Mind The Gap: Who Owns What in OT Security?

The IT security team stops at the IT boundary. The OT engineering team doesn't think in security terms. The incident clock runs while everyone looks at each other.

Industrial Cyber describes this as "more of an organizational structural problem, not only a technical one, which is costing organizations the time they cannot afford to waste."

The Cyber Fusion Center doesn't begin by deploying a monitoring tool. It begins by building a map. And that mapping only starts once an executive sponsor exists. Without an owner who commissions the work, accountability gaps stay invisible indefinitely.

OT networks typically report to the Chief Operating Officer. IT networks report to the Chief Information Officer. These organizations were built for different missions and measure success differently. Fortinet's 2025 State of OT Cybersecurity report captures the result: 95% of organizations have C-suite ownership assigned for OT security, but only 49% have reached Level 3 or 4 solution maturity. Title-based assignment and operational accountability are two very different things.

According to Waterfall Security and ICS STRIVE's 2025 OT Cyber Threat Report, only 13% of OT attacks in 2024 directly touched OT systems. Nearly 90% caused physical impact indirectly through compromised IT systems. Attack paths flow through the IT-OT boundary precisely because it's an organizational seam, not a technical one. This article is the operational response: mapping and closing those gaps before attackers reach them.

Remote access ownership. In 2025, 46% of manufacturing companies identified remote access as their weakest security link. Shared logins, default credentials and missing per-user traceability mean organizations can't answer a basic question: who made that change?

Vendor access governance. In 2025, 42% of manufacturing companies reported a breach related to vendor access. ProArch practitioners documented a representative example: a vendor added a remote access rule granting full access from the business network into the OT environment without alerts, approvals or oversight. Nobody owned vendor access governance, so nobody caught it.

OT incident response authority. SANS Institute's 2024 ICS/OT Cybersecurity Survey found only 56% of organizations had an ICS/OT-specific incident response plan. Applying IT-centric response actions in OT environments — aggressive containment, indiscriminate isolation, automated shutdowns — can halt production or create unsafe conditions. Without a defined owner who understands both domains, response decisions get made by whoever is in the room.

Legacy system risk ownership. OT systems routinely operate for 15 to 20 years. Everyone knows the system is a risk, but nobody is willing to touch it as long as it still works. That's not negligence — it's an organizational vacuum. No one has the authority to weigh production risk against security risk and make the call.

Change window coordination. IT teams prioritize rapid patching. OT operations resist downtime. Without a defined owner to break ties, changes either don't happen, or they happen unsecured while someone accepts undocumented risk.

These five gaps carry their highest cost during active incidents. The incident response authority structure established through this mapping is the foundation for the OT-specific IR governance the CFC builds next.

The instinct is to deploy a tool. Better monitoring. Enhanced access controls. An OT-specific EDR platform. These are valid capabilities — and they fail without governance beneath them.

NIST's Cybersecurity Framework 2.0 made "Govern" its first function for a reason: governance defines roles, risk appetite and policy. Without it, technical efforts drift, duplicate or conflict. CISA's OT Asset Inventory Guidance is direct: before any inventory technology, the first step is defining governance authority. Technology without an owner defaults to misconfiguration over time.

SANS 2024 found more than 70% of organizations had conducted OT security assessments. Findings went unacted on — not because they were wrong, but because no one had authority to act. In approximately 60% of adversarial simulations, Sygnia found that OT access came via legitimate pathways: credential reuse, non-rotated passwords, oversized administrative groups. Not sophisticated attacks. Accountability failures.

The CFC accountability mapping engagement starts with stakeholder interviews across IT, OT, operations, engineering and vendor management — mapping actual ownership, not org chart ownership, against every security-relevant function.

The vCISO leads the accountability mapping from the governance side, establishing ownership frameworks and making structural decisions about who is accountable for what. The CFC operationalizes from that foundation: defined roles, documented handoffs and the ongoing ownership model that keeps accountability current.

IEC 62443-2-1 provides the role architecture: an OT Security Lead, Site OT Security Representatives and a vendor oversight function. NIST SP 800-82 specifies the minimum cross-functional team: IT staff, control engineer, control system operator, network security expert and management representation. The ICS4ICS framework defines the Incident Commander — a designated person with authority to declare an incident and the financial authority to act.

For each OT zone, the map documents trigger conditions for isolation, named authorizing persons and reconnection procedures. The CFC maintains it as a living record, updated after any significant change and validated at minimum annually.

The impact is measurable. SANS 2025 data shows regulated sites — where accountability structures are mandated — suffer approximately 50% fewer financial and safety impacts than unregulated peers despite similar incident rates. Same attack surface. Half the damage.

SANS 2024 adds the budget dimension: organizations with formal CISO ownership of ICS security are 10 percentage points more likely to have a shared IT-OT security budget, and 82% map their programs to established frameworks versus only 42% without that ownership. Accountability alone, before any tool is deployed, nearly doubles standards alignment.

Colonial Pipeline, Norsk Hydro and JBS share a common thread: attackers never touched OT systems in any of them. The operational shutdown in each case was triggered by the inability to answer one question: is our OT safe to keep running? Norsk Hydro had defined leadership accountability and made three swift decisions in minutes. Colonial had none and stumbled for days. The difference wasn't the attack. It was the map.

Building the map is the CFC's first operational work. Testing whether it holds is the Red Team's. Structured tabletop exercises apply realistic pressure to simulated IT-OT incidents, surfacing exactly where the ownership structure breaks down in practice. The CFC map is what those exercises are designed to validate.

With ownership mapped, the CFC has the organizational foundation it needs. The next question is: what does the security program built on that foundation actually look like? The honest answer, revealed through a structured maturity assessment, is almost always different from what internal teams expect.