Rising adoption of 5G, edge computing, and IoT technologies across operational technology (OT) environments is driving organizations to rethink how they protect interconnected machines and critical processes, as cyber and physical security become increasingly intertwined. The integration creates a two-pronged challenge: keeping operations safe in real time while contending with remediation and policy timelines, measured in years, for legacy systems that were never designed for today’s threat landscape.
Single software flaws, such as the June 2024 CrowdStrike update and the SolarWinds cybersecurity breach, have demonstrated how one incident can create a domino effect through interconnected systems, with consequences rippling beyond the organization’s perimeter into operational disruption, loss of product quality or integrity, and supply chain breakdowns. Quantifying these risks quickly is a prerequisite for prioritizing cyber defenses and strategic investment decisions. At the same time, regulation and standards for cyber-physical security have been slow to adapt as adversaries find ways around them, creating demand for governance models that can co-evolve with the threat landscape.
In OT environments, however, the need for continuous operations and machine-to-machine trust prevents the straightforward adoption of zero trust principles, requiring adaptations that preserve safety while maintaining robust defenses. AI and autonomous security systems are beginning to take a role in cyber-physical security, adding detection and response capabilities. In a hyperconnected world, however, real resilience requires reimagining trust boundaries and making every level of industrial operations more secure.
Balancing real-time safety with securing legacy systems
Industrial Cyber consulted industrial cybersecurity experts to explore how cyber defenders can reconcile the tension between maintaining real-time operational safety and the extended timelines needed to deliver legacy cyber-physical security.

Paul Shaver, global practice leader at Mandiant’s Industrial Control Systems/Operational Technology Security Consulting practice, told Industrial Cyber that ensuring operational safety is a core component of secure and resilient industrial processes. “That includes protecting modern and legacy systems alike. However, legacy systems come with some challenges, such as the inability to rip and replace or patch them in most cases.”
He added that defenders should lean into compensating controls, such as network and physical segmentation, maintaining and testing backups, access management, detection engineering, and active threat hunting to protect critical functions immediately. “Risk-based assessments guide which vulnerabilities require urgent attention versus those managed with strategic, longer-term remediation plans, ensuring operational continuity while enhancing security.”

Some technologies can significantly simplify this challenge, Agustín Valencia Gil-Ortega, OT security business development lead for Spain and Portugal at Fortinet, told Industrial Cyber, before illustrating the point with two examples. “First, modern next-generation firewalls equipped with deep packet inspection for industrial protocols can apply intrusion prevention system (IPS) signatures based on OEM security advisories without disrupting ongoing operations. This approach, commonly known as virtual patching, allows these protections to be deployed directly on the firewall while machines remain fully operational.”
Secondly, Valencia pointed to network microsegmentation, “where modern switches can be governed by modern firewalls in a way that, without meaning to re-engineer production networks (the biggest fear in many environments), they substitute the original switches (many manageable but not managed) and provide segmentation along a flat network, allowing communications to SCADA, MES or BMS but blocking potential malware willing to move laterally.”

John Cusimano, chief strategy officer (CSO) and vice president for GRC and training services at Armexa, told Industrial Cyber that safety and security must be co-engineered, and not treated as separate disciplines. “Legacy CPS often lack modern security controls, yet they perform safety-critical functions that cannot be interrupted. The solution lies in adopting a cyber-safety engineering approach that integrates safety and cybersecurity risk assessments.”
He added that methodologies like Cyber PHA or Cyber HAZOP, based on ISA/IEC 62443-3-2, enable cross-functional teams to collaboratively identify and mitigate cyber risks that could impact safety. “This structured, consequence-based process allows defenders to prioritize mitigations that preserve operational integrity while incrementally improving security posture. Collaboration between safety and cybersecurity professionals is essential to balance real-time safety demands with long-term security goals.”

Marty Edwards, president and CEO of SiriusPPT, told Industrial Cyber he does not see much ‘tension’ in this issue, noting that defenders have plenty of options to secure systems, modern and legacy alike. “Proper planning, implementation, and especially testing of security-related hardware and software will help ensure a safe and secure environment with minimal downtime requirements.”
Measuring domino effect of software vulnerabilities
The executives went on to discuss how software vulnerabilities can cascade through interconnected supply chains, creating systemic risks for critical processes, and how such risks can be meaningfully quantified.
“A single vulnerability in a widely used component can replicate across countless deployed systems, creating widespread attack surfaces,” Shaver observed. “Supply chain compromises can inject malicious code or backdoors, leading to systemic disruption of critical processes. Risk can be quantified via software bill of materials (SBOMs), threat modeling, impact assessments, and simulation exercises, calculating potential downtime and financial losses.”
He added that flat networks are commonly seen in OT, and an exploitable vulnerability in a system can allow the attacker to gain access to other elements of the process. “Segmentation is a good proactive control to limit blast radius in case of software vulnerability and zero-day exploits.”
Valencia said that vulnerability and risk quantification means moving from the component level to the system and ecosystem level. He also cited the ‘ICS Advisory Project,’ which shows the same vulnerabilities per operating system and industrial manufacturer. “The former will tell data about the CVSS (analysts) and EPSS (exploit predictability), but the latter will tell industrial owners about the process impact and even the suppliers involved.”
He noted that to bridge these perspectives, methodologies like SSVC (Stakeholder-Specific Vulnerability Categorization) should be promoted, as they help align technical risk assessments with stakeholder-specific priorities and operational realities.
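The component-to-system triage Shaver and Valencia describe (SBOM lookup, then EPSS-style exploit likelihood and process impact folded into a stakeholder-specific decision) as an added example, not code from the article or any vendor; the SBOMs, system names, impact ratings and advisory are constructed, and the decision tree is a simplified SSVC-style mapping assumed for illustration, not the CERT/CC published tree.

```python
"""Component-level advisory -> system/ecosystem-level decision, SSVC-style.

Added example: walks constructed per-system SBOM lists to find which plant
systems embed a vulnerable component, then applies a simplified decision tree
modeled on SSVC's deployer decision points (exploitation, automatable,
technical impact, mission/well-being). Thresholds and the Track/Attend/Act
mapping are assumptions for the example, not the published CERT/CC tree.
"""
from dataclasses import dataclass

# Constructed SBOMs: system -> [(component, version)]. A real SBOM would be
# parsed from SPDX or CycloneDX; the shape is reduced to what triage needs.
SBOMS = {
    "hist-server": [("modbus-stack", "3.1.6"), ("ot-tls-lib", "3.0.9")],
    "sis-gateway": [("modbus-stack", "3.1.6"), ("compress-lib", "1.2.13")],
    "mes-portal":  [("ot-tls-lib", "3.0.9"), ("log-lib", "2.17.1")],
    "bms-hvac":    [("compress-lib", "1.2.13")],
}

# Constructed process-impact rating per system (SSVC "mission & well-being"):
# what a compromise of that system does to the physical process.
MISSION_IMPACT = {
    "hist-server": "low",     # historian: data only, no control path
    "sis-gateway": "high",    # touches the safety instrumented system
    "mes-portal":  "medium",  # production scheduling
    "bms-hvac":    "medium",  # building services
}


@dataclass
class Advisory:
    component: str
    affected_versions: set
    epss: float             # exploit probability score, 0..1
    known_active: bool      # exploitation observed in the wild
    automatable: bool       # exploitable without human interaction
    technical_impact: str   # "partial" or "total"


def affected_systems(sboms, adv):
    """Component level -> system level: systems embedding the flawed version."""
    return sorted(name for name, comps in sboms.items()
                  if any(c == adv.component and v in adv.affected_versions
                         for c, v in comps))


def exploitation(adv):
    """Map evidence to an SSVC-like exploitation state (threshold assumed)."""
    if adv.known_active:
        return "active"
    return "poc" if adv.epss >= 0.1 else "none"


def decide(adv, mission):
    """Simplified SSVC-style deployer decision (mapping is an assumption)."""
    exp = exploitation(adv)
    wormable = adv.automatable and adv.technical_impact == "total"
    if exp == "active" and (mission == "high" or wormable):
        return "Act"
    if exp == "active" or (exp == "poc" and (mission == "high" or wormable)):
        return "Attend"
    return "Track"


def triage(sboms, mission_impact, adv):
    """Ecosystem view: one decision per affected system, most urgent first."""
    order = {"Act": 0, "Attend": 1, "Track": 2}
    rows = [(s, decide(adv, mission_impact[s])) for s in affected_systems(sboms, adv)]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


if __name__ == "__main__":
    adv = Advisory("modbus-stack", {"3.1.6"}, epss=0.35, known_active=False,
                   automatable=False, technical_impact="total")
    for system, decision in triage(SBOMS, MISSION_IMPACT, adv):
        print(f"{system:12s} {decision}")
```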
“Software vulnerabilities can propagate across interconnected systems, especially when third-party components are embedded deep within industrial supply chains,” Cusimano identified. “A flaw in a single library or protocol stack can ripple through OEMs, integrators, and operators, compromising critical processes.”
He added that quantifying this risk depends on context, as threat modeling is effective for assessing risk in individual products, while Cyber HAZOP or Cyber Bowtie techniques are better suited for modeling risk across interconnected systems. “These methods help visualize how vulnerabilities can lead to cascading failures and allow defenders to prioritize mitigations based on safety, availability, and regulatory impact.”
“I see this especially in vendor-supplied control systems in skid-type machine applications,” according to Edwards. “The end user may have little knowledge or influence over what kind of PLC or controls are used and may not be able to upgrade or patch the system directly due to warranty concerns. It is absolutely essential that buyers insert the correct security-related language in their procurement and purchasing documents to make sure they get the security that they desire delivered to them from all of their vendors.”
Rethinking governance to close gap between regulation and threat reality
The executives examine whether the current regulatory and standards ecosystem for cyber-physical security can truly keep pace with adversaries, or if a new governance model is needed.
Shaver highlighted that the current ecosystem struggles to keep pace due to rapid technological evolution and adversarial agility. “Additionally, while a ‘one size fits most’ approach to standards and frameworks is effective, it is extremely difficult to find commonalities across sectors to implement uniform regulation. What may be more crucial in collaboratively protecting critical infrastructure is real-time threat intelligence sharing, public-private partnerships, and potentially a global framework to foster continuous security improvements against evolving threats.”
He noted that because threats and technologies evolve faster than standards, “our recommendation is to take a threat-based approach to security that includes meeting compliance or using a generic standard as a ‘check the box’ exercise.”
“The answer is no—not because we need yet another regulation, but because of the fragmentation that exists across regions,” Valencia said. “This fragmentation forces both suppliers and asset owners with global operations to multiply their compliance efforts and navigate diverging product management requirements for similar systems in different regions.”
He pointed out that the World Economic Forum has extensively addressed this issue, emphasizing that the real need lies in enhancing interoperability among regulatory frameworks.
Cusimano mentioned that the current regulatory and standards ecosystem, particularly ISA/IEC 62443, provides a robust and adaptable foundation for providing cyber-physical security. Rather than requiring a new governance model, the focus should be on rigorous application and contextual adaptation of existing standards.
“The LOGIIC Study 01 IIoT Risk Assessment demonstrated how applying ISA/IEC 62443-3-2 through Cyber PHA workshops enabled stakeholders to identify and mitigate risks across a range of IIoT architectures,” Cusimano added. “The study found that many risks—such as insecure edge gateways, cloud misconfigurations, and unclear system ownership—can be effectively addressed using existing best practices and standards when applied with discipline and cross-functional collaboration. The key is not to replace the standards, but to ensure they are implemented with the depth and agility required to address evolving threats.”
Marking that the term ‘adversary’ is a little overused these days, Edwards said that system owners must evaluate their unique risks against all kinds of threats, ranging from human error or insider threat to ransomware or malicious code, all the way up to advanced, persistent nation-state actors if they are in certain sectors or industries.
“They don’t necessarily need to use methods recommended by standards if they feel they are inadequate, nor do they need to only implement the ‘bare minimum’ required by regulation (in some sectors) – but need to choose their security solutions based on their own organizations’ risk tolerance, which varies widely,” he added. “Simply put – you can implement more security than required by regulation if you think you need it to reduce your exposure to risk.”
Securing OT with zero trust for continuous operations
The executives focus on how zero trust principles can be applied to OT environments that depend on continuous data flows and machine-to-machine trust to operate safely.
Shaver said that the vast majority of OT devices that are in service were not designed to functionally support zero trust. “The best we can achieve in many cases is developing robust micro-segmentation with Access Control List (ACL) based security for all communications. OT should have separate Windows domains from IT, and there should be no trust relationship. Take a ‘trust but verify’ approach within some OT networks – instead of inherent trust, explicit policies validate data flows and interactions, even within the trusted operational zone.”
He assesses that this minimizes lateral movement for adversaries while maintaining the necessary real-time data exchange for safety and process optimization. “Technologies such as machine identity services that use short-lived certificates are being explored to facilitate zero-trust architecture in OT.”
Zero trust is essential in OT, though it requires a nuanced approach depending on the context, Valencia noted. “The most important is all that applies to privileged access, so the concepts need to be applied from the user, what he knows and has, the devices he uses to access, control and patch it, his privileges through application and industrial communications privileges, and finally the destination in the plant where he has the right to access, and guarantee that he can access only there.”
“If communications are M2M, the first analysis according to ISA/IEC 62443 is to understand if they are part of the same security zone or not, as this will impact what controls to put in between or around both machines,” according to Valencia. “For example, in the case of smart meters or electric vehicle (EV) charging points, embedded Network Access Control (NAC) capabilities and Zero Trust Network Access (ZTNA) tunnels are necessary to ensure secure M2M communications and prevent man-in-the-middle attacks.”
Cusimano observed that zero trust in OT environments must be adapted to preserve operational continuity while enforcing strict access controls.
“NIST’s zero trust architecture (ZTA) emphasizes dynamic, per-session authentication and authorization, even for machine-to-machine communications. In OT, this translates to validating device identity, integrity, and behavior continuously—without disrupting real-time operations,” he added. “Policy Enforcement Points (PEPs) can be deployed at key junctions to monitor and control data flows, while compensating controls are used where legacy devices lack native security capabilities.”
Additionally, Cusimano said that the NIST Risk Management Framework (RMF) supports this approach by guiding the integration of zero trust into system design, implementation, and monitoring. Ultimately, zero trust in OT is not about eliminating trust; it’s about making trust earned, contextual, and continuously verified.
Edwards points out that zero trust is another set of buzzwords thrown around too much these days. “If you think about the base principles of zero trust and do your due diligence in areas such as network access and segmentation, or identity security for both people and devices, then you will be making progress towards improving your security posture. Not all things can be blindly applied to all systems, and one must take an engineering approach to make sure that the security systems design meets the needs of the end user company.”
He noted that there certainly are a multitude of solutions to protect machine-to-machine data flows and ensure that they continue to operate continuously.
Letting AI take front line in CPS defense
The executives address the role artificial intelligence and autonomous systems should play in defending infrastructure when it comes to bringing about cyber-physical security.
“AI and autonomous systems are becoming crucial for real-time anomaly detection, identifying subtle deviations indicative of attacks within complex OT networks,” Shaver said. “They can automate threat response, predict potential vulnerabilities by analyzing vast datasets, and optimize system configurations. This reduces human error and accelerates defensive actions, significantly bolstering the resilience of critical infrastructure.”
Valencia recognizes that AI is already playing a role in defending such infrastructures in several ways. “ML/AI is being used to reduce alert fatigue: group similar events as part of the same case, acknowledge alerts similar to others previously done by analysts, and understand different aspects of alerts to warn analysts.”
He added that other applications more related to newer GenAI are for detection and orchestrated response systems, so that events and alerts can be matched with known patterns, and AI to show relationships, suggest actions, and playbooks to respond for defenders. “This represents a substantial advancement in reducing both Time to Detect (TTD) and Time to Respond (TTR) by filtering out noise and equipping analysts with enhanced situational awareness—both of the operational environment and the threat landscape—enabling them to make more informed and timely decisions.”
Cusimano said that artificial intelligence and autonomous systems are becoming essential to defending cyber-physical infrastructure. AI enhances situational awareness through real-time anomaly detection, predictive threat analytics, and automated incident response, capabilities that are critical in environments where milliseconds matter.
“In industrial settings, AI-driven predictive maintenance can reduce downtime by up to 50%, while anomaly detection systems can identify subtle deviations in process behavior that may signal cyber intrusions or equipment failure,” he added. “Autonomous systems, when properly governed, can act as force multipliers—scaling defenses across complex, distributed environments. They can isolate threats, enforce policies, and initiate containment actions without waiting for human intervention. However, these systems must be explainable, testable, and aligned with operational safety constraints.”
Cusimano also mentioned that hybrid frameworks that combine AI with human oversight are emerging as best practices, ensuring that automation enhances rather than replaces human judgment. “As CPS environments grow in complexity, AI’s ability to adapt, learn, and respond dynamically will be key to maintaining resilience against evolving threats.”
“My personal opinion is that generative AI has not matured to the point yet to ‘close the loop,’” according to Edwards. “It certainly is very capable of assisting human security-related operators to sift through the mountains of data from vulnerability management and intrusion detection systems in order to assist the organization in prioritizing the highest risk issues.”
He added that he would be extremely hesitant to allow AI-based systems to autonomously make changes in systems deployed in critical infrastructure. “The time may come, but it isn’t here yet.”
When 5G, edge, IoT blur industrial security borders
As industrial systems converge with 5G, edge computing, and IoT, executives look into how security architects should rethink the boundaries of protection for connected machines and critical processes.
Shaver said that over the past few years, “we have seen a steady increase in exploited vulnerabilities in edge systems and hostile takeover of IoT devices enlisted into botnet armies. Security architects must adopt a ‘zero-perimeter’ mindset, extending protection beyond traditional network boundaries. This involves robust identity and access management, endpoint security, use of secure-by-design and secure coding principles in deployments, and continuous security monitoring.”
He added that using machine identities, especially with on-field robotics, is also an opportunity to bring security closer to the edge.
Valencia said that “We must remain consistent with the established zones and conduits strategy, but understanding that more domains are now under consideration.”
To that end, he identified several key questions, including whether applications, instances, or devices can be isolated so that each communicates only with designated security zones within the plant, with specific controls applied to any communications with external networks. He also looked at whether there is full visibility into all new conduits, along with their associated threats and vulnerabilities. He also queried whether external attack surface monitoring is being incorporated. Misconfigured or poorly managed external interfaces can expose entry points to attackers, making it essential to have capabilities that detect these exposures from the outside, ideally faster than adversaries can exploit them.
Cusimano noted that the convergence of industrial systems with 5G, edge computing, and IoT demands a shift from traditional perimeter-based security to dynamic, architecture-aware protection.
“The LOGIIC IIoT Study highlights how integration with cloud services, wireless gateways, and edge devices expands the attack surface and introduces new vectors for compromise,” he added. “Security architects must redefine boundaries based on data flows, trust relationships, and functional zones—not physical location. ISA/IEC 62443’s zone and conduit model remains highly relevant, enabling segmentation and tailored controls across heterogeneous environments.”
He added that protection strategies must account for the unique risks of IIoT architectures, including third-party cloud dependencies, edge device vulnerabilities, and real-time data integrity. “Defense-in-depth must extend from field devices to enterprise platforms, with continuous monitoring, secure provisioning, and clear ownership of cybersecurity responsibilities.”
“I really believe that when designing your control system, you need to carefully evaluate what ‘makes sense’ to have on-premise vs cloud-based as far as compute functions,” according to Edwards. “The so-called ‘perimeter’ of your plant networks will vary greatly from system to system based on how they are architected. It really doesn’t matter much if you are using a private 5G communications system or wired Ethernet; you must look closely at all of the devices and their data flows and ensure you have adequate security for your purpose at every step of the way. Can you tolerate certain functions in your plant controls to operate in a degraded state when internet connectivity is severed? These are the types of questions that must be asked during the design phase these days,” he concluded.