Translating Cyber-Physical Risk into Action
By Chet Brandon and Fay Feeney
Series Context
This four-part series examines how artificial intelligence is reshaping cyber risk in operational technology and what it means for industrial organizations. It brings together perspectives from safety leadership, cybersecurity, operations, and board governance to address cyber-physical risk as an enterprise issue. The series is co-authored by Chet Brandon, a global Environmental, Health & Safety (EHS) and operational risk leader, and Fay Feeney, an expert in board governance and enterprise risk oversight.
Introduction: From Awareness to Execution
In Parts 1 and 2, we established two critical realities: cyber risk in operational technology (OT) environments is physical risk, with consequences that can include serious injury, environmental harm, and major business disruption; and artificial intelligence is accelerating both the threat landscape and the tools available to manage it. But understanding the problem is not enough. The real challenge facing organizations today is execution—how to translate cyber-physical risk into structured, actionable practices that improve safety, resilience, and operational performance. This is where safety professionals play a central role. For decades, EHS leaders have managed complex, high-consequence risks in industrial environments, and the same disciplines that prevent catastrophic process safety events can be applied to cyber-physical threats—if organizations integrate them effectively.
The Tangible Outputs of EHS Risk Management
EHS professionals create value through structured outputs that guide decision-making and risk reduction. In the context of OT cyber risk, these outputs fall into two primary categories: pre-incident risk identification and prioritization, and post-incident resilience and recovery. Before an incident occurs, safety professionals help organizations identify which physical assets could be compromised by cyber threats that are likely to impact operations, evaluate those risks in terms of safety, environmental, and business consequences, and prioritize vulnerabilities based on real-world impact. After an incident, they contribute to stabilizing operations, restoring systems safely, and embedding lessons learned into future prevention efforts. This structured approach ensures that cyber risk is managed with the same rigor as other high-consequence operational risks.
Identifying and Prioritizing Cyber-Physical Hazards
The first step in managing OT cyber risk is developing a clear understanding of where system vulnerabilities intersect with high-consequence outcomes. In industrial environments, not all cyber vulnerabilities carry equal weight. Safety professionals bring a critical lens by asking, “If this system is compromised, what happens physically?” This reframes the discussion from technical severity to operational consequence, including impacts on safety, environment, and production.
Effective risk identification begins with mapping critical assets and processes. This includes identifying safety-critical systems such as safety instrumented systems (SIS), emergency shutdown systems, key control loops, and monitoring functions that maintain process stability. It also requires understanding dependencies—how sensors, controllers, networks, and human interfaces interact to maintain safe operation. From there, organizations can identify where cyber vulnerabilities exist, including exposed network pathways, remote access points, legacy systems, or gaps in monitoring and control integrity.
Once critical systems and vulnerabilities are mapped, established safety methodologies can be expanded to include cyber scenarios. Process Hazard Analysis (PHA) and Hazard and Operability (HAZOP) studies can be adapted to evaluate how manipulated inputs, false sensor readings, or disabled alarms could drive deviations in process conditions. Teams can explore scenarios such as incorrect temperature signals, overridden interlocks, or delayed shutdown responses, asking how these deviations could propagate through the system. Failure Modes and Effects Analysis (FMEA) can then be used to identify specific failure modes associated with loss of system integrity, such as loss of control, incorrect system response, or delayed operator awareness, and assess their potential impact. Layers of Protection Analysis (LOPA) adds another dimension by evaluating whether existing safeguards are sufficient if digital systems are compromised, particularly where multiple protections rely on shared infrastructure and therefore cannot be credited as independent.
Prioritization is where safety professionals add the greatest value. Rather than treating all vulnerabilities equally, risks are ranked based on severity of consequence, likelihood of occurrence, and effectiveness of existing controls. High-priority risks are those where a cyber event could lead to serious injury or fatality, major environmental impact, or significant business interruption—especially where safeguards may be degraded or insufficient. This risk-based approach ensures that mitigation efforts are focused on the vulnerabilities that matter most.
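As an added worked example (this script is not from the article or its authors), the following Python code applies the LOPA logic above to two constructed variants of one cyber-driven scenario: a spoofed reactor temperature signal, with the safety instrumented system either on its own network or sharing the plant network. A protection layer earns credit only if none of the infrastructure it depends on is assumed compromised, which is how the "shared infrastructure" caveat turns into a number. The scenario names, initiating frequencies, probabilities of failure on demand (PFDs), and tolerable-frequency targets are assumed order-of-magnitude placeholders, not site data.

```python
"""Cyber-informed LOPA ranking: which scenarios still need risk reduction
once shared infrastructure is assumed compromised.

Added illustration, not code from the article. All frequencies, PFDs and
tolerable-risk targets below are constructed order-of-magnitude placeholders.
"""
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float                                  # probability of failure on demand
    depends_on: FrozenSet[str] = frozenset()    # infrastructure the layer relies on


@dataclass
class Scenario:
    name: str
    severity: int                 # 1 (minor upset) .. 5 (fatality / major release)
    initiating_freq: float        # initiating events per year
    layers: List[ProtectionLayer]
    compromised: FrozenSet[str] = frozenset()   # infrastructure assumed compromised


# Illustrative tolerable frequency per severity class (assumed values, per year).
TOLERABLE_FREQ: Dict[int, float] = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4, 5: 1e-5}


def credited_layers(s: Scenario) -> List[ProtectionLayer]:
    """A layer earns LOPA credit only if none of the infrastructure it depends on
    is in the compromised set. Two layers that share a dependency are not
    independent: one compromise defeats both, so both lose credit together."""
    return [l for l in s.layers if not (l.depends_on & s.compromised)]


def mitigated_frequency(s: Scenario) -> float:
    """Initiating frequency multiplied by the PFD of every credited layer."""
    freq = s.initiating_freq
    for layer in credited_layers(s):
        freq *= layer.pfd
    return freq


def risk_gap(s: Scenario) -> float:
    """Orders of magnitude of risk reduction still missing (0.0 when the target is met)."""
    return max(0.0, math.log10(mitigated_frequency(s) / TOLERABLE_FREQ[s.severity]))


def rank(scenarios: List[Scenario]) -> List[dict]:
    """Worst first: largest remaining gap, ties broken by severity."""
    rows = [{
        "scenario": s.name,
        "severity": s.severity,
        "mitigated_freq_per_yr": mitigated_frequency(s),
        "gap_orders_of_magnitude": risk_gap(s),
        "credited": [l.name for l in credited_layers(s)],
    } for s in scenarios]
    return sorted(rows, key=lambda r: (r["gap_orders_of_magnitude"], r["severity"]),
                  reverse=True)


# Constructed reactor high-temperature scenario: the initiating event is a
# manipulated temperature signal fed to the basic process control system (BPCS).
BPCS_ALARM = ProtectionLayer("BPCS high-temp alarm + operator response", 0.1,
                             frozenset({"plant_network", "hmi"}))
RELIEF_VALVE = ProtectionLayer("Pressure relief valve (mechanical)", 0.01)
SIS_ISOLATED = ProtectionLayer("SIS high-temp trip, dedicated network", 0.01,
                               frozenset({"sis_network"}))
SIS_SHARED = ProtectionLayer("SIS high-temp trip, on plant network", 0.01,
                             frozenset({"plant_network"}))

SCENARIOS = [
    Scenario("Spoofed reactor temperature, SIS isolated", 5, 0.1,
             [BPCS_ALARM, SIS_ISOLATED, RELIEF_VALVE], frozenset({"plant_network"})),
    Scenario("Spoofed reactor temperature, SIS shares plant network", 5, 0.1,
             [BPCS_ALARM, SIS_SHARED, RELIEF_VALVE], frozenset({"plant_network"})),
]

if __name__ == "__main__":
    for row in rank(SCENARIOS):
        print(f"{row['scenario']}: {row['mitigated_freq_per_yr']:.1e}/yr, "
              f"gap {row['gap_orders_of_magnitude']:.1f} orders; credited: {row['credited']}")
```

With the plant network assumed compromised, the isolated-SIS variant meets its target (the SIS trip and the mechanical relief valve both keep credit), while the shared-network variant is left with the relief valve alone and is two orders of magnitude short. That gap, not the technical severity of the network weakness, is what the prioritization step ranks on.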
The resulting risk profile becomes a powerful management tool for driving timely and measurable improvement. Rather than remaining a static assessment, it should be actively used to guide decision-making, resource allocation, and performance monitoring. High-risk scenarios identified in the profile can be translated into targeted mitigation actions, such as isolating critical systems, strengthening access controls, improving alarm validation, or enhancing manual backup capabilities. Each action should be assigned ownership, timelines, and expected outcomes.
To ensure progress, organizations should align the risk profile with key risk indicators (KRIs) and performance metrics. These may include reduction in exposure of safety-critical systems, closure rates for high-risk vulnerabilities, improvements in detection and response times, and completion of resilience testing. Regular integration of the risk profile into management reviews ensures that priorities evolve with changing threats and system conditions. By using the risk profile as a living tool, organizations move beyond identifying risk to actively reducing it in a structured and measurable way.
Partnering with Cybersecurity and Process Control Teams
Effectively managing cyber-physical risk requires close partnership between EHS professionals, cybersecurity specialists, and process control engineers. The Chief Information Security Officer (CISO) is a key sponsor for these efforts, providing executive oversight and translating findings into terms executive leaders can act on. No single function has complete visibility into how operational technology systems are designed, how they can fail, or how they may be targeted. Safety professionals bring deep expertise in consequence analysis and risk prioritization, but must collaborate with those who understand system architecture, network design, and control logic to fully assess exposure.
Cybersecurity teams provide insight into threat vectors, access pathways, and system vulnerabilities, while process control and engineering teams contribute a detailed understanding of control system architecture, instrumentation, interlocks, and operating limits. Together, these perspectives allow organizations to map how a malicious attack could move through systems and ultimately impact physical operations.
This collaboration is essential for identifying realistic failure modes triggered by cyber events and evaluating their severity. It also enables more effective prioritization by focusing attention on vulnerabilities with the greatest potential to impact safety, environment, and business continuity. Integrating these perspectives creates a more complete understanding of cyber-physical risk and improves both prevention and resilience strategies.
Protecting Safety-Critical Control Systems
Once high-risk scenarios are identified, the next step is ensuring that critical control systems remain reliable under all conditions—including during a cyber event. In industrial environments, systems such as safety instrumented systems (SIS), emergency shutdown systems, alarm systems, and key control loops are essential to maintaining safe operations. EHS professionals help define which systems are safety-critical, what level of independence is required, and how failures could impact operations.
A foundational step is defining and validating system independence. Safety-critical systems should be architected to operate independently from primary control systems and broader networks wherever possible. This includes physical and logical separation, dedicated controllers, and minimized shared infrastructure to reduce common-cause failure risk.
Network segmentation and controlled connectivity are essential. Critical systems should be isolated within defined security zones with tightly controlled access. Remote access must be limited, monitored, and governed through strict controls to reduce exposure.
Ensuring instrumentation and signal integrity is another key focus. Redundant instrumentation, validation logic, and cross-checking of critical measurements help detect abnormal conditions even if one source is compromised.
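As an added example (not from the article or its authors), the Python code below shows what "validation logic and cross-checking" can look like for three redundant temperature transmitters. It takes a median vote so that one manipulated channel cannot move the value the control logic sees, flags a channel that drifts away from the voted value, flags a channel that sits frozen while the others move (the signature of a replayed or held input), and rejects a step change the process cannot physically produce. The channel tags, tolerances and the sample series are constructed; the series has one transmitter frozen from the fourth sample while the true temperature rises.

```python
"""Cross-checking redundant instrumentation to detect a manipulated channel.

Added example, not from the article. Channel names, limits and the sample
series are constructed; tune the tolerances to the real loop dynamics.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Set

DEVIATION_TOL = 3.0     # degC: a channel this far from the voted value is suspect
FROZEN_WINDOW = 3       # identical consecutive readings on one channel
MOVEMENT_EPS = 0.5      # degC: the voted value must move this much over the window
MAX_RATE = 5.0          # degC per sample interval the process can physically achieve


@dataclass
class Verdict:
    sample: int
    voted: float
    deviating: List[str] = field(default_factory=list)   # far from the voted value
    frozen: List[str] = field(default_factory=list)      # static while others move
    rate_violation: bool = False                          # impossible step in voted value


def vote(readings: Dict[str, float]) -> float:
    """2oo3-style median vote: a single manipulated channel cannot move the result."""
    return median(readings.values())


def rate_of_change_ok(prev: float, cur: float, max_rate: float = MAX_RATE) -> bool:
    """A step the physics cannot produce is a signal-integrity problem, not a process one."""
    return abs(cur - prev) <= max_rate


def assess(series: List[Dict[str, float]]) -> List[Verdict]:
    """Run all three checks over a time series of per-channel readings."""
    verdicts: List[Verdict] = []
    history: Dict[str, List[float]] = {}
    voted_hist: List[float] = []
    for i, readings in enumerate(series):
        v = vote(readings)
        voted_hist.append(v)
        verdict = Verdict(i, v)
        # How far the voted value moved over the frozen-detection window.
        moved = (abs(voted_hist[-1] - voted_hist[-FROZEN_WINDOW])
                 if len(voted_hist) >= FROZEN_WINDOW else 0.0)
        for ch, val in readings.items():
            history.setdefault(ch, []).append(val)
            if abs(val - v) > DEVIATION_TOL:
                verdict.deviating.append(ch)
            recent = history[ch][-FROZEN_WINDOW:]
            if len(recent) == FROZEN_WINDOW and len(set(recent)) == 1 and moved > MOVEMENT_EPS:
                verdict.frozen.append(ch)
        if len(voted_hist) >= 2 and not rate_of_change_ok(voted_hist[-2], v):
            verdict.rate_violation = True
        verdicts.append(verdict)
    return verdicts


def suspect_channels(verdicts: List[Verdict]) -> Set[str]:
    """Every channel flagged by any check at any sample."""
    return {ch for v in verdicts for ch in v.deviating + v.frozen}


# Constructed series: TT-101A is held at 151.0 from sample 3 onward while the
# process (seen by TT-101B and TT-101C) climbs from 150 to 160 degC.
SAMPLES = [
    {"TT-101A": 150.0, "TT-101B": 150.2, "TT-101C": 149.8},
    {"TT-101A": 150.5, "TT-101B": 150.6, "TT-101C": 150.3},
    {"TT-101A": 151.0, "TT-101B": 151.1, "TT-101C": 150.9},
    {"TT-101A": 151.0, "TT-101B": 152.5, "TT-101C": 152.4},
    {"TT-101A": 151.0, "TT-101B": 154.0, "TT-101C": 153.9},
    {"TT-101A": 151.0, "TT-101B": 156.0, "TT-101C": 155.8},
    {"TT-101A": 151.0, "TT-101B": 158.0, "TT-101C": 157.9},
    {"TT-101A": 151.0, "TT-101B": 160.0, "TT-101C": 159.9},
]

if __name__ == "__main__":
    for v in assess(SAMPLES):
        print(f"sample {v.sample}: voted {v.voted:.1f}  deviating={v.deviating}  "
              f"frozen={v.frozen}  rate_violation={v.rate_violation}")
    print("suspect:", suspect_channels(assess(SAMPLES)))
```

The frozen check fires at sample 4, one sample before the deviation tolerance is exceeded, which is the practical point: a held signal looks healthy to a single-source alarm, and only comparison against independent channels exposes it early. The voted value keeps tracking the real process throughout, so downstream logic is not driven by the manipulated channel.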
Alarm system reliability must be maintained through rationalization, verification, and testing. In cyber scenarios, well-designed alarm systems improve the likelihood that operators will recognize abnormal conditions.
Manual override capability provides an essential layer of protection. Systems should allow operators to intervene safely when automation is unreliable, supported by clear procedures, training, and routine hands-on practice.
Routine testing and validation of safety functions, including cyber-informed scenarios, ensures safeguards perform as expected. Finally, strong configuration management and change control prevent unauthorized or unintended modifications that could introduce vulnerabilities.
The objective is clear: even if cyber systems are compromised, critical safety functions must continue to operate as intended. At a minimum, segregating safety-critical systems from the rest of the OT estate means that a compromise elsewhere need not force a shutdown of the entire operation, and the business can keep running while the affected systems are contained and restored.
Building Cyber-Aware Process Safety Programs
Cyber-physical risk cannot be managed in isolation; it must be embedded into existing safety systems. This requires evolving traditional process safety programs to explicitly include digital threat scenarios. Cyber risks should be incorporated into hazard analyses, management of change processes should evaluate digital modifications, and operational procedures should reflect potential cyber-driven abnormal conditions. Training programs must also prepare operators to recognize and respond to anomalies that may originate from compromised systems.
A practical way to do this is by integrating cyber scenarios directly into Process Hazard Analyses (PHAs) through targeted “what if” questions that connect digital failure to physical consequence. For example: What if a sensor provides false data due to cyber manipulation? What if control logic is altered or overridden? What if alarms are suppressed or delayed? What if remote access is gained through a vendor or compromised credentials? What if operators lose visibility into critical process conditions? Framing cyber risk in this way allows teams to evaluate how these events could drive process deviations, challenge existing safeguards, and ultimately impact safety, the environment, and operations—bringing cyber risk into the core of process safety decision-making.
Strengthening Operational Resilience
Even with strong preventive controls, organizations must assume that disruptions will occur. Operational resilience is defined by the ability to anticipate disruptions, maintain safe operations under abnormal conditions, and recover quickly from incidents. Safety professionals strengthen resilience through layered protections, structured response frameworks, and disciplined operational procedures.
A critical—and often underappreciated—capability safety professionals bring is the design and execution of emergency shutdown and response strategies. In high-hazard industries, EHS leaders routinely define when and how to transition systems to a safe state under rapidly evolving conditions. This includes establishing clear criteria for initiating shutdowns, ensuring that shutdown systems are independent and reliable, and developing procedures that enable operators to act decisively when system integrity is uncertain.
In cyber-physical events, this capability becomes essential. When control systems are compromised, data integrity is questionable, or system behavior becomes unpredictable, the ability to execute a safe, controlled shutdown may be the most effective way to prevent escalation. Safety professionals ensure that these actions are not improvised—they are pre-defined, tested, and supported by clear decision authority and operator training.
Beyond shutdown, EHS professionals also design incident response structures that coordinate actions across operations, cybersecurity, engineering, and leadership. This includes incident command frameworks, escalation protocols, and communication strategies that maintain situational awareness and enable timely decision-making under uncertainty.
Resilience, therefore, is not just about keeping systems running—it is about knowing when and how to safely stop them, stabilize conditions, and recover without introducing additional risk. This is a core competency of safety professionals and a critical component of managing cyber-physical threats in modern industrial environments.
Business Continuity Planning for Industrial Cyber Events
Traditional business continuity planning often focuses on IT recovery, but industrial environments require restoration of safe operational control. EHS professionals help define shutdown procedures, restart protocols, alternative operating modes, and safety measures for personnel. Effective plans include validated recovery procedures, coordination across functions, and structured communication strategies to ensure recovery is both efficient and safe.
Enabling Visibility Through Metrics and Dashboards
Managing OT cyber risk requires clear visibility. Dashboards and key risk indicators translate technical data into operational insight, helping leadership understand exposure, performance, and improvement over time. Metrics such as asset visibility, vulnerability status, detection performance, and resilience readiness provide actionable information that supports decision-making and continuous improvement.
Applying the Framework: A Practical Assessment and Action Tool
To translate these principles into consistent execution, organizations should use a structured risk assessment process. The concept is demonstrated in this OT Cyber-Physical Risk Assessment and Action Form. This tool enables cross-functional teams—EHS, cybersecurity, and engineering—to work through a standardized process for identifying hazards, evaluating consequences, assessing safeguards, and defining actions.
The form guides teams through key steps, including identifying safety-critical systems, defining cyber-driven failure modes and physical outcomes, evaluating safeguard independence and effectiveness, assessing vulnerabilities and access pathways, and prioritizing risks using severity, likelihood, and control effectiveness. It also drives accountability by requiring defined actions, owners, timelines, and expected risk reduction outcomes.
Importantly, the form supports measurable improvement by linking actions to key risk indicators and performance metrics. When used in workshops or site-level assessments, it helps organizations move beyond discussion to clear, documented actions that improve both security and operational reliability over time.
Integrating People, Process, and Technology
Effective OT cyber risk management requires integration across people, process, and technology. Operators, engineers, cybersecurity professionals, and safety leaders must work together within structured risk management systems supported by appropriate technology, as no single function can manage this risk in isolation. Safety professionals serve as integrators—translating cybersecurity insights into operational implications, connecting them with real-world conditions, and ensuring that risk management approaches align with how work is actually performed in industrial environments.
Conclusion: Turning Risk Insight into Action
Managing cyber risk in operational technology environments requires more than awareness; it requires disciplined execution. By applying proven approaches from process safety and operational risk management, organizations can identify critical vulnerabilities, protect key systems, strengthen resilience, and improve recovery capability. This enables a shift from reacting to cyber threats to actively managing cyber-physical risk as part of core operations.
Looking Ahead to Part 4
In Part 4, we move to the boardroom—examining how directors and executives govern cyber-physical risk and ensure organizations have the capabilities needed to manage this evolving threat.
Addendum – Key Risk Assessment Tools
- PHA – Process Hazard Analysis, a structured study to identify and evaluate hazards in a process that could harm people, property, or the environment.
- HAZOP – Hazard and Operability Study, a systematic examination of a process to identify potential hazards and operability problems due to deviations from design intent.
- FMEA – Failure Mode and Effects Analysis, a step‑by‑step method to identify possible failure modes in a system, assess their effects, and prioritize actions to mitigate them.
- LOPA – Layers of Protection Analysis, a semi‑quantitative method to evaluate whether existing independent protection layers are sufficient to reduce risk for specific hazardous scenarios.