The Knowledge Your OT Security Program Is Ignoring

Jeff Rotberg
January 6, 2026

We Spend Millions on Tools, and Miss the Most Powerful Signal

In the pursuit of OT resilience, we’ve become obsessed with the "digital twin": the dashboards, packet captures, and automated asset inventories that attempt to mirror our physical processes in a digital space. We invest millions to see what our devices are doing, yet we consistently ignore the most sophisticated sensors in the plant: the people who operate them.

We assume that if a dashboard is green, the system is secure. But tools have a fundamental blind spot. They can tell you a heartbeat is present, but they can’t tell you the patient is holding their breath. To find the real risks, you have to move past the screen and talk to the people who carry decades of institutional knowledge in their hands.

Beyond the Dashboard: The Reality of the Floor

When you sit down with an operator or a maintenance lead, you aren't just "chatting." You are performing a high-fidelity audit of reality. These conversations reveal the informal architecture that keeps the plant running, details that no vulnerability scanner will ever pick up:

  • The "Limp-Home" Modes: Operators know which PLC is "touchy" and requires a specific, undocumented sequence to restart safely. If security wipes that logic or locks that access, the process doesn't just stop; it breaks.
  • The Necessary Workarounds: You may see a "secure" network on paper, but a conversation reveals the 50-foot serial cable kept in a drawer because the official remote access tool lags too much to allow for precision tuning.
  • The Weight of Pressure: Tools can't feel the stress of a 2:00 AM outage. Conversation reveals how teams prioritize, and which security steps are the first to be sacrificed when system downtime occurs.

These aren't signs of a "bad" culture; they are signs of operational survival. When we ignore these stories, we aren't just missing data; we are building security models based on a version of the plant that doesn't actually exist.

Security is Already Happening (You Just Don't Call It That)

The irony of OT security is that your frontline teams are likely already performing critical security functions; they just use the language of Safety and Availability. A technician who refuses to let a vendor connect a laptop because "last time it crashed the HMI" is performing device control against an unauthorized device. An engineer who double-checks a set-point change against a paper log is performing integrity verification.

When we fail to engage in conversation, we fail to validate these existing strengths. We end up "importing" security frameworks that feel like foreign languages, rather than "exporting" the organic security behaviors that are already keeping the plant safe.

Listening as a Tool for Alignment

Traditional security asks: "Do you have the control?"

Conversational security asks: "How does this control fail when things go wrong?"

By inviting the plant floor into the security discussion, the dynamic shifts. Security stops being an IT-imposed tax and starts being a shared defense. When an operator sees their "workaround" addressed not with a reprimand, but with a more usable, secure alternative, you gain something more valuable than a firewall: agency.

If You’re Not Talking, You’re Guessing

OT security is not a static technical problem; it is a human, adaptive challenge. Your tools can give you the what, but only your people can give you the why.

If you want to move beyond compliance and toward true resilience, stop staring at the glass and start talking to the experts in the high-vis vests.

The most powerful security signal in your facility isn't a packet; it's a conversation.
