Risk-Based Model for OT Security Technology Implementation and Segmentation

Open Access
Article
Conference Proceedings
Authors: Hiroshi Sasaki, Kenji Watanabe

Abstract: As digital connectivity expands across factory systems, cybersecurity risks within industrial supply chains have grown significantly. Previous research by the authors addressed these challenges by developing a web-based risk assessment tool, analyzing responses from 225 factory sites, identifying governance issues, and introducing OT (Operational Technology) risk workshops to support cybersecurity posture visualization.

Building on this framework, this study focuses on the "Technology" layer of OT cybersecurity. Rather than applying conventional IT security measures to OT environments, a risk-based approach is proposed to guide technology selection. This approach introduces a two-axis framework: (1) threat detection capability (known vs. unknown) and (2) automation in incident response. These axes produce four models: X (manual response to known threats), X+ (automated response to known threats), Y (manual response to unknown threats), and Y+ (automated response to unknown threats).

Each model is mapped to real-world security solutions such as antivirus tools, Unified Threat Management (UTM) systems, OT-IDS (OT Intrusion Detection Systems), and application whitelisting. For example, USB-based antivirus tools align with Model X, UTM systems fit X+, and behavioral analysis or whitelisting tools relate to Y or Y+, though the latter are more complex to implement due to operational risks.

The study also highlights the role of logical network segmentation in reducing cyber risk. A sample configuration divides the factory into zones (e.g., production control, parts management, DX promotion), each with different risk profiles. Without segmentation, malware can easily spread across zones, increasing downtime and recovery cost. Segmentation, paired with the X/Y classification, allows tailored security strategies that improve cost-effectiveness and align with business risk.

This framework reframes technology selection as a risk mitigation strategy, supporting investment decisions and stakeholder alignment. It also complements earlier governance-oriented work by connecting technology choices with risk workshop outcomes.

Future research should explore industry-specific applications. For instance, SMEs may start with X or X+ models, while industries with low downtime tolerance (e.g., automotive, food) may pursue X+ or Y+. In highly sensitive operations (e.g., blast furnaces), Y+ may be required. Digital exposure levels should also be considered.

This study offers a structured, scalable method for selecting OT security technologies, enabling practical deployment in resource-constrained environments while maintaining flexibility and risk awareness.

Keywords: Operational technology security, Risk-based cybersecurity design, Network segmentation strategy

DOI: 10.54941/ahfe1007044
