OT security in practice: How management works with the scenarios that can hit operations the hardest
When a control system becomes unavailable, vendor access fails, or a plant cannot be controlled as expected, OT security quickly becomes a matter of operations, responsibility and decision-making power.
For energy and utility companies, OT security is therefore not only about protecting systems. It is about ensuring that the most important functions can continue when something goes wrong. That is why management should start with the scenarios that can hit operations the hardest.
This is the third post in our series on OT security in the energy and utilities sector. In the first two posts, we focused on why OT security has become a management concern, and why OT cannot be handled with the same logic as classic IT security.
If you have not read them yet, they are a good place to start:
- When IT and OT meet: 3 classic mistakes management should avoid
- New risks, new requirements: 5 OT security tips for management
With that as our starting point, we now move from recognition to practice. Because once management has understood why OT security requires a different approach, the key question becomes:
How do you work with OT risk in practice?
The perspectives in this post are based on experience and recommendations from Mjølner’s domain experts in the energy and utilities sector, Jakob Hviid and André Bryde Alnor, as well as our partner Jørgen Hartig from SecuriOT. They work with security, operations and digitalisation in environments where resilience, uptime and responsible decision-making are critical.
Many organisations start with what is easiest to identify: physical security, access control, network segmentation or individual technical controls. All of these are relevant. But they are not necessarily where the risk is greatest.
For OT security to create real value, management should start with a different question:
What could, in practice, stop or seriously affect our ability to deliver?
That question moves the work from general security measures to concrete scenarios that management can prioritise, test and act on.
Start with what absolutely needs to work
A good starting point for OT security is not a long list of technical measures. It is a more fundamental management question:
Which functions absolutely need to work for us to deliver our core service?
Because OT security is not first and foremost about protecting technology. It is about protecting the organisation’s ability to function. About ensuring that electricity, heat, water or production can be maintained – even when something goes wrong.
“The essential function in our supply or production is supported by a number of sub-functions that need to be in place for everything to work optimally. These sub-functions are always supported by systems such as servers, networks and applications. If these systems fail, we come to a standstill. That is why clarifying what is acceptable, what is most critical, and how we get back up and running should be central focus points in this process.”
This is a crucial distinction. While IT security often starts from access, data and system protection, OT security is largely based on the ability of operations to continue – even when something fails.
Jakob Hviid, Senior Solution Architect at Mjølner, points to the same fundamental difference between the two worlds. While IT can often respond to an incident by shutting down, isolating or quickly changing systems, the premise is different in OT:
“In the OT world, it is about how you maintain the highest possible uptime. Security has a different perspective. It is also about physical infrastructure, spare parts, redundancy and contingency plans.”
Shift the focus from assets to consequences
Many organisations are used to thinking in terms of assets:
- Which plants or systems are the most expensive?
- Which components are the most difficult to replace?
- What is technically the most complex?
These are relevant questions. But they are not enough. A more mature approach is to shift the focus from plants and components to consequences:
- What happens if an essential function fails?
- What happens if a central system is unavailable for several days?
- What happens if a supplier connection disappears at the wrong time?
- What happens if a failure in one system spreads to other parts of operations?
For management, this provides a stronger basis for decision-making. When the consequence is clear, it becomes easier to prioritise the initiatives that actually reduce risk the most.
The consequences do not stop at the OT environment
An OT incident rarely affects only one system or one plant. It can impact the entire value chain around operations, production, troubleshooting and recovery.
“You may have secured your OT network as well as possible. But if operations depend on systems, processes or suppliers outside OT, you may still be vulnerable — both to attacks and in terms of getting production back up and running after an outage.”
We often see this in practice. Many organisations have a good overview of their physical assets, but less insight into the dependencies surrounding them.
These may include order flows, supplier access, support processes, data exchange, internal workflows or key personnel who turn out to be critical when something goes wrong.
That is why it is not enough to ask whether the OT environment is protected. Management must also ask:
Which parts of the value chain do operations depend on — and how quickly can we return to stable operations if they fail?
Build a few scenarios that really hurt
One of the most useful approaches is also one of the simplest: Do not start with everything. Start with a few scenarios that would have serious consequences if they became reality.
“Try to define 5-6 scenarios where you can say: If this happened, it would really hurt operations.”
It is good advice because it forces the organisation to prioritise. Instead of trying to map every conceivable risk, management can begin with a limited number of incidents that would have serious consequences for operations, supply, safety or reputation.
These could, for example, be scenarios such as:
- A central control system is unavailable for several days
- An external supplier loses access to a critical environment
- A plant cannot be controlled as expected
- An incident in one system affects other parts of operations
- A key person or critical support function is unavailable during an incident
The scenarios do not have to be perfect from the start. What matters is that they are concrete enough for the organisation to begin asking the right questions.
Make time part of the risk
A scenario becomes far more useful when you add time.
It is one thing to say that a system can go down. It is another to ask what it means if it is down for 24, 48 or 72 hours. Then the risk becomes concrete: How long can the function be affected before it impacts supply, safety or operations? Which emergency processes can keep operations running in the meantime? And which suppliers, spare parts or key people are critical to returning to stable operations?
Scenario thinking connects security with contingency planning, recovery and concrete courses of action.
Use the scenarios to prioritise correctly
When the most important scenarios are clear, it becomes easier to determine which investments actually reduce risk the most.
This could be technical controls, better visibility into the OT landscape, tighter management of supplier access, contingency plans, testing, spare parts or clear decision paths during an incident.
What matters is that prioritisation is based on the consequence for operations and supply – not only on what is easiest to implement.
Jakob puts the difference like this:
“On the IT side, it is often about protecting data from unauthorised access. In OT, maintaining the value chain plays a much larger role.”
In OT, it is precisely the ability to maintain the value chain that must guide the work.
OT risk requires several perspectives
Scenario work cannot be handled by one function alone.
There must be clear ownership, but the work only becomes strong when several relevant perspectives are brought into play. OT risk rarely arises in one place. It arises in the interaction between plant operations, IT, suppliers, contingency planning and the business.
That is why the scenarios should not only be assessed by OT specialists. They should be reviewed together with the functions that need to act if the scenario becomes reality.
For management, the task is to establish a structure where the relevant disciplines work together to assess risk, consequence and possible actions. Otherwise, OT security risks becoming either an isolated specialist project or a risk register with no real impact on operations.
From concern to decision
OT security only becomes truly valuable when it moves from being a diffuse concern to becoming a way to make better decisions.
That is exactly what scenario thinking can do.
It helps the organisation focus on what matters most. It makes risk concrete. It creates a shared language between management, operations and specialists. And it makes it easier to prioritise both investments and initiatives.
Management can start with four questions:
- Which functions absolutely need to work for us to deliver our core service?
- Which 5-6 scenarios would hit operations the hardest?
- How long can we tolerate central systems or supplier connections being unavailable?
- Who owns the responsibility for testing, prioritising and following up?
The most important thing is not to find all the answers at once.
The most important thing is to get started with the few scenarios that really matter. Because once they are clear, it also becomes clearer which systems, processes, suppliers and decisions are truly critical.
At Mjølner, we help energy and utility companies translate OT risk into concrete scenarios, priorities and decision-making foundations that management, operations and specialists can act on.