“Our organisation is different.”

It’s the costliest phrase in industrial security. Said with complete conviction in every sector, every region, every conversation about OT cyber risk.

Mining companies insist their operations are unlike oil and gas. Utilities claim their regulatory environment makes them a special case. Manufacturing plants highlight their legacy systems as proof they can’t follow standard approaches. Almost invariably, the OT Manager or security leader will ask: “Have you worked on our specific SCADA system before?”

The answer they want is yes. The answer that matters is: it doesn’t matter.

This isn’t arrogance. It’s pattern recognition. After hundreds of engagements across critical infrastructure, the reality is clear: the belief that “we’re different” is not a reflection of technical complexity. It’s a psychological shield. One that costs organisations time, money, and security maturity.

The objection shows up everywhere

The uniqueness delusion doesn’t surface just once. It recurs at every stage of engagement.

Pre-engagement: Skepticism. “You haven’t worked in our industry, so how can you understand our constraints?”

During assessment: Defensiveness. “That finding doesn’t apply here because our operations are more complex than what you’re used to.”

Post-findings: Resistance. “Your recommendations won’t work in our environment. We need a bespoke approach.”

At each phase, the subtext is identical: external input is less valuable than internal context. The implication is that only someone embedded in the organisation, familiar with its history and quirks, can truly understand its security posture.

That assumption is exactly backwards.

What insiders can’t see

Organisations convinced of their uniqueness are often the most blind to their actual problems. They’re too close. Too invested. Too embedded in the compromises and workarounds that have calcified into “how we do things.”

Cross-industry experience reveals what insiders miss.

The same decisions get made for the same reasons. Technology is bought before strategy is defined. Controls are applied uniformly without risk prioritisation. Communication between IT and OT remains fragmented. Business cases for security investment are weak or absent.

The same gaps persist everywhere. Organisations can’t quantify their true cyber risk position. They underestimate the effort required to manage threats over time. They confuse compliance with security, mistaking visibility tools for resilience.

The same objections mask the same failures. Uniqueness isn’t a technical reality. It’s a defence mechanism that protects against accountability, delays difficult decisions, and justifies inaction under the guise of complexity.

When a consultant with exposure to mining, utilities, oil and gas, and manufacturing walks into a plant and recognises the pattern within hours, it’s not because they’ve memorised every SCADA vendor’s manual. It’s because the problems aren’t in the technology. They’re in the thinking.

The SCADA distraction

“Have you worked with our SCADA system before?”

This question comes up constantly. It’s a distraction.

A robust security methodology doesn’t assess vendor configurations. It assesses risk. It evaluates how decisions get made, how systems are architected, how roles and responsibilities are distributed, how the organisation responds when something goes wrong.

The specific SCADA brand is almost irrelevant to those questions. Whether it’s Siemens, Schneider, Rockwell, or ABB, the fundamentals remain constant. Control logic still runs on programmable devices. Networks still connect to corporate systems. Operators still make choices under pressure. Patch management is still deferred because of production schedules.

The methodology works because it’s agnostic to surface details while focused on structural realities. The risk landscape in a Pilbara mine is not fundamentally different from a petrochemical plant in Texas or a water utility in Europe. The constraints differ. The consequences differ. The failure modes are universal.

The six problems everyone has

If every organisation is unique, why do the same problems appear in every sector?

Jumping to technology before strategy. The impulse is always the same: buy the tool, deploy the platform, get the visibility. Strategy comes later. Or not at all.

Blanket approaches to OT security controls. Everything gets treated as equally critical. No prioritisation. No trade-offs. Just a compliance checklist and a false sense of coverage.

Fragmented or hostile IT/OT communication. IT sees OT as an unsecured liability. OT sees IT as a threat to uptime. Neither side shares a common language or aligned objectives.

No strong business case for OT security. Investment is reactive, driven by incidents or audits rather than strategic planning. The CFO doesn’t understand the risk. The board doesn’t grasp the consequences.

Inability to quantify true cyber risk position. Risk assessments are either too generic to be useful or too technical to inform decisions. Leadership is left guessing.

Underestimating the effort required. Security is treated as a project with an end date, not an ongoing operational discipline. Twelve months after deployment, tools become shelfware and policies are forgotten.

These problems don’t vary by industry. They don’t change based on SCADA vendor. They don’t depend on regulatory environment. They are universal because they are human, organisational, and structural.

When ‘uniqueness’ is truly politics

The uniqueness objection isn’t always innocent. Sometimes it’s political.

Claiming your environment is special deflects accountability. If the problem is unique, no one can be blamed for failing to solve it. If the constraints are unprecedented, slow progress is justified. If external advice doesn’t apply, internal decision-making is protected from scrutiny.

It’s also a way to resist change. Transformation is hard. It disrupts comfortable routines, challenges established hierarchies, demands new ways of working. Uniqueness becomes a convenient argument that change is impossible, without directly admitting resistance.

The uncomfortable truth: organisations that insist they’re different are rarely more complex than their peers. They’re just more committed to the status quo.

The reassurance you didn’t know you needed

“Don’t worry. You’re just as bad as everyone else.”

It sounds dismissive. For the right audience, it’s actually reassuring.

If your problems are universal, the solutions are proven. You don’t need to invent a bespoke approach from scratch. You don’t need a two-year research project to figure out what works. You can learn from the accumulated experience of organisations that have already walked this path.

A methodology tested across mining, oil and gas, utilities, and manufacturing isn’t weaker because it’s general. It’s stronger. It’s been stress-tested in environments with different technologies, different risk tolerances, different operational realities. It still works.

That’s not because the methodology is simplistic. It’s because the fundamentals of risk, resilience, and decision-making don’t change. The principles scale. The process adapts. The outcomes are repeatable.

What to do when you catch yourself

If you’re a CISO or security leader, here’s the uncomfortable question: when was the last time you said “our environment is different”?

If it was recently, consider:

  • Am I describing a genuine technical constraint, or protecting a decision I don’t want challenged?
  • Am I rejecting external input because it’s wrong, or because it’s uncomfortable?
  • Am I confusing familiarity with my environment for superiority over others?

The antidote to the uniqueness delusion is humility. Not false humility or self-deprecation, but the operational humility of recognising that your challenges are not unprecedented. Others have faced them. Others have solved them. The lessons transfer.

You don’t need a consultant who has memorised your specific SCADA system. You need someone who has seen the pattern your organisation can’t see because you’re standing too close to it.

That’s not a criticism. It’s a fact. Acknowledging it is the first step toward better security.
