Innovators Spotlight: Converting OT Cyber Risk Into Financial Terms With Centrii
If you’re overwhelmed by dashboards flashing red alerts constantly, this article is for you.
Over the past ten years, the OT and energy industries have been layering on cybersecurity tools as if decorating a race car with stickers. Each new vendor promises greater visibility, more alerts, and deeper context. The outcome is entirely predictable: more noise than useful signals, more alarms than actual actions, and a collection of costly technology that still fails to answer the one question that truly matters to your board:
How much money could we lose if things go wrong?
During a discussion at RSA, I met with Rafael Narezzi, the founder of Centrii, to explore how his company is working to shift OT security away from a world of flashing red indicators and into a language that CEOs and CFOs can actually grasp.
“The challenge I observed in the industry was, first, alarm fatigue: excessive noise and information that sometimes leads to false positives,” he explained. “And second, you need a large team to handle it, which AI can assist with, but what is the actual business impact?”
This question lies at the heart of Centrii’s mission: transforming the complex, technical landscape of OT cyber risk into a precise, justifiable financial exposure figure for each individual asset and entire portfolio.
This isn’t another pitch for a unified dashboard. It’s something more challenging and more sophisticated. It asks: among everything flagged as red, which issues are serious enough to cost you millions if left unaddressed?
Moving From Alert Overload to Financial Transparency
If you’re involved in critical infrastructure, Rafael is describing your daily reality.
On one end, you have operations teams whose top priority—first, second, and third—is uptime. “They want cybersecurity but also resist it,” Rafael noted, “because it affects their system availability, and availability is their primary concern.”
On the other end, you have security teams deploying sensors into environments that may already be fragile, held together by outdated routers and neglected PLCs.
“We deploy a sensor that generates numerous alarms,” he said. “And the operations staff respond, ‘Alright, what action should I take? Is this critical or not? What’s the right step? Should I shut things down?’ It quickly becomes a management headache.”
If that sounds familiar to your SOC, you’re in good company.
Rafael recognized that the industry had become highly skilled at informing operators and CISOs about what’s wrong, but completely inadequate at explaining what it costs to leave those issues unresolved.
“If you look around, every alert appears red,” he said. “Everything seems like an emergency. But what does that translate to in actual dollar terms?”
Centrii’s solution is elegantly straightforward: take all existing knowledge about assets, threats, and the operating environment, and convert it into financial impact per site and per portfolio. Not hypothetical. Not generic. Tailored to that specific turbine, that particular solar farm, that specific battery installation, in that market, at that point in time.

Merging Cybersecurity, Operations, and Finance
Fundamentally, Centrii serves as a risk translation platform for OT and energy sectors.
“We combined all the elements of cybersecurity and operations, merged them together, and produced a financial impact assessment,” Rafael said. “We monitor CVEs and threats. But rather than simply presenting them, we do what others in the field don’t: we discuss actual risk that goes beyond the threats themselves.”
This “beyond threat” dimension is where the Centrii platform delivers answers to the questions that business leaders genuinely ask:
- If a single site goes offline, what is the financial exposure?
- If ten sites are compromised simultaneously, what is the effect on the bottom line?
- Which sites, if breached, would truly make a significant difference?
“Picture having 300 assets spread across various locations worldwide,” Rafael said. “You’re managing all the variables: regulations, compliance requirements, program maturity levels, team capabilities, and language barriers. How do you express that financially for your entire portfolio? Where do you stand in terms of financial exposure from an asset perspective, from a cybersecurity standpoint?”
Centrii’s platform takes all of that complexity and condenses it into something a CFO can understand on a single slide. It calculates exposure for each individual site, then aggregates it across the entire portfolio. It tells you, in dollar amounts, how much financial risk is embedded within those wind farms, battery systems, solar installations, and hydroelectric plants.
Rafael provided a real-world example.
“If a 98-megawatt wind turbine is highly vulnerable and goes offline for a week due to a cyber incident, it could cost that asset owner $2 million in lost revenue.”
That’s a fundamentally different discussion than saying “We have 600 high-severity alerts.”
Budgeting Based on Risk That Truly Earns the Label
Every vendor claims to offer risk-based prioritization. In most cases, what they really mean is “we reorganized the alert colors again.”
Centrii’s approach is distinctly different. It doesn’t merely rank vulnerabilities by CVSS scores or threat intelligence. Centrii asks: if this asset is compromised, what is the financial consequence for the business, and how does that compare across the entire portfolio?
“When a CEO or CFO purchases our product, they recognize that it’s not about spending money across all assets indiscriminately,” Rafael said. “For instance, if they’re facing a patch management challenge, Centrii won’t blindly roll out a fix to every asset. We’ll analyze, for example, the most critical sites to determine what’s genuine and what isn’t. Perhaps they simply need to update the default password. That’s a far more cost-effective solution than a blanket approach.”
This is where Centrii becomes compelling. It transforms what is typically a vague “risk-based” narrative into a concrete financial one.
- Rather than patching everything, concentrate on sites where a single incident could eliminate a quarter of annual profit from a region.
- Rather than overpaying for cyber insurance across the board, transfer specific residual risks that you can actually quantify.
- Rather than vaguely referencing “critical” alerts, enter the boardroom and state: “These ten red items represent a potential loss of X million if left unaddressed. Here’s the cost to mitigate them. Here’s the return on investment.”
“We convert everything into business and financial outcomes based on the cyber risk presented,” Rafael said. “The problem is straightforward: you’re seeing too much red. You truly need to understand: which red items require your attention?”
At last, a question your dashboard might genuinely be able to answer.

Asset Profiling Grounded in Reality, Not Just CVSS
One reason OT risk is so hard to measure in the energy sector is that not all megawatts are created equal.
A 98 MW wind farm is fundamentally different from a 98 MW battery installation, which in turn differs from a 98 MW solar array that only generates power for eight hours a day—and none of these compare to a 20-year-old hydroelectric plant with aging equipment and outdated SCADA systems.
Centrii builds that level of detail directly into its model.
“We start by assessing the asset and building a unique profile for each type,” Rafael explained.
Beyond that, the platform also factors in:
- Facility age and degradation
“We look at the age of the facility. Why is that important? Because a 20-year-old installation will produce less energy than one that’s only five years old. Older technology isn’t as finely tuned as modern equipment, which directly affects output levels.”
- Energy market prices and geopolitical factors
“We take into account the going market rate for energy. For instance, Europe is currently experiencing a severe energy crisis. That could mean paying several times over for power just to meet your PPA obligations. These dynamics have a major effect on the bottom line and must be included in the analysis.”
- Generation patterns and irregularities
“We also analyze the asset’s own generation data, which reveals any unusual patterns or anomalies that might be occurring at the site.”
- Revenue figures and site-specific indicators
“Our clients provide us with their revenue data. When we assess risk and estimate potential revenue loss or gain, it’s tailored to that particular site and its unique circumstances.”
The outcome isn’t a one-size-fits-all risk rating applied to a category of assets. It’s an exposure assessment rooted in how that specific asset operates in practice—how it generates power, how it degrades over time, how it sells energy, and what the market consequences would be if it suddenly went offline.
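To make the per-asset exposure model above concrete, and the portfolio roll-up described earlier under “Merging Cybersecurity, Operations, and Finance,” here is an added worked example. It is not Centrii’s model or code; it is a constructed illustration of the inputs the article names (asset type, capacity, age, market price, PPA terms, revenue). Every profile value, price, site and likelihood weight is an assumption made up for this example, and the PPA treatment (committed volume must be bought back at spot during an outage) is an assumption, not something the article states.

```python
"""Per-site outage exposure for an energy portfolio, rolled up to portfolio level.

Constructed example to illustrate the per-asset model described in the article
(capacity, asset type, age, market price, PPA terms, revenue). It is not
Centrii's model or code; every profile value, price and site below is an
assumption made up for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Asset-type profiles: (capacity factor, annual output degradation).
# Assumed values; the solar factor encodes the article's "eight hours a day".
ASSET_PROFILES: Dict[str, Tuple[float, float]] = {
    "wind": (0.35, 0.016),
    "solar": (8 / 24, 0.005),
    "bess": (0.20, 0.025),
    "hydro": (0.45, 0.003),
}


@dataclass(frozen=True)
class Site:
    name: str
    asset_type: str
    capacity_mw: float
    age_years: float
    spot_price: float     # $/MWh for replacement power in the site's market
    ppa_price: float      # $/MWh the site is paid under its PPA
    ppa_fraction: float   # share of expected output committed under the PPA
    likelihood: float     # 0..1 weight from cyber findings (assumed, not a CVSS score)


def expected_generation_mwh(site: Site, hours: float) -> float:
    """Expected output over `hours`, derated for asset type and age."""
    capacity_factor, degradation = ASSET_PROFILES[site.asset_type]
    derate = (1.0 - degradation) ** site.age_years  # older plant produces less
    return site.capacity_mw * capacity_factor * derate * hours


def weekly_revenue(site: Site, hours: float = 168.0) -> float:
    """Revenue in a normal period: PPA volume at PPA price, the rest at spot."""
    mwh = expected_generation_mwh(site, hours)
    blended = site.ppa_fraction * site.ppa_price + (1 - site.ppa_fraction) * site.spot_price
    return mwh * blended


def outage_loss(site: Site, hours: float = 168.0) -> float:
    """Dollar loss if the site is offline for `hours`.

    Assumption: committed PPA volume still has to be delivered, so it is bought
    back at spot; merchant volume is simply not sold. Both terms are therefore
    valued at spot, which is why a spot price several times the PPA price makes
    the loss a multiple of the site's own revenue line.
    """
    mwh = expected_generation_mwh(site, hours)
    merchant_loss = mwh * (1 - site.ppa_fraction) * site.spot_price
    replacement_cost = mwh * site.ppa_fraction * site.spot_price
    return merchant_loss + replacement_cost


def weighted_exposure(site: Site, hours: float = 168.0) -> float:
    """Scenario loss scaled by how likely the cyber findings make that outage."""
    return outage_loss(site, hours) * site.likelihood


def rank_portfolio(sites: List[Site], hours: float = 168.0) -> List[Tuple[str, float, float]]:
    """Sites sorted by weighted exposure: (name, exposure, cumulative share of total)."""
    scored = sorted(((s.name, weighted_exposure(s, hours)) for s in sites),
                    key=lambda t: t[1], reverse=True)
    total = sum(e for _, e in scored)
    rows, running = [], 0.0
    for name, exposure in scored:
        running += exposure
        rows.append((name, exposure, running / total if total else 0.0))
    return rows


def sites_covering(sites: List[Site], share: float = 0.8, hours: float = 168.0) -> List[str]:
    """Smallest set of top-ranked sites whose exposure reaches `share` of the portfolio."""
    names = []
    for name, _, cumulative in rank_portfolio(sites, hours):
        names.append(name)
        if cumulative >= share:
            break
    return names


# Constructed portfolio: the 98 MW figures echo the article's comparison of
# asset types; prices, ages, PPA terms and likelihoods are made up.
PORTFOLIO = [
    Site("Wind-PL-01", "wind", 98, 5, spot_price=380, ppa_price=60, ppa_fraction=0.8, likelihood=0.9),
    Site("Solar-ES-02", "solar", 98, 2, spot_price=120, ppa_price=45, ppa_fraction=1.0, likelihood=0.3),
    Site("BESS-DE-03", "bess", 98, 1, spot_price=250, ppa_price=0, ppa_fraction=0.0, likelihood=0.6),
    Site("Hydro-AT-04", "hydro", 98, 20, spot_price=150, ppa_price=70, ppa_fraction=0.5, likelihood=0.5),
    Site("Wind-US-05", "wind", 20, 12, spot_price=40, ppa_price=35, ppa_fraction=1.0, likelihood=0.9),
]

if __name__ == "__main__":
    for name, exposure, cumulative in rank_portfolio(PORTFOLIO):
        print(f"{name:12s} ${exposure:>12,.0f}  cumulative {cumulative:5.1%}")
    print("Sites carrying 80% of modeled exposure:", sites_covering(PORTFOLIO))
    w = PORTFOLIO[0]
    print(f"{w.name}: one-week loss ${outage_loss(w):,.0f} "
          f"vs normal weekly revenue ${weekly_revenue(w):,.0f}")
```

Two things the numbers show that the narrative alone does not: the same 98 MW produces very different exposure depending on asset type, age and market, and a PPA-heavy site in a high spot-price market can lose roughly three times its own weekly revenue during a one-week outage, because the committed volume has to be bought back at spot. Ranking by weighted exposure rather than alert count is what lets you say “these three sites carry 80 percent of the modeled exposure.”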
Batteries, Blackouts, and Zombie Threats
If the state of the grid already worries you, what follows won’t ease your mind.
Rafael pays particular attention to large-scale battery deployments. As more data centers and renewable sources come online, grid operators are growing increasingly reliant on large battery systems to maintain stability.
That’s a double-edged sword—great for resilience, but also a tempting target for attackers.
“Another key asset we manage is BESS,” he said, referring to Battery Energy Storage Systems. “Why are BESS units so critical? Because their impact on a site’s economics is enormous.”
If batteries are activated at the wrong moment or in the wrong manner, the fallout could resemble a cyber-heist straight out of Ocean’s Eleven.
“The movie Ocean’s Eleven is actually a pretty realistic example,” Rafael noted. “The device Don Cheadle’s character used pushed more energy into the grid than it was prepared to handle, triggering a temporary blackout across Las Vegas. It took several minutes for the grid to shut down, reset, and come back online.”
Now imagine that scenario on a much larger scale.
“Consider the push toward decentralized energy, which is essential to meeting today’s data center demand,” he continued. “Picture a malicious actor gaining control of a company that operates 1,000 distributed BESS units. It’s entirely plausible for that actor to issue a dispatch command causing all those assets to operate simultaneously. The resulting imbalances could crash the grid and trigger widespread chaos and financial damage.”
This isn’t the stuff of science fiction. It’s a realistic attack scenario in environments where:
- Assets are unstaffed and remotely located.
- Networking hardware is outdated.
- Default passwords remain unchanged.
- Cybersecurity was treated as an afterthought during a decade focused solely on expanding capacity.
“We’ve encountered some form of these vulnerabilities at every single site we’ve visited,” Rafael said. “Many of these issues aren’t sophisticated at all. You don’t need a cutting-edge firewall. You need solid cyber hygiene—just the fundamentals.”
So yes, we’ve effectively turned critical infrastructure into a potential army of zombie devices.
Centrii doesn’t claim to wave a magic wand and solve all of that. What the company does is spell out, in clear financial terms, just how damaging it would be if someone decided to hit that big red button.
Regulation, Liability, and Why Europe Is on Edge
If financial figures don’t grab your leadership team’s attention, the threat of personal liability usually will.
Rafael highlighted some sharp contrasts between how the US and Europe are tackling OT security.
In the US, frameworks like NERC CIP have been in place for years, backed by substantial penalties. In Europe, the NIS2 directive has raised the stakes even further.
“European regulations differ from those in the US,” he explained. “Under NERC CIP, an organization can be fined $1 million per day if a violation occurs.”
Europe chose a different approach.
“NIS 1.0 was similar to NERC CIP—if a company experienced an incident, it faced fines and potentially the loss of its operating license,” he said. “Now Europe has introduced NIS 2.0, which introduces personal liability for executives. When you hold an individual executive personally accountable for an organization’s cyber hygiene, while also putting the company’s license at risk, things tend to change very quickly.”
This is precisely where Centrii’s approach to quantification shifts from a “nice to have” to something you may be asked to show a regulator. If you can demonstrate that you understand your exposure, have prioritized risks based on real-world impact, and have made well-informed decisions about what to mitigate versus what to transfer through insurance, you’re in a far stronger position than an operator whose only proof of security is a screenshot of a SIEM dashboard full of red alerts.
Insurance That Truly Understands What It’s Covering
When it comes to insurance, Rafael has seen Centrii customers achieve meaningful reductions in their premiums.
“We’ve seen clients cut their cyber insurance costs by 5 to 7 percent,” he said. “Those may seem like small percentages, but they translate to significant sums of money.”
The key differentiator is precision.
“Rather than approaching an insurance renewal with only a vague sense of risk, operators can come armed with a detailed catalog of quantified exposures and a clear plan,” Rafael added. “Here’s what we’ve mitigated. Here’s what remains. Here’s the modeled financial impact. Here’s what we’d like to transfer to you.”
Both insurers and CISOs tend to appreciate that level of clarity.
Not Just Another Sensor Vendor
A common concern with any OT security platform is whether it aims to become your single, all-encompassing tool. Centrii appears perfectly comfortable operating on top of whatever infrastructure you already have in place.
“Centrii does offer our own sensors,” Rafael said. “But if a company has already invested in other sensor technologies, we can integrate with them and pull the data we need. Our core value lies in translating risk into financial terms for decision-makers.”
Centrii is fully capable of ingesting data from established OT security vendors.
“All those vendors essentially do similar things—CVE tracking, criticality scoring, threat intelligence, IDS,” he said. “It’s become a commodity. What matters to us is what a customer does with that information, regardless of which sensor is running on the network.”
In a landscape where every startup claims to be “vendor neutral” while quietly trying to replace half your existing stack, that kind of focused honesty is a welcome change.
Go-to-Market: Talk Megawatts, Not Just Malware
While RSA and other cybersecurity events are valuable for brand building, Centrii understands that its actual buyers operate in the energy sector.
“Our event strategy today is a bit different,” Rafael said. “RSA is great for raising brand awareness and helps us educate CISOs on how to translate cyber risk into financial impact. But it’s not necessarily where our buyers are.”
So where are they? That’s where utility conferences, solar industry expos, and energy-focused events become critical to Centrii’s business.
“We attend a wide range of energy events”
“I regularly attend conferences focused on utilities, wind power, and solar energy, and I’m often a speaker at these events because of my deep expertise in the energy sector,” Rafael explained. “I understand that what I’m presenting to asset owners and CEOs needs to make solid financial sense to them. And I’m confident that even if a competitor is presenting at the same event, they don’t communicate in terms of megawatts the way Centrii does.”
That was one of the most understated yet incisive criticisms of conventional OT security I’ve encountered in some time.
Why CISOs Should Pay Attention
If you serve as a CISO in energy, utilities, or any sector where operational technology plays a central role, you’re already facing pressure from all sides.
- Regulators are demanding proof of sound security practices and organizational maturity.
- Boards want straightforward explanations of risk exposure expressed in financial terms, not buried in technical jargon.
- Insurers want measurable, quantifiable risk assessments, not vague assurances.
- Operations teams want fewer false alarms and minimal disruption to their workflows.
Most solutions manage to satisfy one of these groups, perhaps two. Centrii is deliberately designed to serve all of them by converting OT cyber risk into a universal language: financial impact.
You can continue debating which alerts deserve priority, or you can walk into your next meeting and say:
“These 12 facilities account for 80 percent of our modeled cyber exposure across the entire portfolio. Here’s our plan to reduce that exposure by X million over the coming quarter, along with the associated cost.”
One of those approaches is far more likely to secure the budget you’ve been told isn’t available.
What CISOs Should Do Next
If you’re tasked with protecting OT or energy infrastructure and you’re still operating in an environment where everything appears critical yet nothing is truly transparent, it may be time to shift the dialogue.
Centrii’s approach serves as a powerful reminder that winning this challenge isn’t about layering on another stream of threat intelligence or adding yet another alert dashboard. It’s about being the person in the room who can translate “30 compromised wind turbines in Poland” into “Here’s our projected loss range if this scenario affects our entire fleet, and here’s how we can reduce that impact by half.”
You can make that shift by following these steps:
- Treat your OT and energy assets as a portfolio, not merely a checklist of locations. Frame your thinking around megawatts, power purchase agreements, and revenue rather than just counting endpoints.
- Put your current vendors on the spot with a direct question: which of their outputs can you directly tie to financial exposure at both the site and portfolio level? If the response is “we can integrate with a third party for that,” you already know your next move.
- Assess platforms like Centrii that inherently combine cyber data, operational data, and financial metrics into a unified risk model.
- Involve your CFO and head of operations from the outset. If a platform can’t deliver something they can use in terms they understand, it’s unlikely to solve your actual problem.
You won’t deter nation-state threats with a more polished alert. But you can maintain grid stability, shield your directors from personal legal liability, and keep your insurance costs in check by finally understanding which red flags genuinely demand attention.
For many CISOs working in OT and energy, that alone makes this kind of approach well worth serious consideration.
Author’s Note
The author met with Rafael Narezzi for this Innovators Spotlight interview at the 2026 RSA Conference in San Francisco, held March 23rd through 25th, 2026. The discussion took place live on the expo floor, where topics like AI, autonomous agents, and the rapidly shifting OT threat environment were dominating the conversation.
For additional details, visit www.centrii.com.
About the Author
Pete Green serves as CISO and CTO of Anvil Works, a ProCloud SaaS company, and is co-author of “The vCISO Playbook: How Virtual CISOs Deliver Enterprise-Grade Cybersecurity to Small and Medium Businesses (SMBs)”. With more than 25 years of experience in information technology and cybersecurity, Pete is a highly seasoned and accomplished security professional.
Over the course of his career, he has occupied a broad spectrum of technical and leadership positions, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.
Pete has worked with clients spanning a wide range of industries, including federal, state, and local government, as well as financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.
He holds a Master of Computer Information Systems in Information Security from Boston University, designated as a National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA/CD) by the NSA and DHS, along with a Master of Business Administration in Informatics.