How Maintenance Debt Becomes a Cyber Risk

Industrial facilities run on workarounds. Bypassed interlocks, offline sensors, and temporary fixes that have been in place for years are common realities of aging equipment and limited maintenance staff. OT cybersecurity assessments track patch backlogs, CVE remediation SLAs, and network vulnerabilities, but they routinely miss the physical conditions that already exist on the plant floor. At S4x26 in Miami, security researcher Esther Stepansky presented a framework for measuring and reducing what she calls maintenance debt: the accumulation of physical and procedural gaps that give attackers persistence without requiring sophisticated tools.

Workarounds as Attack Surfaces

Traditional cybersecurity metrics are effective at tracking software vulnerabilities and network exposure. They do not capture degraded safety functions or systems operating outside their design specifications.

If an automated cooling sensor goes offline and is replaced by a manual procedural workaround, operators see a minor inconvenience. For an attacker, this persistent condition is favorable. An adversary does not need to hack a safety system if the plant has already bypassed it to maintain production. Persistence in OT environments beats novelty: attackers do not always need sophisticated zero-day exploits if they can rely on existing degraded conditions that the facility has been living with for months or years.

The difference between a maintenance problem and a security problem is often a matter of perspective. What operations teams document as a known equipment limitation is, from an adversary’s point of view, a reliable and pre-existing condition that reduces the cost and complexity of an attack.

Scoring Maintenance Debt: The Risk Priority Matrix

Stepansky proposed a methodology for converting maintenance debt from an unstructured concern into discrete, measurable objects. Every workaround, bypass, and degraded condition is logged and assigned a Risk Priority Score calculated from two factors.

Operational Dependency (scored 1 to 5) measures how much the process relies on the affected system. A score of 1 means the system provides convenience only. A score of 3 indicates impact on availability and production delays. A score of 5 means the system is safety-critical, involving risk to life or the environment.

Adversary Leverage (scored 1 to 5) measures how easily an attacker can exploit the condition. A score of 1 means exploitation requires physical access and has limited impact. A score of 5 means the condition is remotely exploitable, produces a high-impact effect, and is difficult to detect.

Multiplying the two scores produces a risk priority from 1 to 25, which maps to four response zones: Monitor (1 to 4), Plan (5 to 9), Prioritize (10 to 15), and Emergency (16 to 25). A bypassed pressure relief valve might score 5 in operational dependency and 3 in adversary leverage, producing a score of 15 (Prioritize). An offline cooling sensor scoring 4 in both categories reaches 16 (Emergency).

From Blame to Governance

Documenting maintenance debt requires a cultural shift in how facilities handle degraded conditions. After an incident, the question should be “what conditions were already degraded?” rather than “who failed?”

Some maintenance debt can be fixed immediately. Some must be managed over time. Some must be accepted because the cost of remediation exceeds the risk. But that acceptance needs to be a documented, governed decision with clear ownership, not a byproduct of deferred maintenance schedules and limited budgets. The difference between managed risk and unmanaged risk is whether the organization knows the condition exists, has scored it, and has assigned accountability for the decision to accept it.
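
The scoring matrix and the ownership rule for accepted risk, worked through as a small debt register. This is an added example, not code from Stepansky's presentation or from IIoT World. The accepted and owner fields, the tie-break rule, and the last two register rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Response zones from the article: (highest score in zone, zone name).
ZONES = [(4, "Monitor"), (9, "Plan"), (15, "Prioritize"), (25, "Emergency")]

@dataclass
class DebtItem:
    condition: str
    dependency: int               # Operational Dependency, 1 to 5
    leverage: int                 # Adversary Leverage, 1 to 5
    accepted: bool = False        # assumed field: risk formally accepted
    owner: Optional[str] = None   # assumed field: accountable role

    def __post_init__(self):
        # Reject scores outside the 1-5 scale instead of silently mis-zoning them.
        for name in ("dependency", "leverage"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1-5, got {value!r}")

    @property
    def score(self) -> int:
        return self.dependency * self.leverage

    @property
    def zone(self) -> str:
        return next(name for upper, name in ZONES if self.score <= upper)

def triage(register):
    """Highest score first; ties go to higher dependency (an assumed tie-break)."""
    return sorted(register, key=lambda i: (i.score, i.dependency), reverse=True)

def ungoverned(register):
    """Accepted items with no named owner: acceptance without accountability."""
    return [i for i in register if i.accepted and not i.owner]

# Constructed register; the first two rows use the article's example scores.
REGISTER = [
    DebtItem("Bypassed pressure relief valve", 5, 3),
    DebtItem("Offline cooling sensor, manual workaround", 4, 4),
    DebtItem("HMI alarm horn muted", 3, 2, accepted=True),
    DebtItem("Failed transmitter, gauge read manually", 1, 3, accepted=True, owner="Ops manager"),
]

if __name__ == "__main__":
    for item in triage(REGISTER):
        print(f"{item.score:>2} {item.zone:<10} {item.condition}")
    for item in ungoverned(REGISTER):
        print(f"ACCEPTED WITHOUT OWNER: {item.condition} ({item.zone})")
```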


FAQ

1. What is maintenance debt in OT security?

Maintenance debt is the accumulation of physical and procedural workarounds in industrial facilities: bypassed interlocks, offline sensors, manual procedures replacing automated safety functions, and temporary fixes that persist for months or years. These conditions create pre-existing attack surfaces that adversaries can exploit without needing sophisticated hacking tools. Security researcher Esther Stepansky presented a framework for measuring and reducing maintenance debt at S4x26.

2. How do you score maintenance debt for cybersecurity risk?

Each workaround or degraded condition is assigned a Risk Priority Score by multiplying two factors: Operational Dependency (1 to 5, from convenience to safety-critical) and Adversary Leverage (1 to 5, from physical-access-only to remotely exploitable). The resulting score from 1 to 25 maps to four response zones: Monitor (1 to 4), Plan (5 to 9), Prioritize (10 to 15), and Emergency (16 to 25).

3. Why do maintenance workarounds create OT security risks?

Workarounds bypass safety and control functions that cybersecurity defenses assume are operating normally. An attacker does not need to hack a system that the plant has already bypassed. These degraded conditions provide persistence: they are pre-existing, documented by operations as known limitations, and often not visible to cybersecurity teams that focus on software vulnerabilities and network exposure rather than physical plant conditions.


This article is based on a presentation at S4x26 in Miami by Esther Stepansky, attended by Lucian Fogoros of IIoT World. AI tools were used to help summarize and organize the content. Reviewed and edited by the IIoT World editorial team.