Elisity Blog

Day 2: What S4x26 Made Clear: OT Security Has Moved Past Awareness.

Yesterday we covered the Day 1 sessions at S4x26, including talks on AI agent security in OT, Industrial DataOps, and OT risk mitigation. You can read that recap here. S4 has always been where the OT and ICS security community gets honest with itself. This year in Miami, the conversations felt different, both on the main stage and in the poolside cabanas. Less debate about whether OT security deserves serious investment. More urgency, and in several sessions, real candor about where the gaps still are.

Four sessions stood out. Across all of them, a consistent picture emerged: adversaries who've grown more capable and more patient, a workforce pipeline that hasn't caught up, a technical community reckoning with what "visibility" actually means, and an overdue conversation about how we explain OT risk to the people outside this room.


The Threat Has Changed Character, Not Just Scale

John Hultquist, Chief Analyst at Google Threat Intelligence Group, took the main stage for "OT Threat Predictions for the Next 1-3 Years" and opened with a prompt for security leaders to rethink how they're framing OT risk internally.

John Hultquist Presenting at S4 2026 - OT Threat Predictions For The Next 1 - 3 Years

John Hultquist, Chief Analyst at Google Threat Intelligence Group

Volt Typhoon, he argued, isn't just another espionage campaign. China-nexus actors have built a sustained, deliberate effort to pre-position inside critical infrastructure. That's not just a tactical shift. These actors may never pull the trigger. But they're building access and keeping it warm, so the option's there when they want it. As Hultquist framed it: you're already fighting a hypothetical war. By the time the decision to act gets made, getting ready won't be an option.

He also flagged a more recent signal: an FSB-linked actor known as Berserk Bear attacked energy systems in Poland. Berserk Bear has been embedded in US and European critical infrastructure networks for over a decade without ever acting on that access. Poland was the first time. Hultquist's point was clear: stop assuming dormant means harmless.

Both cases connect to something he said about AI and obscurity. OT environments have always had a quiet advantage: the technology is arcane. Most threat actors don't understand industrial protocols, the architecture, or how these systems actually behave. AI is changing that. Tools that help someone troubleshoot unfamiliar systems are turning OT's "security through obscurity" into a shrinking asset. Hultquist was clear that defensive AI is equally powerful, but his point stood: passive obscurity as a strategy has a closing window. The time for a stronger OT security program is now.

If you're running large-scale OT across manufacturing, industrial, or healthcare facilities, Hultquist's session made one thing hard to ignore: visibility and segmentation aren't compliance checkboxes. They're how you stop lateral movement once someone's already in.


Having the Right People Isn't a Soft Skill. It's a Hard Requirement.

Daryl Haegley, Technical Director of the Cyber Resiliency Office for Control Systems at the U.S. Air Force and Space Force, delivered arguably the most candid session of the day. His talk, "OT Warriors Lock It Down," opened with a confession: more than a decade of trying to convince senior military and government leaders that OT is mission-critical and that near-zero cybersecurity investment isn't acceptable. He's still frustrated.

Daryl Haegley Presenting at S4 2026 - OT Warriors Lock It Down

Daryl Haegley, Technical Director of the Cyber Resiliency Office for Control Systems at the U.S. Air Force and Space Force

NIST's cybersecurity framework defines 74 cyber roles. One covers OT. Haegley's been trying to formalize that role since 2017. A dedicated AI work role was developed in roughly 90 days. That gap says plenty about where priorities have been sitting.

He drew from his time as a naval officer on a guided missile destroyer. An engine room fire killed two crew members who grabbed handheld extinguishers to fight it, a job they weren't trained or qualified to do. No dramatic license in that story. Untrained people making confident decisions in a crisis: that's how catastrophic failures happen. OT incident response works the same way.

Haegley also walked through the zero trust pilots his office has completed on government OT environments, work that took 12 years of advocacy to actually fund. What worked and what failed both matter to enterprise security leaders evaluating zero trust for OT. His larger point: zero trust in OT isn't aspirational. You can deploy it. But only if you pair it with performance measures, repeatable processes, and people who've trained for it.

Tooling alone doesn't close the gap. Organizations that've invested in visibility platforms and segmentation still need defenders who understand how OT behaves under attack, and how it differs from IT. Exercises need to include OT scenarios. Playbooks need rehearsal, not just documentation.


Visibility Isn't a Checkbox. It's a Quality Problem.

Grant Geyer, Chief Strategy Officer at Claroty, could have made "How Complete Is Your Asset Visibility? A Metrics Answer" a deep technical session. He didn't.

Grant Geyer Presenting at S4 2026 - How Complete Is Your Asset Visibility? A Metrics Answer

Grant Geyer, Chief Strategy Officer at Claroty

His core argument: the OT security industry has been too quick to declare asset visibility a solved problem. Having a device list isn't the point. Whether that list is accurate and granular enough to support real decisions, that's the actual question.

He described Claroty's approach to "visibility quality," which builds comprehensive evidence from multiple weaker models, drawing on receiver operating characteristic (ROC) concepts that date back to US military work in the 1940s, to reach high confidence in asset identification. A single model might identify an HMI with 93% confidence. Stack multiple models whose errors are uncorrelated, and you can push that to 99%. In a healthcare setting, where misidentifying an MRI or an infusion pump carries real stakes, that gap matters.
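As an added worked example (not Claroty's code and not a description of its models), here is how the 93%-to-99% arithmetic plays out when each model's confidence is treated as a posterior against an even prior and the models' errors are assumed independent; the last function shows what happens to a majority vote when that independence assumption does not hold. The prior, the mixture model of error correlation, and the sample confidences are all assumptions made for illustration.

```python
"""Added example: fusing several weak device-identification models
whose errors are uncorrelated. Not Claroty's code; the even prior,
the correlation mixture model and the sample confidences are assumed."""
from math import comb


def stacked_confidence(confidences, prior=0.5):
    """Posterior that the shared label (say, 'HMI') is right when every
    model agrees. Each confidence is read as that model's own posterior
    against `prior`, converted to a likelihood ratio, and multiplied
    (naive-Bayes stacking, which assumes uncorrelated errors)."""
    prior_odds = prior / (1.0 - prior)
    odds = prior_odds
    for c in confidences:
        if not 0.0 < c < 1.0:
            raise ValueError("confidence must be strictly between 0 and 1")
        odds *= (c / (1.0 - c)) / prior_odds  # this model's likelihood ratio
    return odds / (1.0 + odds)


def majority_vote_accuracy(p, k):
    """Exact probability that a k-model majority vote is correct when each
    model is right with probability p and errors are independent (k odd)."""
    if k % 2 == 0:
        raise ValueError("use an odd number of voters")
    need = k // 2 + 1
    return sum(comb(k, i) * p**i * (1 - p) ** (k - i) for i in range(need, k + 1))


def correlated_vote_accuracy(p, k, rho):
    """Assumed mixture model of error correlation: with probability rho all
    models copy one shared draw (effectively one vote), otherwise they vote
    independently. rho=0 recovers majority_vote_accuracy; rho=1 gives p."""
    return rho * p + (1 - rho) * majority_vote_accuracy(p, k)


if __name__ == "__main__":
    print(f"one model at 93%:             {stacked_confidence([0.93]):.4f}")
    print(f"two agreeing 93% models:      {stacked_confidence([0.93, 0.93]):.4f}")
    print(f"93%, 85%, 80% models agree:   {stacked_confidence([0.93, 0.85, 0.80]):.4f}")
    print(f"majority of three 93% models: {majority_vote_accuracy(0.93, 3):.4f}")
    print(f"same, errors 70% correlated:  {correlated_vote_accuracy(0.93, 3, 0.7):.4f}")
```

Two agreeing 93% models land above 99% only because their errors are taken as independent; feeding the same packet fingerprint through two near-identical parsers adds nothing, which is the caveat behind "uncorrelated errors".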

His take on collection strategy was equally useful. Passive collection is essential for mapping communication pathways, understanding zones and conduits, and identifying what's talking to what. But if your goal is deep, granular inventory for exposure management, passive alone won't get you there. Active query methods, combined with passive collection, produce materially better data.

For any organization running or evaluating a microsegmentation program, this connects directly. Segmentation policies are only as strong as the identity data underneath them. An incomplete or imprecise inventory means your segmentation rests on a shaky foundation, and those gaps tend to surface at exactly the wrong moment.


OT Security Needs a Better Way to Talk About Risk

One of the more surprising sessions was Dale Peterson's panel, "A Richter Scale for OT Security Incidents." Peterson, S4's Founder and Program Chair, is proposing a simple, public-facing OT incident impact score: a zero-to-ten scale built on three dimensions: severity, reach, and duration. Multiply the three, divide by 100, and you have a single number that communicates real-world impact to the general public, to policymakers, and to the media.

Joining Peterson were Kelly Jackson Higgins, Editor-in-Chief and VP of Cybersecurity Editorial at Dark Reading; Munish Walther-Puri, Head of Critical Digital Infrastructure at TPO Group; and Robert Hanson, Associate Program Leader for National Security Infrastructure at Lawrence Livermore National Laboratory. Industry press, policy, and hard technical expertise in one room.

Dale Peterson Leading a Talk at S4 2026 - A Richter Scale For OT Security Incidents

What they're solving is a genuine problem. OT security incidents get covered in the media in wildly inconsistent ways. A minor water tank overflow generated a congressional hearing. Colonial Pipeline, which genuinely cut fuel supply to a significant portion of the eastern US, got scored by public perception more than actual impact. Without a standard, whoever talks loudest shapes the narrative.

Three things have to work for this to stick:

  • Speed - A score that publishes within 12 hours can still shape the initial narrative.
  • Independence - An organization without classified equities can say things government agencies often can't.
  • Back-testing - Credibility only accumulates if early scores hold up over time.

This is a conversation worth following. How an incident gets characterized in the first 24 hours shapes policy, budget, and public trust, sometimes for years.


Conversations in the Cabanas: What the Hallway Revealed

S4's best conversations often happen away from the main stage. This year's Cabana Sessions were no exception.

S4 Cabana Sessions

Claroty and Nozomi were both active with big booths, each making their case for OT asset visibility and threat detection. What's changed is the quality of the questions practitioners are asking. Nobody's debating whether OT visibility matters anymore. That question got settled years ago. Now practitioners want to know about integration quality, how visibility data feeds into policy enforcement, and what deployment actually costs across multi-site environments. That's a more mature conversation.

Most memorable, though, was a conversation with Joshua Corman, Executive in Residence for Public Safety and Resilience at the Institute for Security and Technology, and one of the driving forces behind UnDisruptable27. UnDisruptable27 is an initiative focused on turning national-level threat awareness into practical readiness at the local level, with a specific focus on water infrastructure and emergency healthcare. Its urgency comes directly from US government testimony about PRC actors' capability and intent to disrupt domestic infrastructure by 2027.

Corman's contribution to the conversation was something the main stage sessions touched on without fully landing: the gap between threat awareness and community-level readiness. Hospitals that lose water or power during a conflict scenario aren't just cybersecurity problems. They're life-safety problems. Equipping local leadership, infrastructure operators, and front-line teams with actionable guidance is the kind of ground-level resilience work that complements the technical investments enterprises are making.

Their work is worth your attention: securityandtechnology.org/undisruptable27.


What to Take Back to Your Organization

S4x26 didn't surface new problems. What it did was narrow the window for treating them as someone else's future problems.

Patient adversaries with AI tools are actively working to understand the OT environments that obscurity used to protect. A workforce gap in OT cybersecurity won't close without deliberate, formalized effort. Visibility quality, not just visibility coverage, determines whether your segmentation policies hold when it counts. And the industry's ability to communicate OT risk clearly to the people who fund and govern security programs is still lagging.

Across manufacturing, healthcare, and industrial facilities, these four conversations pointed at the same practical priorities:

  • Know what's on your network with real confidence.
  • Enforce policies based on device identity rather than static network position.
  • Make sure your incident response team has trained for OT scenarios, not just IT ones.

These aren't theoretical recommendations. They're the conditions that separate organizations that can contain a breach from those that can't.

At Elisity, we work with enterprises navigating these exact challenges, organizations that need to move from incomplete visibility to enforced microsegmentation without disrupting operations. If you're working through how to close those gaps, the conversation is worth having: elisity.com/demo-request.
