OT cybersecurity: A governance failure masquerading as a vocabulary issue

The OT cybersecurity community continues to ignore control system cyber incidents
March 2, 2026

The operational technology (OT) cybersecurity community was created, and serves its mission, to focus on OT network cyberattacks. However, this charter does not extend to malicious and unintentional control system cyber incidents involving process sensors, actuators, motors, turbines, transformers, etc. As such, industry and government OT cybersecurity experts continue to downplay the threat of control system cyberattacks and, by not calling them cyber-related, ignore actual control system incidents that do not originate from OT networks.

This indicates that control system cyber incidents that are not classified as internet protocol network-enabled need their own classification as issues to be addressed by cybersecurity policy, especially for critical infrastructure whose accidental and malicious cyber failures could result in widespread death and destruction. Given that the current world situation has motivated nation-states to assess their own capacity for inflicting widespread damage on their adversaries, ignoring control system cyber incidents simply because they do not originate from internet protocol access is very dangerous. Our adversaries focus on compromising critical infrastructures and their control systems, not just OT networks.

ERPI focus

The European Risk Policy Institute (ERPI) was founded by the Australian Risk Policy Institute as part of the Global Risk Policy Network. Ivan Savov, Chairman of the European Risk Policy Institute, wrote the following blog:

“From our ERPI / 3°C World SRP perspective, Weiss is pointing at a governance failure masquerading as a vocabulary issue: if you define “cyber incident” through an IT breach lens, you will miss (or dismiss) the incidents that actually move risk in a 3°C world—those that degrade continuity lifelines by disrupting physical processes. He makes the case that control-system cyber incidents include electronic/automation failures across sensor signals, control logic, firmware and field device communications, and that many are non-malicious yet still produce loss of view, loss of control, equipment damage, and safety/environmental consequences.

“What matters strategically is the reporting and response architecture. Breach-centric metrics (and the cultural reflex that “no attack = no incident”) bias organizations toward under-detection, weak root-cause discipline, and false trend comparisons—exactly when coupled infrastructures are most fragile and repair cycles are tight. Weiss’s bridge condition is practical: align engineering and security on a shared incident definition, and train both communities in control-system incident reality so that operational anomalies are treated as cyber-relevant signals, not “maintenance noise.” If you’re responsible for critical infrastructure, this is a reminder to recalibrate your incident taxonomy and your board narrative: the control-room outcome is the headline, and the network story is only one possible path to it.”

OTI Impact Score

The Operations Technology Incident (OTI) Impact Score for measuring real-world consequences of industrial cyberattacks was unveiled at the S4x26 Conference Feb. 23-26, 2026. The purpose of this approach is to provide a standardized way for the public and policymakers to understand cyber incident severity. The initiative is meant to address a growing problem where minor incidents are often over-sensationalized, leading to unnecessary hysteria and misallocation of critical security resources. 


However, this approach requires that control system incidents be identifiable as cyber-related, and this is not happening. There were more than one million control system cyber incidents in 2025, including deaths, equipment damage, and environmental impacts. Yet the only control system cyber incident identified by the OTI and the Dragos 2025 report was the December 2025 Russian cyberattack on the Polish grid. It was stated that this was the first cyberattack targeting renewable resources.

Yet on Feb. 24, 2022, the day Russia invaded Ukraine, thousands of Viasat modems went offline, causing the malfunction of the remote control of 5,800 Enercon wind turbines in Germany and disruptions to thousands of organizations across Europe. Even so, there were OT cybersecurity experts who would not call this a cyberattack because power wasn’t lost. Moreover, continuing to erroneously include the 2021 Oldsmar event as a cyberattack doesn’t help either.

Summary

Network cybersecurity (IT and OT) and control system organizations have fundamentally different objectives and criteria when it comes to identifying and addressing cyber incidents. The Verizon Data Breach report, the Dragos 2025 Report and the OTI Impact Score are typical of OT cyber incident reporting that equates data breaches and ransomware with cyber incidents. Industry and government network security organizations cannot continue to ignore control system cyber incidents because the incidents don’t meet their narrow definition. This is a governance failure masquerading as a vocabulary issue.

Network and engineering organizations need to accept the same cyber incident definition, and both network security and engineering organizations need to receive appropriate control system cyber incident training. Otherwise, comparing numbers and impacts from network versus control system cyber incidents will not only continue to be an exercise in comparing apples to oranges, but will also leave our critical infrastructures dangerously cyber vulnerable.

About the Author

Joe Weiss

Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]
