The author argues that operational technology (OT) cybersecurity suffers from a lack of empirical data on what controls and practices actually reduce incident frequency and impact, despite growing confidence in certain conventional measures such as asset inventories, detection systems, and segmentation. Many widely accepted recommendations lack measurable evidence demonstrating their effectiveness, and the prevailing narrative often assumes their value without clarifying the extent of risk reduction or cost-benefit tradeoffs, leading to premature consensus within the community. Initial actions such as effective segmentation between IT and OT, removing direct internet exposure, enforcing two-factor authentication for remote access, and strict removable media policies have demonstrated practical benefits, but broader consensus on other controls remains unsupported by incident outcome data.

The proliferation of artificial intelligence compounds this problem by dramatically increasing the volume of content that reiterates conventional wisdom with unwarranted certainty. This accelerated content generation creates feedback loops in which human practitioners increasingly accept unproven ideas, and AI models further embed these patterns into subsequent outputs, reinforcing a false sense of consensus. To counteract this trend, the author recommends grounding risk-reduction decisions in measurable hypotheses and metrics, and encouraging experienced OT professionals to articulate skeptical, evidence-based perspectives that challenge prevailing assumptions, enabling more nuanced and justified prioritization of security investments.

‍

Source: https://dale-peterson.com/2025/12/11/premature-consensus-in-ot-security-made-worse-with-ai/