Key Takeaways
- The S4x26 conference is a significant event in the OT and ICS security community, known for promoting new ideas and public debate.
- The conference will feature a Proof of Concept Pavilion, showcasing real-world problem-solving and demanding clarity on problem-solving and success measurement.
- The event will address regulatory change, emerging threat landscapes, resilience practices, and next-generation architectures in traditional IT and OT paradigms.
- The conference is committed to growing a more diverse industrial security arena, with efforts such as the Women in ICS Security scholarship program and the Women in ICS Dinner.
- The future of OT security is being decided in Europe, with initiatives like the Cyber Resilience Act and growing pressure on vendors and integrators.
Introduction to S4x26 Conference
The S4x26 conference is shaping up to be one of the most important events in the OT and ICS security community, with a focus on catalyzing new modes of thinking and creating space for public debate, testing, and demonstrating what actually works in today’s rapidly evolving threat environment. The conference will debut a Proof of Concept Pavilion that adds a new level of realism, with eight products that intimately engage with a complete industrial automation stack. The agenda has been designed to offer a mix of deep-dive technical tracks and community formats, including keynotes, invited talks, and panel sessions that will address regulatory change and emerging threat landscapes, as well as resilience practices and next-generation architectures in traditional IT and OT paradigms.
The Culture of S4x26
What truly stands out at S4x26 is the culture, as hundreds of practitioners who don’t just soak up ideas but challenge them, remix them, and take them to the field. The conference is designed to break attendees out of their normal thought patterns, with attendee numbers cruising towards the 1,100 cap. The event is committed to growing a more diverse industrial security arena, with efforts such as the Women in ICS Security scholarship program, which will award ten scholarship packages this time, and the Women in ICS Dinner, which has grown into a significant community fixture. Combined, these efforts speak to a strategic commitment to broadening representation and participation within the industrial cybersecurity community.
Defining Success in OT Security
Dale Peterson, founder of the S4xEvent and CEO/catalyst at Digital Bond, notes that defining success is an issue the community, even the leaders, are struggling with. The conference will focus on metrics, with a big part of S4 dedicated to understanding what security controls are actually reducing the likelihood and by how much. Secure by design has moved from aspiration to regulation, with initiatives like the Cyber Resilience Act and growing pressure on vendors and integrators. The impact of these regulations on risk reduction and cyber posture improvement is an interesting question, as it will certainly increase the cost to address regulatory risk.
Cutting Through AI Hype in OT Security
AI is increasingly part of both the threat narrative and the defensive roadmap in industrial environments. However, Peterson is approaching AI at S4 in a way that cuts through hype and zeroes in on credible use cases, risks, and architectural implications for OT systems. The conference will feature a few sessions on AI’s use in defense, showing specific cases and details, and highlighting that AI will be part of several sessions related to the theme of S4x26: Connect. Peterson expects AI to increase the ease and value of connections, particularly via MCP servers, and notes that these connections will also be between non-security and security systems.
Stealthy Cyber Threats to Critical Infrastructure
Over the past year, there has been growing concern about long-term, low-visibility attacks aimed at degrading operations rather than causing immediate disruption. Peterson notes that adversaries are trying to obtain and maintain a presence on critical infrastructure networks to be positioned for a possible future attack. The conference will feature discussions on threat modeling, detection, and resilience, with a focus on the trend of ransomware on IT, preventing operations from delivering the product and service, even when the attacker has not accessed OT. Peterson emphasizes that if you can’t confidently say ransomware on IT will not have an unacceptable impact on your ability to deliver your product or service, then why are you spending money on anything else in OT security?
The Creative Engine of S4
S4 has always attracted a mix of deep technical practitioners, executives, and researchers. As the industry grows and diversifies, the conference works to balance depth with accessibility, and shapes the next generation of industrial security leaders. Peterson notes that the conference does not have a grand goal or view of itself, but rather creates a creative environment that throws a lot of ideas at attendees, giving them time to spend outside the sessions in a fun environment that breaks their patterns. The top 5% in the industry and those who have a pioneer or early adopter mindset are welcome, and the conference is designed for the person who knows most of the basics and wants to know what’s next.
The Next Phase of OT Security
Looking ahead to 2026 and beyond, Peterson examines which assumptions about industrial cybersecurity no longer hold and how the community should rethink its priorities if the goal is not just protection, but sustained operational trust in increasingly autonomous industrial systems. He notes that there is a huge amount of conventional wisdom in OT security that is wrong, and that an OT security pro needs to know the OT security 101 and 201, and then use their judgment in determining what risk reduction actions to take and what not to do. The trend is for an increasing number of government agencies, standards groups, and industry groups to create an ever-longer list of critical controls, many of which have little or no impact on risk reduction in a specific system. Instead, what is needed is the OT security pro to use their experience and judgment to pick the right mix of security controls and consequence reduction actions for their company or client, and to measure the risk reduction impact of everything they do.