March 4, 2026

25 Years, 3 Lessons

Dale Peterson reflects on 25 years in OT/ICS security and says the biggest shift in his thinking is that reducing consequences often matters more than endlessly trying to reduce the already-low probability of a successful attack. He argues most security controls won’t prevent every incident, but consequence-reduction measures can cap the maximum harm with high certainty (e.g., even if an attacker gains control, they still can’t trigger the worst physical outcomes). He frames this as a three-step risk approach: basic controls to drive likelihood “down to very low,” then consequence reduction to eliminate catastrophic outcomes, and finally more mature, efficiency-focused prioritization across both.

His second lesson is that OT reality limits what many “good” controls can accomplish: insecure-by-design protocols and Level 1 devices often let an attacker abuse legitimate functionality without exploiting a bug, which can blunt the effectiveness of otherwise solid security practices. Third, he says teams should refuse to fund OT security work without two metrics: (1) proof the control is actually implemented and maintained (not deployed then neglected), and (2) an estimate of the risk reduction achieved—even if imperfect—so efforts don’t become checklist theater. He closes by urging practitioners to rely on judgment and risk context rather than repeating the same universal “top 10” actions everywhere.

Source: https://dale-peterson.com/2026/01/12/25-years-3-lessons/
