The Accountability Map: Who Really Owns OT Risk?

In May 2021, attackers compromised a single legacy VPN account at Colonial Pipeline. No multi-factor authentication. Likely unmonitored. Possibly unknown to the security team.

What followed: 5,500 miles of pipeline shut down for nearly a week, fuel shortages across the U.S. East Coast, a $4.4 million ransom payment and a national emergency declaration.

What gets less attention is why. Colonial's operational technology systems were never directly compromised. The attackers touched IT. But Colonial still shut down its entire pipeline, because nobody could quickly answer one question: Is our OT safe to keep running?

That question requires documented ownership of OT risk, clear boundaries between IT and OT, and defined decision authority. Colonial didn't have those things. After the incident, TSA's initial security directive prioritized accountability over technical controls, requiring operators to designate a Cybersecurity Coordinator with defined responsibilities and 24/7 availability, well before mandating specific technical remediation.

More than half of organizations now say the CISO is responsible for OT security, according to Fortinet's 2025 State of Operational Technology and Cybersecurity Report. 95% report C-suite responsibility for OT security. The numbers suggest the governance problem is largely solved.

Only 35% of those organizations, however, report having a mature, fully integrated IT/OT security operations model. As PwC's 2025 OT security research notes, accountability for OT risk "typically spans security, operations, engineering and compliance," with no one coordinating it, resulting in "funding gaps, decision-making paralysis and disorganized incident response."

A title change is not an accountability map. The gap between nominal ownership and functional ownership is exactly where the risk lives.

The accountability gap is not a coordination failure. It's a design consequence.

IT security follows the CIA triad: confidentiality, integrity, availability, in that order. OT engineering inverts those priorities: availability first, then integrity, then confidentiality. Production uptime and physical safety are paramount. A control system taken offline to prevent a breach hasn't protected the organization. It may have created a different crisis.

The equipment lifecycles compound the divide. IT infrastructure refreshes every three to five years. OT environments run equipment for 15 to 20 years or more, where even applying a patch qualifies as a high-risk operation that may require a planned production stoppage. Neither approach is wrong. They were designed for different operational realities.

The reporting lines rarely converge below the C-suite. IT security reports to the CISO or CIO. OT engineering reports to the plant manager or VP of operations. Coordination must happen laterally, without structural authority, between teams that don't share vocabulary, tooling or metrics. A survey cited in ISACA Journal found that 68% of senior managers admitted miscommunication involving IT or security teams contributed to at least one cybersecurity incident in their organizations.

Remote access is the most consistently unowned gap. Many organizations have no uniform solution and no documented owner for who approves, manages and monitors external connections to industrial systems. SANS' 2025 State of ICS/OT Security found that despite MFA improvements, gaps persist in remote access segmentation and vendor-managed access controls.

Vendor and third-party access is where the gap becomes invisible. Third-party integrators and maintenance providers routinely access OT networks without a named owner restricting or vetting that access. IT may set policies it lacks OT context to enforce. OT manages the relationships without applying security controls. Nobody owns the boundary.

OT incident response is where unclear accountability becomes dangerous. According to SANS 2024, 28% of organizations still lack an ICS/OT-specific incident response plan. Applying IT-centric tactics — aggressive containment, automated shutdowns, indiscriminate isolation — in an OT environment can halt production, damage equipment or create unsafe conditions. The question that consistently has no documented answer: who makes the call to isolate a production system?

Identity and access is where the patterns become striking. In approximately 60% of adversary simulations across multiple industries between 2022 and 2025, access to OT was achieved via legitimate pathways, not exploits. Credential reuse, non-rotated passwords, oversized administrative groups, missing MFA. These weren't sophisticated attacks. They were accountability failures.

OT environments have their own capital budgets controlled by operations and engineering. IT security has separate budgets controlled by the CISO and CIO. When nobody controls a shared OT security budget, investments fall into the gap. SANS 2024 found that 38% of organizations have a shared IT-OT budget, rising to 48% when the CISO formally leads OT security. Budget clarity follows ownership clarity.

The talent gap reinforces it. SANS 2024 found that 51% of the ICS/OT security workforce lacks ICS/OT-specific certifications. IT professionals are trained for TCP/IP networks. OT engineers are trained for industrial protocols and process control. Without someone who speaks both languages, accountability stays incomplete: IT owns the firewall, OT owns the PLC, nobody owns the boundary.

The accountability mapping exercise answers seven questions most industrial organizations have never formally resolved: Who owns remote access security? Who vets vendor access? Who makes isolation decisions during an incident? Who owns compensating controls for legacy systems that can't be patched? Who controls the OT security budget? Who owns IT-OT boundary decisions? Who coordinates response across both teams?

Those seven questions produce documented ownership, defined handoffs, escalation paths and governance that bridges both worlds.

The impact data is consistent. SANS 2025 found that regulated sites experience roughly the same number of cyber incidents as their peers but suffer approximately 50% fewer financial and safety impacts. Same attack surface. Half the damage. SANS 2024 adds specifics: when a CISO formally leads ICS/OT security, 82% of those programs are mapped to standards; without centralized governance, that number falls to 42%. Ownership alone, before any tool is deployed, nearly doubles standards alignment.

The OT vCISO brings accountability assignments that are operationally realistic, not just organizational chart entries. That distinction — between a theoretical statement and a policy that actually works in an industrial environment — is domain knowledge. It's what makes the map functional.