Published by DeNexus · May 2026
At the Fortinet OT Thought Leadership Security Summit in Detroit last week, DeNexus CEO José María Seara walked a room of OT security leaders through a thought experiment: imagine tightening a bolt without a torque spec. You feel it getting tighter. You might even be confident it's right. But without the number, you can't prove it. And you can't repeat it.
In an automotive plant, that's not acceptable. You wouldn't run a production line on feel.
So why are we running OT risk management that way?
The talk identified five specific break points in the standard OT security lifecycle — identification, assessment, treatment, monitoring, and communication — and made the case that all five share the same root cause: the absence of a financial measurement instrument for cyber risk.
This post goes deeper on what that instrument looks like in practice.
Every risk management program starts with an asset inventory. In IT, that's a solvable problem. In OT, it's almost never fully solved — not because teams are negligent, but because half the devices predate the documentation. The PLC installed in 2003. The historian server the vendor said never to touch. The remote access path an integrator opened during a commissioning visit and never formally closed.
When an asset doesn't exist in the inventory, it doesn't exist in the risk program. Vulnerabilities on undocumented assets never reach the vulnerability backlog, not because they aren't critical, but because nobody knew the asset was there to scan.
How CRQ addresses it: Cyber Risk Quantification starts by building a financial exposure model that maps assets to business impact. That process — linking plant equipment to production lines, revenue streams, and contractual dependencies — surfaces assets that pure scanning tools miss. When a historian server that "nobody touches" sits on a flat segment adjacent to a revenue-critical controller, the financial model makes that adjacency visible in dollar terms. Discovery becomes driven by financial consequence, not just network visibility.
Most OT security teams in the room knew their environment better than any tool does. They knew which line was the crown jewel. They knew which CVE kept them up at night. That knowledge is real and hard-earned.
The problem isn't what they know. The problem is what they can do with what they know.
A CVE with a CVSS base score of 3.4 on a flat OT segment controlling a revenue-critical process, with active exploitation observed in the sector, is a more urgent problem than a CVE scored 9.8 on an isolated legacy system with no viable network path and no known active exploitation. Every experienced OT practitioner knows this. But in a board meeting, a 3.4 doesn't survive a 9.8 in the same conversation, because the base score carries no information about reachability, threat activity, or what the asset is worth. The gap isn't knowledge. It's the instrument that makes knowledge auditable.
How CRQ addresses it: DeRISK CRQ re-weights vulnerability risk across four lenses: exploit likelihood (actual probability in the wild, weighted by threat intelligence specific to the sector); asset criticality (financial exposure based on the asset's role, connections, and consequence of compromise); network reachability (do your segmentation, firewall rules, and remote access configurations actually block the attack path?); and business impact (downtime cost, contractual penalties, recovery costs, regulatory implications — all expressed as a financial range).
The result: a backlog of 1,247 CVEs becomes a ranked list in which 23 account for 70% of the financial exposure, and eight of those are addressable this week without a maintenance window. That list survives a board conversation.
Here is the reality of OT security operations: the standard answer — patch it — is frequently unavailable.
The maintenance window is six months away. Patching voids the warranty. No patch exists because the firmware is end-of-life. The line cannot go down before the Q2 OEM delivery commitment. That's not a security failure. That's OT.
When patching isn't an option, risk treatment doesn't disappear. It changes shape. Segmentation isolates exposure without touching production. Virtual patching via IPS blocks known exploit patterns at the network layer. Allowlisting restricts communication with at-risk assets. Enhanced monitoring reduces the magnitude of a loss event if one occurs.
The question — the one that never gets answered in the standard framework — is how much risk does each of these actually remove?
How CRQ addresses it: Because DeRISK CRQ expresses risk in financial terms, compensating controls can be evaluated as investments with measurable returns. A network segmentation project that costs $200K and reduces annualized loss exposure by $1.4M is a 7× return on security spend (annualized exposure reduction against a one-time cost, so the return recurs for every year the control stays in place and the topology stays as modeled). That framing changes the conversation with a production manager who is pushing back on a maintenance window. "We need this for security" becomes: "Delaying this three months keeps $2.3M of exposure unaddressed. That's a business decision. I need you and the CFO to sign off on it." One framing produces a debate about priorities. The other produces a decision.
The team patched in the window. They deployed the compensating controls. They legitimately made progress. And then an operational decision — not a security decision — changed everything overnight.
A contractor connected a laptop. A remote access tool installed to fix a conveyor was never removed. A new production line was added to a previously isolated segment because building a new one was harder. None of these were security decisions. Every one of them changed the risk profile — without the security team knowing.
The question isn't whether something changed. Something always changes in an active OT environment. The question is: did the risk number move, and did the right person know?
How CRQ addresses it: DeRISK CRQ maintains a continuous financial risk model that responds to changes in the OT environment. When network topology shifts, when new assets appear, when a previously isolated segment gains connectivity — the model recalculates. The security team isn't watching a perimeter. They're watching a number. And when that number moves past a threshold, the right people know — in terms they can act on.
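The three calculations described above, re-weighting CVEs across the four lenses, pricing a compensating control as an investment, and recalculating when the environment changes, share one underlying model. The Python below is an added, constructed illustration of that model; it is not DeRISK CRQ's method or any DeNexus code. It assumes a deliberately simple form, exposure in dollars = exploit likelihood × probability the asset is reachable × business impact, summed per CVE, with the asset table, CVE identifiers (CVE-A through CVE-D), probabilities, dollar figures, and tolerance threshold all made up for the example. Real CRQ models express impact as a range and likelihood as a distribution; point values are used here only to keep the arithmetic visible.

```python
"""
Illustrative four-lens CVE re-weighting, control evaluation and tolerance check.

Constructed example: NOT DeRISK CRQ's model or any DeNexus code. All assets,
CVE ids, probabilities and dollar figures are hypothetical.

    exposure($) = P(exploit attempt) * P(attacker has a path to the asset) * impact($)
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    impact_usd: float   # business impact if compromised: downtime, penalties, recovery
    reachable: float    # probability an attacker has a usable network path (0..1)


@dataclass
class Cve:
    cve_id: str
    cvss: float                # CVSS base score, kept only to compare against the ranking
    asset: str
    exploit_likelihood: float  # annualized probability of an exploit attempt, from sector threat intel


def exposure(cve, assets):
    """Dollar exposure contributed by one CVE on its host asset."""
    a = assets[cve.asset]
    return cve.exploit_likelihood * a.reachable * a.impact_usd


def total_exposure(cves, assets):
    return sum(exposure(c, assets) for c in cves)


def prioritize(cves, assets, share=0.70):
    """Rank CVEs by exposure; return (ranked list, how many cover `share` of the total)."""
    ranked = sorted(cves, key=lambda c: exposure(c, assets), reverse=True)
    total = total_exposure(cves, assets)
    running, count = 0.0, 0
    for c in ranked:
        running += exposure(c, assets)
        count += 1
        if running >= share * total:
            break
    return ranked, count


def with_changes(assets, changes):
    """Copy of the asset table with reachability overridden per {asset_name: new_reachability}."""
    updated = dict(assets)
    for name, reach in changes.items():
        a = assets[name]
        updated[name] = Asset(a.name, a.impact_usd, reach)
    return updated


def evaluate_control(cves, assets, changes, cost_usd):
    """Price a control (modeled as a reachability change) as (before, after, return multiple)."""
    before = total_exposure(cves, assets)
    after = total_exposure(cves, with_changes(assets, changes))
    return before, after, (before - after) / cost_usd


def tolerance_check(cves, assets, change, tolerance_usd):
    """One monitoring step: recompute after an observed change, flag a threshold crossing."""
    new = total_exposure(cves, with_changes(assets, change))
    return new, new > tolerance_usd


# Constructed sample environment (hypothetical values).
ASSETS = {
    "line3-plc":  Asset("line3-plc",  impact_usd=4_000_000, reachable=0.80),  # flat segment, revenue-critical
    "legacy-hmi": Asset("legacy-hmi", impact_usd=500_000,   reachable=0.02),  # isolated, no viable path
    "historian":  Asset("historian",  impact_usd=1_500_000, reachable=0.60),  # "nobody touches it"
}
CVES = [
    Cve("CVE-A", cvss=3.4, asset="line3-plc",  exploit_likelihood=0.30),  # actively exploited in sector
    Cve("CVE-B", cvss=9.8, asset="legacy-hmi", exploit_likelihood=0.05),  # no known exploitation
    Cve("CVE-C", cvss=7.5, asset="historian",  exploit_likelihood=0.10),
    Cve("CVE-D", cvss=5.0, asset="line3-plc",  exploit_likelihood=0.02),
]

if __name__ == "__main__":
    ranked, top = prioritize(CVES, ASSETS)
    for c in ranked:
        print(f"{c.cve_id} cvss={c.cvss:4.1f} exposure=${exposure(c, ASSETS):,.0f}")
    print(f"{top} CVE(s) account for 70% of ${total_exposure(CVES, ASSETS):,.0f}")

    # Treatment: segment line 3 so the PLC's reachability drops 0.80 -> 0.20, at $200K.
    before, after, ret = evaluate_control(CVES, ASSETS, {"line3-plc": 0.20}, 200_000)
    print(f"segmentation: ${before:,.0f} -> ${after:,.0f}, {ret:.2f}x return")

    # Monitoring: a remote access tool left on line 3 reopens a path (0.20 -> 0.50).
    segmented = with_changes(ASSETS, {"line3-plc": 0.20})
    new, breached = tolerance_check(CVES, segmented, {"line3-plc": 0.50}, 500_000)
    print(f"after change: ${new:,.0f}, tolerance breached={breached}")
```

In the sample data the 3.4 on the flat segment ranks first and the 9.8 on the isolated HMI ranks last, which is the re-ordering the post describes; the segmentation control returns about 3.8× on its cost; and the unremoved remote access tool pushes exposure back over the $500K tolerance, which is the event the monitoring step is meant to surface. The reachability lens is the one most often misjudged in practice, so the probabilities fed to it should come from verified firewall rules and segmentation tests, not from the network diagram.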
The Detroit talk opened and closed with the same four questions:
Were you safer after that?
How much safer?
Did it bring us within our risk tolerance level?
What was the return on that investment?
The silence that follows those questions in most organizations isn't incompetence. It's the sound of a framework failing the people who trusted it.
The board isn't asking to be difficult. Under the SEC cyber disclosure rules, material cyber incidents must be disclosed and the company must describe how it identifies and manages cyber risk and how the board oversees it, so accountability sits with the board, not just the CISO. Under TISAX Version 6.0, which now explicitly includes OT controls, the stakes are contractual: PACCAR mandates it, Stellantis is following. When the board asks "are we within tolerance?" they need to prove it to an auditor, a customer, and a regulator, often all three at once.
How CRQ addresses it: Dollars. Money is the only unit of measurement that works on both sides of the conversation. DeRISK CRQ answers each of the four questions directly:
Were you safer? — Exposure moved from $3.2M to $1.1M. We removed $2.1M of risk.
How much safer? — $2.1M removed on $180K invested. 12× return on security spend.
Within tolerance? — We entered at $3.2M, above threshold. We exited at $1.1M, within tolerance. Auditable.
Return on investment? — 12×. Plus: we know within hours when a contractor changes our exposure.
Not because you got lucky. Because you finally have the torque spec.
Finance found its common language in Value at Risk. Aviation found it in mean time between failures. Insurance found it in actuarial tables. Every one of those industries went through a period that looks exactly like where OT security is today — and then someone built the instrument. Not to replace the expertise. To give it a form that could travel.
With 300+ DeRISK CRQ implementations across power generation, manufacturing, and data centers, that instrument is no longer theoretical in OT security.
The question isn't whether it will arrive. The question is whether your organization will be the one that brought it — or the one still explaining a heat map when the board asked for a number.
Ready to see what your OT cyber risk looks like in dollars?
Talk to Our Team: https://denexus.io/contact
DeNexus builds the global standard for OT Cyber Risk Quantification. DeRISK CRQ has been deployed in 300+ implementations across industrial sectors globally.