Episode 32 — Build a Cybersecurity Program in OT: Risk Levels, Registry, and Maturity Assessment
In this episode, we’re going to step back from individual controls and talk about something bigger and more practical: how to build an O T cybersecurity program that can actually be operated over time. Beginners often imagine security as a collection of tools, like firewalls and monitoring systems, but in real operational environments tools only work when people know why they exist, how they fit together, and how to keep them healthy through constant change. A program is the way an organization turns security from a set of good intentions into a repeatable practice that survives turnover, vendor changes, new equipment, and shifting business priorities. In O T, that program must be built around risk levels that make sense for industrial processes, a registry that tracks what matters and why, and a maturity assessment approach that measures progress without forcing unrealistic speed. The key is to build something that supports operations, because if a program constantly disrupts production or creates unpredictable rules, it will be resisted or bypassed. By the end, you should understand what a cybersecurity program is in the O T context, how risk levels help prioritize, what a registry is and why it matters, and how maturity assessment turns security into continuous improvement instead of one-time projects.
Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
A cybersecurity program in O T can be defined as the set of governance, processes, roles, and technical practices that manage cyber risk in operational environments in a consistent way. It includes policies and standards, but it also includes how those policies are implemented, who approves changes, how incidents are handled, and how improvements are prioritized. In O T, a program must respect operational constraints like limited maintenance windows, safety requirements, long equipment lifecycles, and heavy reliance on vendors and specialized engineering teams. A common beginner misunderstanding is to think a program is mainly paperwork, but the real value is coordination. A program creates a shared way of working so that security decisions do not depend on who happens to be on shift, which vendor is present, or which manager is currently loudest. It also creates accountability, meaning there are clear owners for tasks like asset inventory, access management, patch planning, and incident response. Without accountability, programs drift into vague statements that do not change reality. With accountability, security becomes part of the operating model, which is what makes it sustainable.
Risk levels are one of the first building blocks because they help an organization decide how to apply limited resources to the most important parts of the environment. A risk level is a way to categorize systems, processes, or scenarios based on the severity of potential impact and sometimes the likelihood of certain threats. In O T, risk levels should be closely tied to safety, reliability, and operational criticality, because the impact of failure can be physical and immediate. For example, a system that influences critical process control might be assigned a higher risk level than a system used for periodic reporting, even if both are technically connected to the network. Risk levels help prioritize stronger controls for higher-risk areas, such as tighter access restrictions, more rigorous change control, deeper monitoring, and stronger recovery planning. They also help avoid wasting effort by applying the most expensive controls everywhere, which can be unrealistic and can cause operational friction. Beginners should understand that risk levels are not labels meant to shame teams; they are planning tools meant to align effort with consequence.
To make risk levels useful, they must be based on criteria that people can understand and apply consistently. In O T, those criteria often include safety impact, environmental impact, production impact, and the role of the system in maintaining stable operations. They also include dependency impact, meaning whether many other systems rely on this component, because shared infrastructure failures can create widespread disruption. Another factor is exposure, meaning how reachable the system is from other networks or remote access pathways, because exposure affects how likely it is that a weakness could be exploited. The most effective risk level models are simple enough to be used across sites but detailed enough to distinguish truly critical systems from less critical ones. If the model is too complex, people will not use it consistently, and inconsistency defeats the purpose. If it is too simplistic, everything becomes high risk, and then prioritization collapses. Beginners should learn that risk levels are a balancing act: they must be grounded in operational reality and designed to produce clear, actionable differences in how systems are managed.
The registry is the second major building block, and it is best understood as the program’s memory. In plain language, a registry is a structured record of important items and their associated information, kept so that decisions can be made based on facts instead of guesses. In O T cybersecurity, you often hear about asset inventory, but a registry is broader than a list of devices. It can include assets, networks, data flows, criticality ratings, ownership, known risks, exceptions, and planned mitigations. It can also include information about vendor support, maintenance windows, dependencies, and recovery requirements. The goal is not to create a perfect database overnight, because in many industrial environments that is unrealistic. The goal is to create a living source of truth that becomes more accurate over time and that supports day-to-day decisions. When the registry is weak or absent, teams struggle to answer basic questions during incidents, like which systems are affected, who owns them, and what normal behavior looks like. Beginners should see the registry as a safety tool for decision-making, because it reduces uncertainty when time and pressure are high.
A particularly important part of an O T registry is capturing ownership and responsibility, because technical details without owners do not lead to action. In many facilities, systems exist that everyone uses but no one feels responsible for maintaining, such as shared servers, legacy monitoring tools, or network segments that evolved over time. These become risk hotspots because issues go unresolved and changes happen without coordination. A registry can help by recording who is accountable for each system, who has authority to approve changes, and who must be involved when incidents affect that system. Ownership also matters for vendor-managed components, where the organization must still track what the vendor controls and what the organization controls. Beginners should understand that ownership is not only a management concept; it is a security control. When ownership is clear, patch decisions, access reviews, and incident response actions become possible. When ownership is unclear, risk becomes permanent because no one is empowered to fix it.
Registries also support risk management through the idea of a risk register, which is a structured list of identified risks and how they are being handled. A risk register typically records what the risk is, what systems or processes it affects, what the potential impact is, what controls exist, and what the plan is to reduce or accept the risk. In O T, this can include risks like unpatchable legacy systems, unavoidable remote access needs, fragile network dependencies, or limited monitoring in certain zones. The value of a risk register is that it prevents risks from being forgotten, and it prevents risk acceptance from becoming accidental. If a system cannot be patched, that fact should not live only in someone’s memory; it should be recorded with a plan for compensating controls, like segmentation, restricted access, and monitoring. The register also supports accountability by assigning an owner and a review schedule so that temporary acceptance does not become permanent neglect. Beginners should see the risk register as a way to keep the program honest, because it forces the organization to look at its weak points regularly and to prioritize improvements where they matter.
Maturity assessment is the third major building block, and it is how a program measures progress without relying on vague feelings. Maturity is not about being perfect; it is about how consistent, repeatable, and effective your practices are. In a low maturity environment, security may be reactive, undocumented, and dependent on individual heroes. In a higher maturity environment, security practices are routine, measured, and integrated into operations. Maturity assessment helps an organization understand where it is starting, what improvements are realistic, and what to do next. It also helps leadership see progress over time, which can support continued investment and patience, especially because O T improvements often take longer than I T improvements due to operational constraints. For beginners, a key point is that maturity assessment is not the same as compliance. Compliance asks whether you meet certain requirements, while maturity asks how well you can consistently meet those requirements and whether your practices actually reduce risk. A program can be compliant but fragile, and maturity assessment helps reveal that fragility.
When done well, maturity assessment in O T focuses on capabilities that support safe operations, not on flashy technology. It looks at whether the organization can identify and classify assets, manage access reliably, control changes safely, detect abnormal conditions, respond to incidents with clear authority, and recover systems with confidence. It also considers whether documentation is accurate, whether practices are consistent across sites, and whether exceptions are tracked and reviewed. A maturity assessment can reveal gaps like having good policies but poor enforcement, or having strong tools but weak processes for using them. It can also reveal operational realities, like maintenance windows that limit patching, which should lead to alternative strategies rather than unrealistic demands. For beginners, the takeaway is that maturity assessment is a planning tool. It helps the program choose improvements that build on each other, such as improving asset visibility before expecting advanced analytics, or strengthening change control before attempting aggressive automation. The goal is not to score points, but to build a stable foundation that supports reliable security outcomes.
An important tradeoff in building an O T cybersecurity program is the pace of improvement, because operations cannot always tolerate rapid change. A program that tries to do everything immediately may cause disruption, fatigue, and resistance, which can backfire. A program that moves too slowly may leave serious risks exposed and may lose credibility after incidents. Risk levels help set pace by highlighting where urgent improvements are needed and where slower improvement is acceptable. The registry helps set pace by revealing what is known and unknown, which prevents teams from making decisions in the dark. Maturity assessment helps set pace by showing what practices can realistically be strengthened next, given staffing, budgets, and operational constraints. Beginners should understand that program building is like building reliability into a process: you want steady improvement that is sustainable. In O T, sustainability matters because systems last a long time, and the program must be able to operate for years, not just pass an audit this quarter.
Another crucial aspect is that a program must integrate with operational routines rather than competing with them. That means aligning with maintenance planning, engineering change processes, safety review practices, and vendor management. For example, if a facility has established processes for approving equipment changes, the cybersecurity program should plug into those processes so that security review becomes part of normal change, not an extra surprise. If a facility has regular maintenance windows, the program should plan security updates and validation in those windows rather than demanding constant disruption. If vendors provide remote support, the program should define how remote access is granted, logged, and reviewed in a way that supports rapid troubleshooting while maintaining accountability. Beginners should see integration as a major success factor, because a program that lives in a separate world will eventually be ignored. A program that lives inside existing operational rhythms becomes natural, and natural practices are the ones that persist under pressure.
As we wrap up, building a cybersecurity program in O T means creating a sustainable system of governance, records, and continuous improvement that supports operations while reducing risk. Risk levels help prioritize effort based on safety and operational criticality, preventing both overreaction and neglect. A registry provides the program’s memory, capturing assets, ownership, dependencies, and known risks so decisions can be made based on reality instead of assumptions. A risk register keeps risk acceptance explicit and accountable, ensuring that exceptions are tracked and revisited rather than forgotten. Maturity assessment measures how repeatable and effective practices are, helping the organization choose practical next steps that build a strong foundation over time. When these pieces work together, security stops being a collection of disconnected projects and becomes a program that can adapt as the environment evolves. If you can explain how risk levels guide priorities, how registries make response and planning possible, and how maturity assessment drives steady improvement without disrupting production, you will understand the program-building mindset that O T security requires.