How the Overview Effect Can Help Us End the Cybersecurity Standards War
At the S4x24 OT cybersecurity conference, Kenneth Crowther, Product Security Leader at Xylem, delivered a thought-provoking presentation titled OT Security Standards Wars.
On the historic Apollo 8 mission, astronauts captured the iconic image of Earth rising above the Moon’s horizon. That moment, later coined the “overview effect,” represented a profound shift in perspective—a realization of interconnectedness and systemic fragility when viewing Earth as a whole. This concept serves as a metaphor for how the Operational Technology (OT) cybersecurity community must evolve. Rather than relying on fragmented, compliance-driven frameworks, there’s a growing need to step back and view the full landscape of interconnected systems, stakeholders, and risks. By adopting this broader perspective, organizations can begin to move beyond reactive standards and toward more integrated, forward-looking approaches to securing cyber-physical systems.
Why Standards Are Falling Short for OT Cybersecurity
OT systems today aren’t simple, standalone setups anymore—they’re sprawling, interconnected webs of vendors, cloud services, asset owners, and data; think Industrial Internet of Things (IIoT). Every piece of physical equipment now creates valuable data, which means companies aren’t just selling products—they’re selling ongoing services, insights, and subscriptions. It’s a big shift, and it’s pushing OT into complex, multi-stakeholder territory.
But the standards we rely on haven’t caught up. Frameworks like IEC 62443 are solid, but they’re built around narrow, stove-piped use cases—one standard for components, another for systems, another for integrators. That doesn’t reflect how modern systems actually work. Today’s environments:
- Involve multiple owners and stakeholders
- Have complex interconnections
- Need real-time coordination across layers
Trying to secure these systems using fragmented standards can be messy, slow, and increasingly unworkable. It’s clear the old approach isn’t scaling with the new reality.
The Root of the Problem: Standards Wars
The OT cybersecurity and cyber-physical systems security space is overwhelmed by a growing list of fragmented, overlapping standards. Each was created in response to a specific need, often by volunteer-driven groups trying to reach quick consensus. This leads to narrowly scoped documents that don’t align—forcing asset owners and integrators to make sense of it on their own.
Standards bodies operate like information businesses, prioritizing speed and scope over cohesion. The result is what Kenneth Crowther calls “standards wars”: too many disconnected rules with no clear way to integrate them. This framing of a “standards war” was inspired by a concept shared by Mark Oakes, PSP, during a personal mentoring conversation. His insights helped shape the lens through which this presentation was developed.
The slide below shows just a fraction of today’s standards explosion—a mess that mirrors the chemical industry’s past, which wasn’t solved until global harmonization saved billions of dollars. OT security may need the same kind of fix.
A New Path Forward: SAE’s Security Assurance Framework
To break out of the cycle of fragmented and rigid standards, we need a framework that can support this multi-stakeholder environment. An example is the SAE G-32 committee’s approach to cyber physical systems security engineering: JA7496, a framework built around the idea of exchangeable security assurance cases. Instead of relying on static checklists or one-size-fits-all controls, this model allows organizations to create security claims that are specific to their system, development process, and risk environment—while remaining objective, verifiable, and adaptable across stakeholders.
At the core of JA7496 are three foundational pillars that make this flexibility possible:
- Technical Processes: A structured but tailorable set of lifecycle tasks that can align with any development, acquisition, or operational process.
- Risk Management Framework: Decisions are tied back to clearly defined risk scenarios, allowing for traceability and justification—regardless of the risk modeling method used.
- Domains of Consideration: A broad set of security areas mapped to existing standards, enabling organizations to mix and match the guidance they need without losing coherence.
Together, these pillars form a flexible foundation for building interoperable assurance cases—designed to evolve with the complexity of today’s cyber-physical systems. It’s not about throwing out standards, but about creating a common language to make them work together.
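To make the three pillars concrete, here is a small, added illustration (not code from the talk, from SAE, or from JA7496) of what an exchangeable assurance case could look like as data: claims tied to named risk scenarios, backed by evidence a reviewing stakeholder can follow, and mapped to domains that point at existing standards. The schema, the domain-to-standard table, and the sample pump-controller case are all assumptions constructed for the example; the validation simply enforces the traceability property the description above emphasises, so a case with a dangling claim is flagged rather than silently exchanged.

```python
"""Illustrative model of an exchangeable security assurance case.

Added example, not code from the S4x24 talk or from SAE JA7496. It assumes a
hypothetical minimal schema: every claim is justified by a risk scenario,
backed by evidence, and mapped to domains that reference existing standards.
"""
from dataclasses import dataclass, field, asdict
import json

# Hypothetical domain -> standard mapping ("Domains of Consideration" pillar).
# Domain names are illustrative; the standard numbers are real IEC 62443 parts.
DOMAIN_STANDARDS = {
    "network_segmentation": "IEC 62443-3-3",
    "secure_development": "IEC 62443-4-1",
    "component_requirements": "IEC 62443-4-2",
}


@dataclass
class RiskScenario:
    scenario_id: str
    description: str
    likelihood: str  # method-agnostic label, e.g. "low" / "medium" / "high"
    impact: str


@dataclass
class Evidence:
    evidence_id: str
    kind: str        # "test_report", "design_review", "pentest_report", ...
    reference: str   # pointer another stakeholder can follow and verify


@dataclass
class Claim:
    claim_id: str
    statement: str
    risk_scenarios: list[str] = field(default_factory=list)
    domains: list[str] = field(default_factory=list)
    evidence: list[Evidence] = field(default_factory=list)


@dataclass
class AssuranceCase:
    system: str
    scenarios: list[RiskScenario] = field(default_factory=list)
    claims: list[Claim] = field(default_factory=list)

    def validate(self) -> list[str]:
        """Return traceability problems; an empty list means the case is coherent."""
        known = {s.scenario_id for s in self.scenarios}
        problems = []
        for c in self.claims:
            if not c.risk_scenarios:
                problems.append(f"{c.claim_id}: no risk scenario justifies this claim")
            for sid in c.risk_scenarios:
                if sid not in known:
                    problems.append(f"{c.claim_id}: references unknown scenario {sid}")
            if not c.evidence:
                problems.append(f"{c.claim_id}: no evidence, claim is not verifiable")
            for d in c.domains:
                if d not in DOMAIN_STANDARDS:
                    problems.append(f"{c.claim_id}: domain {d} maps to no standard")
        return problems

    def to_json(self) -> str:
        """Serialise the case for exchange with an integrator or asset owner."""
        return json.dumps(asdict(self), indent=2)


def coverage(case: AssuranceCase) -> dict[str, list[str]]:
    """Map each risk scenario to the claims addressing it; empty lists are gaps."""
    cov: dict[str, list[str]] = {s.scenario_id: [] for s in case.scenarios}
    for c in case.claims:
        for sid in c.risk_scenarios:
            if sid in cov:
                cov[sid].append(c.claim_id)
    return cov


def build_sample_case() -> AssuranceCase:
    """Constructed sample: a pump controller with one traceable and one dangling claim."""
    case = AssuranceCase(system="pump-station-controller (constructed sample)")
    case.scenarios = [
        RiskScenario("RS-1", "Remote actor reaches the controller from the business network", "high", "high"),
        RiskScenario("RS-2", "Tampered firmware image accepted during update", "medium", "high"),
    ]
    # Well-formed claim: scenario, standard-backed domain, and evidence all present.
    case.claims.append(Claim(
        "C-1", "Controller is only reachable through the segmented OT network",
        risk_scenarios=["RS-1"], domains=["network_segmentation"],
        evidence=[Evidence("E-1", "test_report", "segmentation-test-2024Q1 (constructed)")],
    ))
    # Dangling claim: no scenario, unmapped domain, no evidence -> three findings.
    case.claims.append(Claim(
        "C-2", "Firmware images are signed", domains=["firmware_integrity"],
    ))
    return case


if __name__ == "__main__":
    sample = build_sample_case()
    for problem in sample.validate():
        print("FINDING:", problem)
    print("coverage:", coverage(sample))
```

Running the module prints three findings, all against C-2, and shows RS-2 with no covering claim, which is the kind of gap a shared assurance-case format lets a downstream stakeholder spot before accepting the case. The scenario model is deliberately method-agnostic (free-text likelihood and impact labels), matching the description's point that traceability should hold regardless of the risk modeling method used.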
Call to Action: Building a Harmonized Future
As Kenneth Crowther illustrated, the complexity of today’s OT systems demands more than a patchwork of rigid standards. These systems span multiple vendors, technologies, and environments—and there’s no single asset owner managing it all. Ensuring their security requires a shared language for trust, one that allows each stakeholder to make and evaluate assurance claims in a way that’s transparent, flexible, and traceable.
The good news? This kind of interoperability isn’t just theoretical. Other industries have done it—Airbus with component suppliers, Patagonia with sustainability disclosures, and Walmart with local cold chains. The same principles can be applied to OT cybersecurity. Dr. Crowther’s message is clear: the tools exist, the need is urgent, and the community is capable. It’s time to move beyond stove-piped standards and start building systems that reflect how the world actually works—together.