S4x25: Dale Peterson outlines vision for industrial cybersecurity, emphasizes innovation and connection
2025-1-19 09:58:4 Author: industrialcyber.co

As the industrial cybersecurity scene prepares to converge next month for S4x25 at the JW Marriott Water St, Tampa, Florida, Industrial Cyber connected with Dale Peterson, founder of the S4xEvent and CEO/catalyst at Digital Bond, to discuss the event agenda, how the cybersecurity challenges facing the industry are evolving and why OT (operational technology) security training is critical. He addressed intricacies of the event’s agenda, explored ways in which industrial cybersecurity challenges are continuously evolving, and highlighted the importance of OT security training in safeguarding critical infrastructure.

He also shared insights on how S4x25 aims to address pressing issues affecting the industrial cybersecurity sector and foster a more inclusive community through initiatives like the OnRamp sessions. Such initiatives are tailored to equip industrial cybersecurity professionals with skills necessary to navigate the evolving landscape. The conference is set to address regulatory shifts that are reshaping priorities within the industry, ensuring that participants are well-prepared to adapt to new compliance requirements.

S4’s future focuses on building innovation and connection across the industrial cybersecurity space largely by providing a platform for ideas to grow and partnerships to bloom. By bringing together thought leaders, practitioners, and policymakers, S4x25 is not just a conference but a catalyst for change, focused on driving the industrial cybersecurity industry forward into a more secure and interconnected future. As Peterson continues to lead the initiative, S4 continues to be at the forefront of pioneering efforts in industrial cybersecurity, driving excellence and progress.

S4: Pioneering industrial cybersecurity with a visionary agenda

S4 has consistently been at the forefront of highlighting pivotal issues in industrial cybersecurity. Peterson highlights how this year’s agenda reflects the industry’s current state and pressing needs and the outcomes or discussions he is most looking forward to seeing emerge from the event. “S4 is a future focused event. It’s addressing, and forecasting, the issues that will come up in the next one to three years and potential solutions,” he added.

“I see a trend in this year’s agenda aimed at determining what is making, or could make, a difference in OT cyber risk and what is good practice and happy talk,” Peterson said. “There are a lot of metrics and risk management, dealing with adversary owned supply chains, what regulations are and are not making a difference, implementation aspects of secure by design in OT, and evaluation of security controls. Of course, Stage 2 has the gory technical deep dive sessions on offense and defense that started S4 back in 2007.” 

Peterson noted that there also is a recognition that OT security and cyber risk management is not an island. There are sessions on related fields of crisis communications, international relations, finance, and more. 

“What you won’t see are sessions that are ‘pressing needs’ that are well understood,” he added. “For example, ransomware on IT affecting supporting systems needed by OT and production is by far, as much as 10x, the cause of OT outages. Removing Internet connected OT is another pressing need, and it was discussed at S4x12. These aren’t on the S4x25 agenda because the attendee S4 is designed for will know these issues well enough to give a presentation on the topic, and often have.”

Create The Future: Transforming Code and Bridging OT/IT at S4x25

The S4x25 agenda features sessions such as ‘Converting Legacy Codebases to Memory Safe’ and ‘OT and IT – Convergence, Integration, and Separation.’ 

When discussing how topics are selected for S4 and identifying the most pressing themes or issues for the community to tackle, Peterson explained that the mantra or motto at S4 is ‘Create The Future.’ 

“Our target attendee, the person we design S4 for is the experienced OT security pro who is an early adopter. Someone who likes to be on the leading or bleeding edge. A person who wants a window on what might happen in the next 1 to 3 years,” according to Peterson. “This is a fraction of the OT security community, less than 10%. There are other great events for the much larger 90% who need to learn the OT security 101, good practices, and lessons learned on the mainstream topics.” 

Peterson disclosed that the focus is on new ideas and new research that have a strong point of view and would drive change. “Even if I think it is dead wrong, which is true of about 25% of the agenda, we want it on a S4 stage if it is a thought provoking idea that will be well and differently presented. The goal is to throw a lot of new ideas at the S4 tribe in a creative and fun environment.” 

He, however, pointed out that the ‘OT and IT – Convergence, Integration, and Separation’ session is an exception. “It is far from a new topic. In fact, it’s a bit of a tired topic that too often devolves into IT v. OT, security v. engineering, change v. stability. We are trying a different approach this year by making it part of a Long Conversation. This is a format where two people talk about this issue and every 10 minutes one of the two is replaced. Over the 90 minutes there will be 10 people who have been part of the conversation.”

Peterson added that “If Marty Edwards and I do a good job of selecting the people, much like a seating chart at a dinner party, it could be fascinating … or it could be a flop. We like to try new things at S4. Some work, some don’t.”

Bridging knowledge gap: OnRamp sessions, OT security training at S4x25

The reintroduction of OnRamp sessions at S4x25 suggests a focus on educating newcomers to OT security. Looking into whether he sees a gap in foundational knowledge across the industry and how such initiatives can bridge that gap to foster a more inclusive cybersecurity community, Peterson noted that OT security training has grown a lot in the last decade. “There are a lot of choices in all different price ranges and topics. There is plenty of quality OT security training in 2024/2025. The real question is what training is right for me? We decided in December to add an OT Security Training Roundup on Tuesday afternoon at S4x25.” 

Identifying that the Roundup is really simple, Peterson said that training organizations who have an attendee at S4 are given a table to show what they offer and answer questions. “There’s no charge to get a table. We thought we should create a mixer since the trainers and the people who decide where to send new talent to train will both be at S4. So far 9 training organizations will have tables, and I expect it will be about 15 in total.” 

“We had some of the best in the OT security present ten 30-minute videos on OT security 101 back at S4x19 and called it the OnRamp,” Peterson said. “Those videos are available on the S4 Events YouTube channel and have aged well. Still very helpful for the beginner. New topics have arisen over the past five years, such as AI in OT, supply chain, and ransomware. We wanted to add four videos to the OnRamp collection, and we put those four sessions on Stage 3.”

Exploring challenges and opportunities in industrial cybersecurity in 2025

Looking ahead to 2025 and beyond, Peterson examines the anticipated progress within the industrial cybersecurity sector, identifying specific challenges the industry may face and opportunities that should be prioritized.

“It’s a continuation of what I’ve been harping on for the last two years – metrics,” Peterson said. “We need to be placing resources where they are proven to reduce likelihood or reduce consequence. If we don’t measure any of our efforts, then we can’t do this. Every class of security control should have an implementation effectiveness and risk reduction metric. Every consequence reduction effort should note the level of reduction. Every government initiative should have a risk based metric (not a report written or initiative started).” 

Peterson mentioned the need to start identifying success and failures. “I’m very disturbed that we don’t have more things that have been tried that have failed or not delivered as expected. Every year at S4, we try new things and some fail.” 

“It’s unfortunate that the attention OT security has garnered in recent years has led to an increasing list of security controls that are being called cyber hygiene,” Peterson added. “Many, if not most, of the recommended security controls have little impact on OT cyber risk. They sound good. They’re not bad practices or wrong. They just don’t move the risk needle in OT. And consequence reduction, which is often the most effective and efficient risk reduction, is largely ignored.” 

However, he said he is “encouraged that this year we have a number of sessions on OT cyber risk management and metrics. I don’t know if this signals a shift in the industry or a recognition that this type of session is more likely to get on stage.”

Diving into regulatory shifts reshaping industrial cybersecurity priorities

CISA’s Secure by Design pledge program and the EU Cyber Resilience Act highlight increasing regulatory focus on proactive security measures. Peterson discussed the impact of these regulations on the priorities and investments of industrial organizations and examined whether these shifts are evident in S4x25’s agenda.

Noting that the Secure by Design pledge is a feel good story with little impact, Peterson added that at best it’s a security awareness tool. “The Secure by Design effort isn’t anything new. This information has been widely available for years. Our S4 keynoter way back in 2008, Steve Lipner, was talking about this. Explaining the basic elements and importance of Secure by Design would be known by most of the S4 attendees because again we built S4 for the most experienced and forward leaning 10%. S4x25 does have some highly technical sessions that dive into specific aspects of product and system design that would be part of Secure by Design.” 

He added that CISA proposed doing a session on Secure by Design, and it wasn’t a fit. “We challenged them, and they accepted, to come to S4 with a session: What Secure By Design Aspects Should You Prioritize? The idea is where to start and what to prioritize. This is something worth discussing because the community won’t go from today’s Insecure By Design to Secure By Design in one leap.”

“I must admit to not having much insight on what is going on in Europe,” Peterson said. “One European focused session we did hunt for and get is: NIS2 As A Multi-Country Cyber Regulation Experiment. I’m personally much more interested in NIS2 since it is asset owner focused, and where else can we see a wide variety of country based regulatory efforts based on the same regulation?” 

Similarly, he added that “we have a leader at CSA in Singapore who will talk about their lessons learned and next approach to regulating critical infrastructure cyber security and risk. Singapore is a great laboratory since they have a relatively small number of critical infrastructure entities and the authority to make happen what they decide on.”

S4’s future focuses on fostering innovation and connection

S4 has become a cornerstone event for the industrial cybersecurity community. Peterson outlines his vision for the future of S4, discussing how he envisions the event evolving over the next five years to foster continued innovation and facilitate meaningful dialogue within the industry.

“I don’t see the S4 ‘Create The Future’ mission changing. We will still strive to bring together the best in the world, throw a lot of ideas at them in a creative environment that breaks their patterns, and watch what this talent does,” Peterson responded. “While we’ve talked a lot about the agenda, the largest benefit is the gathering of the people and the conversations and relationships that come from this. We spend as much or more time on the social events, open time and spaces, sponsor numbers and packages, the vibe/culture, design, and other non-session parts of S4.” 

He also noted that it’s fortunate that through the growth from 40 to 1100+ attendees there has been enough of a core group that carries forward the S4 feeling from the early years. “We get a bit nervous anytime it grows or we change venues like we are doing this year with the move to Tampa.” 

Peterson remarked that it’s a very welcoming group. “Beyond the ideas and progress, we hear that S4 is a big energy boost for attendees. I know that’s true for me as well,” he concluded.

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.


Source: https://industrialcyber.co/features/s4x25-dale-peterson-outlines-vision-for-industrial-cybersecurity-emphasizes-on-innovation-and-connection/