How to mitigate unforeseen cyber risk in Operational Technology transformation

25 January, 2023

James Hunt

Cyber Security Director, PwC United Kingdom

+44 (0)7701 296796


As many organisations embrace digital transformation of operational technology (OT), it is vital to address and mitigate potential unforeseen vulnerabilities and cyber risk that can be created from the integration of digital technologies with existing legacy systems.

Digital transformation of OT is increasing as organisations seek to create competitive advantage, support cost reduction and ensure resilience and survival in an increasingly uncertain and disruptive business environment. But achieving these benefits securely requires a different approach to cyber risk management.

Unseen danger in OT systems

Practical requirements and operational constraints, such as the need to preserve intellectual property, usually require integrating these new digital systems with existing legacy systems. This convergence of new systems, which have increased connectivity to the business network and the internet, with legacy systems optimised for operability rather than security creates vulnerabilities and weak links that could be exploited by various cyber threats.

Advances in OT – including internet connectivity and capabilities for remote control and monitoring – have outpaced awareness of the new and unforeseen risks that these developments inevitably create, according to a report by PwC.

The key to transforming securely is having a digital transformation strategy that contains guidelines and value propositions that will successfully guide the migration or integration of legacy technology processes onto Industry 4.0-powered sets of technologies, without business disruption and while ensuring high levels of cyber defence.

The 3 phases of secure OT transformation

The cyber risk management process must be a part of any secure digital transformation strategy. But making cyber risk management routine in the OT environment is a transformational journey that requires the commitment of management, board-level directors and all employees.

  1. Define
    The transformation journey begins with understanding that cyber security risk exists in the operational or manufacturing environment. The measure of current cyber risk exposure is evaluated in terms of where an organisation is versus where it should be, while analysing its cyber risk profile and identifying its assets' threats and vulnerabilities.
  2. Execute
    Most organisations are in the ‘define’ phase of transformation, but the second major phase of the journey, ‘execute’, focuses on implementing a remediation programme to improve security maturity to the target level defined in the first stage.
  3. Embed
    The final ‘embed’ phase of transformation aims to manage the now mature security positioning of each asset and provide the necessary assurance to the overall transformational programme.

Although the OT transformation journey will use technology such as Radiflow to improve the security of assets, success will be the result of how well an organisation can embed the new systems and processes into its culture.

Building cyber risk management into secure digital transformation

A holistic strategy will ensure the buy-in of all stakeholders as cyber risk management efforts rely on the workforce changing its behaviours as well as on technology to mitigate cyber security threats. Only with a holistic strategy can the OT cyber security posture be sustainably transformed.

Industry 4.0 and digital transformation can deliver immense benefits to manufacturing and operating systems across various sectors. But, as with every emerging technology, the benefits come with associated risks that must be managed to ensure those benefits are achieved safely and securely.

Organisations must make a cyber risk management programme integral to their digital transformation strategy so that migrated and integrated legacy systems are resilient to current cyber realities and threats and can help deliver the benefits of transformation.

Get in touch to discuss any of these issues and find out more about how to start and deliver an OT cyber transformation journey.

Samuel Ubido

Manager, PwC United Kingdom

+44 (0)7484 059102


Mohammed Jbair

Senior Manager, PwC United Kingdom

+44 (0)7483 338792


Contact us

James Rashleigh

Cyber Security Partner and Cyber Business Leader, PwC United Kingdom

Tel: +44 (0)7808 028337