Podcast: Episode #39 - John Cusimano: Leveraging ISA/IEC 62443 to Quantify OT Risk

November 2, 2023

John Cusimano is a seasoned business and thought leader with over 30 years of expertise in process control, functional safety, and operational technology (OT) and industrial control systems (ICS) cybersecurity. With a track record of conducting numerous OT cybersecurity vulnerability assessments, he has played a pivotal role in establishing cybersecurity programs for many companies. As a prominent member of the ISA 99 cybersecurity standards committee, he chaired the subcommittee responsible for crafting the ISA/IEC 62443-3-2:2020 standard and developed multiple training courses on OT cybersecurity, showcasing his extensive knowledge and influence in the field.

In this episode, Aaron and John Cusimano discuss:

  • The challenges of quantifying risk in OT environments
  • Prioritizing cybersecurity risks and cybersecurity measures in industrial control systems
  • Identifying critical operational risks and mitigation strategies in industrial environments
  • Navigating risks and embracing opportunities in the face of technological advancements

Key Takeaways:

  • Understanding the complex interplay between physical and cyber risks is crucial. Structured frameworks like the ISA/IEC 62443 standard give overwhelmed organizations a starting point, while also emphasizing the need to tailor security measures to the specific, high-impact vulnerabilities unique to each facility.
  • Prioritizing industrial cybersecurity involves breaking down complex systems, evaluating specific vulnerabilities, and engaging in focused discussions between experts and business stakeholders to identify critical risks, ensuring an effective security strategy.
  • In cybersecurity assessments, identifying and prioritizing risks is crucial. Seemingly small oversights, such as unsecured backups, flawed file transfer mechanisms, or unchecked permissions in asset management systems, can lead to significant vulnerabilities, which is why securing critical infrastructure calls for comprehensive evaluation and proactive measures.
  • In the rapidly evolving world of control systems and cybersecurity, the key is to understand and manage risk rather than striving for absolute security, while also embracing technological advancements with caution and vigilance.

"The other approach that a lot of people take is just piling on every security control out there. And that's also not tenable either long term. Sometimes it's actually counterproductive to security because every tool you put in has access." — John Cusimano

Connect with John Cusimano:

LinkedIn:

John will be speaking at the 18th Annual API Cybersecurity Conference for the Oil and Natural Gas Industry next week.

Connect with Aaron:


Learn more about Industrial Defender: