Most OT security guidance is written for organizations that don't exist: well-staffed, well-funded teams with mature programs. The reality for much of critical infrastructure is the opposite. A water district, a rural cooperative, or a regional manufacturer often runs critical processes with a handful of people and a fraction of the baseline controls that frameworks assume. These operators have long been protected less by their defenses than by a simple fact: they weren't worth the effort to attack.

That protection is eroding. As the marginal cost of a capable attack falls, the economics of target selection change with it. Reconnaissance, social engineering, and exploitation are all getting cheaper, and when attacking gets cheaper, attackers cast a wider net. Operators who used to sit below the threshold of attention increasingly won't.

This session makes the case that the right response is not the advanced, expensive tooling the market tends to sell, but getting the fundamentals right first. We'll walk through what a right-sized OT security baseline actually looks like for a resource-constrained operator, including a pragmatic take on defense in depth that fits real staffing and budgets.

We'll then look at how open-source tooling can help teams raise that baseline at little or no cost, focusing on the structural building blocks rather than specific product picks, and being honest about where the gaps are. Attendees will leave with a way to reason about sequencing and spend on their own terms.