ARTICLE
Jeremy Hulse
3 min read
Last month, SAGE Group and Claroty brought together a group of operational technology practitioners, engineers and critical infrastructure leaders in Melbourne for an evening of candid discussion on one of the sector’s most pressing challenges: OT cybersecurity in practice.
Rather than focusing on tools or products, the session was deliberately designed to encourage open conversation about real-world challenges - what’s working, what isn’t, and where organisations are struggling to translate cyber theory into operational reality.
What followed was a thoughtful, practical discussion grounded firmly in experience from the field. Below are the key themes and takeaways from the evening.
From Cybersecurity to Operational Resilience
One of the strongest messages to emerge from the discussion was the need to reframe how we think about OT cybersecurity.
In operational environments, the goal is not simply to be “secure” in an IT sense. The real objective is operational resilience - the ability to operate safely and reliably in the presence of risk. Unlike IT systems, OT environments must balance cybersecurity with safety, uptime and production realities. Risk decisions can’t be lifted directly from IT playbooks; they must be made in context.
As several participants noted, the more useful question isn’t “Are we secure?” but “Can we continue to operate safely within the risks that exist today?”
Asset Visibility Is Still the Biggest Gap
Across organisations and sectors represented in the room, one issue was raised repeatedly: asset visibility.
Many organisations still cannot confidently identify every device connected to their OT networks. Without a complete and accurate asset inventory, risk assessments, assurance activities and incident response planning are built on shaky foundations.
Importantly, asset visibility was not framed as a technology shortfall. It is first and foremost a governance and process challenge - clarity around ownership, accountability and ongoing maintenance. Technology can help, but only once organisations are aligned on the outcome they are trying to achieve.
Strategy Before Technology - Every Time
Another clear theme was the cost of starting in the wrong place.
Too often, organisations invest in security tools before defining their OT security strategy. The result is technology that OT teams didn’t help select, don’t trust, and ultimately don’t use. Participants agreed that people and process drive the majority of OT security outcomes, with technology playing a supporting role - not the lead.
An effective OT cyber strategy doesn’t need to be complex. It does need to be explicit: what you are protecting, what risks exist, what level of risk is acceptable, and what controls are proportionate to that risk.
The Hidden Risk in the Supply Chain
Supply chain risk emerged as one of the most underestimated and persistent challenges in OT environments.
Many incidents don’t result from direct cyberattacks, but from contractor access, unmanaged remote connections, residual devices left behind after projects, or default credentials that were never removed at handover. While engineering projects typically have structured assurance processes, cybersecurity assurance across the project lifecycle is still inconsistent in many organisations.
The consensus was clear: supply chain assurance must extend across design, build, deploy and handover phases - and ultimately remain the responsibility of the asset owner.
Collaboration Is a Security Control
A recurring insight from the evening was that effective OT security is fundamentally collaborative.
Strong outcomes require IT, OT, engineering, safety and leadership teams to work from a shared understanding of risk and shared governance structures. When these groups operate in silos, gaps appear - and those gaps become vulnerabilities.
Participants also highlighted the importance of working with partners who truly understand operational environments. A simple test was offered more than once: if a partner hasn’t walked your site and engaged with your people, they are unlikely to provide advice that works in practice.
Practical Starting Points
While the conversation covered a wide range of issues, the session closed with a focus on action. Regardless of maturity level, organisations can make meaningful progress by starting with a small number of practical steps:
- Establish and maintain a verified OT asset inventory, including ownership and criticality
- Review remote access pathways and eliminate default credentials or unmanaged access
- Clarify OT governance, roles and risk decision rights across IT, OT and leadership
- Select a single framework - such as IEC 62443 or NIST - and tailor it into a realistic roadmap
- Strengthen supply chain assurance across project delivery and handover
- Embed cyber requirements early in project and procurement processes
The message was simple but consistent: start with your assets, and build from there.
Continuing the Conversation
The Melbourne session reinforced what many in the room already knew - OT cybersecurity is not a checkbox exercise. It is an ongoing discipline grounded in operational realities, clear governance and collaboration across traditional boundaries.
SAGE Group is proud to support forums like this that prioritise learning, shared experience and practical outcomes. If the themes above resonate with your organisation, we’d welcome the opportunity to continue the conversation.