S4x26 Day 1 Recap: Connect, AI in OT, Industrial DataOps and OT Risk Mitigation

S4x26, the premier OT cybersecurity conference in Miami Beach, drew ICS/OT security leaders from manufacturing, critical infrastructure, and energy organizations for four days of sessions, debates, and live demonstrations. S4 isn't built for vendor showcases. Dale Peterson designed it for practitioners who want to pressure-test assumptions and build toward the future of OT security rather than react to the latest threat brief. That was obvious from the first session.

"Connect" was the 2026 theme. Industrial DataOps, AI in OT security, the debate over OT visibility, and consequence-driven OT risk mitigation ran through every session, hallway conversation, and POC demonstration on the floor today. Here's what stood out from Day 1.

What you'll learn from this S4x26 Day 1 recap:

• How AI in OT security is reshaping industrial connectivity and what security teams need to do about it now
• Why Industrial DataOps connectivity is expanding OT attack surfaces faster than most organizations realize
• The case for prioritizing OT segmentation before scaling visibility spending
• How to calculate OT Return on Mitigation (RoM) and build a board-ready business case for security investment
• A live microsegmentation demo showing IEC 62443 zone-based enforcement on an active OT network

"Connect": Opening Keynote with Dale Peterson

Session: Connect   Time / Location: 9:00 AM, Main Stage   Speaker: Dale Peterson, Founder and Program Chair, S4 Events

Dale opened with a direct challenge: OT security teams are about to face an explosion of new connections to and from industrial systems, and their job is to secure those connections, not block them. Business wins from AI-driven industrial connectivity will be too significant for the security team to simply say no. The CISO, he said, cannot be the "CS-No." Teams that thrive will be the ones who shape and govern new connected systems from the start, not the ones who discover them later.


Dale Peterson, Founder and Program Chair, S4 Events

AI needs rich contextual data to work, and that data lives in OT systems. At the Ignition Community Conference last September, Dale said he watched a team deploy an AI agent to analyze production variance across an entire manufacturing line, pull from multiple data sources, identify the top five contributing factors, and deliver results in a week. That project used to take months.

What stayed with me was a question he said he couldn't shake: do manufacturing systems have an OT cyber asset inventory? He asked every practitioner he met at that conference. Every one of them said no. But when he asked whether they'd want to connect to one if it existed, the answer shifted just as quickly to yes. That gap, between what security systems know about OT assets and what manufacturing systems could do with that information, is one of the more interesting opportunities he sees for 2026.

Third: vendor integration. For 20 years, OT security vendors competed for the same budget and avoided meaningful cross-integration. Dale argued that's changing, and the arc lines visible across the POC Pavilion on the third floor, each one representing live data sharing between different security tools, were evidence.

His main point throughout: security teams that understand what's coming, shape the architecture, and build controls to govern new connections will lead this field. Those who wait to react won't.

"Connect For Industrial DataOps" with Aron Semle

Session: Connect For Industrial DataOps   Time / Location: 9:30 AM, Main Stage   Speaker: Aron Semle, Chief Technology Officer, HighByte

Aron Semle opened with a scene anyone who's worked a factory floor will recognize. Night shift, a month into a new job at a bottled water plant, running the filler line at 1.25x speed to cover for day shift. Bottles start getting kicked out by the rejection camera, a few at a time, then more. Not enough to trip an alarm, but enough that an experienced operator notices. The old move was to find the veteran who could put his hand on the machine and tell you whether it was going to be a good day or a bad day. As Semle put it: that veteran is now AI.

Aron Semle, Chief Technology Officer, HighByte

In 15 years of industrial technology, he's never seen anything move into manufacturing environments as fast. He's watched cloud, IIoT, AR/VR, and blockchain all cycle through the hype machine. AI is different because it lowers the barrier between technology and communication. And what's standing between manufacturers and an AI-assisted operator is their data.

OT environments don't have a data shortage. They have a data coherence problem. Semle was refreshingly honest about this: he's personally helped large industrial companies connect to SQL Server 2000 databases that are 26 years old and still running. Nobody's replacing them.

What's gaining traction is the Unified Namespace, or UNS, a way to unify factory data, add context, and make it available to any consumer in a form they can use. Think of an ISA-95 hierarchy laid over existing systems, pulling from everything already there without ripping and replacing anything. Data stays in place; UNS makes it accessible. AI connects to it through protocols like MCP (Model Context Protocol), letting agents request data, surface insights, and increasingly take limited actions within defined parameters.

His demo scenario: a bottling plant where an AI agent spots extra capacity on Line 3 and moves volume to hit a shipping target. No custom dashboard, no analyst pulling reports, just a frontline worker having a natural language conversation on the floor. First technology in his career, he said, that actually makes the operator's job easier rather than asking them to adapt to it.

His ask to the security side of the room: go back and find out if a UNS initiative is already underway in your organization. If nothing else, find the data stream and test what happens when bad data gets injected. Use that conversation to get a seat at the table before the architecture is locked in.

"The Closing Panel In Prime Time": AI's Impact on OT Security

Session: The Closing Panel In Prime Time   Time / Location: 10:00 AM, Main Stage   Speakers:

• Dale Peterson, Founder and Program Chair, S4 Events
• Megan Samford, VP, Product and Supply Chain Security, Schneider Electric
• Ralph Langner, CEO, OTbase
• Zach Tudor, Associate Laboratory Director, Idaho National Laboratory (INL)

This session was originally slated for later in the week and moved to Day 1 when a speaker couldn't make it. Having these experienced and passionate experts on stage right after the morning keynotes gave the AI discussion some real edge.

Dale set the terms early: no generic commentary on AI. He pushed panelists toward specific, non-obvious insights, and they largely delivered. Everyone agreed AI is speeding things up in both directions at once, improving OT defense capabilities around anomaly detection and decision support while also lowering the skill floor for attackers. Neither is a future scenario.

Langner and Tudor pushed on regulatory and safety implications. What happens when an AI agent takes an action in an industrial environment that nobody fully anticipated? Samford grounded the conversation in practical terms from the asset owner side: for manufacturers at scale, risk language needs to shift from compliance-based to consequence-based if organizations are going to make meaningful decisions about where AI belongs in their operations and where it doesn't.

Nobody walked away with tidy answers, and that felt intentional. What the session did establish was that AI in OT security is a present-tense problem, not a horizon one. Whether organizations are building controls to govern it now or discovering that need after the fact is a question every CISO in that room was carrying.

"OT Visibility Is Overrated" with Bryson Bort

Session: OT Visibility Is Overrated   Time / Location: 11:00 AM, Main Stage   Speaker: Bryson Bort, CEO and Founder, SCYTHE; Founder, GRIMM; Co-Founder, ICS Village

That title alone was enough to fill the room.

His argument was precise: visibility is overrated relative to the budget and attention it receives, not relative to zero. A decade of chasing visibility as a primary outcome has meant underinvestment in controls that actually reduce risk. His metaphor was the drunk person looking for his keys under the streetlight, not because the keys are there, but because that's where the light is.

He built the case around a well-known incident. A Las Vegas casino's multi-million-dollar fish tank ran IoT sensors for remote maintenance. The casino knew those assets existed. They had visibility. What they didn't have was any understanding of the relationship between that fish tank and the core operational network. A nation-state actor exploited the exposed sensors and pivoted into critical systems. Estimated damage: $50 to $100 million. "It wasn't just a question of visibility," Bort said. "It was a question of relationship."

His reframe: OT cybersecurity sits in a fundamentally different position than IT security when it comes to the balance between prevention and detection. In IT, prevention is a fraction of what's achievable; detection and response carry the weight. In OT, that balance shifts. Physical consequences and operational continuity mean prevention and access control matter more.

His model for why controls matter even when they're not impenetrable: a minefield with overwatch. Any access control point can be defeated given unlimited time. Add overwatch, monitoring at the control point, and an attacker has to interact with it, which generates activity you can detect. An OT segmentation boundary doesn't just block traffic; producing visibility of attacker behavior is a byproduct.

His advice: start at ISA-95 Level 3, where traffic moves north-south between OT and IT. That's where most attackers enter and exit, and where access control and zone-based security can be established without needing a complete bottom-up inventory of every device in every zone. Work inward from there.

He closed with a line that stuck: "It's not about the visibility. It's about the action."

"Calculating Return On Mitigation" with Hector Perez

Session: Calculating Return On Mitigation   Time / Location: 1:30 PM, Stage 3   Speaker: Hector Perez, Head of Strategy, Industrial Cybersecurity, Black and Veatch

Hector Perez opened with a car analogy. Two vehicles, identical speed, identical route. One costs $50,000, the other $52,000. ROI says take the cheaper one every time. Then he revealed: the extra $2,000 is a seat belt upgrade. Now which do you choose to drive at 75 miles per hour?

Hector Perez, Head of Strategy, Industrial Cybersecurity, Black and Veatch

ROI measures speed of return. Return on Mitigation, or RoM, measures what you put at risk by not investing. Most industrial organizations run one calculation without the other.

A problem he sees consistently: a security leader asks two project managers how much risk their project will reduce, and both say "a lot." No basis for prioritization. Decisions default to politics or inertia. RoM is how you replace that conversation with one grounded in numbers.

His equation: risk equals threats multiplied by vulnerabilities multiplied by consequences. None of the three can reach zero in practice. Threats come from nation-states and criminal actors, and you can't do much about those. Vulnerabilities and consequences are where mitigation investment belongs.

Put those variables into financial terms and you have a number a CFO can evaluate. He walked through a specific scenario: OT-impacting ransomware at 0.3% annual probability and $150 million estimated loss produces $450,000 in annualized risk. Deploy segmentation and secure remote access, and probability drops to 0.1%. Annualized risk falls to $150,000. Spend $110,000 on those controls and you've generated $190,000 in annual risk reduction. Any CFO can evaluate that using the same math applied to any capital investment.

He tied RoM to digital transformation. Every new connection added to an OT environment expands the attack surface. Replace ten old flip phones with ten new iPhones running ten apps that each talk to 100 devices, and you've gone from ten connections to ten thousand. Digital transformation creates the same exponential connectivity growth. Security has to be part of the design, not something you retrofit.

His closing point was an answer to an audience question: data centers, in his view, are accumulating cyber risk faster than any other sector right now. They're building their own power substations and cooling infrastructure to support AI demand, but security investment is concentrated on the IT equipment inside the building. Power and water infrastructure, keeping those facilities operational, is frequently underprotected. For an industry obsessed with uptime, that's a significant blind spot.

Elisity POC Live Demo: Preventing Unnecessary OT Communication

Session: Elisity POC Live Demo   Time / Location: 4:00 PM, 3rd Floor, POC Pavilion   Speaker: Mike Korenbaum, Senior Director, Technical Marketing Engineer at Elisity   Moderator: Danielle Jablanski

The problem statement was simple and specific: how do you prevent unauthorized communication in OT zones without re-architecting the network? Booz Allen Hamilton had built a simulated automotive paint shop on the third floor, running real Siemens and Rockwell Automation equipment with Ignition overhead, and that became the proving ground.

Mike Korenbaum, Senior Director, Technical Marketing Engineer at Elisity, deployed Elisity Virtual Edge alongside Cisco 9200, 9300, and IE 3400 switches in the paint zone, plus two Palo Alto firewalls. Total deployment time: less than a day. OT assets discovered passively through NetFlow and syslog telemetry within minutes. Device profiles pulled context from OT security stack integrations with Active Directory, Claroty, CrowdStrike, ServiceNow, and in some cases a plain Excel spreadsheet, all feeding into the Elisity IdentityGraph™ to drive zone policy definitions.

Simulation mode let the team observe 30 days of real traffic before pushing a single enforcement rule. Zone pairs that never communicated became safe deny-all candidates without guesswork.

When enforcement hit, a contractor workstation inside the paint shop zone lost access to every PLC, sensor, and workstation in under ten seconds after a SOC-initiated quarantine. No downtime, no infrastructure changes.

During Q&A, Mike shared that in the S4x26 POC Pavilion environment, Elisity governs east-west lateral movement at the access layer where perimeter firewalls don't reach; IEC 62443 alignment is built into the zones-and-conduits design that was implemented.

S4 Welcome Party

Event: S4 Welcome Party   Time / Location: 5:00 PM, Jackie Gleason Theater at the Fillmore Miami Beach

Dale and his team outdid themselves. A full casino set up inside the Jackie Gleason Theater, a Lego station where you could build your own customized OT minifigures, food trucks outside, cool Miami evening air, and a room full of people who actually wanted to keep talking about the day's sessions. That's a good event.

Some of my best conversations happened here. Less structured than the sessions, more honest, and exactly the kind of thing that makes S4 worth the trip.

Key Day 1 Takeaways from S4x26 – Miami Beach, 2026

A few things stood out from Day 1 for anyone running security in large manufacturing or critical infrastructure environments.

• AI-driven connectivity is arriving whether security teams are ready or not. Industrial DataOps is creating new data flows across every level of the Purdue Model. Organizations that shape those architectures early, influencing zone design, data access policies, and segmentation from the start, will be in a far stronger position than those who inherit them.
• OT visibility is a tool, not a strategy. Bryson Bort's challenge to the industry was fair: prevention architecture and zone-based access control should come before you scale visibility spending. A control point creates visibility of attacker behavior as a byproduct. Working the other direction isn't guaranteed.
• Boards are starting to expect OT risk in financial terms. Hector Perez's Return on Mitigation (RoM) model gives security leaders a way to speak about OT risk using the same math finance teams already use. Segmentation and access control sit near the top of that mitigation list for good reason.
• IEC 62443 alignment is achievable without ripping and replacing. The Elisity POC showed that organizations can move from OT asset discovery to IEC 62443 zone-based policy enforcement in under 30 days on existing switching infrastructure, no network redesign required.
• Live proof matters more than marketing claims. S4's POC Pavilion was one of the most engaged spaces on the floor. Practitioners want to see claims tested in environments that look like theirs before they commit. That's a reasonable standard, and the vendors delivering on it are the ones earning attention.

Elisity is a sponsor, POC Pavilion Demo participant, and exhibitor at S4x26 in Miami Beach. Schedule a demo to learn more about Elisity's identity-based microsegmentation for OT and industrial environments platform.