Growing connectivity across industrial operations, supply chains and public infrastructure is changing the way cyber risk spreads, making incidents more likely to have consequences that extend beyond a single organization, according to an executive from Nexa Resources. As OT (operational technology) becomes increasingly interconnected, industrial cyber risk is evolving into a broader resilience challenge that can affect business continuity, critical services and economic stability. In response, industry leaders are being encouraged to adopt new approaches to understanding and managing industrial cyber risk, with a focus on strengthening resilience across interconnected ecosystems rather than individual organizations alone.
“Cyber incidents also now go beyond enterprise boundaries. They can disrupt physical processes or critical national services and cause domino effects across sectors. As interconnection grows, managing cyber risk is becoming a resilience challenge with implications far beyond one organization,” Marco Túlio Moraes, chief information security officer at Nexa Resources, wrote in a World Economic Forum (WEF) post.
As industrial operations become more dependent on connected technologies, governance frameworks must evolve to integrate cyber risk into enterprise risk management, investment decisions, and operational planning. Industrial cyber risk is challenging not only because of increasing threats, but also because operational environments are inherently constrained.
Moraes added, “So, beyond protecting individual organizations, cybersecurity is also increasingly about maintaining stability in systems that support society and the economy. Disruptions might affect suppliers, partners and national economies. But while industrial environments are evolving rapidly, governance models are slower to adapt.”
He acknowledges that cybersecurity is now both a security and a governance issue, as well as a matter of market transparency.
Moraes argued that building industrial cyber resilience requires more than deploying additional security controls. Instead, it demands a fundamental shift in how organizations understand and govern cyber risk across increasingly interconnected industrial environments. He said organizations must move away from fragmented ownership models, where accountability is spread across multiple functions with differing priorities, toward governance structures that clearly define responsibilities, decision-making processes, and how trade-offs are managed when disruptions affect both operations and resilience.
He also emphasized the need to shift from control-centric oversight to a risk-scenario-based approach. In highly interconnected environments, resilience depends not only on the presence of safeguards but also on an organization’s understanding of how disruptions could cascade across assets, suppliers, services, and sectors. This requires governance practices that examine realistic operating conditions and interdependencies rather than relying solely on static reviews of security controls.
In addition, Moraes said organizations should complement internal confidence with independent assurance. As cyber incidents increasingly carry operational, economic, and societal consequences, self-assessments alone may not provide an accurate picture of resilience. Independent audits, external assessments, and other validation mechanisms can help determine whether governance processes remain effective under pressure, whether coordination functions across distributed environments, and whether resilience assumptions continue to hold as systems evolve.
Flagging that risk ownership is commonly fragmented across engineering, operations, technology and external partners, Moraes observed that accountability is frequently shared but not clearly defined. “And senior-level visibility is still inconsistent, especially when operational technology is separate from traditional IT structures. This gap is apparent in recent data.”
He pointed out that only 16% of organizations with industrial environments report OT security issues to their boards, 20% have dedicated OT security teams, and 36% assign direct OT security responsibility to the chief information security officer. This governance gap has systemic implications because industrial disruptions can spread beyond the enterprise.
The data reveals uneven maturity and exposes a structural weakness in how many organizations still govern industrial cyber risk: if oversight is limited, accountability is diffuse, and operational dependencies are not fully understood, resilience can become an aspiration rather than a tested capability. In interconnected environments, weak governance does not stay neatly contained within one function or one site.
However, Moraes wrote that the broader challenge is not limited to OT. “Recent disclosure analysis highlighted by the Harvard Law School Forum, based on EY research, found that 78% of companies still place cybersecurity oversight primarily with the audit committee, but 73% now disclose compliance with an external framework such as ISO 27001. This is progress, but it also suggests many boards are still relying on structures designed for general oversight, rather than for the particular complexity of cyber risk in interconnected operating environments.”
He also pointed out that regulators are emphasizing governance. The SEC’s 2023 cybersecurity disclosure rules require public companies to report material incidents and provide annual disclosures on cybersecurity risk management, strategy, and governance.
Drawing attention to a resilience problem, Moraes identified that industrial cyber risk is challenging, not only because of increasing threats, but also because operational environments are inherently constrained. Long asset lifecycles, limited visibility, embedded third-party access, and safety-sensitive conditions make rapid remediation more difficult than in typical IT environments.
Underscoring the importance of governance for industrial cyber risk, he wrote that resilience is not just the ability to recover technology. “It is the ability to preserve decision quality, continuity priorities and operational trust while systems are degraded. That distinction is especially important in industrial environments, where restoring a system and restoring confidence in the safe operation of a process are not always the same thing.”
He added that this helps explain why boards continue to struggle. “Harvard Business Review notes that, while boards are more focused on cybersecurity, they frequently lack the necessary expertise, treat AI separately from security or equate compliance with resilience. In industrial settings, these weaknesses can quickly escalate from cyber exposure to operational disruption.”
These changes do not replace technical controls; they put them in the right context. In industrial systems, resilience at scale is increasingly determined by the quality of governance that surrounds technology, not by technology alone. The challenge for business leaders is therefore larger than cybersecurity in the narrow sense. Governance models, assurance mechanisms and accountability structures must evolve fast enough to match the reality of interconnected operations.
In industrial systems, Moraes recognizes that resilience will increasingly be defined by how well organizations govern complexity before disruption tests them.