Lesson 1: Start with the Basics, Not the Buzzwords

Attend any cybersecurity conference and you'll hear about AI, Zero Trust, threat intelligence, and advanced monitoring platforms. While these technologies have value, they often distract organisations from what truly reduces cyber risk.

The best OT cybersecurity programs start with strong operational discipline — not expensive technology.

Before investing in new tools, ask yourself:

  • Do we have an accurate asset inventory?
  • Can we restore our backups?
  • Is USB usage controlled?
  • Are user accounts regularly reviewed?
  • Is there a patch management process?
  • Do employees understand basic cyber hygiene?

If the answer is "not consistently," you've found your starting point.

Cybersecurity is not a product. It is a process supported by people and technology. Get the fundamentals right first, and every future investment becomes more effective.

Lessons from the Floor: Master the basics before chasing the buzzwords.

Lesson 2: You Can't Protect What You Don't Know Exists

Ask ten plants how many OT assets they have, and many won't know the exact number.

Without visibility, there is no security.

A complete asset inventory should include controllers, HMIs, engineering workstations, historians, servers, switches, firewalls, network appliances, remote access devices, and even unmanaged equipment.

But don't stop at counting devices. Record operating systems, firmware versions, software, network addresses, owners, criticality, and backup status.

Every cybersecurity decision — from vulnerability management to disaster recovery — depends on knowing what exists.

An outdated spreadsheet is better than no inventory. An automated inventory is even better.

Lessons from the Floor: Asset inventory isn't documentation — it's the foundation of OT cybersecurity.

Lesson 3: Backups Are Only Useful If You Can Restore Them

Every plant says they perform backups. Far fewer know whether those backups actually work.

During a system failure or ransomware incident, discovering that backups are incomplete or corrupted is far too late.

An effective backup strategy should answer four questions:

  1. What is backed up?
  2. Where is it stored?
  3. How often is it tested?
  4. How quickly can it be restored?

Remember to include controller configurations, HMI projects, engineering software, historian databases, network device configurations, and licence files.

A backup that has never been restored is simply an assumption.

Lessons from the Floor: Recovery — not backup — is the real measure of resilience.

Lesson 4: USB Drives — The Smallest Device with the Biggest Risk

Walk into almost any plant, and you'll find USB drives being used for firmware updates, logic downloads, configuration files, vendor diagnostics, and data transfers. They're also one of the easiest ways for malware to enter an OT network.

Completely banning USB devices is rarely practical. Instead, make them manageable.

Simple controls to implement:

  • Scan every device before use
  • Use dedicated engineering USB drives
  • Restrict unauthorised removable media
  • Maintain usage logs
  • Train personnel on safe practices

The objective isn't to stop maintenance — it's to make maintenance secure.

Lessons from the Floor: Practical controls outperform unrealistic policies.

Lesson 5: The Most Important Security Device Is the Person Using the Keyboard

Technology cannot compensate for poor security habits.

Operators, technicians, engineers, contractors, and vendors interact with control systems every day. Their decisions directly affect cybersecurity.

Regular awareness sessions should cover:

  • Phishing
  • Password hygiene
  • USB security
  • Remote access
  • Social engineering
  • Incident reporting

Keep training practical and relevant. Engineers don't need generic office cybersecurity — they need industrial examples they recognise.

A strong security culture develops through consistent conversations, not annual presentations.

Lessons from the Floor: Every employee is part of the plant's cybersecurity architecture.

Lesson 6: Implement ISA/IEC 62443 One Step at a Time

Many organisations view ISA/IEC 62443 — the internationally recognised standard for industrial automation and control system security — as too large, too technical, or too difficult to implement. It doesn't have to be.

Don't begin with compliance. Begin with improvement.

Start by:

  • Building an asset inventory
  • Defining cybersecurity policies
  • Establishing backup procedures
  • Managing user accounts
  • Controlling removable media
  • Segmenting networks where practical
  • Introducing change management

Each completed step strengthens your security posture while naturally aligning with ISA/IEC 62443 principles.

Progress is far more valuable than perfection. OT cybersecurity is a journey of continuous improvement — not a project with a finish line.

Lessons from the Floor: Don't implement the entire standard at once. Implement the next practical improvement.