progress, and Do We Know How to Respond?

Detection and response are the questions most organisations defer until after they have addressed asset visibility, segmentation, and access hardening. That sequencing is defensible. What is not defensible is an indefinite deferral that leaves the organisation flying blind if an incident occurs despite the controls in place.

Question four — can we detect an attack in progress — requires honest assessment of whether OT-specific monitoring is in place, whether alerts are being tuned to reduce noise without eliminating signal, and whether the SOC receiving those alerts has the process domain knowledge to distinguish a malicious command from a valid engineering action. Network-level detection alone is insufficient; practitioners should push for visibility at the protocol level, including industrial protocol command monitoring.

Question five — do we know how to respond — requires a tested incident response plan that covers OT-specific scenarios: loss of HMI visibility, unexpected PLC behaviour, isolation of a compromised engineering workstation without losing process control, and engagement of ICS-specialised incident response support. A plan that has never been exercised is a document, not a capability. Tabletop exercises and regular drills are the only way to convert it into something the organisation can actually execute under pressure.

What Good Looks Like vs. Where Most Programmes Are

Mature Programme

  • Continuous passive asset discovery with a maintained, verified inventory
  • Consequence-based prioritisation with engineering and safety input
  • Evidence-based remote access visibility with quarterly access reviews
  • OT-specific detection tuned to industrial protocol anomalies
  • Tested OT incident response plan with defined escalation to ICS specialists

Typical Programme

  • Asset register last updated during the most recent capital project
  • Risk prioritisation driven by compliance framework control lists
  • Remote access policy documented but not verified against actual network traffic
  • IT SIEM receiving OT logs with no OT-specific tuning or triage capability
  • Generic IT incident response plan with no OT annexe or tested OT scenario
Practical Path Forward

Turning Questions Into a Programme

These questions are not a one-time exercise. Build them into recurring governance rhythms — quarterly leadership reviews, annual consequence analysis refresh, and every new capital project scoping conversation.

Phase 1
Month 1–2

Answer the Questions with Evidence

Run structured workshops and network audits to produce evidence-based answers to all five questions. Document gaps explicitly — the gap list becomes the programme backlog.

Passive network discovery and asset inventory reconciliationConsequence analysis workshop with engineering and safetyRemote access audit and connection log reviewDetection coverage gap assessmentIR plan review against OT-specific scenarios
Phase 2
Month 3–5

Close the Highest-Consequence Gaps

Prioritise remediation by consequence scenario — address gaps that could enable the worst-case outcomes first, regardless of how technically complex or operationally disruptive the fix may be.

High-consequence asset hardeningUnauthorised remote access decommissioningOT detection tuning for priority assetsVendor access register and review processExecutive briefing on consequence findings and programme priorities
Phase 3
Month 6+

Sustain and Govern

Embed the five questions into ongoing governance so that the programme adapts as the environment changes — new assets, new vendors, new consequence scenarios introduced by operational changes.

Quarterly asset inventory verificationAnnual consequence analysis refreshBiannual remote access reviewOT-specific tabletop exerciseProgramme metrics tied to gap closure rather than tool deployment
Closing Thoughts

Questions Worth Sitting With

Before your next programme review, leadership briefing, or vendor conversation, consider these.

01

If you had to brief your CISO on the worst thing a cyber attack could do to your facility, would you be speaking from consequence analysis or from assumption?

02

Could you produce, within 24 hours, a verified list of every system with remote access to your OT environment — including vendor-installed tools?

03

When did you last test whether your SOC could distinguish a real OT attack from a normal engineering action in your environment?

04

Are the five questions above embedded in your governance calendar, or are they asked only when something goes wrong?

05

If an OT incident began at 2am tonight, who would your team call first — and does that person have OT-specific response experience?

The practitioner who asks better questions will always outperform the one who deploys more tools.
← Back to CyberCuriosity Let's Talk
Comments & Suggestions
Thoughts on this article? Corrections, questions, or additions — all welcome.
Optional — tap to rate
GDPR: Your data is processed solely to respond to your enquiry and is never shared with third parties. By submitting you consent to NEXUS Cybersecurity storing your details for this purpose only.
Sent privately — never published publicly