# Full Report
Network cybersecurity (IT and OT) and control system organizations have fundamentally different objectives and criteria when it comes to identifying and addressing cyber incidents. The Verizon Data Breach report, the Dragos 2025 Report, and the OT Impact Score are typical of OT cyber incident reporting that equates data breaches and ransomware with cyber incidents. […]
# Analysis Summary
# Morning News Roll-up 2026-03-03
## Overview
Today's report highlights a critical governance and definitional gap in Operational Technology (OT) cybersecurity. Experts warn that the industry's current focus on IT-centric "data breaches" and "ransomware" means physical control system incidents are systematically ignored, leaving critical infrastructure exposed to operational disruptions that involve no malware at all.
## Top Stories
### The Gap Between Network Security and Control System Incident Definitions
- Summary: The OT cybersecurity community is facing a "governance failure" by equating cyber incidents primarily with data breaches and ransomware (as seen in major industry reports like Verizon and Dragos). This narrow definition excludes physical control system anomalies that impact safety and reliability but may not involve typical network indicators.
- Source: hxxps://scadamag[.]infracritical[.]com/index[.]php/2026/03/03/the-ot-cybersecurity-community-continues-to-ignore-control-system-cyber-incidents-a-governance-failure-masquerading-as-a-vocabulary-issue/
### Misalignment in OT Incident Reporting Metrics
- Summary: Current reporting frameworks, such as the OT Impact Score, are criticized for focusing on network security metrics rather than engineering-centric operational impacts. This "apples to oranges" comparison hinders the ability of critical infrastructure providers to identify and mitigate process-level cyber threats.
- Source: hxxps://www[.]controlglobal[.]com/blogs/unfettered/blog/55360902/ot-cybersecurity-is-a-governance-failure-masquerading-as-a-vocabulary-issue
### The Need for Engineering-Centric Cybersecurity Training
- Summary: To address the vulnerabilities in critical infrastructure, there is an urgent requirement for both network security and engineering organizations to receive cross-functional training. This involves adopting a unified cyber incident definition that encompasses both data integrity and physical process control.
- Source: hxxps://scadamag[.]infracritical[.]com/index[.]php/author/jweiss/
---
# Main Topic
Discrepancy between Network Security (IT/OT) and Control System Cyber Incident Identification.
## Key Points
- **Definitional Failure:** Current OT reporting (e.g., Dragos 2025, Verizon DBIR) focuses almost exclusively on ransomware and data breaches, overlooking direct control system manipulations.
- **Data vs. Physics:** Network organizations prioritize data confidentiality and availability, while control system organizations prioritize physical process safety and reliability.
- **Visibility Gap:** Incidents that do not trigger traditional network IoCs (Indicators of Compromise) are often not recorded as "cyber incidents," even if the root cause is a digital system compromise.
- **Reporting Bias:** Existing impact scores are heavily weighted toward network-level impacts rather than mechanical or process-level damage.
## Threat Actors
- **Nation-State Actors:** Targeted campaigns against critical infrastructure requiring deep knowledge of industrial processes.
- **Ransomware Groups:** Mentioned as the current primary (though arguably misplaced) focus of OT security organizations.
- **Insider Threats:** Engineering staff or contractors with the ability to manipulate control logic without triggering network alerts.
## TTPs
- **Process Logic Manipulation:** Changing setpoints or control logic to cause physical damage or operational shutdown.
- **Living off the Land (OT):** Using legitimate engineering tools and protocols (Modbus, PROFINET, etc.) to execute malicious actions that appear as normal operations.
- **Bypassing Network Monitoring:** Executing commands directly at the Level 0/1 sensor and actuator layer where network-based IDS may lack visibility.
## Affected Systems
- **Industrial Control Systems (ICS/DCS):** PLC, SCADA, and HMI units managing physical processes.
- **Critical Infrastructure:** Power grids, water treatment facilities, and manufacturing plants.
- **Process Sensors/Actuators:** The physical "Level 0" hardware that is often overlooked in IT-centric security audits.
## Mitigations
- **Unified Governance:** Establish a shared definition of "cyber incident" that includes both network events and unexplained physical process anomalies.
- **Cross-Domain Training:** Engineering teams must be trained in cybersecurity basics, and IT security teams must be trained in control system fundamentals.
- **Control System-Specific Monitoring:** Implementing monitoring solutions that analyze physics-based sensor data to detect anomalies, rather than relying solely on network packet inspection.
- **Improved Reporting Frameworks:** Adopting metrics that account for mechanical wear, safety system activation, and process instability caused by cyber interference.
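As an added example (not code from the roll-up or the cited articles), the following Python sketch shows the core of the monitoring mitigation above: a mass-balance check over constructed tank telemetry that flags a level change the commanded pump state cannot explain, and records it as a control system cyber incident even though no network IoC ever fired. The tank model, rates, tolerance and sample values are assumptions.

```python
# Added example: physics-based consistency check that applies a unified
# incident definition (network IoC OR unexplained process anomaly).
# The tank model, rates and telemetry below are constructed, not real data.
from dataclasses import dataclass


@dataclass
class Sample:
    t: int            # seconds since start of window
    pump_on: bool     # pump state as reported by the PLC
    level_m: float    # tank level measured by the Level 0 sensor (metres)
    net_ioc: bool     # did the network IDS raise any alert in this interval?


# Assumed process model: pump fills at FILL_RATE m/s, outlet drains at DRAIN_RATE m/s.
FILL_RATE, DRAIN_RATE, TOLERANCE = 0.05, 0.02, 0.01


def expected_delta(pump_on: bool, dt: int) -> float:
    """Mass-balance prediction of the level change over dt seconds."""
    return ((FILL_RATE if pump_on else 0.0) - DRAIN_RATE) * dt


def physics_anomalies(samples):
    """Return (t, observed, predicted) for every interval where the measured
    level moves in a way the commanded pump state cannot explain."""
    found = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        observed = cur.level_m - prev.level_m
        predicted = expected_delta(prev.pump_on, dt)
        if abs(observed - predicted) > TOLERANCE * dt:
            found.append((cur.t, round(observed, 3), round(predicted, 3)))
    return found


def classify_incident(samples):
    """Unified definition: a network alert or a physical anomaly both count."""
    net = any(s.net_ioc for s in samples)
    phys = physics_anomalies(samples)
    if net and phys:
        return "cyber incident (network + process)"
    if phys:
        return "control system cyber incident (no network IoC)"
    if net:
        return "network security incident"
    return "no incident"


# Constructed telemetry: from t=20 the PLC reports the pump OFF, yet the tank
# keeps filling at the pump's rate and the network IDS stays silent throughout.
TELEMETRY = [
    Sample(0, True, 1.00, False), Sample(10, True, 1.30, False),
    Sample(20, False, 1.60, False), Sample(30, False, 1.90, False),
    Sample(40, False, 2.20, False),
]
```

Under an IoC-only definition this window is "no incident"; under the unified definition it is recorded as a control system cyber incident and routed to both engineering and security for root-cause analysis.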
## Conclusion
The current trajectory of OT cybersecurity is overly reliant on IT-centric methodologies. To secure critical infrastructure effectively, organizations must bridge the gap between network security and engineering. Without a governance shift that recognizes control system-specific incidents, infrastructures remain vulnerable to sophisticated attacks that bypass traditional network defenses.