Rethinking OT cybersecurity training as operators remain unprepared for converged, escalating threat landscape


As IT and OT systems continue to converge and redefine industrial strategy, outdated OT cybersecurity training is falling behind the pace and complexity of modern threats. Operators were once trained to optimize uptime above all, but are now positioned on the front lines of a cyber battlefield, a place where attacks look like equipment failure and where process safety measures can be stripped away without any notice. Too often, however, cybersecurity training is reduced to a compliance or box-ticking exercise, far removed from the real-world pressure and complexity of industrial environments.

Adversaries are increasingly focused on targeting OT environments, with cyber threats against ICS (industrial control systems) becoming more bespoke, precise, and continuous, largely driven by the capabilities of ransomware groups, nation-states, and other highly capable threat actors. These campaigns are neither broad nor opportunistic; they are built around the specific structure, legacy software, or priorities of the ICS environment they target. As a result, the stakes are consequential, the warning signs are hidden, and the margin for error is negligible.

Yet in responding to these threats and attacks, most organizations are opting for IT solutions that simply do not meet the critical needs of process control and SCADA (supervisory control and data acquisition) systems. This represents a significant gap in the understanding of critical infrastructure and OT environments, particularly where operators may lack situational awareness and experience.

OT cybersecurity training can no longer be limited to sharing information. Training needs to prepare front-line personnel to respond under real-world stress using realistic, consequence-driven situational simulations. When it is uncertain whether a disruption is a mechanical problem or a cyber-attack, and pressure from outside forces is growing, these teams need the instincts to make the right decision: to distinguish between a routine operational issue and deliberate action by an adversary.

Cyber hygiene has to extend beyond internal staff. Contractors, vendors, and third-party technicians typically have privileged access, often elevated or unrestricted, but operate with ‘little-to-no’ cybersecurity awareness compared to the cyber professionals in-house at the organization. Leaving these supply chain operators out of training creates a major blind spot for asset owners and operators, one that threat actors increasingly exploit: untrained third parties are an easy foothold for attackers moving laterally across industrial networks.

How OT training aligns safety culture with cyber realities

Industrial Cyber reached out to experts to address how OT cybersecurity training bridges the gap between a safety-first mindset and the realities of modern cyber threats, particularly among asset owners and operators trained to prioritize uptime above all else. 

Paul Shaver, global practice leader for Mandiant’s Industrial Control Systems Operational Technology Security Consulting practice

Paul Shaver, global practice leader at Mandiant’s Industrial Control Systems/Operational Technology Security Consulting practice, told Industrial Cyber that since the inception of OSHA (Occupational Safety and Health Administration) in 1971, “we have seen a significant reduction in workplace injuries, illnesses, and fatalities. Similarly, by incorporating cyber security into our daily conversations within operational technology environments, we can have a similar impact by creating a culture where the effects and impact are evaluated in operational interactions with technology.”

Steve Mustard, independent automation consultant and ISA Fellow

“Currently, many OT cybersecurity training programs attempt to distinguish cybersecurity incidents from other incidents within an operational facility,” Steve Mustard, an independent automation consultant and ISA Fellow, told Industrial Cyber. “Doing this causes operators and others to delegate responsibility for cybersecurity to ‘someone else.’ We must educate operators, engineers, and managers that a cybersecurity incident is one more cause contributing to a process upset or accident.” 

With this in place, Mustard added that personnel will be able to deploy existing proven tools and techniques to manage cybersecurity risk within a larger safety and availability context.

Mike Hoffman, technical leader at Dragos

Highlighting that the primary goal of OT cybersecurity is to defend against adversarial threats to cyber-physical systems, Mike Hoffman, technical leader at Dragos, told Industrial Cyber that these systems, which people interact with daily, carry significant Health, Safety, Security, and Environmental (HSSE) implications and are often included in existing organizational awareness programs. “Integrating OT cybersecurity into HSSE initiatives is an effective way to educate operators, engineers, maintenance staff, and support teams on cybersecurity policies, their responsibilities, and real-world risks, reinforced by examples of past industry attacks.”

David Formby, co-founder and CEO/CTO of Fortiphyd Logic

David Formby, co-founder and CEO/CTO of Fortiphyd Logic, identified that effective OT security training helps participants understand how the goals of operators and security teams are aligned, which makes it easier for them to collaborate.

“It helps operators see how their uptime and plant safety are attractive targets for ransomware gangs and nation-states, respectively,” Formby told Industrial Cyber. “And in the other direction, it helps security understand what is the most critical for the plant, so they can focus on things that empower the operators to keep some level of safe uptime in the face of modern threats.”

Marcel Rick-Cen, an OT and IIoT security consultant

Marcel Rick-Cen, an OT and IIoT security consultant, said that “it starts with why we protect OT. These systems run critical or day-to-day operations — if they fail, whole lines stop and supply chains suffer. OT devices are more vulnerable than their IT counterparts and less protected, so they need special care — think of them like our elderly citizens. Cyber training must root itself in operational awareness and show that safety and security go hand in hand.”

Zakhar Bernhardt, an OT/ICS cybersecurity consultant at anapur AG

“OT cybersecurity training must show, through real-world examples, that cyber threats today are just as critical as physical or fire hazards,” Zakhar Bernhardt, an OT/ICS cybersecurity consultant at German automation company anapur AG, told Industrial Cyber. “A malware infection can stop production the same way a broken sensor can. Operators need to see cybersecurity as a core part of keeping systems safe and running.”

Bridging culture gap in IT-OT cyber training

As IT and OT systems grow more interconnected, the executives examine whether current training programs can realistically keep pace or if they are overlooking the depth of the cultural and technical shift underway.

“I would argue that we don’t really have a choice, much like the adoption of the personal computer in the workplace, and the current-day adoption of AI; if we fail to adopt, we risk becoming obsolete,” Shaver said. “Organizations that adopt technology first also lower costs, reduce production times, improve quality, and enhance resilience – in order to make those adoptions work, our training practices have to evolve as well.”

Mustard noted that the growing interconnections and complexities of technology affect the threat, likelihood, and vulnerability elements of the risk equation. “They do not, however, change the consequence element.” 

He added that the ISA/IEC 62443-3-2 risk assessment process defines how asset owners must assess their risk from a consequence-based perspective and continually assess this risk as threats, vulnerabilities, and other external factors change. “Conversely, without implementing a comprehensive risk assessment as defined in ISA/IEC 62443-3-2, asset owners will be unable to quantify their risk posture or have confidence that this risk is being managed to a level that is as low as reasonably practicable.”

Hoffman said that the interconnectivity between IT and OT has been increasing for quite some time. “In some verticals, such as manufacturing, there is already a very tight integration between the ERP and MES systems down to the controllers on the factory floor. Nevertheless, training programs must be refreshed to account for significant technology changes, such as cloud adoption, AI usage, and beyond. As technology use cases change, awareness and technical training content must follow.” 

“It definitely needs a transformation from what it is now,” Formby recognized. “If a would-be OT security professional sees their only options for hands-on training as either something that costs as much as the down payment on their house or getting on a waitlist to travel to Idaho for a week, we will continue to gatekeep and we won’t get enough people with OT security awareness to start shifting the culture inside vendors, plants, and consultants.”

Most programs underestimate the cultural and technical gap between IT and OT, Rick-Cen said. “Many ignore the physical process entirely and fail to address the mindset. Operators think differently — they’re uptime-focused, risk-averse, and trained for predictability. If you can’t speak their language, your message won’t land. Bridging that gap requires technical know-how and soft skills.”

“Training programs must keep up with or stay ahead of changes in technology and architecture,” Bernhardt said. “One priority is teaching how to design secure IT/OT environments. Staff should not just learn how to use tools but also understand why things are done a certain way. Use real examples to explain architecture and security principles.”

Training OT personnel for a new age of cyber warfare

With critical infrastructure increasingly targeted by nation-states, the executives examine how OT cybersecurity training should evolve to reflect the ethical, strategic, and operational responsibilities now placed on frontline personnel.

Shaver said that robust training courses and practices have always been a critical component of ensuring employees have the tools they need to do their jobs safely and effectively. OT cybersecurity is simply the next set of challenges requiring end-to-end training: it starts with a fundamental understanding of how OT systems work for non-OT practitioners, and extends to more robust courses on how to leverage threat intelligence to better protect OT environments by understanding the current threat landscape and the tactics, techniques, and procedures of threat actors.

“The increased awareness of the dependency on OT has indeed created growing opportunities for nation-states to disrupt others,” Mustard said. “However, while nation-state incidents create high-profile news, most cybersecurity incidents today—according to most surveys, upwards of 80%—are caused by non-malicious or malicious authorized individuals. We should not, therefore, over-emphasize OT cybersecurity training on dealing with nation-state incidents at the expense of authorized individuals, malicious or non-malicious.” 

Mustard added that the primary reason for this is that the efficacy of cybersecurity controls varies between nation-states and non-malicious actors. “For example, physical and electronic access control is effective in preventing unauthorized access, but it is less effective when it comes to authorized users. This does not mean that asset owners should dismiss the threat of nation-state attacks; however, if they implement their security controls correctly, with a focus on consequences, they will effectively address both nation-state and non-malicious actors. ISA/IEC 62443 provides the framework for asset owners to achieve this.”

Hoffman identified that the training program content needs to be refreshed to follow the adversarial threat groups and known/documented attacks targeting where an owner/operator operates worldwide. “Suppose an operator has locations across the EU and the Middle East and in oil and gas, for example. In that case, they should track adversarial groups targeting those regions and their verticals. Weaving threat intelligence into technical and awareness training is key to bringing awareness and context to why plant personnel and OT cybersecurity individuals need to be diligent in protecting critical infrastructure.”

“Training should break down information silos by helping both frontline operators and security personnel develop a more ‘T-shaped’ skillset. We can’t expect operators to become security experts, but they need to be aware of the nation-state threat and to be able to communicate clearly with the security team,” Formby said. 

Likewise, he added that the security team doesn’t need to be control experts, but they need to understand enough to collaborate with the operators and know what matters most to the plant. “There’s a heavy burden on the operators since they are potentially the last line of defense against catastrophic consequences, so they deserve to be supported by people who understand them.”

Rick-Cen said that training should raise basic awareness among frontline staff. “They should understand where systems are vulnerable, how attackers think, and why these systems are easy targets. It’s not just about avoiding USBs — it’s about understanding the ‘why’ behind cybersecurity. That’s how we build buy-in from those closest to the process.”

“Cybersecurity training must be mandatory for all OT staff, from operators to engineers,” according to Bernhardt. “These programs should clearly show the actual threats they may face and how to handle them. Everyone in the plant should know what to do when something goes wrong, not just the cybersecurity team.”

OT exercises confront grey zone between outage and attack

The executives focus on the role of live, consequence-driven simulation exercises in preparing OT teams for incidents where reliability failures and cyberattacks are difficult to distinguish.

“Organizations must be prepared for potential cyber impacts in operational environments, which have tremendous potential to harm human life and the environment,” Shaver said. “This preparation includes incorporating cyber cause and effect into Process Hazard Analysis (PHA) and Hazard and Operability Study (HAZOP) processes. Additionally, it is critical to run cyber ranges dedicated to OT environments and practice incident response scenarios through technical and executive-level tabletop exercises.”

Mustard detailed that one of the most frequently identified gaps for asset owners is the lack of incident response planning. “Either no incident response plan exists, or if one does, there are no exercises to verify its effectiveness. Tabletop exercises are commonly used in exercises.” 

He pointed out that this is certainly better than nothing, but tabletop exercises have limited benefit: the script and injects are limited and lack unanticipated developments; creating new scenarios takes significant time and effort; the tabletop format fails to replicate the high-pressure, fast-moving nature of real cybersecurity incidents; and the format lacks the practical elements of a response.

“Live, consequence-driven exercises are significantly more effective,” according to Mustard. “Take fire drills, for example: although employees may view them as inconvenient interruptions, regular practice that involves mustering ensures a faster, more coordinated response in the event of an actual fire.”

He added that live exercises are challenging. They may require process outages to be conducted safely, and can be expensive and complex to coordinate in a 24/7/365 environment.

“Technology can help here,” Mustard mentioned. “Generative AI can be used to generate exercise scenarios based on real asset owner policies, procedures, architectures, and inventories. Immersive technologies, such as VR glasses or immersive rooms, can be used to provide personnel with a realistic environment that changes in real-time as the scenario progresses. The use of technology enables exercises to be conducted more frequently from various physical locations, and personnel can have their performance continually evaluated as situations change.”

Hoffman said from experience in running tabletop exercises (TTXs) around the globe, “focusing on consequence simulation and role-play, these exercises can significantly benefit team members who may play a part in detecting or responding to a cyber event. Operations and technical folks have been trained to think and react with instrumentation and automation system component failure in mind.” 

He added that times have changed, and the consideration of an OT cyber incident should now be embedded into operational procedures and in the minds of automation technicians, engineers, and leadership.

“Live exercises that factor in the impact to the process are critical for reducing that ‘time to diagnosis,’” according to Formby. “It forces you to take stock of all the possible data sources at your disposal that could confirm the incident, either as an attack or a normal failure. Through practice, you not only find that information faster, but often identify additional sources you could collect in the future to make it even faster.”

“Simulations matter, but OT needs its own flavor,” according to Rick-Cen. “Going full red team with exploits can be dangerous — some systems won’t recover. In OT, it’s enough to prove exposure through reconnaissance or basic interaction. That alone can be a wake-up call. And since endpoint hardening isn’t always possible, simulations should highlight the importance of upstream protection.”

Bernhardt said that just like fire drills or physical safety drills, OT cyber training must include live, realistic simulations. “People need to feel the stress and react in real time. That’s how they remember, learn, and improve. Paper exercises are not enough. Realistic pressure improves response and builds confidence.”

Beyond the checkbox: Evaluating OT cyber training effectiveness

The executives look into whether organizations are evaluating OT cybersecurity training by real-world impact, such as improved incident response and operator behavior, or merely by checking compliance boxes.

Shaver assessed that the most successful organizations train with a clear focus on potential impact. “Unfortunately, there are organizations that have neither the technical capability nor the training programs in place that will give them advantages in their ability to detect, respond, remediate, and recover from a cyber attack.” 

Mustard said it is hard to generalize, adding that “no doubt, some organizations are doing better than others in training their personnel, and some treat it as a box-ticking exercise.” 

In general, he added that publicly available cybersecurity training lacks many essential aspects that OT professionals should know: the importance of conducting a consequence-based risk assessment and implementing controls to manage the risk that this process identifies; the distinction between risk assessment and vulnerability assessment; the fact that the most common cause of a cybersecurity incident is a non-malicious authorized user; the understanding that everyone has a part to play in managing cybersecurity risk; and the importance of conducting realistic incident response exercises and maintaining incident response plans.

“Thanks to the messaging and widespread adoption of the SANS Five ICS/OT Cybersecurity Critical Controls, organizations are maturing in their OT cybersecurity programs and incident response (IR) capabilities,” Hoffman assessed. “Still, other organizations are performing TTX and other drills to meet compliance requirements. A compliance-driven cybersecurity culture can lead to ‘ticking-the-box’ mindsets, and I have witnessed those behaviors in many organizations. However, more organizations understand they lack IR capability and are genuinely trying to test their people’s and environments’ detection, response, and recovery capabilities and look for improvement.”

Formby assessed that the more mature organizations are going beyond box-ticking, but to be fair, it can be hard to measure response improvements since incidents are still (thankfully) somewhat rare. “That’s why the live exercises are so important; they are the main way you can measure your improvement.”

“In OT, the impact of training isn’t measured in click-through rates — it’s cultural,” Rick-Cen said. “Cybersecurity should be embedded into existing safety programs. Yearly safety training is already mandatory — just piggyback cybersecurity awareness onto them. That’s how you normalize it without creating fatigue.”

Bernhardt pointed out that most current training ends with a checklist or quiz, but that’s not enough. “Real impact comes from live drills and measurable results. Teams should train together: operators, engineers, red teams, blue teams, and managers. Cybersecurity is teamwork, and training must reflect that.”

Extending OT cyber training to third-party risk zone

The executives explore how organizations can extend OT cybersecurity training beyond engineers and operators to include contractors, vendors, and other third parties, many of whom have privileged access but limited cybersecurity awareness.

Shaver identified that organizations must implement role-based training programs that address their specific needs in operational environments, potential safety and environmental impacts, and regulatory requirements, similar to those found in enterprise IT.

Noting that several options are available, Mustard said that most asset owners already have some form of cybersecurity training. They should review it to ensure it truly addresses the knowledge required to manage cybersecurity risk. 

He added that asset owners can follow the example of safety training: ensure site induction training incorporates cybersecurity awareness; expand safety management to include cybersecurity, so that, for example, safety observations and near-misses include cybersecurity incidents; and withhold physical and electronic access to OT environments until personnel complete training, and require them to keep that training current.

“ISA/IEC 62443-2-4 (Security program requirements for IACS service providers) includes requirements (under SP.01 – Solution Staffing) for training of personnel involved in service provision,” Mustard said. “ISA/IEC 62443-4-1 (Product security development life-cycle requirements) includes training requirements (under SM-4 – Security expertise) for personnel involved in product development.” 

He added that asset owners can require that their personnel, contractors, vendors, and other third parties meet these requirements and/or have these certificates. 

Hoffman said that “by introducing policy and administrative procedures, companies can ensure that everyone who touches their critical infrastructure undergoes awareness training and acknowledgement of the ICS/OT acceptable use policy. This can be performed before allowing logical or physical access to ICS/OT systems.”

“One way is to treat it like safety training, how you require any guests or contractors to watch a video on your plant’s safety policies before they are allowed to step foot on your plant floor,” Formby said. “You can also develop your own security training, or use a third party that you require of anybody before they ‘digitally’ step foot in your plant network. No access is granted until the training is completed and they agree to follow your policies.”

Bernhardt concluded that “anyone with access to the OT environment, on-site or remote, should go through the same training as operators. Like electrical or fire safety, they must understand the basics: don’t plug in USBs, don’t connect personal devices, and know how to act in a cyber incident. Vendors, contractors, and third parties must not be the weakest link.”
