From a CISO standpoint, uncontrolled connectivity equals uncontrolled risk.
The NCSC guidance is explicit: every OT connection must be justified by a documented business case. This requirement establishes governance discipline and auditability.
What CISOs Should Demand
Each connectivity request should define:
- Operational necessity
- Business value
- Acceptable cyber and safety risk
- Impact of compromise
- External dependencies introduced
- A named senior risk owner
This shifts accountability away from engineering teams and squarely into risk ownership structures.
The Legacy Asset Problem
Obsolete OT assets amplify risk because they:
- Cannot be patched
- Lack authentication or encryption
- Require compensating controls that rarely scale
From a risk perspective, legacy systems must be treated as untrusted by default.
Executive Insight
If leadership cannot articulate:
- Why a connection exists
- What happens when it fails
- Who owns the risk
then the connection represents unmanaged enterprise exposure.