In a world of advancing technological progress, cybersecurity governance across OT (operational technology) and ICS (industrial control systems) environments has become imperative. Industrial organizations must close the gap between their governance and a regulatory landscape of standards that changes continuously. An important challenge lies in staying at the forefront of emerging regulations, which involves encouraging a culture of ongoing learning through periodic training sessions and workshops that educate and equip employees.

Standards such as ISA/IEC 62443 and the NIST Cybersecurity Framework offer a platform of best practices, allowing organizations to maximize resilience against cyberattacks while protecting operations. Finding the right balance between cybersecurity and operational effectiveness is essential: security procedures need to be integrated into daily work processes in a manner that does not hamper productivity.

Leadership has a central role in reinforcing cybersecurity governance. Executives should lead initiatives to foster watchfulness and anticipatory risk management, instilling awareness and readiness within the organizational culture. The growth of industrial IoT (Internet of Things) brings new risks, requiring methods like robust authentication, encryption, and ongoing security audits to defend against vulnerabilities.

To counter rising threats in OT and ICS environments, organizations need to increasingly invest in sophisticated detection and response tools. Partnering with cybersecurity professionals can assist in creating customized strategies to remain ahead of emerging threats. By embracing proactive approaches, utilizing industry standards, and cultivating effective leadership, industrial organizations can establish robust cybersecurity frameworks that secure critical infrastructure while maintaining operational excellence and resilience.

Bridging the gap between cybersecurity governance and regulatory changes

Industrial Cyber reached out to industrial cybersecurity experts to explore how organizations can effectively keep pace with evolving regulatory requirements and emerging standards in cybersecurity governance.

Harshal Haridas, chief architect for Honeywell OT Cybersecurity

“Industrial organizations stay up to date with evolving cybersecurity regulations by leveraging compliance management tools, regulatory tracking services, and industry consortia,” Harshal Haridas, chief architect for Honeywell OT Cybersecurity, told Industrial Cyber. “Participation in groups such as the International Society of Automation (ISA), National Institute of Standards and Technology (NIST), and Industrial Control Systems Joint Working Group (ICSJWG) helps organizations align with best practices.” 

Additionally, he noted that regular third-party audits and legal consultations ensure compliance with frameworks like NERC CIP, NIST 800-82, GDPR, and ISA/IEC 62443.

Sheila Casserly, director of digital policy at Schneider Electric

Sheila Casserly, director of digital policy at Schneider Electric, identified that tracking a constantly changing regulatory and standards landscape is a daunting task. “The best—and most enjoyable—way to manage is to not do it alone. Thankfully there are many channels available to organizations of all sizes to connect with industry peers and stay on top of policy.”

“Industry-specific and geography-specific trade associations are one valuable option. Trade associations support their member companies to not only follow policy and standards topics that matter most to them but also to advocate for more favorable policies on behalf of their member companies,” Casserly told Industrial Cyber. “In the United States, organizations like the Sector Coordinating Councils, which are fee-free, industry-led groups aligned with each of the country’s sixteen designated critical infrastructure sectors, are also an option for companies who want to play an active and collaborative role in coordinating with the government on critical infrastructure security and resilience policies for their sector.”

Ann Montaniel Al-Oteiby, director of security compliance at Dragos

Ann Montaniel Al-Oteiby, director of security compliance at Dragos, told Industrial Cyber that there are multiple ways to stay up to date with changing regulatory requirements and emerging standards. “Sign up for notices; Dragos utilizes a shared inbox so that the team has visibility to review as updates are sent. Join industry-focused groups, user industry groups, and regulatory/compliance user groups: this is a great way to share and socialize the latest changes, discuss challenges, and network recommendations,” she added. 

Alexander Koehler, a developer of industrial security technologies, standards and regulations

“At first glance, it really looks challenging. Service security has evolved and will evolve in the future. Regulations are obliged to follow these developments,” Alexander Koehler, a developer of industrial security technologies, standards, and regulations, told Industrial Cyber. “An industrial organization follows procedures and objectives other than the fulfillment of fancy and appealing cyber security technologies.” 

However, Koehler noted that a brief look at those cybersecurity technologies could be surprising. “Cyber security technologies, or security controls, have not changed so much in the past 20 years. Everybody knows about authentication, encryption for data at rest or data in transit, digital signatures, and so forth. If we direct our attention on the purpose of implementation of any kind of cyber security controls towards creating resilient systems and installations for an industrial organization, we can work with a pretty limited number of technologies, or controls.”

Marcus Scharra, co-CEO and co-founder of senhasegura

“Industrial organizations must continuously monitor evolving regulations and standards through participation in industry associations, government advisory groups, and regulatory bodies,” Marcus Scharra, co-CEO and co-founder of senhasegura, told Industrial Cyber. “Engaging with organizations like ISA, NIST, and IEC ensures early insights into changes. Additionally, implementing cybersecurity solutions like IAM and PAM helps maintain alignment with emerging requirements.”

Brandon Workentin, a cybersecurity consultant

Brandon Workentin, a cybersecurity consultant, told Industrial Cyber that in an era of digital transformation, industrial organizations face increasing pressure to enhance their cybersecurity governance. “As OT environments and ICS become more interconnected, and as organizations seek to leverage operational data, cyber risks are escalating. The challenge lies in balancing robust cybersecurity with operational efficiency while navigating a complex regulatory landscape and preparing for emerging threats,” he added.

Impact of standards on cybersecurity governance in industrial sectors

The executives analyze the role played by industry-specific standards and guidelines such as the ISA/IEC 62443 standards in shaping cybersecurity governance in industrial organizations. 

Haridas said that the ISA/IEC 62443 standards play a crucial role in shaping cybersecurity governance in industrial organizations by providing a structured approach to securing industrial automation and control systems (IACS). “It defines security lifecycle phases, risk-based segmentation strategies, and security levels tailored specifically for OT environments. By following ISA/IEC 62443, organizations can implement defense-in-depth strategies, establish secure supply chain requirements, and certify products that meet stringent cybersecurity benchmarks.”

“Industry-specific standards and guidelines illustrate the continuity of governance roles and responsibilities across industrial value chain stakeholders,” Casserly evaluated. “For example, the ISA/IEC 62443 series includes guidance for the secure development of components by manufacturers, the secure installation of products by integrators, and the definition of risk context and risk tolerance by the asset owner. Adherence to this common framework provides a common language for cybersecurity governance.”

“Businesses with manufacturing/OT environments will focus on their specific industry best practices,” Al-Oteiby identified. “Industry-specific standards and guidelines, best practice frameworks, and regulatory requirements are key when industrial organizations set the foundation for the controls they implement and maintain. Many standards and frameworks overlap so maintaining a map of your controls to the various frameworks in scope will reduce complexity and streamline the efforts.”

Scharra observed that ISA/IEC 62443 standards provide a framework for securing IACS. “These standards establish best practices for risk assessment, network segmentation, access control, and incident response. Compliance with ISA/IEC 62443 strengthens an organization’s cybersecurity posture and shows due diligence to regulators and stakeholders,” he added.

“An organization can start or continue to implement those controls by using a selection of those controls, most often driven by risk assessment,” Koehler pointed out. “Those risks are the consequence of threats from the outside world with threat actors around the globe. It should be mentioned that those controls can be technical ones, products made of hardware and software, as well as organizational controls.”

By doing so, Koehler added, industrial organizations have laid the foundation to comply with many regulations, as those are most often a subset of the security controls needed for a certain application segment. “Compliance with related regulations can be achieved with minor modifications, if at all, of what has been implemented as a described foundation.”

Workentin said that robust cybersecurity doesn’t happen by chance; it requires a clear, structured roadmap to guide organizations in building and maintaining effective defenses. “Industry standards, such as ISA/IEC 62443, provide this essential roadmap, offering a systematic approach to securing industrial environments. These standards outline best practices for cybersecurity governance, ensuring security measures are comprehensive and tailored to OT/ICS environments.”

He added that by adhering to these frameworks, organizations can establish a strong foundation for cybersecurity governance, minimizing risks while ensuring that security initiatives are well-coordinated and scalable for future challenges. “A well-defined roadmap enables organizations to move beyond reactive fixes toward proactive, strategic security management.”

Balancing cybersecurity and operational efficiency in industrial sectors

The executives examined how industrial organizations can balance operational efficiency with the implementation of robust cybersecurity measures, especially in high-productivity environments where performance and security are critical priorities.

“Whether you are a textile factory seeking to strengthen your cyber posture or a policymaker crafting cybersecurity policy, a risk-based approach is the name of the game,” Casserly said. “This approach means identifying, assessing, and prioritizing cybersecurity risks based on their potential impact on operations and the business. Only through assessing risk and agreeing on risk tolerance can organizations create an appropriate risk mitigation plan that addresses the need for robust cybersecurity practices while meeting operational and business demands.” 

Al-Oteiby said that industrial organizations can utilize operational project management and Management of Change (MOC) processes to support operational efficiency and cybersecurity together. “Activities that support cybersecurity requirements should be planned as part of the Standard Operating Procedures (SOPs). Once implemented, cybersecurity measures can streamline workflows, increase security, and reduce service interruptions.” 

Given the nature of industrial environments, Al-Oteiby added that teams will need to enable these capabilities with minimal impact on operations and should be prepared for challenges. For example, understanding acceptable windows during which to make changes will help them manage potential outages. Additionally, planning password requirements around shift changes can minimize disruptions. Formally define the review, testing, and approvals to be implemented as well as the acceptance testing and reviews. Build scorecards to track the progress and success of the cyber controls to measure the implementation and operationalization of cybersecurity measures.

“The cybersecurity area is usually seen as a business disruptor, where productivity and security are often perceived as conflicting priorities,” Scharra said. “However, industrial organizations can integrate both by incorporating security by default into operational processes. This includes deploying zero-trust architectures, enforcing least privilege access, and leveraging automation for security monitoring without disrupting workflows. Cybersecurity must be designed as an enabler rather than an obstacle to efficiency.” 

Workentin said that developing a roadmap is only the first step – effective implementation without compromising operational efficiency is equally critical. “Industrial organizations often worry that robust cybersecurity measures might hinder productivity. High productivity demands and tight operational deadlines can make some security teams hesitant to introduce new controls.” 

To address these concerns, Workentin added that organizations must ensure cybersecurity measures integrate seamlessly into workflows without disrupting productivity or compromising safety. “This requires careful planning and collaboration between IT, OT, and engineering teams to align security controls with operational needs. Strategies such as embedding security into system designs and leveraging automation for threat detection can help maintain efficiency while enhancing protection. Governance frameworks that emphasize operational safety, reliability, and performance—the SRP triad—allow organizations to enhance security without sacrificing efficiency,” he added.

Role of leadership in strengthening cybersecurity governance and awareness

The executives discuss the importance of organizational leadership in cultivating a strong culture of cybersecurity governance and address ways to enhance employee awareness and training programs to effectively support this culture.

Casserly said that organizational leadership sets the tone for culture by leading from the top and communicating what matters. “Leaders foster a strong security culture by emphasizing security as a business imperative with direct implications on the bottom line through operational resilience, customer trust, and brand reputation. Employees are an attractive target for malicious actors to gain entry to an organization’s systems.”

She added that rather than allowing them to fend for themselves against persistent and motivated threat actors, leaders must equip employees with proper training and education in cyber and physical security and empower them as a strong first line of defense.

Al-Oteiby said that in general, leadership should be involved in identifying priorities, defining measures, communicating expectations, and tracking progress. “The most successful cybersecurity programs are supported from the top down and the bottom up. Leadership priorities can be reinforced in all hands, team, and shift meetings, as well as through practices like score carding especially if bonuses are tied to the scorecards. One of the ways to make this real is by tying topics to campaigns, shutdowns, blogs, and employee communication.” 

For example, she suggested focusing on real-life topics such as the risk of connecting personal technology gifts received over the holidays to work systems, and then sharing best practices that users can take home to protect their devices as well. Repeating processes and activities will make them behaviors and part of the culture.

“It’s impossible to succeed in cybersecurity without executive support,” according to Scharra. “Leadership must support cybersecurity initiatives by integrating them into corporate strategy and risk management. Effective training programs should emphasize real-world OT cybersecurity risks. Simulation-based training and phishing tests enhance employee awareness, ensuring security becomes a shared responsibility across the organization.”

Workentin said that strong leadership is crucial for embedding cybersecurity governance into an organization’s core operations and navigating the complex regulatory landscape many industries face. “Executives play a pivotal role by prioritizing cybersecurity as a business-critical function and treating it as an integral element of risk management rather than solely an IT concern. This involves allocating adequate resources and fostering cross-departmental collaboration between IT and OT teams, especially as more ‘things’ become connected as the Internet of Things (IoT) spreads,” he added.

Unpacking IoT risks and strategies for strengthening cybersecurity governance

The executives look into how the convergence of IoT and connected technologies affects cybersecurity governance and identify strategies for organizations to minimize related risks.

“The integration can significantly expand the attack surface, requiring organizations to strengthen security through device authentication, encryption, and endpoint protection,” Haridas said. “Secure remote access mechanisms, such as VPNs, software-defined perimeters (SDP), and multi-factor authentication (MFA), can help safeguard connected devices and prevent unauthorized access. To mitigate IoT-related risks, industrial organizations must implement secure firmware update policies, establish robust patch management procedures, and maintain comprehensive asset inventories for continuous monitoring of connected systems.”

Casserly said that the integration of more connected technologies in industrial environments necessitates new levels of collaboration across the industrial value chain and a clear understanding of roles and responsibilities. “Using common industry standards like ISA/IEC 62443 facilitates this collaboration and understanding. Forging connections across the industrial ecosystem and sharing experiences and challenges upstream, downstream, and with policymakers to advance and elevate collective understanding is also indispensable.” 

“IoT and other connected technologies can be challenging. A first step is to set the requirements and define acceptable use and risks,” Al-Oteiby said. “For example, does the technology need to support encryption in motion and at rest, not use default accounts, and support the principle of least functionality and least privilege? Predefine the show stoppers: if they can’t do or support XYZ, the technology is not acceptable for use. Additionally, make sure your contracts protect your company’s interests and priorities.”

She added that once the requirements are set, ensure ongoing compliance and security. “Any new technology or changes in technology, including assets and software, need to be managed. This includes confirming the use case continues to add value, makes sense, and aligns with the requirements. Managing the risk means ensuring that the technology lifecycle is planned, at a minimum including cataloging the technology, patching, upgrading, updating, and periodically testing to ensure that configurations stay in parameters and risks are managed.”

Scharra said that the expansion of IoT in industrial settings introduces new attack vectors, increasing the risk of lateral movement in networks. “Governance strategies must include continuous asset discovery, security baselines for IoT devices, and segmentation to isolate critical systems. Adopting AI-driven anomaly detection and threat intelligence feeds strengthens monitoring, allowing for rapid incident response. Organizations should also enforce strict authentication controls, including certificate-based identity management for connected devices.” 

“The threat landscape changes; countermeasures need to be continuously evaluated and updated. As the number of attacks and their complexity is constantly increasing, countermeasures and controls need to cope with it,” Koehler said. “In our networked world, it is not sufficient anymore to know about an attack on a single industrial operation; it is needed to monitor many more detection points around the world to understand what’s going on to be able to stop an attack when it comes to this one industrial organization.”

Using cybersecurity governance to boost OT/ICS cybersecurity against new threats

The executives focus on how industrial organizations assess the effectiveness of their cybersecurity governance efforts. They explore strategies that industrial organizations can implement to stay ahead of emerging threats and trends in cybersecurity, especially concerning OT and ICS environments, while also preparing for future advancements in cybersecurity governance.

Haridas said that industrial organizations can measure the effectiveness of their cybersecurity governance through key performance indicators (KPIs) such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) for cyber incidents. “Essential metrics may include compliance scores based on adherence to industry standards and the number of security incidents versus successful mitigations. Security audits, penetration testing, and incident response tabletop drills can help organizations assess and improve their cybersecurity posture.”

He added that industrial organizations should actively participate in threat intelligence and information-sharing networks, such as E-ISAC (Electricity ISAC) and MS-ISAC (Multi-State ISAC), leverage MITRE ATT&CK for ICS and subscribe to advanced threat intelligence feeds to proactively identify and mitigate risks. The adoption of AI-driven behavioral analytics and automated response systems can enhance threat detection and response capabilities.

“Cybersecurity governance efforts should be aligned with key industry standards such as IEC 62443 and the NIST Cybersecurity Framework,” Casserly said. “With these common foundations, organizations can measure the robustness of their cybersecurity posture through internal and external assessments, such as internal audits or external certifications. Again, the use of these common frameworks also allows organizations to exchange with their industry peers and policymakers on best practices and lessons learned using a common language.”

“Leverage preferred or required frameworks and identify priorities that can be targeted for focus. OT is never funded to address everything always so prioritize, roadmap, and execute,” according to Al-Oteiby. “For example, establish metrics around the threat landscape, time-to-evaluate, and awareness training. Scorecards for manufacturing/OT teams will help demonstrate alignment of priorities with the company mission, strategy, and overall governance. Engage with the OT team members to understand the risks they see. There is often great insight from those closest to the details.”

“KPIs for cybersecurity governance include mean time to detect (MTTD) and respond (MTTR) to incidents, compliance audit results, and penetration test findings,” Scharra said. “Identity-related KPIs can be the frequency of identity-based attacks or the number of access violations and orphaned accounts. Organizations should adopt a cybersecurity maturity model, such as CMMI or C2M2, to assess progress. Proactive threat hunting, red teaming exercises, and collaboration with Information Sharing and Analysis Centers help industrial organizations stay ahead of emerging threats.” 

He added that industrial organizations should adopt a threat intelligence-driven approach, leverage AI/ML for predictive analytics, including Identity Threat Detection and Response (ITDR), and integrate cybersecurity into their digital transformation strategies. “Strengthening vendor risk management, enforcing software bill of materials transparency, and investing in cyber-resilient architectures will be crucial for the next generation of industrial cybersecurity governance. By incorporating cybersecurity into operational frameworks, industrial organizations can protect their assets while maintaining compliance, resilience, and efficiency in an increasingly connected world.”

To prepare for emerging threats, Workentin said that industrial organizations must prioritize effective cybersecurity governance. “By leveraging robust standards like ISA/IEC 62443, fostering strong leadership, and aligning security efforts with operational efficiency, organizations can build resilient frameworks that adapt to evolving risks. Cybersecurity is not a one-time effort but an ongoing commitment to safeguarding systems, data, and people. With a proactive approach and a focus on continuous improvement, industrial organizations can secure their future while maintaining safety, reliability, and performance,” he added. 

Koehler detailed that threat detection systems with global coverage are today the name of the game for everybody who has valuable assets to protect. “Those services are important and do represent an answer in the stiff race against attacks in recent years. However, those systems will be used in the format of services and work complementarily to those systems installed in the industrial organization’s site, such as an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS). For instance, for grid operators in Germany, IPS became a regulatory requirement,” he concluded.

The post Prioritizing organizational cybersecurity governance, boosting operational resilience across OT, ICS environments appeared first on Industrial Cyber.
