Cyber-physical resilience reshaping industrial cybersecurity beyond perimeter defense to protect core processes

https://industrialcyber.co/features/cyber-physical-resilience-reshaping-industrial-cybersecurity-beyond-perimeter-defense-to-protect-core-processes/

Publish Date: 2026-05-03 01:15:00

Source Domain: industrialcyber.co

Cyber-physical resilience is forcing a shift away from perimeter-centric security toward protecting the integrity of industrial processes themselves. Perimeter defenses were built for a world in which IT and OT environments operated separately. That separation has largely disappeared. The traditional air gap is fading, and while organizations with higher OT maturity report fewer incidents and faster recovery, most operators have yet to reach that level.

Detection, as a result, must move inside operations. KPMG highlights the growing role of cyber process hazard analysis in identifying risks embedded in industrial workflows, not just in networks. This reflects a broader transition toward monitoring process anomalies and physics-based deviations as indicators of compromise.

Once inside, attackers may move laterally, manipulate control systems, and take physical actions before they are detected. More than a decade after the launch of Stuxnet, the industrial environments that power critical infrastructure such as electrical grids and water utilities remain less secure and still offer avenues for malicious actors to exploit.

Industry data reveals the magnitude of change the new situation requires. About 21% of companies face OT cyber attacks each year, and 40% of those attacks lead to business disruptions. Detection has improved, with almost half of detected threats identified within the first 24 hours, but process-level visibility still leaves much to be desired and exposure through remote access persists. Meanwhile, 78% of all industrial control devices contain vulnerabilities that cannot be patched.

Even architecture is being reconsidered. According to a Deloitte report, traditional OT infrastructures designed for efficiency rather than security are highly exposed to risk as OT and IT continue to converge. Ensuring protection within control systems, processes, and asset management becomes a necessity.

A prevention-only approach no longer suffices; organizations are adopting preventive and resilience measures in parallel. One driver is the rising number of threats: according to a KPMG report, the number of attacks against industrial control infrastructure rose by 87% year over year.

Recovery remains a weak point. Almost 20% of companies need more than one month to bring their activities back after an incident, indicating ongoing weaknesses in the processes required for operational readiness. Cyber-physical resilience today is therefore measured by how quickly a company can identify, mitigate, and recover from an event without interrupting its processes.

Cybersecurity incidents today often affect operational activity and safety, as stated by Deloitte, which has observed an increase in cybersecurity events related to industrial control systems. However, asset owners and operators remain underprepared, constrained by fragmented maturity, legacy assets, and skills gaps, leaving critical infrastructure exposed to cyber-physical impact.

Cyber-physical resilience moves beyond perimeter defense

Industrial Cyber reached out to industrial cybersecurity experts to examine how cyber-physical resilience in critical infrastructure should be defined, and what fundamentally changes when the focus shifts from securing systems to defending core processes.

Connor Brown, federal OT cybersecurity lead at Booz Allen

Connor Brown, federal OT cybersecurity lead at Booz Allen Hamilton, told Industrial Cyber that cyber-physical resilience for critical infrastructure is not just about safeguarding systems; it is fundamentally about ensuring essential services continue to endure, recover, and adapt in the face of disruptions. “The shift from securing systems to defending core processes moves from a reactive focus on preventing every attack to a proactive emphasis on maintaining functionality, even when failures occur.”

He added that resilience prioritizes adaptability over perfection, requiring organizations to break down silos, leverage real-time intelligence, implement dynamic recovery strategies, and foster cross-disciplinary collaboration. By addressing the intricate links between cyber and physical systems, resilience ensures vital operations persist despite compromise or disruption.

Richard Springer, director of OT solutions marketing at Fortinet

“Cyber-physical resilience is the ability to maintain safe, reliable operations even when systems are compromised,” Richard Springer, director of OT solutions marketing at Fortinet, mentioned to Industrial Cyber. “Not too dissimilar to IT networks, it’s not just about protecting network assets as much as it is about protecting operations and production.” 

He added that security decisions for OT and cyber-physical systems are driven by operational impact, meaning keeping production running, maintaining safety, and avoiding cascading disruption. “That shift forces organizations to move beyond perimeter defenses toward continuous visibility, segmentation, and response strategies that prioritize networks and systems that are critical to operations and production.”

Richard Robinson, chief executive officer at Cynalytica

“Cyber-physical resilience means maintaining complete asset visibility and situational awareness of critical processes, not just network monitoring,” Richard Robinson, chief executive officer of Cynalytica, told Industrial Cyber. “It requires real-time detection of events and anomalies, with particular additional attention to serial and analog ICS communications and signals that sit below Ethernet/IP layer monitoring. The fundamental shift occurs when organizations recognize that defending systems alone is insufficient; we must defend the physical processes those systems control.”

He added that “this distinction became tragic during the 2015 Ukraine power grid attack, where attackers manipulated ICS communications to disrupt electrical distribution, affecting 230,000 customers. The attack succeeded not because IT systems were weak, but because defenders focused narrowly on network security rather than understanding how digital commands translate into physical consequences in the grid itself.”

Holger Skurk, product manager for OT security for critical infrastructure at OMICRON

Holger Skurk, product manager for OT security for critical infrastructure at OMICRON, told Industrial Cyber that cyber-physical resilience is the ability to withstand attacks and recover from them so that operations can continue. “This means anticipating attacks and designing the system to withstand them. This can be achieved through redundancy and diversity. Intrusion detection systems help detect attacks early on.” 

He added that network segmentation helps reduce the speed at which attackers can spread. “However, it is also important to be able to respond quickly and effectively to attacks through defined and rehearsed responses and emergency management processes. Appropriate employee training is also part of this.”

Detecting cyber risk inside industrial processes

As cyber threats increasingly manifest inside normal industrial operations, the executives analyze how prepared organizations are to detect and respond when digital compromise begins to trigger real-world consequences. 

“One of the most common themes our cyber practitioners observe across industrial operations, especially within organizations with little to no cybersecurity governance, is the inability to detect and respond to cyber threats triggering physical consequences,” Brown said. “Many critical systems still rely on legacy technologies that lack modern security features.”

He added that while cybersecurity has historically focused on protecting IT networks, OT environments are inherently complex, making real-time anomaly detection difficult. Many organizations remain inadequately equipped to address key concepts such as IT-OT convergence and incident response due to the lack of cross-disciplinary collaboration, real-time monitoring, and adaptive recovery strategies.

Springer said that readiness is improving, but gaps remain and that’s where risk lives. “Fortinet’s 2025 OT Security Report shows many organizations still lack the visibility to detect threats early, with a significant portion continuing to experience intrusions. The core issue is that most tools are built for IT anomalies, not subtle changes in pure OT industrial processes.” 

He added that when attacks blend into normal operations, they often go undetected until physical impact occurs. The difference comes down to integration: organizations with unified IT/OT visibility, segmentation, secure remote access, and more mature OT security operations (OT SecOps) powered by near real-time OT threat intelligence detect faster and respond sooner. It’s about correlating telemetry, baselining what normal is, and acting before a cyber event becomes a physical disruption.

Most organizations remain dangerously overconfident in both their detection capabilities and preparedness, according to Robinson. “Many operators ignore serial and analog communications, the core of physical processes, and rely exclusively on Ethernet/IP visibility. This creates blind spots where compromises unfold invisibly until physical impact becomes obvious and irreversible.”

He added that the 2021 Oldsmar Water Treatment facility incident exposed this gap, when a remote attacker gained access to operational controls and attempted to alter chemical dosing with minimal detection capability on-site. “Modern detection must extend beyond network forensics to include anomaly detection in physical process behavior, combined with human-in-the-loop validation.”
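A minimal form of the process-level check that Springer and Robinson describe (baselining what normal is, then flagging commands and analog readings that leave that baseline), added here as an illustration; it is not code from the article or from any vendor quoted in it. The dosing-loop telemetry, the ppm units, the limits and the function names are all constructed assumptions.

```python
"""Process-level anomaly check for one dosing loop (added example, not from the article).

A deterministic baseline of normal operation (setpoint range, setpoint rate of
change, and how far the analog sensor may lag the setpoint) is learned from
known-good telemetry; samples outside it are flagged. A write can be well-formed
on the wire and still fail this check. All values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since the start of the window
    setpoint: float   # value the controller was commanded to hold (ppm)
    measured: float   # analog sensor reading of the same quantity (ppm)


@dataclass(frozen=True)
class Baseline:
    sp_low: float     # lowest setpoint tolerated
    sp_high: float    # highest setpoint tolerated
    max_step: float   # largest tolerated setpoint change between samples
    max_gap: float    # largest tolerated |setpoint - measured|


def learn_baseline(history, margin=1.2):
    """Build the baseline from known-good telemetry; margin widens each limit."""
    sps = [s.setpoint for s in history]
    steps = [abs(b.setpoint - a.setpoint) for a, b in zip(history, history[1:])]
    gaps = [abs(s.setpoint - s.measured) for s in history]
    slack = (max(sps) - min(sps)) * (margin - 1)
    return Baseline(min(sps) - slack, max(sps) + slack,
                    max(steps) * margin, max(gaps) * margin)


def check(baseline, prev, cur):
    """Findings for one sample as (kind, t, value) tuples; empty means normal."""
    findings = []
    if not baseline.sp_low <= cur.setpoint <= baseline.sp_high:
        findings.append(("setpoint_out_of_range", cur.t, cur.setpoint))
    if prev is not None and abs(cur.setpoint - prev.setpoint) > baseline.max_step:
        findings.append(("setpoint_step_too_large", cur.t, cur.setpoint - prev.setpoint))
    if abs(cur.setpoint - cur.measured) > baseline.max_gap:
        findings.append(("sensor_disagrees_with_setpoint", cur.t, cur.measured))
    return findings


def scan(baseline, samples, prev=None):
    """Run check() over a window; prev is the last sample of the preceding window."""
    findings = []
    for cur in samples:
        findings.extend(check(baseline, prev, cur))
        prev = cur
    return findings


# Constructed known-good window: setpoint held near 100 ppm with small operator
# adjustments, the sensor tracking within about 2 ppm.
NORMAL = [Sample(t, sp, sp + d) for t, sp, d in [
    (0, 100.0, 1.0), (10, 101.0, -1.5), (20, 101.0, 0.5), (30, 99.0, 2.0),
    (40, 100.0, -1.0), (50, 102.0, 1.5), (60, 101.0, -2.0), (70, 100.0, 1.0),
]]
# Constructed case 1: a well-formed setpoint write that is physically implausible
# for this loop; a protocol-only monitor sees an ordinary write.
SETPOINT_WRITE = [Sample(80, 100.0, 101.0), Sample(90, 1100.0, 101.5)]
# Constructed case 2: the setpoint stays normal but the analog reading drifts away
# from it, visible only in process-level (not network) telemetry.
SENSOR_DRIFT = [Sample(80, 100.0, 101.0), Sample(90, 101.0, 108.0)]
```

The first case trips all three limits at once, the second only the sensor-versus-setpoint check, which is the blind spot Robinson describes when only Ethernet/IP traffic is watched.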

Skurk pointed to a December 2025 report by ENISA showing that 43% of surveyed companies are not adequately prepared for supply chain attacks, while 37% remain unprepared for IT or OT outages. “This, of course, increases the damage that attacks can cause. Preparing for attacks is explicitly required by current security regulations (NIS2 in Europe).”

Rethinking system architecture for process-level protection

The executives address where current approaches to architecture, visibility, and IT-OT convergence fall short in protecting core processes, and what meaningful integration looks like in practice.

Brown said that IT-OT convergence is increasingly exposing weaknesses in architecture, visibility, and governance, challenges now amplified by recent CISA disclosures of internet-exposed Rockwell devices and by the rapid vulnerability discovery enabled by AI platforms such as the recently previewed Mythos.

“Many organizations still emphasize connectivity and broad visibility without establishing the people, processes, and lifecycle discipline required to sustain secure designs over time,” according to Brown. “The problem is compounded by an expanding attack surface, where exposed or misconfigured OT assets can be quickly identified and exploited at scale. The combination of real-world exposures and AI-driven discovery makes clear that traditional convergence approaches are insufficient. Effective integration must assume persistent exposure, enforce strong segmentation, minimize unnecessary connectivity, and ensure critical operations can endure and recover from compromise.”

Springer said that the biggest gap is operational fragmentation. “Many organizations still operate myopically with focus on their narrow process, not understanding how it can affect a production line or critical infrastructure operations. Additionally, with siloed tools, limited OT visibility, and inconsistent policy enforcement between IT and OT, individual systems or workflows on either side of the network can cause the production line to stop. That creates blind spots attackers can exploit.” 

He added, “Effective integration means a unified architecture, where network, security, and OT visibility are part of a single platform, combined with deep protocol awareness, zero-trust segmentation, and centralized analytics. It’s about turning telemetry into actionable insight that spans the entire attack surface, from enterprise IT to the OT industrial edge.”

“Current industry approaches fall short in three critical areas: most organizations lack visibility into legacy serial and analog communications; IT-OT convergence increases attack surface without adding compensating controls; and architecture decisions prioritize connectivity over segmentation,” according to Robinson. “Effective integration requires zero-trust principles applied specifically to OT environments, with rigorous monitoring of all communication layers, not just ‘modern’ protocols.”

He added that “organizations must also treat serial and analog processes as first-class security concerns, implement a deterministic baseline of normal operations, and establish secure data flow between IT and OT without creating unified attack paths. ISA ICS4ICS training initiatives are helping advance this understanding.”

Skurk mentioned that in many sectors, particularly the energy sector, older systems are in use that do not meet modern security requirements. “The OT equipment inventory has grown over time, and so has the asset management system. As a result, it is often unclear what configuration the devices are currently in. The resulting attack surface would need to be reduced again through additional measures and mature security processes. For example, through optimized vulnerability management. Effective attack detection then prevents attackers from spreading if they do manage to penetrate the OT network. This is entirely in the spirit of resilience.”

Why prevention-first security is falling short

The executives addressed a core concern that, amid legacy systems, expanding connectivity, and persistent threats, the industry remains overly focused on prevention rather than building the resilience needed to withstand and recover from attacks.

“Critical infrastructure operators can no longer rely primarily on prevention—blocking attacks, patching, and hardening individual assets—as the cornerstone of OT security,” Brown said. “The accelerating pace and sophistication of AI-driven threats, including capabilities that surface vulnerabilities faster than defenders can remediate them, make disruption increasingly inevitable. As a result, OT environments must pivot toward resilience: designing systems and organizations to sustain and recover critical operations under adverse conditions. This means adopting an assumed-breach mindset and prioritizing mission continuity through engineered redundancies, fail-safe mechanisms, and segmented architectures that limit cascading impacts.” 

He added that investments should shift toward capabilities that enable real-time visibility, rapid detection of process disruption, and coordinated response across cyber and physical domains. Ultimately, resilience in OT is defined not by preventing every incident, but by ensuring critical functions endure and recover quickly when incidents occur.

“Prevention alone isn’t enough in environments where uptime and safety are paramount,” Springer said. “With the increase in ransom events, uptick in geo-political attacks on critical infrastructure, and acceleration via AI, resilience means assuming compromise and designing systems that can absorb and recover from it. That includes segmentation to contain impact, automated response to isolate threats quickly, and operational playbooks that prioritize safety and continuity.” 

He added that given how quickly the threat landscape is evolving, and the velocity of targeted threats today, the organizations that will lead are the ones building for continuity of operations, not just trying to keep attackers out.

Robinson said that the industry remains excessively focused on prevention, which is impractical given the inevitability of zero-days, exploits, credentialed misuse, and operational errors. “We cannot prevent all attacks. Instead, organizations must assume compromise and build resilience: the ability to detect attacks in progress and respond before physical consequences escalate.”

He noted that “Legacy systems, expanding connectivity, and persistent adversaries make prevention-only strategies obsolete. The question is no longer ‘How do we stop all attacks?’ but ‘How quickly can we detect events and anomalies and respond to protect human safety and critical functions?’ Technology now provides us with a way to teach our systems to do this.”

Appropriate risk management is essential, Skurk said, adding that failing to implement ‘state-of-the-art’ security measures is not a viable option, either from a business or a compliance perspective. “We must prepare for the possibility that attacks will succeed. Incidentally, this preparation is also a key component of security standards. However, incident management and business continuity management in particular still have significant room for improvement.”

Restoring operations after cyber-physical impact

When a cyber incident escalates into physical impact, the executives assess what an effective response and recovery entail and whether organizations are equipped to restore safe, reliable operations.

“In an effective incident response, safety is paramount; response and recovery involve rapid, coordinated actions that mitigate damage and immediately contain threats to prevent cascading impacts,” Brown said. “Critical operations should be restored through clear communication across teams, while any degraded or partial functionality should be maintained through the use of manual overrides and redundancies.”

Overall, he noted that many organizations are underprepared due to reliance on legacy systems, insufficient training, and/or lack of incident management plans. “In addition to shifting from a reactive to a proactive cyber-physical defense strategy, organizations must invest in resilient architectures and cross-functional collaboration to ensure effective response and recovery.”

Springer detailed that operators know how to take a system offline and to restore it. “What is unique is they now rely on security teams to ensure the network is ‘safe’ and won’t be re-infected. Effective response starts with visibility and coordination, understanding what’s happening across both IT and OT in real time. From there, it’s about safely isolating affected systems, maintaining control of critical processes, and restoring operations in a controlled, validated way.” 

He added that the challenge is that many organizations lack integrated response capabilities across IT, OT, and engineering teams. “Recovery isn’t just about bringing systems back online, but ensuring the process and network are safe, stable, and trusted before resuming full operations.”

Robinson said that when cyber incidents drive physical consequences, response and recovery must prioritize human safety as the core principle. “Every organization operates at different response maturity levels, but all must establish clear escalation procedures, define safe states for critical processes, and practice recovery scenarios involving both technical teams and operators.”

He added that recovery effectiveness depends on pre-incident planning: documented safe shutdown procedures, tested communication protocols during incidents, and training through organizations like ISA ICS4ICS. Recovery is not purely technical; it requires coordinated decision-making between security, operations, and management to restore safe and reliable operations.

“It is important to have a plan in place for such situations. Of course, this plan will look different for every company. And it is essential to actually create and test this plan before an incident occurs,” Skurk said. “The first step in the event of an attack is damage containment, followed by securing evidence. The aim is to determine what the attackers did and how they were able to gain access to the system. Network monitoring systems and IDS, for example, can help with this.”

Critical infrastructure caught unprepared for cyber-physical impact

The executives analyze what uncomfortable truths the Iran conflict has exposed about the extent to which critical infrastructure operators remain unprepared when cyber operations directly shape physical outcomes.

Global conflicts in recent years have exposed vulnerabilities in the readiness of critical infrastructure operators to address the convergence of cyber activity and physical outcomes, Brown said. “In a world with ever-evolving nation-state threats to critical infrastructure, operators can’t afford to find themselves flat-footed when an inevitable cyber incident occurs, especially with the rapid evolution of AI.”

“Organizations should also have a robust Disaster Recovery Plan (DRP) and Continuity-of-Operations (COOP) plan in place – but having those practices in place is only half the battle,” he added. “Operators need to leverage preparatory activities such as Tabletop Exercises (TTX); organization-wide training and alignment of cybersecurity values in practice; and the testing and validation of the efficacy of their response plans. Organizations should never assume true readiness; maintaining an agile and dynamic approach is paramount to securing critical infrastructure.”

“The ongoing conflict has revealed Iranian APT capabilities, yet critically, few documented attacks have achieved significant operational impact on U.S. critical infrastructure,” according to Robinson. “This absence creates dangerous complacency. Industry has not treated Iranian cyber capabilities as a serious threat despite their demonstrated sophistication and intent. I believe the industry is fundamentally unprepared for an escalation in sophisticated attacks targeting critical infrastructure with explicit focus on physical outcomes.”

He added that as the conflict evolves, critical operators must abandon the assumption that Iranian threats remain theoretical. Adversaries have shown capability and intent; only opportunity and defensive maturity stand between current conditions and potential crisis.

Skurk said that at the very least, it shows that further action is needed to deal with hostile activities in cyberspace. “CISA has listed several so-called APT actors that are attributed to various states. These attackers have virtually unlimited capabilities to target critical infrastructure operators. Early detection of attacks, rapid analysis, and containment are essential for these companies and for the national economy,” he concluded.