    PILLAR ESSAY · 3 May 2026 · By Matthew Carr

    OT Security for Boards: The Questions Directors Should Ask

    What audit committees and executive teams need on the table — and what their CISOs rarely bring on their own.

    TLDR

    • OT security is now a board-level risk in any business with industrial assets — not a back-office concern.
    • The five priority questions every board should be asking are about asset visibility, third-party access, segmentation, monitoring, and incident response — in that order.
    • CISOs typically over-report on tooling and under-report on residual risk closure. That's the opposite of what boards need.
    • Regulatory compliance does not equal OT security. They overlap maybe 60% in mature sectors, less elsewhere.
    • An external annual assessment by someone who is not your incumbent vendor is the highest-ROI piece of governance hygiene most boards aren't doing.


    Most boards I sit with treat OT security as a special category — an "engineering issue" the CISO will handle, distinct from the cyber risk reviewed quarterly. That framing was reasonable a decade ago. It is no longer.

    Industrial control systems and operational technology now sit on the same balance-sheet impact tier as fraud, supply chain, and regulatory exposure. NIS2 in Europe codifies this for critical sectors. US sector regulators are signalling the same direction with TSA pipeline rules, FDA medical device guidance, and the SEC's incident disclosure regime. Insurers are repricing on the back of high-profile OT incidents. None of this is hypothetical.

    Boards therefore need to ask better questions. Not technical questions — the CISO will answer those — but the structural ones that determine whether the answers being given actually mean anything. This is a guide to what to ask, what to expect to hear, and what to do when the answers don't add up.

    01 / 07

    Why OT security is now a board-level question

    OT used to be operationally important but governance-quiet. The kit was air-gapped, the protocols were proprietary, and the IT team's domain ended at the wall of the plant. Few directors needed to know what an HMI was, let alone how it was patched.

    Three changes broke that arrangement.

    First, IT/OT convergence. Almost every plant now shares networking with corporate IT, often by accident — an integrator added a maintenance VPN, a vendor needed remote access, an ERP system pulled production telemetry. The air gap, where it ever existed, has been quietly demolished by operational necessity.

    Second, threat actor capability. Nation-state and organised criminal groups now treat OT as an attractive target, particularly in critical sectors. The 2021 Colonial Pipeline incident demonstrated that OT compromise can produce national-scale consequences within hours. Continued investment in OT-specific malware (Industroyer2, FrostyGoop) shows the trend is structural, not anomalous. Treating these as headline events that won't happen here is a poor risk model.

    Third, regulation. NIS2 is now law in the EU and operationalised across member states. US sector regulators (TSA, NERC, FDA, EPA) are issuing OT-specific cyber requirements. The SEC's 2024 incident disclosure rule applies to material OT incidents the same way it applies to data breaches. Material OT incidents are now public-disclosure events.

    Boards that don't have OT on quarterly agendas are running a regulatory and reputational exposure that D&O insurance increasingly doesn't fully cover. Putting it on the agenda is the easy part. Knowing what to ask once it's there is the harder one.

    02 / 07

    The five questions every board should ask

    These are in priority order. If you only have time for one, ask the first.

    1. What do we own, and how do we know? Asset inventory is the foundation of everything else. The question to listen for: can your CISO produce, on the call, a count of OT-connected assets within 5% accuracy? If they can't, every subsequent answer about segmentation, monitoring, and patch state is operating on guesswork. The follow-up to ask: how was that inventory built — from vendor lists, from passive network discovery, from active scanning, or from manual walkdowns? Each method has a known accuracy ceiling. Vendor lists overstate by ~30%; passive discovery understates by ~20%; only manual walkdowns combined with passive monitoring approach the truth.

    2. Who has remote access to OT, and how often does that list change? Third-party access is the single most common entry point in OT incidents. Ask how many third-party integrators, vendors, and contractors currently have credentialed access to OT environments, and what the access-recertification cadence is. You want to hear quarterly recertification, named individuals (not shared credentials), and time-bound access (revoked at engagement end). What you'll often hear is "we use a privileged access management solution" — necessary but not sufficient. PAM doesn't tell you whether the access list reflects current need.

    3. How segmented are our OT networks from corporate IT? Segmentation is the difference between a contained incident and one that turns the next quarter into a crisis. Ask for the number of network zones, the number of crossing points, and the controls at each crossing point. The right answer references a published framework — Purdue or IEC 62443 is fine. The wrong answer references "our firewall." Boards don't need to understand the technical detail; they need to hear that the architecture has been thought through against an established model.

    4. What do we monitor, and how do we know if something's wrong? Detection in OT is harder than in IT because operational engineers are trained to ignore anomalies that a security team would flag. Ask: do we have an OT-specific monitoring capability, or are we extending IT tooling? What's the ratio of alerts investigated to alerts generated? When was the last suspected OT incident, even if it turned out benign? The right answer is "we have OT-specific monitoring, we tune the alert volume to a manageable level, and the last false-positive investigation was within the last quarter." The wrong answer is "we haven't had any incidents." That answer means the monitoring isn't working.

    5. If something happens, what does the first hour look like? Incident response in OT is a different problem than in IT. The right answer references a playbook that has been tabletop-exercised in the last 12 months, includes the operations leader in the call tree (not just IT), and has pre-agreed criteria for when to take production offline. The wrong answer is "we'd call our cyber insurer." That's necessary; it's not sufficient.
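    Question 1 turns on how the inventory was built, and the method matters more than the headline count. As an added illustration, not code from the essay or from any vendor, the following Python cross-checks three constructed inventory sources (a vendor-supplied list, passive network discovery, and a manual walkdown) and applies the "within 5%" count test. Asset identifiers, the three sets, and the choice of walkdown-plus-passive-discovery as the best available estimate are assumptions made for this example; in a real environment the keys would be something stable such as serial numbers or MAC addresses rather than friendly names.

```python
from typing import Dict, Set

# Constructed sample sources; every identifier below is invented for illustration.
VENDOR_LIST = {"PLC-01", "PLC-02", "PLC-03", "HMI-01", "HMI-02", "RTU-07"}   # what the integrator says it installed
PASSIVE_DISCOVERY = {"PLC-01", "PLC-02", "HMI-01", "ENG-WS-01"}              # what was seen talking on the network
WALKDOWN = {"PLC-01", "PLC-02", "HMI-01", "HMI-02", "ENG-WS-01", "RTU-07"}   # what was physically verified on the floor


def reconcile(vendor_list: Set[str], passive_discovery: Set[str], walkdown: Set[str]) -> Dict[str, object]:
    """Cross-check the three inventory sources against each other.

    Assumption for this example: the union of the physical walkdown and passive
    network observation is the best available estimate of what is really
    connected, and the vendor list is measured against it.
    """
    best_estimate = walkdown | passive_discovery
    return {
        "best_estimate": best_estimate,
        "best_estimate_count": len(best_estimate),
        # On the vendor list but never seen on the floor or on the wire (vendor list overstates)
        "vendor_only": vendor_list - best_estimate,
        # Talking on the OT network but absent from the vendor list (nobody wrote it down)
        "unlisted_on_network": passive_discovery - vendor_list,
        # Physically present but silent on the wire, so passive discovery alone misses them
        "silent_assets": walkdown - passive_discovery,
    }


def count_within_tolerance(reported: int, reference: int, tolerance: float = 0.05) -> bool:
    """The 'within 5% accuracy' test from question 1, applied to a headline count."""
    if reference == 0:
        return reported == 0
    return abs(reported - reference) / reference <= tolerance


def overlap(a: Set[str], b: Set[str]) -> float:
    """Jaccard overlap: the fraction of the combined asset set both sources agree on."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


if __name__ == "__main__":
    result = reconcile(VENDOR_LIST, PASSIVE_DISCOVERY, WALKDOWN)
    print("best estimate of connected assets:", result["best_estimate_count"])
    print("on vendor list only:", sorted(result["vendor_only"]))
    print("on network but unlisted:", sorted(result["unlisted_on_network"]))
    print("physically present but silent:", sorted(result["silent_assets"]))
    print("vendor count within 5%?", count_within_tolerance(len(VENDOR_LIST), result["best_estimate_count"]))
    print("vendor list overlap with best estimate: %.0f%%" % (100 * overlap(VENDOR_LIST, result["best_estimate"])))
```

    Run as written, the vendor list passes the 5% count test (six assets against six) while agreeing with the best estimate on only five of seven identifiers: one listed PLC was never seen, and an engineering workstation on the network was never listed. That is the reason the follow-up question asks for the method behind the number, not just the number.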

    03 / 07

    The information CISOs should be bringing — and rarely do

    In my experience, CISOs over-report on activity (tools deployed, controls implemented, training completed) and under-report on residual risk (what's still exposed and why). Boards are typically polite about this and accept the activity report.

    Don't. The question to ask after any activity report: "What's our residual risk position now versus six months ago, and what's the trajectory?" If the CISO can't answer in plain language with quantified change, the activity report is theatre.

    The information that should be in board packs — and rarely is, in the businesses I review:

    • A live residual-risk register, scored consistently quarter-on-quarter, with the top five items called out by name and owner.
    • Year-on-year trend on time-to-detect and time-to-recover for the most recent simulated OT incident. Trend matters more than absolute numbers; a programme that's getting worse is a different story than one improving slowly.
    • Third-party access count and change versus last quarter. The direction of change is the signal. Growing third-party access without explicit business justification is a governance gap.
    • Asset inventory accuracy — and how it was measured. "100%" without a method statement is a red flag, not a reassurance.
    • A plain-English summary of the top three regulatory questions the board should be aware of in the next 12 months, with a position on whether the current programme is ahead or behind on each.

    If the board pack you're getting on OT doesn't have these, you're getting a vendor's cover sheet, not a CISO's report.
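    Question 2 in the previous section gives three concrete criteria for third-party access (named individuals rather than shared credentials, time-bound access revoked at engagement end, and quarterly recertification), and the board-pack list above asks for the access count and its change versus last quarter. As an added example, not from the essay or any PAM product, the following Python applies those criteria to a constructed access register and computes the quarter-on-quarter change. The register entries, third-party names and dates are invented, and reading "quarterly" as "recertified within the last 90 days" is an assumption made here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumption for this example: "quarterly recertification" means recertified in the last 90 days.
RECERT_WINDOW_DAYS = 90


@dataclass(frozen=True)
class AccessGrant:
    third_party: str                  # integrator, vendor or contractor
    account: str                      # credential used to reach the OT environment
    named_individual: Optional[str]   # None means a shared or generic account
    engagement_end: Optional[date]    # None means open-ended access
    last_recertified: Optional[date]  # None means never recertified
    active: bool                      # False means the grant has been revoked


def review_access(grants: List[AccessGrant], review_date: date) -> Dict[str, List[str]]:
    """Apply the three criteria from question 2 to every active grant.

    Returns account -> list of findings; accounts with no findings are omitted.
    """
    findings: Dict[str, List[str]] = {}
    for g in grants:
        if not g.active:
            continue
        issues: List[str] = []
        if g.named_individual is None:
            issues.append("shared credential")
        if g.engagement_end is None:
            issues.append("open-ended access")
        elif g.engagement_end < review_date:
            issues.append("engagement ended but access still active")
        if g.last_recertified is None or (review_date - g.last_recertified).days > RECERT_WINDOW_DAYS:
            issues.append("not recertified this quarter")
        if issues:
            findings[g.account] = issues
    return findings


def compare_quarters(previous: List[AccessGrant], current: List[AccessGrant]) -> Dict[str, object]:
    """Third-party access count and change versus last quarter, the board-pack item."""
    prev_active = {g.account for g in previous if g.active}
    curr_active = {g.account for g in current if g.active}
    return {
        "previous_active": len(prev_active),
        "current_active": len(curr_active),
        "added": sorted(curr_active - prev_active),
        "removed": sorted(prev_active - curr_active),
    }


# Constructed registers; every name and date below is invented for illustration.
REVIEW_DATE = date(2026, 4, 30)

PREVIOUS_REGISTER = [  # snapshot taken at the end of the previous quarter
    AccessGrant("Acme Integration", "acme-jsmith", "J. Smith", date(2026, 12, 31), date(2025, 12, 10), True),
    AccessGrant("Northwind Controls", "nw-plee", "P. Lee", date(2026, 2, 28), date(2025, 11, 1), True),
    AccessGrant("Northwind Controls", "nw-mkhan", "M. Khan", date(2026, 1, 31), date(2025, 10, 1), True),
]

CURRENT_REGISTER = [  # the register as it stands on the review date
    AccessGrant("Acme Integration", "acme-jsmith", "J. Smith", date(2026, 12, 31), date(2026, 3, 15), True),
    AccessGrant("Acme Integration", "acme-support", None, date(2026, 12, 31), date(2026, 3, 15), True),
    AccessGrant("Northwind Controls", "nw-plee", "P. Lee", date(2026, 2, 28), date(2025, 11, 1), True),
    AccessGrant("Globex Maintenance", "globex-remote", None, None, None, True),
    AccessGrant("Northwind Controls", "nw-mkhan", "M. Khan", date(2026, 1, 31), date(2025, 10, 1), False),
]

if __name__ == "__main__":
    for account, issues in review_access(CURRENT_REGISTER, REVIEW_DATE).items():
        print(f"{account}: {', '.join(issues)}")
    change = compare_quarters(PREVIOUS_REGISTER, CURRENT_REGISTER)
    print(f"active third-party accounts: {change['previous_active']} -> {change['current_active']}")
    print("added:", change["added"], "removed:", change["removed"])
```

    On this register the script flags a shared Acme support account, a Northwind engineer whose engagement ended two months ago but still has access, and an open-ended Globex account that has never been recertified; the count has gone from three to four with no recorded justification. That is the shape of answer the board is looking for: findings by name, with the direction of change, not a statement that a PAM tool is in place.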

    04 / 07

    Reading the regulatory horizon

    The regulatory landscape is moving faster than most boards' refresh cycles. Three frameworks deserve specific attention in the next year.

    NIS2 (EU). Operationalised in 2024, applies to most sectors with critical infrastructure exposure. Personal liability for senior management is a notable feature — director-level governance failures can attract individual accountability, not just corporate fines. If your business operates in EU member states and hasn't done a NIS2 readiness review, that's the gap. The first regulator to bring an enforcement action against a director personally will reframe the board conversation industry-wide.

    TSA pipeline / sector-specific (US). Pipeline operators have specific cybersecurity directives with audit teeth. Other US sectors are following the same pattern at varying speeds — chemical, water, healthcare, transportation. The SEC's 2024 incident disclosure rule overlays the whole landscape: material incidents (and OT incidents are usually material) require timely public disclosure. "Material" determination is the board's call, and getting that wrong has begun to attract its own enforcement attention.

    EU AI Act and sector AI guidance. This isn't OT-specific yet, but the trajectory matters: OT increasingly includes AI-driven control systems, predictive maintenance, and autonomous decision systems. Boards should be asking how the AI Act and sector AI guidance will intersect with their OT environment over the next 24 months. The answer is rarely yet rehearsed.

    Compliance with all three is necessary. Compliance with all three is not the same as security. The two overlap in mature sectors (energy, finance) more than they do in less mature ones (manufacturing, water, regional logistics). Don't confuse a clean audit with a sound risk position.

    05 / 07

    Three failure modes to watch for

    The patterns I see most often in boards that get caught flat-footed:

    The single-vendor failure. The OT security programme is run by one outsourced vendor with no independent oversight. Vendors aren't malicious, but they have an obvious conflict: their job is to keep the contract. Independent annual review is governance hygiene that boards take for granted in financial audit and consistently skip in cyber. The cost of an independent annual review is typically 10–15% of the total programme spend; the cost of not having one is the residual confidence interval on every assurance the incumbent vendor provides.

    The compliance-ceiling failure. The programme is calibrated to pass the audit, not to defend the business. This produces predictable output: clean reports, weak detection, and the kind of incident that becomes a public learning moment. Audit and security are different problems with overlapping tooling. A programme that has stopped finding issues isn't necessarily mature; it may be looking in places it knows are clean.

    The centralised-IT failure. Cyber reporting is owned by the CIO, who has organisational incentive to underreport OT issues that look like IT failures. Separate the OT cyber risk reporting line — at minimum a dotted line to the audit committee — and you de-risk this in a single board cycle. Boards that try to fix it through the CIO's existing reporting are usually fixing the wrong thing.

    06 / 07

    Building the cadence

    OT security at the board level is best handled as a quarterly fixture, not a special-topic deep dive. A suggested rhythm:

    Q1: Asset inventory and access management review. The "what do we own" question.

    Q2: Segmentation and architecture review. The "how is it isolated" question.

    Q3: Detection and monitoring review. The "would we know" question.

    Q4: Incident response and tabletop exercise. The "what happens" question.

    This rotation keeps OT on the agenda continuously, builds director familiarity over time, and ensures all five priority questions are revisited annually. Add an annual external review across all four — done by someone who is not your incumbent vendor — and you have a defensible governance posture. "Defensible" is the right word: the regulator, the litigator, and the insurer all ask variants of the same question after an incident, which is whether the board exercised reasonable oversight. A documented quarterly cadence with documented external review is what reasonable oversight looks like in 2026.

    07 / 07

    When to call an outside advisor

    Not every OT cyber question needs an external advisor. The patterns where one is genuinely useful:

    • The board has materially diverging views on OT risk and needs an independent third party to surface the actual position. Internal disagreement that has gone two cycles without resolution is the signal — by cycle three, positions harden and the conversation becomes political.
    • There's been an incident, even a minor one, and the post-mortem feels too internal. Internal post-mortems systematically underweight the failures everyone present is implicated in. An external review either confirms the internal narrative (which strengthens it) or surfaces what the internal team can't see.
    • Regulatory pressure is intensifying and the existing programme was built for a quieter era. Programmes designed pre-NIS2 frequently miss the personal-liability dimension — they were built to satisfy audit, not to protect the directors signing off on it.
    • M&A activity makes the OT environment heterogeneous overnight. This is the most under-resourced governance gap in PE-owned operating companies, where post-acquisition cyber due diligence is typically a checkbox and the integrated environment becomes a unique risk surface that nobody has independently assessed.
    • A new senior leader (CEO, CFO, board chair) needs an independent baseline before signing off on the programme they inherited. Inheriting an unassessed programme is a personal liability question more often than incoming executives realise.

    CONCLUSION

    OT security is a governance question now, not a technical one. Boards that treat it as the latter outsource the entire problem to people whose job is to deliver good news. The questions in this guide aren't technical because the answers aren't where the board's value lies. The board's value is in the questions themselves — and in noticing when the answers don't quite add up.

    If your board pack doesn't include answers to all five priority questions, that's the next agenda item. If it does, keep asking.

    FAQ

    Frequently asked questions

    What's the difference between OT security and IT security from a board perspective?

    IT security is concerned primarily with information confidentiality and integrity. OT security adds availability and physical safety as primary concerns — production downtime and safety incidents have direct, often regulated, business impact. Boards typically have IT cyber on the agenda and miss the additional OT dimensions. The questions that matter at board level are largely the same in shape; the consequences of getting the answers wrong are different.

    How often should boards review OT security?

    Quarterly is standard for businesses with material OT exposure. Annual reviews are too infrequent for the regulatory and threat-actor velocity of 2026. More often than quarterly tends to drift into operational detail that doesn't belong at the board level. The four-quarter rotation in this guide — inventory, segmentation, detection, response — covers the priority questions in a single year without crowding out the rest of the board agenda.

    Should OT cybersecurity report to the CISO or to operations?

    Functionally to the CISO, with an additional reporting line to the operations leader and a dotted-line briefing path to the audit committee. Pure CIO/CISO ownership without operations input misses the operational reality. Pure operations ownership misses the cyber capability. Both are wrong individually. The dotted line to the audit committee is what closes the failure mode where OT issues get filtered through CIO incentives.

    What does NIS2 require of boards specifically?

    NIS2 introduces personal management liability for cybersecurity governance failures in covered sectors. In practice this means boards need documented evidence of governance: minutes showing OT cyber discussion, evidence of independent review, and demonstrable risk-reduction trajectory over time. The compliance text is one thing; the enforcement reality, once the first cases land, will reframe the conversation. Boards that have already moved to a quarterly cadence with external review are positioned ahead of that.

    How much should mid-size organisations spend on OT security?

    There's no clean ratio because variation by sector and asset criticality is too wide, but a useful sanity check: if your OT cyber spend is less than 0.5% of OT operational budget, the programme is almost certainly under-resourced for the regulatory environment of 2026. Mature sectors are typically running 1–3%. Spend ratio alone doesn't tell you whether the money is well-deployed; for that, the residual-risk register and external review matter more than the line item.
