
Safety First! Secure OT Against Cyber Attacks to Protect Your People and Productivity

09 December 2024

By Ray Robinson

The OT security investment paradox

Many organizations invest heavily in cyber security solutions to protect their vital IT infrastructure, pouring money into safeguarding CIA (Confidentiality, Integrity and Availability). This makes perfect sense for retailers, financial service providers, healthcare, tech companies, or education organizations, for whom IT infrastructure is their primary operating environment.

However, that emphasis on IT security is largely misplaced for industrial/manufacturing facilities and public utilities. For them, the primary means of generating revenue is their operational technology (OT), and their priority should be securing the safety and continuity of their operations.

Yet why do so many businesses that rely on OT to generate revenues still invest far more in IT security controls than in protecting their operational assets? 

An Armis report found that nearly three-quarters of OT devices are "unmanaged." In a separate McKinsey report, 96% of business leaders admit they need to invest in OT cyber security.

This paradox in investment leaves industrial and critical infrastructure organizations extremely vulnerable. They rely on OT to deliver as close to 100% uptime as possible (much like an SLA), and when an operational system or machine goes down, the impact can be devastating, now exceeding $5 million—a new record high.

But even more importantly, there are serious physical safety risks as well—a malfunction at the direction of a bad actor could create a life-threatening situation. 

The attack on the German Steelworks blast furnace could have easily caused the system to overheat and explode, putting workers at risk. Attacks on water infrastructure could have devastating effects, contaminating the water supply for untold numbers of innocent victims. Officials at American Water (which serves 14 million people in the US) admit they are "unable to predict the full impact" of the recent breach of their internal networks.

Compromised OT at a chemical plant could pose a significant threat to operators and the surrounding area, potentially creating toxic substance exposure and environmental damage. Also, consider if an energy operator were forced offline by an attack in the depths of winter, it could put lives at risk from the lack of heat.

With so much at stake, why is there a lack of investment in OT cyber security?

Recently, I've noticed a few common reasons for this coming up more and more in conversations with peers and clients. The speed and scale of innovation and digital transformation over the last several years has been staggering, and organizations still have a lot of catching up to do.

• Most just don't think of OT infrastructure as an attack surface. IT threats have dominated the landscape for so long that we forget how digitized our operational infrastructure has become. In fact, industrial teams often turn to OEMs when machinery or OT devices go down, assuming it's a technical malfunction and not recognizing the potential for it to be a cyber attack. Because they don't recognize the risk, they also exclude OT from incident response planning and tabletop exercises.

• Security hasn't kept pace with the rush to Industrial Internet of Things (IIoT) integration. Industrial operators have embraced the data gathering, productivity insights, and predictive maintenance benefits of IoT technology, but they haven't recognized the Pandora's box that this connectivity has opened in terms of security.

• They don't consider OT cyber security in their downtime cost calculations. Every company knows precisely the loss impact of equipment downtime on a weekly, daily or even hourly basis. Nevertheless, they rarely include the risk of a cyber attack in those calculations, which leaves that risk feeling ambiguous and nebulous.

• The OT environment is variable: you have an electricity substation, which is different from a gas compressor station, which is different from a food manufacturing plant, etc. IT cyber security is relatively standardized; there are solutions for securing routers, ports, software, etc., that are pretty universal. Yet, when it comes to OT, every factory and facility has different devices, industrial protocols, and setups, so crafting an OT cyber security strategy can be much more complex.

• Until recently, there haven't been penalties for OT security failures. On the IT side, the SEC, PCI, GDPR, and HIPAA requirements set standards for resilience, response, and penalties for security breaches. However, similar mandates have only recently been applied to industry and critical infrastructure through NIS and NIS 2. OSHA in the US enforces guidelines for workplace safety, but none of those address OT cyber security.  

Unfortunately, the safety risks are significant and can't be overlooked. According to a 2023 UK HSE report, some 606,000 workers are injured in the workplace per year on average, with 124 fatalities per year. Aside from the human cost of these incidents, the monetary cost stacks up to £20.7B. While individuals bear most of the brunt, a 2024 UK HSE report shows these safety incidents still cost employers £3.9B a year.

In the UK, executives can be, and have been, personally prosecuted for gross negligence manslaughter in the event of workplace fatalities where they have been found to have committed a gross breach of duty.

How to mitigate OT risks in 2025:

Between geopolitical issues, the devastating conflicts in Eastern Europe and the Middle East, not to mention China's persistent threat, and hacktivists targeting OT systems, organizations must prioritize OT security to prevent financial loss, or worse, loss of life. The recent cyber-kinetic attacks leveraging phones, pagers, and walkie-talkies shed harsh new light on the real-world consequences of supply chain vulnerabilities.

Here's how to convince decision makers to invest in OT cyber security for the benefit of your organization, your customers, and your neighboring communities: 

1) Focus on risk calculations.

Don't rely on fear, hunches, or doubt: business leaders need empirical data to understand what's on the line. Link OT cyber risk directly to the risk of downtime and the calculated potential losses.


2) Prioritize health and safety.

Safety should always be the #1 priority for every organization. Be clear about the risk of an OT malfunction, whether caused by a hacker-driven attack or even unintentionally, and the potential cost involved, both human and financial: liability, litigation, insurance premiums, environmental remediation and reputation.


3) Manage change effectively.

The pace of change in OT can make it hard for CISOs to keep up: they build a defensible architecture, then the operations department makes a change that undoes it all just six months later. OT and IT must work together to stay on the same page about new introductions, processes and adjustments.


4) Raise operator awareness.

The folks on the production floor are there to do the job, but they have to remember they're not an island. Train operators to be mindful of the security context and remind them that anything they do can unintentionally open an entry point or eliminate the air gaps designed to protect the organization.


5) Bring OT, IT, and safety to the table.

While IT and OT certainly have to work together, don't forget the safety staff responsible for monitoring, training, and incentivizing safe working practices. They may not even be thinking about the OT cyber security safety risk, but it definitely needs to be part of their sphere of influence. This is an area where large, end-to-end firms like ours can be a powerful ally: integrated threat monitoring solutions can give you a 360-degree view across the entire estate, including IoT, IT, OT, and safety, to help you identify and manage risk in complex environments.


6) Implement the SANS 5 Critical Controls.

The SANS framework provides a sensible, proven approach to OT security that's built on practices that could have reduced the likelihood of real-world attacks. Deploying this protocol establishes a solid foundation for OT security that can easily be scaled and adapted as your organization grows.

Protect your people, profits, and productivity with NCC Group

Securing OT infrastructure can feel daunting, especially when you're starting from scratch, and human health and safety are on the line. It feels urgent but almost unachievable at the same time.

NCC Group has you covered with our Facility Due Diligence services, which bring the resources, expertise, and tools you need to systematically identify, assess, and neutralize OT cyber security risks.

Our team can help you prioritize which threat vectors to address first based on real-time threat intelligence, and we can help you bring the IT, OT, and safety teams to the table for productive, data-driven discussions and solutions that protect people and support productivity.

Learn more about NCC Group's Adelard team and how they provide products and services to clients in the areas of safety, dependability, security, and risk management:
Ray Robinson

Director of Operational Technology, NCC Group

Ray has upwards of 30 years' experience in the software and cyber security industry advising clients on implementing effective strategies in Agile and waterfall project delivery streams, including security and penetration testing.

Over the last 20 years, he's become an OT specialist working in the Energy, Regulation, Public, Engineering and Finance sectors. In his role at NCC Group, Ray has worked with numerous UK Government departments and industrial sector clients on their digital transformation, ICS/OT, cloud, and cyber security programmes.

Secure your operational resilience.

Learn more about our Facility Due Diligence (FDD) service and take the first step towards a prudent, practical OT security program.