Chuck Brooks, the GovCon Expert, highlights NIST NCCoE’s OT cybersecurity project to reduce infrastructure risks.

Operational Blind Spots: The Strategic Need for NIST’s New OT Cybersecurity Initiative

By Chuck Brooks, president of Brooks Consulting International and one of Executive Mosaic’s GovCon Experts

The National Institute of Standards and Technology and its National Cybersecurity Center of Excellence have quietly launched a new operational technology, or OT, cybersecurity project. This is more than just another government initiative; it is an acknowledgment that one of the most dangerous vulnerabilities in contemporary businesses is what they cannot see. 

The integration of IT and OT has greatly increased the attack surface for operators of vital infrastructure, such as transportation systems and energy grids. However, visibility into OT environments—which are frequently made up of embedded devices, industrial control systems and legacy systems—remains dangerously constrained. This imbalance is becoming a problem for national security.

By concentrating on enhancing OT visibility, Cherilyn Pascoe and her team at NCCoE are tackling a fundamental vulnerability that attackers, ranging from nation-states to ransomware gangs, have frequently exploited. 

OT’s Visibility Issue: A Strategic Risk 

In my earlier analysis published on sites like Forbes, Homeland Security Today and, of course, GovConWire, I have stressed that cybersecurity is now an operational and geopolitical danger rather than only an IT problem.

OT settings are the best places to see that. OT infrastructures, in contrast to typical IT systems, were built for dependability and safety rather than security. Many are based on antiquated protocols that offer little real-time monitoring capability, minimal logging and little authentication. As a result:

Businesses frequently don’t have a comprehensive inventory of related OT assets. 

Inconsistent or porous network segmentation exists between IT and OT. 

In industrial systems, anomalous activity may remain undiscovered for a long time. 

As a result, there are what I’ve called “digital blind spots”: places where hackers can continue to operate covertly while mapping systems, escalating privileges and setting themselves up for disruption.

In keeping with its goal of providing real-world, standards-based solutions for industry, the NCCoE’s new project directly addresses this problem by attempting to offer workable, scalable methods for obtaining visibility into OT settings. 

From Sector-Specific Initiatives to Systemic Risk Mitigation 

A broader change in cybersecurity thinking is reflected in the progress of NCCoE’s activities. 

In the past, initiatives have been sector-specific, covering healthcare, transportation and water systems. For instance, NCCoE has already created guidelines for water and wastewater systems and for transit agencies using the NIST Cybersecurity Framework.

These programs were important, but they addressed the symptoms within sectors rather than the fundamental systemic problem: a lack of unified awareness across OT ecosystems.

This new effort represents a shift in strategy from segmented defenses to cross-sector resilience. 

That change is consistent with a notion I have emphasized in my book Inside Cyber: proactive, intelligence-driven risk management must replace reactive controls in cybersecurity. The first stage of that change is visibility.

Why OT Visibility Is Currently a Board-Level Concern

Critical infrastructure cyberattacks are no longer just theoretical. They are more sophisticated, persistent and focused. 

The operational repercussions are immediate and noticeable, ranging from ransomware interfering with pipelines to state-sponsored attackers investigating electrical infrastructures. These are disturbances to the physical systems that support economies and society, not merely data breaches. 

This presents three pressing realities for C-suites and boards: 

1. Operational Risk equals Cyber Risk 
The consequences of compromised OT systems go beyond IT outages to physical interruption, including production halts, safety risks and cascading supply chain effects.

2. Cybersecurity Includes Geopolitical Risks 
Nation-state actors are deliberately targeting infrastructure as part of a larger geopolitical rivalry. Through cyber incursions, they may pre-position themselves in OT environments for future conflict.

3. Growing Expectations Regarding Regulation 
Governments are increasingly mandating cybersecurity standards for critical infrastructure, and many of these standards are based on NIST frameworks. Lack of visibility will eventually create a risk of noncompliance.

NIST and NCCoE’s Function: Connecting Policy & Practice 

The capacity of NIST and NCCoE to convert high-level concepts into practical implementation assistance is one of their enduring strengths. 

As a cooperative center, the NCCoE brings together business, government and academia to create workable cybersecurity solutions that businesses can use. This paradigm is especially crucial for OT settings, where: 

Standardization is hampered by vendor diversity and proprietary systems.

Security upgrade downtime is frequently intolerable. 

Lack of skills restricts internal capabilities. 

NCCoE makes it easier for businesses to deploy efficient security controls, including enhanced visibility, by creating reference architectures and practice guidelines. 

Implications for Strategy: From Identification to Forecasting

Increasing visibility in OT environments is about more than simply identifying threats; it is about enabling predictive security.

Improved network monitoring, behavioral analytics and asset discovery allow businesses to:

Find irregularities before they become incidents. 

Link the behavior of physical systems to internet activity. 

Include OT data in risk management systems for the entire company. 

This is where cutting-edge technologies like artificial intelligence, machine learning and advanced analytics will be revolutionary. The combination of these technologies with cybersecurity will completely change how businesses anticipate and reduce risk, as I have mentioned in my articles. 

An Appeal for Leaders in Critical Infrastructure 

The new OT cybersecurity project from the NCCoE should be seen as a catalyst rather than a standalone remedy. 

Now is the time for organizations to: 

Perform a thorough inventory of OT assets.

Put anomaly detection and ongoing monitoring into practice.

Comply with the NIST Cybersecurity Framework while developing OT security plans. 

Encourage cooperation between the security, OT and IT departments.

To speed up acceptance, participate in public-private projects like NCCoE. 

The cost of inaction is no longer speculative. It involves financial loss, operational interruption and occasionally exposure to national security risks.

Final Thoughts: Removing the Unknown 

In cybersecurity, you can be harmed by something you cannot see. One of the most important gaps in contemporary risk management is addressed by the NCCoE’s emphasis on OT visibility. It represents a wider understanding that awareness is the first step toward resilience and that protecting vital infrastructure calls for both improved defenses and improved comprehension. 

The foundation of cybersecurity strategy will be insight into operational environments as the digital and physical worlds continue to converge. 

Organizations that succeed will not only lower risk but also acquire a significant edge in long-term sustainability, trust and resilience.
