Second, determine the 2 or three OT cyber eventualities that will most impression continuity, key operations and exterior defensibility. Situations ought to be concrete sufficient to information priorities, funds and disaster preparation. Generic statements about defending vital infrastructure are usually not sufficient.
Third, require assurance. Boards ought to ask whether or not a baseline exists and whether or not it has been independently examined for effectiveness. Governance and assurance ought to sit above the technical baseline and working mannequin. In OT, web site assessments, adversarial simulations, tabletop workout routines and validation of distant entry controls present extra perception than maturity scoring.
Fourth, deal with innovation. AI and cloud are altering operational environments, even when adoption begins on the bodily layer. The management agenda is transferring towards governance, resilience and management of more and more advanced digital dependencies. For OT, boards ought to deal with these shifts as working mannequin and assurance questions, not simply know-how questions.
