Yesterday we talked about the real challenge of how to mitigate cyber risks effectively and efficiently in OT environments: focusing on consequences — not on the attack itself.
We also discussed the problem of applying incorrect methods and solutions that only mitigate the company’s budget, but do not mitigate the real risk.
Today it’s time to talk about the solution.
And no, it is not about buying more tools and spending more money — but about spending less. And spending it better.
In OT, the solution is much simpler… but also far more disciplined.
Here is the realistic, specialized solution that applies to any plant or industry:
With our WBS (Work Breakdown Structure) work methodology and our exclusive RMS (Risk Management System), powered by the Secure & Protect® technology, we help organizations meet all the requirements of the ISA/IEC-62443 standards series and, when necessary, complementary requirements from widely adopted regulations such as NIST, NERC, C2M2, API, INGAA, and others.
- The essential first step: Work on the consequence.
The most important and effective step first.
Security-by-design goes beyond protecting the cyber asset — it focuses on protecting the physical asset as the first priority.
The objective is to prevent the potential consequence from occurring.
Working on the consequence means using engineering ingenuity to implement practical and highly robust solutions that ensure and guarantee that the consequence cannot occur, even if a cyber incident eventually happens.
This is true resilience.
It goes beyond deploying controls — which is what most organizations do.
- Working on the Cyber Incident.
This part of the security strategy — the second priority — focuses on protecting cyber assets.
It means dedicating resources to prevent cyber incidents from occurring or from being successful.
The first priority is protecting the physical assets, but it is also necessary to protect the cyber assets as part of the security-by-design strategy and continuous improvement.
Even as a second priority, it must still be done.
- Mitigate risk with a long-term solution.
The correct solution is to apply security-by-design, where the priority is to prevent the consequence from occurring through a fast yet long-term solution that is independent of current vulnerabilities and trending threats.
In general, 80% of risks can be mitigated with 20% of the resources and effort.
The key is knowing how to prioritize in order to implement effective and efficient solutions.
This is achieved with the right methods — not through trial-and-error, not by doing unnecessary tasks that add no value, and not by wasting resources.
- About vulnerabilities and patching.
Once risk is mitigated through first-priority solutions, the potential consequences can no longer occur — even if a cyber incident does happen.
This strategy allows the plant to evaluate patch implementations and system updates with the time required, without negatively impacting the process and without every patch becoming an emergency.
- About new or persistent threats.
Just like with vulnerabilities, new or emerging threats aimed at compromising cyber assets stop being a first priority.
They are no longer the center of attention because a resilient security solution has been implemented — one capable of withstanding the occurrence of potential cyber incidents.
- Monitoring that truly serves the plant.
A monitoring system that truly makes sense and is useful for the plant requires a rationalization process so that it does not generate false positives and does not become a source of distraction for valuable organizational resources.
When a rationalized system is implemented, event response becomes informed, fast, and free of wasted time.
- Change management.
Changes are managed through detailed evaluation and decision-making processes that analyze positive impacts, potential negative impacts, and cybersecurity implications to support informed decisions.
This determines whether additional security measures are needed.
The idea is simple:
It is neither possible nor meaningful to eliminate all attacks or fix all vulnerabilities.
But we can prevent an incident from becoming a non-tolerable consequence, and ultimately, a crisis.
The solution in OT is not technology. It is ingenuity.
It is solved from the inside — from the heart of the plant — with discipline, knowledge, and sound decision-making.
That is what transforms a potentially severe incident… into a controllable interruption without stress.
That is a resilient solution, even against the most persistent threats.


