From-Reflection-to-Action-Blog

What Does a Realistic OT Cybersecurity Baseline Actually Look Like?
From Reflection to Action by an OT Cybersecurity Practitioner

Across the previous series (Part 1, Part 2, Part 3 & Part 4), I reflected on governance behaviour, visibility gaps, incentives, and the tendency to wait for perfection.

A consistent theme emerged: maturity stalls not because organisations do not care, but because progress feels complex, constrained, or politically difficult. The natural follow-on question is simple:

If perfection is unrealistic, what does a sensible starting point actually look like?

In practice, a realistic OT cybersecurity baseline is rarely about advanced tooling or architectural transformation. It is about clarity, visibility, and control over the fundamentals.

A baseline should answer a few straightforward questions:

  • Do we know what we have?
  • Do we understand how it is connected?
  • Do we know where the highest operational risks sit?
  • Are basic access controls enforced consistently?
  • Are there clear owners for remediation decisions?

This sounds simple, but in many environments, these foundations are incomplete, fragmented, or undocumented.

A realistic baseline does not require a perfect asset inventory. It requires a usable one. It does not demand ideal network segmentation. It requires reducing unnecessary exposure where it is practical and safe to do so. It does not mean eliminating all legacy risk. It means identifying the risk that genuinely matters to operations and making deliberate decisions about it.

In OT environments, cybersecurity cannot be separated from safety, uptime, and operational continuity. A baseline must therefore be operationally grounded. Controls that disrupt maintenance cycles, create engineering friction, or introduce untested change will struggle to survive.

More mature organisations treat the baseline as a living reference point rather than a static milestone. It is something to stabilise first, then improve incrementally. Each step should be deliberate, sequenced, and aligned with operational windows rather than imposed artificially.

Importantly, a baseline also includes governance clarity. Who owns decisions? Who accepts residual risk? How are exceptions tracked? Without this structure, technical improvements often lose momentum.

None of this is particularly sophisticated. That is the point.

OT cybersecurity maturity rarely accelerates because of complexity. It accelerates because organisations stabilise the fundamentals and build from there.

In my experience, the organisations that progress most effectively are not those with the most ambitious roadmaps. They are those that establish a pragmatic baseline early, make risk visible in operational terms, and improve steadily rather than sporadically.

Perfection is not the objective. Control is. Establish a baseline you can operate from, and progress becomes deliberate rather than accidental.

By Serkan Yusuf (February 2026)

Featured articles
What Does a Realistic OT Cybersecurity Baseline Actually Look Like?
Progress Beats Perfection in OT Cybersecurity
Actions Follow Incentives, Not Policies.
OT cybersecurity strategy decisions are made far from where operational reality lives.
Operational risk doesn’t live where decisions are most comfortable.
ICS Patching
When Should We Patch ICS Assets?
Premium online guides

Related articles

All articles