From paper to practice: how to build an effective OT cybersecurity roadmap
This article is part of the series "Evolving OT Cyber Security: from diagnostics to risk anticipation", where we explore how to turn assessments and evaluations into concrete actions.
In the previous article, we discussed the importance of a thorough assessment of the current OT cyber security landscape before defining a strategic roadmap aligned with the organisation's actual business risks. In this new article, we focus on how to turn recommendations and findings into a realistic and effective action plan, outlining the steps to design and deploy an OT cyber security roadmap that addresses the real-world challenges of industrial environments.
Industrial environments are becoming increasingly connected to external networks, making OT (Operational Technology) cyber security a strategic priority. As systems become more interconnected, threats evolve and risks multiply.
This is why organisations must tackle the challenge of moving from paper to practice, translating recommendations from reports, diagnostics and evaluations into actionable plans.
Through Telefónica Tech’s services, we help clients define a cyber security roadmap for industrial environments that aligns with frameworks such as ISA/IEC 62443 and NIST CSF, while remaining realistic about the time and cost required to implement each action.
Why build a roadmap?
A roadmap should not be seen as a simple to-do list, but as a strategic tool with actionable plans aligned with the organisation’s actual business risks. Based on our experience with dozens of clients, a well-structured roadmap serves as the bridge between technical analysis and real transformation, leading to a stronger OT cyber security posture.
Before creating the roadmap, a cyber security assessment of the industrial environment is required, covering at least the following key areas:
- Inventory of industrial assets, including detailed information (firmware, patches, EoL/EoS).
- OT traffic analysis to identify vulnerabilities, insecure protocols, attack vectors and connectivity issues.
- Assessment of existing controls, including authentication, usage control, system integrity, communication flows and availability.
Based on this data, a draft roadmap can be created, prioritising corrective and preventive actions based on criteria such as impact, cost, implementation time and cost-benefit ratio. This enables measurable milestones to be set and solutions to be adapted to the specific operational context of each facility.
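The three assessment areas listed above each produce findings that feed the draft roadmap. The script below is an added example (it is not Telefónica Tech's tooling, and the inventory, flow records, zone-to-Purdue-level mapping and the list of protocols treated as insecure are all constructed assumptions for illustration): it takes an asset inventory with lifecycle dates and a summary of captured flows, and reports assets past end-of-life or end-of-support, flows using cleartext or unauthenticated protocols, and connectivity that either involves an uninventoried device or bridges more than one Purdue level directly.

```python
from datetime import date

# Constructed sample inventory (illustrative, not client data): one record per OT asset,
# with lifecycle dates as a vendor would publish them (None = not announced).
INVENTORY = [
    {"id": "PLC-01", "type": "PLC", "zone": "L1-control",
     "firmware": "2.3", "eol": date(2022, 12, 31), "eos": date(2024, 12, 31)},
    {"id": "HMI-01", "type": "HMI", "zone": "L2-supervisory",
     "firmware": "7.1", "eol": None, "eos": None},
    {"id": "ENG-01", "type": "engineering workstation", "zone": "L2-supervisory",
     "firmware": "n/a", "eol": None, "eos": None},
    {"id": "HIST-01", "type": "historian", "zone": "L3-site",
     "firmware": "10.2", "eol": date(2027, 6, 30), "eos": date(2029, 6, 30)},
]

# Constructed flow summary, as it might be distilled from captures taken at several
# points of the plant network: who talks to whom, on which port, with which protocol.
FLOWS = [
    {"src": "HMI-01", "dst": "PLC-01", "dport": 502, "proto": "modbus"},
    {"src": "ENG-01", "dst": "PLC-01", "dport": 23, "proto": "telnet"},
    {"src": "HIST-01", "dst": "HMI-01", "dport": 443, "proto": "https"},
    {"src": "HIST-01", "dst": "PLC-01", "dport": 502, "proto": "modbus"},
    {"src": "ERP-01", "dst": "PLC-01", "dport": 502, "proto": "modbus"},  # ERP-01 is not an inventoried OT asset
]

# Assumption of this example: which protocols are reported as insecure, and why.
INSECURE_PROTOCOLS = {
    "telnet": "cleartext credentials and commands",
    "ftp": "cleartext credentials",
    "http": "cleartext session",
    "modbus": "no authentication of function codes",
}

# Assumed mapping of zone names to Purdue levels (lower = closer to the physical process).
ZONE_LEVEL = {"L1-control": 1, "L2-supervisory": 2, "L3-site": 3, "L4-enterprise": 4}


def lifecycle_findings(inventory, today):
    """Assets whose end-of-support (or, failing that, end-of-life) date has passed."""
    findings = []
    for asset in inventory:
        if asset["eos"] and asset["eos"] <= today:
            findings.append((asset["id"], "end-of-support"))
        elif asset["eol"] and asset["eol"] <= today:
            findings.append((asset["id"], "end-of-life"))
    return findings


def protocol_findings(flows):
    """Flows that use a protocol from INSECURE_PROTOCOLS, with the reason."""
    return [(f["src"], f["dst"], f["proto"], INSECURE_PROTOCOLS[f["proto"]])
            for f in flows if f["proto"] in INSECURE_PROTOCOLS]


def connectivity_findings(flows, inventory):
    """Flows involving a device missing from the inventory, or that bridge more than
    one Purdue level directly (a conduit the target architecture should not allow)."""
    by_id = {a["id"]: a for a in inventory}
    findings = []
    for f in flows:
        if f["src"] not in by_id or f["dst"] not in by_id:
            findings.append((f["src"], f["dst"], "endpoint not in OT inventory"))
            continue
        gap = abs(ZONE_LEVEL[by_id[f["src"]]["zone"]] - ZONE_LEVEL[by_id[f["dst"]]["zone"]])
        if gap > 1:
            findings.append((f["src"], f["dst"], f"bridges {gap} Purdue levels"))
    return findings


def assess(today_iso, inventory=INVENTORY, flows=FLOWS):
    """Consolidated findings: the raw material a draft roadmap is built from."""
    today = date.fromisoformat(today_iso)
    return {
        "lifecycle": lifecycle_findings(inventory, today),
        "protocols": protocol_findings(flows),
        "connectivity": connectivity_findings(flows, inventory),
    }


if __name__ == "__main__":
    for area, items in assess("2025-01-15").items():
        print(f"{area}:")
        for item in items:
            print("  ", item)
```

Each finding is tied to a named asset and a reason, which is what the next step needs: the priority of a corrective action depends on the function of the affected asset, not only on the type of weakness.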
Ultimately, a roadmap must not be a generic document, but one that is clear, measurable and tailored to the needs of each industrial environment. That is key to improving OT cyber security.
Key phases for designing an OT roadmap
Step 1: Technical assessment as a starting point
It all starts with a rigorous evaluation of the current situation at the facility. This involves:
- Reviewing all available documentation: network architecture (Purdue model), inventories of network equipment and OT devices, physical layouts, policies and operational procedures.
- Conducting meetings and technical interviews with the teams operating the industrial systems, to understand processes and specific configurations.
- Assessing the security controls already in place.
It is also highly recommended to capture network traffic at multiple points across the industrial environment to identify critical assets and existing gaps.
Step 2: Using regulatory frameworks as guidance
A meaningful OT roadmap must be anchored in regulatory frameworks that act as a compass. We rely on the following, which complement each other:
- ISA/IEC 62443 helps define security levels (SL), network segmentation, protection of industrial devices like PLCs, and specific controls by zone and asset type.
- NIST CSF structures the entire risk management lifecycle (identify, protect, detect, respond and recover), supporting the creation of policies, procedures, exercises and continuity plans.
- NIS2 adds the EU legal layer for incident reporting, executive involvement, supplier security control and governance.
Step 3: Risk-based action prioritisation
Actions must be prioritised based on the business risk associated with each industrial asset. Not all vulnerabilities carry the same impact depending on the function of the affected asset.
In addition, quick wins are identified: low-effort actions that can be implemented quickly and deliver a high return on investment in OT cyber security.
Step 4: Building the roadmap
The roadmap can be structured into two major categories, each with examples of potential actions:
- Technical initiatives: network segmentation, deployment of industrial firewalls, OT probes for monitoring, industrial endpoint protection, vulnerability management, regular scanning, remote access control, backup and restoration processes, etc.
- Organisational initiatives: policy and procedure development, training and awareness programmes, role and responsibility definition, incident response exercises, internal audits, and more.
Each initiative must be assigned an owner, a deadline, a related regulatory framework (ISA/IEC 62443, NIST or NIS2), and of course, KPIs to track progress.
Ideally, collaborative tools should be used to build the roadmap and facilitate coordination across all involved departments. It should be a joint effort between OT, IT, security, operations, maintenance and management. Without alignment, the plan will remain just another document.
Step 5: Validation and ongoing monitoring
A roadmap should not be static. It must be dynamic and subject to periodic validation to reflect newly identified risks, implemented corrective actions, or changes to industrial systems.
Progress should be monitored through metrics that clearly show how each action is evolving. This allows for the early detection of deviations and helps reprioritise actions in response to changes in the industrial environment and emerging cyber threats.
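Steps 3 to 5 describe one workflow: score each initiative, pull out the quick wins, check that every initiative carries an owner, a deadline, a framework reference and a KPI, and then watch for deviations. The following is an added example of that workflow (not Telefónica Tech's tooling or a formula from ISA/IEC 62443, NIST CSF or NIS2); the initiatives, their scores and dates, the scoring weights and the quick-win thresholds are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Initiative:
    name: str
    kind: str             # "technical" or "organisational"
    owner: str
    deadline: date
    framework: str        # ISA/IEC 62443, NIST CSF or NIS2
    kpi: str
    impact: int           # 1..5: business-risk reduction if completed
    cost: int             # 1..5: 5 = most expensive
    effort_months: int    # estimated implementation time
    progress_pct: int = 0


# Constructed initiatives (illustrative only); scores, owners and dates are invented.
ROADMAP = [
    Initiative("Segment L1/L2 with an industrial firewall", "technical", "OT network lead",
               date(2025, 12, 31), "ISA/IEC 62443", "% of control zones behind a conduit",
               impact=5, cost=4, effort_months=9),
    Initiative("Disable Telnet on engineering workstations", "technical", "OT operations",
               date(2025, 3, 31), "ISA/IEC 62443", "assets with Telnet enabled (target 0)",
               impact=3, cost=1, effort_months=1, progress_pct=40),
    Initiative("Incident response tabletop exercise", "organisational", "CISO office",
               date(2025, 6, 30), "NIST CSF", "exercise held; findings tracked to closure",
               impact=4, cost=2, effort_months=2),
    Initiative("Security clauses in supplier contracts", "organisational", "",
               date(2025, 9, 30), "NIS2", "% of OT suppliers with security clauses",
               impact=3, cost=2, effort_months=4),
]

REQUIRED_FIELDS = ("owner", "deadline", "framework", "kpi")


def missing_fields(initiative):
    """Mandatory attributes (owner, deadline, framework, KPI) that are still empty."""
    return [f for f in REQUIRED_FIELDS if not getattr(initiative, f)]


def priority_score(initiative):
    """Impact weighed against cost and implementation time; higher ranks first.
    The weighting is this example's own assumption, not a formula from any standard."""
    return round(initiative.impact * 2 / (initiative.cost + initiative.effort_months / 6), 2)


def is_quick_win(initiative):
    """Assumed quick-win rule: meaningful impact, low cost, three months or less."""
    return initiative.impact >= 3 and initiative.cost <= 2 and initiative.effort_months <= 3


def prioritise(initiatives):
    """Initiatives ordered from highest to lowest priority score."""
    return sorted(initiatives, key=priority_score, reverse=True)


def quick_wins(initiatives):
    """Names of the quick wins, in priority order."""
    return [i.name for i in prioritise(initiatives) if is_quick_win(i)]


def deviations(initiatives, today_iso, horizon_days=90):
    """Monitoring view: overdue initiatives, and those due within the horizon
    that are less than half done."""
    today = date.fromisoformat(today_iso)
    overdue, at_risk = [], []
    for i in initiatives:
        if i.progress_pct >= 100:
            continue
        if i.deadline < today:
            overdue.append(i.name)
        elif i.deadline <= today + timedelta(days=horizon_days) and i.progress_pct < 50:
            at_risk.append(i.name)
    return {"overdue": overdue, "at_risk": at_risk}


if __name__ == "__main__":
    for i in prioritise(ROADMAP):
        flag = "quick win" if is_quick_win(i) else ""
        gaps = missing_fields(i)
        note = f"missing: {', '.join(gaps)}" if gaps else ""
        print(f"{priority_score(i):5.2f}  {i.name:45s} {i.framework:14s} {flag:10s} {note}")
    print(deviations(ROADMAP, "2025-05-01"))
```

The scoring function is deliberately simple so that the team can argue about the weights in a workshop; what matters is that every initiative is ranked by the same explicit criteria, that an initiative with no owner is visible as a gap before the plan is approved, and that the same data structure answers the monitoring question in Step 5 without a second spreadsheet.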
From PowerPoint to execution
We’ve supported clients across sectors like paper manufacturing, food production and transportation in designing and executing OT roadmaps, significantly improving their industrial cyber security posture.
This ranges from defining secure network architectures and deploying advanced monitoring solutions to training technical and operational teams, implementing OT network segmentation, ensuring secure remote access and protecting industrial endpoints.
It is possible to build a robust and realistic OT cyber security roadmap, but doing so requires a shared methodology, regulatory expertise, business insight and strong commitment from those responsible for implementation.
■ Are you ready to move from paper to practice?