The three OT cybersecurity controls most correlated with risk reduction are: Incident Response Planning (up to 18.5% average risk reduction), Defensible Architecture (up to 17.09%), ICS Network Visibility and Monitoring (up to 16.47%).