
Cyber-Physical Risk for Industrial Control Systems and Process Installations
The objective of this website is to share experience and insights on securing industrial control systems (ICS) and, where appropriate, to encourage discussion. The content will address typical ICS security topics, based on my experience of more than 40 years working with control systems as a field service engineer, system programmer, process engineer, and, for the past 20+ years, in cybersecurity.
I do not want this website and its blogs to become yet another collection of stories about vulnerabilities in ICS equipment. Instead, I want to discuss cybersecurity topics from the perspective of the hazards these vulnerabilities may create, the potential consequences for the production process, and the options available to reduce the associated risk. This requires a more detailed look at how industrial control systems are built, which subsystems they include, how these subsystems are used within the production process, and, at times, how the production process itself behaves.
My objective is to approach these topics from a cybersecurity risk-based perspective. What are the cybersecurity hazards? What is the associated risk? And what are the options to mitigate that risk? When I use the word risk, I mean quantitative risk, not generic or purely qualitative risk. I model the industrial control system and estimate threat frequencies or conditional probabilities to arrive at a likelihood.
I am not a process engineer by formal title, but I spent the first half of my career, roughly 20 years, writing and configuring software to implement control strategies. During that time, I learned on the job from highly experienced process engineers. In the second half of my 45+ year career, I focused on securing industrial control systems. Initially, I worked at a very detailed level as a technical security consultant. In recent years, this evolved into approaching cybersecurity from a process automation risk management perspective, placing the production process at the center, analyzing automation-related cyber risk, and comparing this risk with a plant’s risk assessment criteria.
As a result, more than a hundred HAZOP and LOPA studies have passed my desk. I have conducted workshops with many process safety and plant operations subject matter experts, giving me a detailed view of many different production processes and their cyber risk.
Combined with my knowledge of manufacturing process automation solutions, built over more than 40 years working for one of the major suppliers of these systems and, during that time, for many asset owners automating their manufacturing processes, this gave me a unique opportunity to bring together process engineering, process automation, risk analysis, and cybersecurity. This combination of process engineering, process automation, risk analysis, and cybersecurity forms the basis of what I call process automation security.
You might wonder why I do not use the term OT security and seem to prefer the much longer term process automation security. This website has existed for many years, and in earlier articles I was much more flexible in my terminology. You may therefore still find older texts where I use terms such as OT security, ICS security, industrial cybersecurity, or cybersecurity for industrial control systems more or less interchangeably.
Over the years, however, I have become less comfortable with the term OT security. The term is useful when we need to distinguish technology used in operational environments from technology used in office environments. In that sense, it reflects the way the term originally gained traction: as a broad label for technology applied outside the traditional IT environment. But that is also where, for me, the term starts to lose precision.
Operational technology covers many different applications. It may refer to building management systems, transportation systems, logistics systems, manufacturing systems, utilities, infrastructure, and many other environments where technology interacts with the physical world. My focus is much narrower. This website is mainly concerned with process automation in the process industries, such as chemical plants and refineries, and occasionally with related domains such as pipelines, water treatment, and power generation.
That narrower focus matters because process automation is not simply technology deployed in a different environment. It has its own structure and its own risk logic. At the system architecture layer, automation functions are connected, separated, segmented, and protected. At the application architecture layer, the production process itself is automated through control logic, sequences, interlocks, alarms, operator interfaces, and safety-related functions.
Both layers impose security requirements, but these requirements are not driven primarily by the protection of data, as is often the case in IT. They are driven by the need to preserve control, observability, operational integrity, and process safety. The key question is therefore not only whether systems and data are protected, but whether the automation functions continue to support the production process according to their design and operational intent.
For that reason, in all new articles I avoid the term OT security where possible and prefer the term process automation security. It keeps the discussion closer to the automation functions, the production process they control, and the risks that arise when these functions no longer behave as intended.
My blogs
2022
Intelligent Field Device (IFD) security.
OT security engineering principles
OT security risk and loss prevention in industrial installations
2021
Process safety risk, cyber security risk and societal risk
ICS cyber security risk criteria
Why process safety risk and cyber security risk differ
Cyber risk assessment is an exact business
The role of detection controls and a SOC
2020
Identifying risk in cyber physical systems
ISA 62443-3-2 an unfettered opinion
Dare for More, featuring the ICS kill-chain and a steel mill
Letting a goat into the garden
Are power transformers hackable?
The Purdue reference model, outdated or up-to-date?
How does advisory ICSA-20-133-02 impact sensor security?
Are sensors secure, is life an unhealthy affair?
Cyber security in real-time systems
Cyber security and process safety, how do they converge?
2024
Are Transformers Prime Targets for Nation-State Cyber-Physical Attacks?
2025
Beyond Robustness: Closing the Gap in Cyber-Physical Risk Management
Process Controllers Under Attack: Real-Time Performance and Cyber-Physical Risks
From Interdependence to Leverage: A New Era in Cyber-Physical Supply Chains
Secure by Design: The Illusion That Ignores How OT Really Works
Process-Informed Security: Why the Traditional Security Triad Fails in OT
The Lie We’ve Been Sold About OT—and Why It’s Time to Rewrite the Definition
Exposure by Design: Rethinking Risk in Converged Industrial Environments
Escaping the System-Centric Trap: A Look at Consequence-Driven and Control-Centric OT Defense
Beneath the Surface of OT — How Logical Drift Turns It Into Physical Danger
Cyber Resilience Act: Shifting Responsibilities Between Asset Owners, Integrators, and Manufacturers
When ‘Uptime’ Betrays You: Why OT Security Needs a Control-Centric Shift
The Importance of Scenario Thinking in Cyber-Physical Risk Analysis
The Hidden Drift: When Process Safety Loses Its Grip on Reality
Why Field Device Security Should Be Understood, Not Just Assumed
Extending Process Safety into the Cyber Domain
Why ‘Credible Scenario’ Thinking Undermines IEC 61511 Compliance
Does CIE conflict with IEC 61511?
Why Cyber Risk Needs a Defense-Centric Model, Not Attacker-Centric Assumptions
Risk Doesn’t Care Why — Just That You Crossed the Line
Why ISA/IEC 62443 Needs Control-Centric Complements in the Process Industry
The Next Step for Automation: Systems That Validate Their Own Operational Integrity
Beyond System and Safety Integrity: The Missing Definitions for Control-Centric Cybersecurity
Where OT Security Ends — and Why That’s the Wrong Question
Layer 3 – Last Line of Defense, First Line of Consequence
Why Digital Protection Alone Can’t Meet the 1 x 10^-5 per year Risk Fatality Target
Ransomware Is Modern Piracy—And We’re Still Responding Like It’s 1725
The Shift to Open Systems in Industrial Automation: Promises, Costs, and Changing Revenue Models
Determinism under cyber threat
Security Levels Only Gain Meaning in Context
Consequence over Count: Why Regulatory Risk Pressure Defines Cyber-Physical Security
Zone-based (IEC 62443) or Hazard-based (IEC 61511)
The Cyber-Physical System as an Echo Chamber
When “Everyone Uses IEC 62443” Becomes an Excuse to Avoid the Real Cyber Physical Risk Discussion
What the Iberian Blackout Revealed About Europe’s Energy Security
Understanding Level 0 Cybersecurity Constraints and the Role of Physics-Based External Validation
Sensor Fusion: Strengthening Control-System Integrity When Level-0 Devices Cannot Be Secured
The Digital Omnibus: Helping Operators Navigate Europe’s Expanding Cyber Regulations
From IT/OT Divide to Hazard Ownership
Security Levels and the Limits of SL-Based Risk Claims
Security Levels and Cyber-Physical Risk: From Baseline Resistance to Risk Justification
2026
Governing Risk vs Governing Control
Why “Just Isolate the SIS” Is Operationally Naïve and Technically Insufficient
IT/OT convergence has irritated me for years.
Operational Integrity When Trust Is No Longer a Control
SIL Compliance and Cyber Defeat: Why Functional Safety Alone No Longer Justifies Risk Reduction
License Dependency as a Cyber-Physical Risk in Industrial Control Systems
Part 1 – Control Centric Security: Designing for Intervention Under Cyber Attack
Part 2: Recognizing an Attack in Progress in the Pre Demand Detection Window
Upcoming Cybernova conference in Antwerp
Quantifying Cyber-Physical Risk Without Attack Statistics
The Purpose of Security in Process Automation
Cyber incident strategy in the process industry
Incident Response in Process Automation: Do Not Become Part of the Incident
Operational Integrity Under Compromise
The Hidden Layer Between Cybersecurity and Physical Consequence
When does a security problem become a process safety problem?
After the Firewall Fails: Designing Process Automation for Cyber-Physical Resilience
This is a non-commercial website with a vendor-neutral focus on the security of automation systems used in industrial environments. The content is based on my personal experience, professional background, and ongoing interest in process automation security.
Although I spent many years working for a major supplier of industrial control system solutions, this website is independent. It does not represent the views, policies, products, services, or commercial interests of any company, vendor, employer, former employer, client, or professional organization.
The articles and opinions published on this website are my own. They are intended to share experience, encourage discussion, and contribute to a better understanding of security in process automation environments. The content is provided for general informational purposes only and should not be interpreted as professional advice for any specific installation, project, organization, or risk decision.
Any reference to vendors, technologies, standards, incidents, or methods should be understood in that context.
Sinclair Koelemij