Presenters:
This talk zeroes in on the disconnect between what security testers think they’re evaluating and what asset owners actually care about. In OT environments especially, that gap leads to findings that don’t translate into meaningful risk reduction.
Key takeaways
- Tester intent ≠ operational reality
  - Pentesters focus on technical exploits and attack paths
  - Asset owners care about safety, uptime, and process impact
  - The two perspectives rarely align
- Findings often lack real-world context
  - Reports highlight what can be exploited, but not what would actually matter operationally
  - This creates noise instead of actionable insight
- Risk is defined differently in OT
  - IT: data loss, access, confidentiality
  - OT: physical impact, downtime, safety risks
  - If findings don’t map to these, they get deprioritized
- Communication is the failure point
  - Security teams speak in vulnerabilities
  - Operators think in process disruption
  - Without translation, findings don’t drive action
- Testing needs to reflect operational impact
  - Which systems are truly critical?
  - Which failure would actually stop production?
  - What is both exploitable and consequential?
