Presenter:
This talk argues that vulnerability management in OT is fundamentally broken because it is still modeled after IT practice, and that mismatch leads to wasted effort, poor prioritization, and persistent risk.
Key takeaways
- IT-style vulnerability management doesn't translate to OT
  - Scanning, patching, and CVSS base scores dominate the approach
  - But OT environments can't always patch or reboot
  - What's "critical" in IT isn't always critical operationally
- Volume isn't the problem; context is
  - Teams are flooded with vulnerability data
  - But lack understanding of which issues actually matter
  - Prioritization fails without operational context
- Asset criticality is misunderstood
  - Not all systems are equal
  - True risk depends on process impact, safety, and uptime
  - Without this lens, teams chase the wrong fixes
- Patching is often unrealistic
  - Downtime constraints limit maintenance windows
  - Vendor dependencies (qualification, support contracts) slow remediation
  - Some systems can't be patched at all
- Compensating controls are key
  - Network segmentation
  - Access control
  - Monitoring and detection
  - Risk reduction often comes from mitigation, not remediation
- Programs need to be risk-driven, not compliance-driven
  - Stop chasing "all vulnerabilities"
  - Focus on what could actually disrupt operations
  - Align remediation with business impact
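The prioritization the talk argues for, as an added example that is not code from the talk, the presenter, or any vendor product: a small scoring model that combines the CVSS base score with reachability, process and safety impact, and the compensating controls already in place, then ranks findings and suggests patch, mitigate, or accept. The weights, control discount factors, threshold, asset data and findings are all constructed assumptions for illustration, not measured values.

```python
"""Added example: OT-aware prioritization of vulnerability findings.

The scoring model, weights and sample data below are illustrative assumptions,
not from the talk or any product. The point it demonstrates: a CVSS 9.8 on a
low-impact engineering workstation can rank below a CVSS 7.2 on an exposed
controller, and a segmented safety system drops further still.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    process_impact: int        # 1..5: consequence to the physical process if the host is lost
    safety_impact: int         # 1..5: consequence to people/equipment if the host misbehaves
    reachable_from_it: bool    # a routed path exists from enterprise/DMZ into this host's zone
    controls: frozenset = frozenset()  # compensating controls already deployed


@dataclass(frozen=True)
class Finding:
    fid: str
    asset: Asset
    cvss_base: float
    attack_vector: str         # CVSS AV: "N" network, "A" adjacent, "L" local, "P" physical
    patch_available: bool


# Assumed factor by which each control cuts exploit likelihood (constructed, not measured).
CONTROL_FACTOR = {"segmentation": 0.4, "acl_allowlist": 0.6, "monitoring": 0.85}


def exposure(f: Finding) -> float:
    """Likelihood that the vulnerable interface is reachable by an attacker at all."""
    if f.attack_vector == "N":
        # A network-reachable bug on a host with no path from IT is far less exposed.
        return 1.0 if f.asset.reachable_from_it else 0.5
    return {"A": 0.5, "L": 0.3, "P": 0.1}[f.attack_vector]


def criticality(a: Asset) -> float:
    """Operational criticality, 0..1: the worse of process and safety consequence."""
    return max(a.process_impact, a.safety_impact) / 5.0


def residual_risk(f: Finding) -> float:
    """CVSS severity scaled by exposure and criticality, discounted by existing controls."""
    score = (f.cvss_base / 10.0) * exposure(f) * criticality(f.asset)
    for control in f.asset.controls:
        score *= CONTROL_FACTOR.get(control, 1.0)
    return round(score, 3)


def recommended_action(f: Finding, threshold: float = 0.25) -> str:
    """Patch only where a patch exists and the risk warrants the downtime; else mitigate."""
    if residual_risk(f) < threshold:
        return "accept/monitor"
    if f.patch_available:
        return "patch in next maintenance window"
    return "mitigate (segment / ACL / monitor)"


def prioritise(findings):
    return sorted(findings, key=residual_risk, reverse=True)


def with_control(f: Finding, control: str) -> Finding:
    """Re-score a finding as if a compensating control were added to its asset."""
    asset = replace(f.asset, controls=f.asset.controls | {control})
    return replace(f, asset=asset)


# Constructed sample assets and findings (not real hosts or CVEs).
ENG_WS = Asset("eng-workstation-L3", process_impact=2, safety_impact=1, reachable_from_it=True)
DCS_CTRL = Asset("dcs-controller-L1", process_impact=5, safety_impact=3, reachable_from_it=True)
SIS = Asset("safety-plc-L1", process_impact=5, safety_impact=5, reachable_from_it=False,
            controls=frozenset({"segmentation", "acl_allowlist"}))

SAMPLE_FINDINGS = [
    Finding("F-1", ENG_WS, 9.8, "N", patch_available=True),    # IT-critical, OT-minor
    Finding("F-2", SIS, 7.5, "N", patch_available=False),      # severe host, already isolated
    Finding("F-3", DCS_CTRL, 7.2, "N", patch_available=False), # exposed controller, no patch
    Finding("F-4", DCS_CTRL, 7.8, "L", patch_available=False), # same host, local-only vector
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{f.fid} {f.asset.name:22} cvss={f.cvss_base} risk={residual_risk(f):.3f} "
              f"-> {recommended_action(f)}")
    segmented = with_control(SAMPLE_FINDINGS[2], "segmentation")
    print(f"F-3 after segmentation: risk={residual_risk(segmented):.3f} -> {recommended_action(segmented)}")
```

Running it ranks F-3 (the unpatched, IT-reachable controller) first, the CVSS 9.8 workstation second, and the already-segmented safety PLC last; adding segmentation to the controller's zone cuts its residual risk to 0.288, still above the threshold, which is the cue to stack an allowlist ACL or monitoring rather than wait for a patch that may never ship.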
