Where OT cybersecurity breaks down in critical infrastructure
https://economymiddleeast.com/news/where-ot-cybersecurity-breaks-down-in-critical-infrastructure/
Publish Date: 2026-06-09 05:10:00
Source Domain: economymiddleeast.com
The systems that keep power flowing and water running have always been critical. What has changed is the environment around them. Cyber threats are no longer isolated or purely technical—they are shaped by increasingly automated and often aimed at the infrastructure that underpins daily life.

At the same time, the way utilities operate is evolving. As automation platforms become more connected and software-driven, cybersecurity is no longer something layered on after the fact—it is becoming part of how these systems are designed and managed. Yet despite increased investment and attention, many organizations continue to face familiar challenges.

Not because the risks are unknown, but because the way cybersecurity is approached often doesn’t align with how operational environments actually function.

Leadership gap and operational risk multiplies

Across many utilities, cybersecurity still begins on the plant floor, handled by engineering teams juggling limited resources and competing priorities. The result is uneven. Some sites are tightly managed; others are left more exposed than anyone would like to admit. This fragmented approach becomes especially risky in operational environments where a single vulnerable facility can disrupt power distribution, water treatment, or wastewater management.

What’s often missing is clear ownership at the top. When cybersecurity sits outside the boardroom, it stays incomplete. Priorities get set by whoever has bandwidth rather than by what actually matters most. The organizations that get this right have made one fundamental shift — they stopped asking engineering teams to own a business risk and brought it upstairs.
That means making hard choices about which sites carry the greatest exposure, getting IT and OT speaking the same language, and committing real investment to incident response, secure remote access, and continuous visibility. The difference between organizations that are genuinely resilient and those that only appear to be is that the former move from reactive protection to structured, risk-based resilience.

Visibility gap and when asset visibility is incomplete

For many water and wastewater utilities, the problem starts more simply: incomplete visibility into assets across IT and OT environments. Most utilities don’t have a complete picture of what’s running across their environments — and many don’t realize how incomplete that picture is. Devices get added, remote connections get established, legacy systems stay in place long past their intended lifespan. Nobody decided to make the environment opaque. It just became that way. The risk sharpens at the points where IT and OT touch, because those intersections are exactly where adversaries look for a way in. The organizations making real progress are those who have live asset inventories, assessments on a cadence that reflects how fast environments change, and network monitoring to catch drift before it becomes exposure. That foundation doesn’t just improve security — it makes compliance more manageable and incident response faster when it counts.

Engineering gap and when cybersecurity isn’t built into operations

In critical infrastructure, cybersecurity doesn’t stop at data. It extends to the systems that move water, generate power, and keep operations running. Power generation, water treatment, and wastewater systems operate in environments where a cyber incident can translate directly into safety risks, service disruptions, or equipment damage.
And yet many cybersecurity strategies still focus heavily on IT controls, overlooking how systems behave in the real world if those controls fail.

That’s where engineering starts to play a different role. Instead of relying only on prevention, teams begin to design systems that can absorb failure—limiting what an attacker can actually do. For example, introducing physical or operational safeguards—such as delays, fail-safes, or process constraints—can prevent malicious commands from causing immediate harm. It’s a subtle shift, moving from trying to prevent every breach to managing what happens when prevention isn’t enough. Because in operational environments, resilience isn’t just about keeping attackers out. It’s about making sure systems remain stable when something goes wrong.

Organizational gap, siloed and breaking down

Many organizations still treat cybersecurity as something to install—another system to configure and maintain. But even well-designed systems don’t go very far on their own. People need to use them, trust them, and understand why they matter.

Good systems, poorly adopted — that’s the failure pattern most consistently seen. Technology doesn’t secure an environment; people operating it with confidence do. And in operational settings, that human layer is complicated. You’re working across internal OT engineers, IT colleagues with different risk mindsets, third-party vendors, and often public institutions with their own governance constraints. Getting security to work across that web requires genuine alignment — on system design, on processes that don’t create friction people work around, and on building enough trust that concerns get raised rather than quietly bypassed.
In the end, cybersecurity in critical infrastructure is less about a single solution and more about how well people and organizations work together.

Capability gap, stretched teams and difficult to sustain

Underneath most OT cybersecurity gaps is something straightforward: teams that are already fully committed, handed a responsibility that keeps expanding. OT teams run lean by design. Their job is uptime, safety, and continuity — and they do it well. Cybersecurity layered on top is a discipline that demands sustained attention as threats keep evolving. Programs that launch well can quietly degrade without ongoing expertise behind them. What works is a different model — not outsourcing security, but genuinely extending capability. Working with automation providers and specialists who understand OT environments and stay engaged across a system’s lifecycle. Regular testing, not just initial hardening. Response plans the team has actually practiced, not just filed. The goal is not to shift responsibility, but to extend capability—ensuring that cybersecurity is not a one-time effort, but a sustained and manageable part of operations.

Liam Hurley is President for the Middle East and Africa at Emerson.