
DON’T WAIT: Engineering Outcomes Between Red Lines and Rules of Engagement

Danielle (DJ) Jablanski argues that critical-infrastructure owners must stop waiting for perfect regulation or deterrence and instead start today to map interdependencies, engineer fault-tolerant redundancy, and reduce the severity of inevitable cyber-physical impacts.

Danielle Jablanski, Cybersecurity Consulting Program Lead for Operational Technology (OT) Cybersecurity at STV, delivered a candid keynote urging asset owners across every sector to confront the reality that red lines and second-strike capability do not yet exist in cyberspace. Drawing on her prior roles at CISA and Nozomi Networks, she explained why traditional risk formulas fail for cyber-physical systems and outlined a practical “crawl-walk-run” approach—beginning with crown-jewel mapping, moving through dependency analysis, and ending with prioritized controls—that any organization can execute internally. Her central message: understand your interdependencies now, or risk losing control when the next state-sponsored campaign arrives.

Key takeaways

  • Critical infrastructure is already a frequent target in ongoing state competition; assume you will be hit and focus on impact reduction rather than perfect prevention.
  • Probability × impact calculations are misleading; shift attention to loss-of-view versus loss-of-control scenarios and the integrity of command-and-control data.
  • No sector has fully implemented ISA 62443; the CSF alone is insufficient for OT environments.
  • Interdependency analysis must be sector-specific and cannot be solved by visibility tools, threat intel, or regulation in isolation.
  • Use the six NIST 800-82 cyber-physical scenarios to drive internal tabletop exercises and reveal hidden single points of failure.
  • Adopt a crawl-walk-run model: map infrastructure (crawl), document dependencies and shared-responsibility gaps (walk), then rank and apply controls by risk tier (run).
  • Defense-in-depth remains the only reliable strategy; redundancies can be people, procedures, or offline equipment—not just new cybersecurity products.
  • Board-level ownership and a documented maturity baseline are prerequisites for continuous improvement in non-regulated sectors.
