July 13, 2022
November 14, 2025

What the API Cybersecurity Conference Revealed About the Future of OT Security — And Why Zero Trust for Outsiders Can’t Wait

TL;DR
AI is accelerating attacks, OT systems remain fragile, and M&A is creating hidden cyber debt. Identity is now the primary attack surface, and attackers can map networks faster than defenders can secure them. Framework adoption is rising, but real OT implementation still lags. The industry is shifting toward Operational Zero Trust: invisible OT, no shared credentials, no flat networks, and tightly controlled outsider access. Zero Trust for vendors, contractors, machine identities, and AI agents is now essential — not optional.

Recently, at the 20th Annual API Cybersecurity Conference for the Oil & Natural Gas Industry, one message came through clearly:
Everything in the threat landscape is accelerating — especially the risks driven by AI — but OT environments are not becoming easier to defend.

Across keynotes, technical tracks, and deep-dive sessions, several themes emerged that should concern every operator, integrator, and executive responsible for industrial cyber resilience.

At the same time, the industry is beginning to converge around new defensive models — ones far more aligned with continuity, safety, and Zero Trust principles.

As someone who works closely with OT defenders and industrial operators, here are the biggest insights I took away from this year’s event. These insights directly map to the four sessions in our OT cybersecurity webinar series, built for engineers and leaders facing these exact challenges.

1. Identity Is Now the Center of the Cyber Universe — Human and Machine

Multiple sessions reinforced a reality many of us have observed for years:
identity is now the central nervous system of cybersecurity.

Microsoft’s team highlighted that adversaries are:

  • targeting identities more than systems
  • exploiting workload and machine identities at scale
  • using AI to automate credential theft and impersonation

This is unfolding at the same time OT environments are rapidly adopting:

  • remote access
  • cloud telemetry
  • contractor and integrator connectivity
  • AI-assisted tooling
  • machine-to-machine APIs

Meanwhile, most OT systems cannot:

  • run agents
  • support MFA
  • be routinely patched
  • tolerate downtime
  • integrate with traditional IAM

The identity gap between IT and OT is widening — and attackers are capitalizing on it.

If you're looking to close this gap without passwords or fragile MFA, we broke this down in depth during one of our webinars for CISA Cybersecurity Awareness Month:
Passwordless Industrial MFA → https://www.blastwave.com/webinar/passwordless-industrial-mfa

2. AI Is Reshaping the Offensive Playbook Faster Than Defenders Can Respond

AI is not simply accelerating attacks.
It is transforming them.

From the threat briefings:

  • reconnaissance is nearly instant
  • attack chains can be auto-generated
  • tradecraft can be cloned or improved by LLMs
  • logs and traces can be erased
  • cloud identities are being abused continuously
  • covert decentralized networks are emerging
  • “cyber mercenaries” are being hired remotely with no visibility into who they really are

AI-enabled attackers no longer need deep OT expertise.
AI gives them just enough knowledge — and automation — to be dangerous.

This makes undiscoverability, identity-based gating, and no-fail-open access essential. Detection alone is no longer fast enough.

That’s why we showed operators how to make legacy OT invisible even to AI-driven reconnaissance — in the first webinar from the series:

The Invisible OT → https://www.blastwave.com/webinar/the-invisible-ot

3. Every Acquisition Increases Cyber Risk — Significantly

One of the clearest themes across discussions was the growing cybersecurity burden created by mergers and acquisitions — a constant reality in oil and gas.

Every acquisition introduces:

  • undocumented networks
  • unknown vendor connections
  • inherited credentials
  • flat, unsegmented OT systems
  • legacy equipment
  • incomplete asset inventories
  • misconfigurations
  • conflicting IAM models
  • incompatible policies
  • compliance gaps

In today’s accelerated threat environment, AI-assisted attackers can map this inherited complexity far faster than defenders can.

As I put it at the conference:

“The most dangerous moment in cybersecurity isn’t the day you get breached — it’s the day you acquire an environment you don’t fully understand.”

You cannot patch or scan your way out of inherited cyber debt.
You can only isolate, cloak, and tightly control access to limit exposure.

4. Framework Adoption Is Rising — But OT Implementation Still Lags

New data presented at the conference showed:

  • over 50 percent of companies align with NIST CSF
  • midstream adoption is more than 80 percent
  • 13 percent of companies use multiple frameworks, typically NIST + ISO
  • framework adoption continues to rise year over year

However, alignment does not translate to implementation in OT.

Operators consistently struggle with NIST CSF controls related to:

  • access control
  • remote access management
  • network integrity
  • least privilege
  • anomaly detection

Most IT controls cannot be deployed into OT without operational risk.
This is why more operators are now seeking Zero Trust architectures designed specifically for industrial environments.

5. The Industry Has Shifted From Prevention to Detection to Assumed Breach — And Now to Operational Zero Trust

Ten years ago, prevention dominated discussions.
Then the industry shifted to detection.
Then to “assume breach.”

This year, a new theme took center stage:

Zero Trust is no longer theoretical — and OT needs a Zero Trust model built for operational reality, not IT retrofits.

This means:

  • no shared credentials
  • no flat networks
  • no fail-open remote access
  • no discoverable surfaces
  • no implicit trust for vendor or contractor networks
  • no uncontrolled machine identities
  • no AI-driven tools with unrestricted access

We are entering a world where defenders must assume attackers are already using AI — and build architectures that limit what those attackers can see or reach.

This is exactly why our recent webinar focuses on segmentation without downtime or re-architecting OT:
Microsegmentation Simplified → https://www.blastwave.com/webinar/microsegmentation-simplified

6. Outsider Access Is Now the Most Critical Attack Surface in OT

Vendor access.
Integrator access.
Contractor access.
Supply chain access.
Machine identities.
AI agents.

These aren’t edge cases — they are the dominant vector for breaches.

This is exactly why our 4th webinar in our OT cybersecurity series focuses entirely on securing outsider access.

Register for Our Next Webinar:

“Secure the Outsider: Zero Trust for Remote Vendors, AI Agents & the OT Supply Chain”
Live on December 3rd

We will demonstrate how to enforce:

  • identity-based authorization
  • time-limited access
  • network cloaking
  • non-human identity segmentation
  • full session visibility
  • Zero Trust without VPNs or passwords

Register here: https://www.blastwave.com/webinar/ot-zero-trust

Final Reflection: Attackers Have Accelerated. OT Security Must Simplify.

AI has changed the speed and scale of cyber threats.
But OT environments cannot absorb more complex tools, more agents, or more operational risk.

What OT needs is:

  • simplicity
  • invisibility
  • identity-based access
  • instant isolation
  • Zero Trust built for the physical world

The industry is converging on this view — and operators that move early will be in the strongest position to protect operational continuity in the years ahead.

I hope to see you at our next webinar.

Tom Sego
CEO, BlastWave
