
GRAYMATTER - CYBER INSIDE

OT Defense-in-Depth: 5 Takeaways from Our OT Cyber Strategy Virtual Event

What does a real OT cyber program look like — one that goes beyond checking compliance boxes and actually closes risk? GrayMatter brought together experts from Tenable, BlastWave and AMDT to find out.

In operational technology, the instinct is to find the one tool that fixes everything. One firewall. One monitoring platform. One magic bullet. The problem is that this instinct is wrong, and it gets more dangerous every year.

Enter defense-in-depth cybersecurity. “Defense-in-depth is a concept that goes back all the way to Roman military times,” said Scott Christensen, cyber practice director at GrayMatter. “The idea behind it is you don’t want to rely on a single technology, a single protection capability to protect your most valuable assets. When they would build forts, they wouldn’t simply have a drawbridge or moat or guard dogs or sentries — each of those is a layer of defense that really helps us protect the most critical things.”

Defense-in-depth cybersecurity means combining visibility, protection and recovery into a sustained program, not a one-time project you check off and move on from.

An OT cybersecurity strategy has never been more essential. According to Christensen, over the last five years, manufacturing has actually surpassed finance and healthcare in terms of number of cyberattacks and downtime incidents.

GrayMatter hosted a webinar with three of our closest partners to dig into exactly how defense-in-depth cybersecurity works. James O’Neill from Tenable, Joseph Baxter from BlastWave, and Zachary Vera and Dan Topley from AMDT joined Christensen to talk through the gaps they see, the tools they’ve built and what’s coming with AI.

Here are the five things that stuck with us.

1 | There’s no magic bullet in OT security.

“The idea that any individual product can work on its own and provide comprehensive security is so outdated, it’s unreal,” O’Neill stated. But “proactive isn’t the only kind of defense you need. You still have to have reactive security and the ability to recover in the event that things go wrong.”

Baxter framed it through his background as a grid reliability auditor: Detective controls, protective controls and corrective controls all have to work together. Remove any one leg, and the stool falls.

The three participating partners were a deliberate illustration of this: Tenable tells you what’s happening on your network; BlastWave controls what can happen; AMDT’s Octoplant tells you what should be happening — and gets you back there when something goes wrong. None of them replaces the others.

2 | The biggest underinvestment is in integration, not tools.

When asked where OT organizations over- and underinvest, the panel’s answer was consistent: Too many companies buy point solutions, deploy them in silos and never get them working together.

“By having IT and OT security solutions planned around each other, you can help control how one side of the house is going to affect the other,” O’Neill said. “Because the entry point to so many of these attacks involves both.”

But the fix isn’t more spending. It’s thinking about IT and OT security together from the start — and choosing tools that cooperate instead of compete.

3 | Compliance isn’t the same as security.

Checking a box and closing a risk aren’t the same thing. But in OT, they get confused constantly.

“When compliance overrides security, I can be absolutely compliant but not more secure,” Christensen explained.

He pointed to the early days of auditors asking, “Do you have a firewall?” without verifying whether it had any policy on it. Organizations would install a firewall with no rules, check the box and move on. Technically compliant. Not remotely protected.

Baxter saw the same pattern. Someone would pick up a magazine and say, “Look, it’s the most expensive firewall I can buy. We need 10 of those.” Then “they plunk all their money down in this one very narrow notch when they needed a broad perspective,” he said.

Compliance tells you the minimum. Operational technology security asks what it actually takes to protect production.
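The “firewall with no rules” pattern above is easy to catch if you actually look at the policy instead of the purchase order. The following is an added example, not code from GrayMatter or any of the vendors on the panel: it parses the filter table of an iptables-save style dump and reports the built-in inbound chains that can never drop or reject anything. Both dumps are constructed for illustration (the addresses, interface name and chain name OT_IN are assumptions); the two port numbers are the well-known EtherNet/IP (44818) and Modbus/TCP (502) ports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Two constructed iptables-save dumps (illustration only, not from any real site).
# The first is the "box checked" firewall: installed, running, denies nothing.
CHECKBOX_FIREWALL = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# The second allows only an assumed historian (10.10.5.20) and engineering
# station (10.10.5.21) to reach the cell on EtherNet/IP and Modbus/TCP, and
# drops everything else that arrives on eth0.
ENFORCING_FIREWALL = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:OT_IN - [0:0]
-A INPUT -i eth0 -j OT_IN
-A OT_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OT_IN -s 10.10.5.20/32 -p tcp -m tcp --dport 44818 -j ACCEPT
-A OT_IN -s 10.10.5.21/32 -p tcp -m tcp --dport 502 -j ACCEPT
-A OT_IN -j DROP
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
JUMP_RE = re.compile(r"(?:^|\s)-j\s+(\S+)")


@dataclass
class Chain:
    name: str
    policy: str            # ACCEPT, DROP, REJECT, or "-" for user-defined chains
    rule_count: int = 0
    jumps: list[str] = field(default_factory=list)  # -j targets, in rule order


def audit_filter_table(dump: str) -> dict[str, Chain]:
    """Parse the *filter table of an iptables-save dump into Chain records."""
    chains: dict[str, Chain] = {}
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy = m.groups()
            chains[name] = Chain(name, policy)
            continue
        m = RULE_RE.match(line)
        if m:
            name, body = m.groups()
            chain = chains.setdefault(name, Chain(name, "-"))
            chain.rule_count += 1
            j = JUMP_RE.search(body)
            if j:
                chain.jumps.append(j.group(1))
    return chains


def chain_can_deny(chains: dict[str, Chain], name: str, _seen: set[str] | None = None) -> bool:
    """True if traffic entering this chain can be dropped or rejected somewhere:
    by the chain's own policy, by a DROP/REJECT rule, or by a jump into a
    user-defined chain that can deny. A visited set guards against jump cycles."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in chains:
        return False
    seen.add(name)
    chain = chains[name]
    if chain.policy in ("DROP", "REJECT"):
        return True
    return any(t in ("DROP", "REJECT") or chain_can_deny(chains, t, seen)
               for t in chain.jumps)


def chains_that_deny_nothing(dump: str) -> list[str]:
    """Built-in inbound chains that satisfy 'is there a firewall?' but protect nothing."""
    chains = audit_filter_table(dump)
    return sorted(n for n in ("INPUT", "FORWARD")
                  if n in chains and not chain_can_deny(chains, n))


if __name__ == "__main__":
    for label, dump in (("checkbox", CHECKBOX_FIREWALL), ("enforcing", ENFORCING_FIREWALL)):
        gaps = chains_that_deny_nothing(dump)
        status = "compliant but unprotected: " + ", ".join(gaps) if gaps else "policy enforced"
        print(f"{label}: {status}")
```

This check is a floor, not a verdict: a chain that can deny something is necessary for the firewall to mean anything, but the real audit question is whether the set of flows it permits matches the list of flows production actually needs, which is where the second dump earns its keep.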

4 | The human element is the most overlooked OT risk.

Network-layer threats get most of the attention, but some of the costliest OT incidents have nothing to do with a bad actor. People make mistakes. On a production line, a worker might program a machine’s left arm to do what the right arm is supposed to do — a seemingly simple mix-up that leads to big problems.

The risk isn’t always an outsider, Vera agreed. It could be the contractor who was on-site last Tuesday, the OEM who remoted in to make an adjustment, the technician who made a change and didn’t document it.

“It’s not always the validated or verified badged employee that’s interacting with your shop floor at any given time,” Vera said. “We do pay a lot of money to contractors to maintain our production.”

The question isn’t whether human error will happen. It’s whether you’ll know about it when it does — and how quickly you can trace what changed and get back to normal.

5 | AI is changing both sides of OT security — and the defense is behind.

Mapping every possible way an attacker could move through an OT network is no longer a human-scale problem. “If you ever try building the logic diagram for that, you get lost in squares and diamonds,” O’Neill said. “You’re going to need processing power to understand … where the individual toxic combinations are coming from so that you can prioritize your workload. And you need to be able to understand the things you can’t fix so you can put mitigating factors in-between.”

That’s where AI comes in. And it’s coming in on both sides.

Baxter described what modern AI-assisted reconnaissance looks like: “You can run an AI script, create an entire agent to run through Shodan, find juicy targets, look at the CVEs that are exposed, go get a bunch of information and build a pinpoint attack at exactly that device.”

Once they’re in, attackers often stay hidden, Christensen said. Malware in a control system can live for roughly nine months before anything overtly malicious occurs — maximizing how many systems get infected, and therefore how much ransom can be demanded.

AI is already helping operational technology security teams tackle something more immediate: figuring out what to do after a common vulnerabilities and exposures (CVE) report lands across hundreds of devices, Vera added. Patching in OT is a coordinated process involving multiple parties and often scheduled downtime. “Utilizing AI right there for that recommendation at least to quickly direct you to come up with a path is what we’re doing today,” he said.

The consequences of getting this wrong are severe. “Once they get in, if you have no protection other than just a hard, crunchy exterior, and you’ve got a soft, gooey inside, they’re going to run rampant, and there’s going to be no stopping it,” Baxter warned.

OT Cybersecurity Moves from a Project to a Program

Christensen’s advice: Stop thinking about your OT cybersecurity strategy as a series of projects — remote access, version control, segmentation — and start thinking about it as a program. What are the gaps? How do you close them cost-effectively, without getting in the way of the people who are actually running production?

The tools are out there. The expertise is out there. What’s missing, more often than not, is the strategic connective tissue that turns point solutions into a real defense.


Register to view the full webinar here: https://streamyard.com/watch/pcfybjSJSP82
