AJ Eserjose, Regional Director for the Operational Technology Information Sharing and Analysis Center (OT-ISAC), writes about how the information shared among members of a hub such as OT-ISAC creates predictive resilience. Attack, threat, and risk signals contributed by different members are aggregated into comprehensive intelligence that improves overall cyber and operational resilience.
Cyber Resilience
Industrial
Operational Resilience
Operational Technology
Risk Management

How Collective Intelligence Enhances Predictive Resilience

AJ Eserjose / May 20, 2026

The phrase "predictive resilience" is used loosely. In an operational technology (OT) context, it means something specific: the ability to anticipate where the next disruption is likely to land — by sector, by asset class, by attack pattern — early enough to change posture before it arrives. It is not prediction in the sense of forecasting individual incidents. It is prediction in the sense that an experienced operator looks at the weather and decides which units to run hot.

What we have learned after years of running the OT Information Sharing and Analysis Center (OT-ISAC) alongside Asia-Pacific critical infrastructure operators is that predictive resilience is not a capability an individual operator can build alone. It is a property of the community. No single member sees enough of the threat landscape to anticipate what is coming. The signal is in the aggregate.

This is what collective intelligence does. It compresses the distance between the operator being hit and the operator about to be.

A Pattern Nobody Sees Alone

Consider a pattern we observe regularly: a vulnerability is disclosed in a widely deployed OT component—a protocol library, a runtime stack, an HMI vendor's update mechanism. Within hours, scanning activity picks up against exposed instances. Within days, the first opportunistic exploitation appears, almost always against the most exposed and least monitored deployments. Within weeks, the same exploit chain is being used more selectively, against targets where the attacker has done reconnaissance.

For any single operator, this looks like unrelated events. The scanning is background noise. The opportunistic exploitation happens to someone else. The selective campaign, when it arrives, looks like a fresh incident.

For a community sharing observations in near-real-time, this looks like a single arc. The scanning is the leading indicator. The opportunistic exploitation tells you which deployments are most exposed. The selective campaign tells you what the attacker has learned. By the time the third stage is visible, members tracking the first two have already adjusted segmentation, tightened monitoring, and briefed operations leadership on what a worst-case decision would look like.

That is predictive resilience in practice. It is not magic. It is structural.

What OT-ISAC Members Contribute; What They Get Back

People sometimes assume ISAC value flows in one direction — members consume intelligence produced by the centre. The reality is the opposite. The most valuable signal in any given week is almost always something a member observed and chose to share early, often before they had a complete picture of what it meant.

A member notices an unusual authentication pattern against a vendor remote-access portal. Three days later, two other members report the same pattern. A week later, the vendor confirms a vulnerability. The members who shared the early signal — and those paying attention when others shared theirs — were running with adjusted access controls before the advisory came out.

This is the mechanism that makes the community more predictive than any of its individual members. The investment a member makes in sharing a partial observation is repaid, on average, by the partial observations of dozens of others.

Three Patterns Only Collective Intelligence Reveals

There are categories of insight that do not emerge from a single operator's vantage point. Three matter most for OT.

Sector-Wide Pre-Positioning 

When the same reconnaissance tradecraft appears across multiple members in the same sector within a short window, the inference is not that each member has an isolated problem. The inference is that the sector is being mapped, and the actor has not yet decided when to act. This is the most actionable form of strategic intelligence we produce, and it only exists in the aggregate.
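
The cross-member correlation described above (and in the earlier vendor remote-access portal scenario), sketched as an added example that is not OT-ISAC's own code or tooling: it flags a sector once a minimum number of distinct members report the same tradecraft fingerprint inside a sliding window. The sighting format, member names, fingerprint labels, 7-day window and threshold of three are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sightings: (timestamp, member, sector, tradecraft fingerprint).
SIGHTINGS = [
    ("2026-03-02T08:10", "member-A", "power", "vendor-portal-auth-pattern"),
    ("2026-03-05T14:30", "member-B", "power", "vendor-portal-auth-pattern"),
    ("2026-03-05T19:05", "member-C", "power", "vendor-portal-auth-pattern"),
    ("2026-03-06T02:00", "member-A", "power", "vendor-portal-auth-pattern"),  # repeat, same member
    ("2026-03-03T11:00", "member-D", "water", "vendor-portal-auth-pattern"),
    ("2026-03-20T09:00", "member-E", "water", "vendor-portal-auth-pattern"),  # 17 days later
    ("2026-03-04T10:00", "member-B", "power", "hmi-update-probe"),            # single reporter
]

def sector_clusters(sightings, window=timedelta(days=7), min_members=3):
    """Alert when >= min_members distinct members in one sector report the
    same fingerprint within `window`. One alert per (sector, fingerprint),
    raised at the sighting that first crosses the threshold."""
    groups = defaultdict(list)
    for ts, member, sector, fingerprint in sightings:
        groups[(sector, fingerprint)].append((datetime.fromisoformat(ts), member))

    alerts = []
    for (sector, fingerprint), events in sorted(groups.items()):
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            # Count distinct members, so one noisy reporter cannot trigger it.
            members = {m for _, m in events[start:end + 1]}
            if len(members) >= min_members:
                alerts.append({
                    "sector": sector,
                    "fingerprint": fingerprint,
                    "members": sorted(members),
                    "first_seen": events[start][0].isoformat(),
                    "crossed_at": events[end][0].isoformat(),
                })
                break
    return alerts

if __name__ == "__main__":
    for alert in sector_clusters(SIGHTINGS):
        print(alert)
```

Counting distinct members rather than raw sightings is the point: member-A's own view never exceeds one reporter, while the aggregate crosses the threshold on the third member's report.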

Supply Chain Blast Radius

A vulnerability in a widely deployed OT component affects different members differently, depending on how it is deployed, configured, and exposed. The first member to do the impact analysis usually does so in isolation, under time pressure, with incomplete information. The fifth member, inside a community sharing analysis along the way, does it in a fraction of the time and with a more accurate result.

Early Commodity-to-OT Crossover

Tooling built for IT crime is now landing on jump hosts, historians, and engineering workstations more often than it used to. The members who see this earliest are those with the broadest IT-OT visibility, but everyone in their sector benefits. The signal converts into changed posture across an entire member base within days, not months.

Looking Ahead to Broader Situational Awareness

OT-ISAC recognises that resilience now extends beyond cyber defence. It spans supply chain dependencies, cloud reliance, third-party risk, workforce readiness, geopolitical tension, and engineering governance. Convergence between IT, OT, cloud, artificial intelligence (AI), and industrial operations means isolated cybersecurity approaches no longer match the problem. Situational awareness has to be broader, and the ecosystems producing it more collaborative.

This is particularly visible across Asia-Pacific, where critical infrastructure maturity varies significantly between sectors and countries. Some operators run advanced OT security programmes; others are at the beginning of their resilience journey. A collective intelligence community lets both groups move forward together — accelerating learning, benchmarking practice, and building capability shoulder-to-shoulder rather than each operator solving the same problems alone.

There is a cultural shift underneath this. Cybersecurity was historically treated as a competitive or self-contained function. That framing is breaking down because the threat does not respect it. An incident affecting one operator, supply-chain partner, or service ecosystem now produces downstream effects across multiple industries within hours. Resilience, in that environment, is interconnected by default.

OT-ISAC's role is not simply facilitating information sharing. It is to hold open the collaborative ecosystem that lets operators strengthen preparedness, awareness, and strategic decision-making together. As industrial environments change, the importance of trusted communities will keep growing — because technology alone will not close the gap.

The organisations best positioned for what is coming are not those defending in isolation. They are the ones participating in communities that produce broader visibility, faster learning, and stronger outcomes than any operator can build alone. 

That is where OT-ISAC seeks to contribute — as a community helping critical infrastructure stakeholders strengthen resilience together.

AJ Eserjose
Regional Director, Operational Technology Information Sharing and Analysis Center

AJ Eserjose is Regional Director for the Operational Technology Information Sharing and Analysis Center (OT-ISAC), a trusted hub for secure threat intelligence exchange to strengthen the cybersecurity posture of critical infrastructure across Asia-Pacific. AJ leads the strategic growth and operational development of OT-ISAC, focusing on innovation programs, alliance-building, and deepening engagement with members, alliance partners, and key stakeholders.