The Operational Technology Cybersecurity Coalition (OTCC) warned on June 30 that artificial intelligence is compressing cyberattack timelines from days to hours, challenging decades-old assumptions about patching, risk scoring, and perimeter defenses in industrial environments. For operations teams managing critical infrastructure, the shift demands a move toward operational resilience, continuous validation, and secure-by-design engineering to keep essential services running when defenses fail.
For operations managers, the threat acceleration makes AI for Operations expertise increasingly relevant, not just for predicting failures but for automating detection and response at the speed now required. The OTCC's AI Working Group Series surfaced consensus that the fundamentals of cybersecurity remain essential, but the speed, scale, and complexity of AI-driven operations are forcing a rethink of how those fundamentals are applied.
Patching's shifting role in OT defense
Patching has long been treated as a first line of cyber defense. Yet in OT settings, many assets run on legacy equipment that cannot be easily patched, and modernization projects often stretch over years. AI-powered adversaries can now discover and exploit vulnerabilities within hours, compressing the window that patch-first models were built for. OTCC participants said effective patch management remains necessary, but it no longer anchors a resilience strategy.
Rather than depending primarily on patching, the group emphasized zero trust architectures, network segmentation, and containment strategies that limit operational consequences. Operational impact, they noted, can often be achieved without exploiting a software vulnerability, through abuse of trusted credentials or manipulation of legacy industrial protocols. As a result, risk assessment may increasingly center on access and potential operational effect rather than any single flaw.
Rethinking risk scoring for operational environments
Scoring systems like the Common Vulnerability Scoring System (CVSS) provide a useful starting point for technical severity. However, the working group cautioned that numerical scores alone cannot capture operational risk in environments where a cyber incident can affect public safety. Participants highlighted frameworks such as Stakeholder-Specific Vulnerability Categorization (SSVC), which tie risk decisions to organizational priorities and mission impact.
Environmental context, exploitability, and operational consequences must inform patching and mitigation decisions. "Many AI-generated findings are either hallucinations or lack sufficient system understanding to be actionable," participants said, underscoring that the growing volume of vulnerability reports can obscure what truly matters. For operations teams, this means risk triage increasingly depends on understanding how a threat could disrupt physical processes, not just its assigned score.
Detecting and responding at machine speed
Even when organizations possess the telemetry needed to detect malicious activity, they often lack the capacity to analyze and act fast enough. AI is now expanding the potential for continuous monitoring, automated triage, and predefined response playbooks. Current AI-enabled detection, however, still generates significant noise, and the working group wrestled with where humans must stay in the loop.
The group concluded that "the key question is no longer simply whether systems can be protected from compromise, but whether critical operations can continue safely and recover rapidly when defenses fail." This reframing pushes operations leaders to validate controls continuously, prioritize recovery speed, and accept that breaches may occur without operational interruption if architectures are designed for containment.
Shifting toward secure-by-design
Long-term resilience, participants said, requires reducing the security debt embedded across the OT ecosystem. Manufacturers play a critical role in adopting secure-by-design development practices, strengthening vulnerability disclosure, and validating patches before operators deploy them. The group pointed to standards like ISA/IEC 62443 as baselines for both manufacturers and operators, and raised an open question: should the cybersecurity community challenge the assumption that asset owners inherently know what to do?
International participants also warned that diverging regulations could unintentionally extend the lifecycle of legacy equipment by shifting older technologies into markets with weaker requirements. Public-private partnerships, they said, must evolve beyond threat intelligence sharing to include support for smaller operators who lack the personnel and budget to respond at machine speed.
Why this matters for operations
Operations teams overseeing industrial processes are now on the front line of a threat environment where compromise can happen in minutes and outages can cascade across supply chains. The OTCC's message is clear: resilience depends on architectures that assume breach, detection that keeps pace with automated attacks, and risk decisions driven by operational consequence, not just technical scores. For operations managers, building the capability to manage AI-enabled security tools, and to collaborate with IT on machine-speed response, will be as foundational as traditional safety discipline. Structured training such as an AI Learning Path for Operations Managers offers one practical route to close the skills gap, but the deeper shift is cultural: accepting that protection is only one part of keeping the lights on.