Risk Management for Operational Technology (OT) Systems highlights the importance of applying risk assessments specifically tailored to OT environments, rather than relying solely on traditional IT-focused approaches.
Conventional IT and enterprise risk management methods often fail to adequately address OT systems―despite their critical role in sustaining and maintaining the operational status of essential infrastructure. As such, OT environments demand greater attention and specialized frameworks.
Historically, industries such as petrochemical refining and nuclear power generation have implemented comprehensive safety and risk assessments, covering every aspect of operations. These rigorous processes, refined over decades, have proven highly effective in ensuring safe, stable, and optimized production. OT computing systems within these facilities were traditionally isolated from corporate IT networks, making their performance and risk profile well-understood and reliably managed through engineered specifications.
However, the situation has changed. Modern requirements for integration, interoperability, and remote accessibility mean that formerly isolated OT systems are now increasingly interconnected with IT networks and, in many cases, the wider Internet. This connectivity introduces new vulnerabilities, exposing once-secure operational systems to external threats and sophisticated adversaries.
The authors propose a modern approach to risk management in OT, one that recognizes these new realities. This approach emphasizes proactive measures to operationally protect legacy and modern OT systems alike from tampering, intrusion, and cyberattack―ensuring that critical infrastructure can remain resilient, safe, and reliable in a connected world.
Robert Radvanovsky is an active professional in the United States with over 50 years of knowledge in security, engineering, risk management, business continuity, and disaster recovery planning and remediation. He has numerous degrees in business administration, engineering, and computer science. He has significantly contributed to establishing several certification programs, specifically in the areas of critical infrastructure protection (utilizing a holistic/all-hazards approach to CIP, rather than NERC CIP), cyber forensics, cybersecurity (encompassing IT, OT, and control systems), and incident response management. Bob has a special interest and knowledge in matters of critical infrastructure and has published numerous articles and research papers, and is considered a World-renowned expert regarding this topic. Although he has been significantly involved in establishing security training and awareness programs through his company, Infracritical, his extracurricular activities include working with several professional accreditation and educational institutions on topics such as homeland security, critical infrastructure, and cybersecurity. He is the owner of the SCADASEC mailing list for SCADA and control systems security discussion forums, while working as an active participant with several industry-related as well as U.S. government-related special interest groups pertaining to critical infrastructure protection, cybersecurity (specifically OT and control systems) and incident response management. Additionally, he has written numerous books pertaining to critical infrastructure protection and assurance, homeland security, policy management, information security and privacy, infrastructure protection law, regulatory and compliance standards for cybersecurity (specifically OT and control systems), cybercrime, transportation systems security, and more. He has authored Critical Infrastructure: Homeland Security and Emergency Preparedness (First Edition), co-authored with Allan McDougall on the Critical Infrastructure: Homeland Security and Emergency Preparedness (Second, Third, Fourth and Fifth Editions) and the Transportation Systems Security books, as well as co-authored/co-edited with Jacob Brodsky on the Handbook of SCADA / Control Systems Security (First and Second Editions) books; and, has written several chapters in numerous books pertinent to cybercrime, cyber forensics, cyber e-discovery, cybersecurity law, international cybersecurity law, international cybersecurity policy (both NATO and private-sectored), risk and governance management, and incident response management.
Steve Mustard is an industrial automation consultant with extensive technical and management experience across multiple sectors. He is a licensed Professional Engineer (PE) in Texas and Kansas, ISA Certified Automation Professional® (CAP®), UK registered Chartered Engineer (CEng), European registered Engineer (Eur Ing), GIAC Global Industrial Cyber Security Professional (GICSP), and Certified Mission Critical Professional (CMCP). Backed by more than 35 years of engineering experience, Mustard specializes in the development and management of real-time embedded equipment and automation systems and cybersecurity risk management related to those systems. He serves as president of National Automation, Inc. Mustard is a member of the Water Environment Federation (WEF) Safety and Security Committee. He was the 2021 President of the International Society of Automation (ISA) and is a Liveryman of the Worshipful Company of Engineers. Mustard writes and presents on a wide array of technical topics and is the author of Industrial Cybersecurity, Case Studies and Best Practices and Mission Critical Operations Primer, both published by ISA, and A Guide to Cybersecurity for Water and Wastewater Utilities, published by WEF. He has also contributed to other technical books, including WEF’s Design of Water Resource Recovery Facilities, Manual of Practice No.8, Sixth Edition and The Digital Twin book, published by Springer. Mustard’s previous and current client list includes: the UK Ministry of Defense; NATO; major utilities, such as Anglian Water Services and Sydney Water Corporation; major oil and gas companies, such as bp, BG Group, and Shell; Fortune 500 companies, such as Quintiles Laboratories; and other leading organizations.
