17 Sep 2025
by Gary Fildes

Operational Technology Security 2025–2026: From Compliance to Consequence Management

Guest blog by Gary Fildes, Senior Consultant at CGI

A Shifting OT Security Landscape

Operational Technology (OT) security is entering a decisive period. The release of the NCSC Cyber Assessment Framework (CAF) version 4.0 sets sharper, outcome-based expectations for resilience. Soon, the UK Cyber Security and Resilience Bill (CSRB) will introduce 24-hour incident reporting, extend regulatory oversight, and enable regulators to directly challenge senior leadership. Across Europe, NIS2 widens the definition of critical infrastructure, embedding OT security obligations into sectors from energy and transport to space and food production.

These converging frameworks make clear that assurance is twofold: evidence to regulators that statutory obligations are met, and evidence to boards that essential services can withstand disruption.

Strengths, Weaknesses, Opportunities, Threats

The landscape is best understood through a SWOT lens.

Strengths lie in CAF 4.0’s clarity across governance, segregation, and resilience, reinforced by initiatives such as the UK’s Cyber Governance Code of Practice and the Product Security and Telecommunications Infrastructure (PSTI) Act.

Weaknesses remain entrenched in legacy OT environments. Asset visibility, segmentation, and patching all lag behind, while skills shortages in OT detection and response undermine CAF outcomes C1/C2 (detect) and D1/D2 (respond).

Opportunities come from regulatory convergence. CAF 4.0, NIS2, and standards such as IEC 62443, ISO 27001, and NIST SP 800-82 can be harmonised into a unified governance stack. Assurance methods, such as technical testing via the NCSC Cyber Adversary Simulation (CyAS), scenario-based exercising, and independent audits through the NCSC Cyber Risk Assessment (CRA) scheme, provide a richer resilience picture. Emerging technologies, from AI-driven monitoring to post-quantum cryptography, allow resilience to be embedded into refresh cycles.

Threats are intensifying. The Dragos 2025 OT Cybersecurity Report highlights a rise in state-linked adversaries probing critical national infrastructure, while organised ransomware groups increasingly exploit vendor and managed service provider pathways. Even lifecycle management can be a threat: Microsoft Windows 11’s end-of-support for devices without TPM 2.0 underscores how obsolescence itself weakens resilience.

Governance: Uniting IT and OT

Perhaps the most significant shift is governance. For too long, IT has been managed under ISO 27001 and OT under IEC 62443 with little integration. CAF 4.0 objectives A1 and A2 expect boards to govern both domains holistically. Essential functions span IT and OT; consequence-of-loss scenarios must be captured across both.

This means unifying ISMS and CSMS within a single governance model, embedding assurance through testing, audit, and exercising, and ensuring governance frameworks move beyond compliance into strategic consequence management.

Linking Assurance to Today’s OT Priorities

Several themes crystallise for organisations in 2025–2026:

  • Supply Chain Automation: CAF B4.a demands observable data flows and supplier access control, requiring continuous assurance.
  • Resilience in Industrial Environments: CAF D1/D2 outcomes call for tested backups, playbooks, and multi-scenario exercising.
  • Emerging Technologies: AI enhances monitoring, while hardware refresh cycles and post-quantum crypto planning improve lifecycle resilience.
  • Standards and Policy Convergence: CAF 4.0, NIS2, ISO 27001, and IEC 62443 form the engineering grammar of OT security, enabling procurement and assurance.
  • Closing the Skills Gap: Initiatives such as the forthcoming CompTIA SecOT+ certification and the UK Cyber Security Council’s professional pathways leading to Chartership will be critical to sustaining CAF outcomes.

What Good Looks Like by End-2026

By 2026, “good” will mean boards adopting CAF-aligned governance strategies, tested through continuous assurance. IT/OT boundaries will be reinforced with strong zoning and controlled vendor access. SOCs will be ingesting OT telemetry, consequence-driven playbooks will be tested, and incident reporting will align to CSRB’s 24h incident reporting regime. Resilience will be practical, with tested, offline backups and safety-centric recovery runbooks.

Closing Thoughts

OT (and IT) security is no longer about ticking compliance boxes. With CAF 4.0, CSRB, and NIS2 converging, assurance is both a regulatory and a strategic necessity. Regulators demand proof of compliance, but boards require confidence in continuity. That dual responsibility means moving from compliance to consequence management: engineering resilience as a lived capability, not an aspiration.


Operational Technology Security Conference

Join us for techUK's inaugural Operational Technology Security Conference on Wednesday 17 September, where we will shine a spotlight on strengthening the resilience of sectors using operational technology.


Authors

Gary Fildes

Senior Consultant, CGI