Operational Technology (OT) is the beating heart of critical infrastructure—power grids, manufacturing plants, oil refineries, and water systems. But according to Dragos's newly-released 2025 OT Security Financial Risk Report, produced with independent analysis from Marsh McLennan, OT remains a massive "billion-dollar blind spot" in cyber risk modeling.
For the first time, insurance industry statistical modeling has quantified the global financial impact of OT cyber incidents and the measurable risk reduction from specific cybersecurity controls. The results in the report aren't just eye-opening; they should drive a serious recalibration of OT security investment strategies.
The study estimates that OT cyber incidents will generate up to $31.1 billion in global financial risk over the next 12 months, even without business interruption (BI) claims.
When BI claims are involved, average annual risk is $12.7 billion, but a worst-case "tail event" (0.4% likelihood) could push BI-related OT losses to $172.4 billion in a single year.
In the same worst-case scenario, total OT-related cyber risk could hit $329.5 billion globally—a staggering figure that excludes warfare, espionage, and pre-positioning impacts.
Indirect costs—such as abundance-of-caution shutdowns, ripple effects through supply chains, and prolonged recovery—make up approximately 70% of OT breach costs and often outpace direct losses.
Risk varies significantly by industry, region, and revenue:
- Highest sector risk: Manufacturing, especially sub-sectors like Chemical Manufacturing (3.43% in North America) and Pharma (3.28% in North America)
- Regional hotspots: North America and Europe see the highest event rates; for utilities, North America has a 2.17% likelihood of an event in electric power generation and distribution.
- Revenue effect: Larger organizations face a higher likelihood of OT breaches due to increased attack surface and visibility.
"Attack sophistication is on the rise, and OT/ICS organizations come to a halt when faced with a cyberattack," said Agnidipta Sarkar, Chief Evangelist at ColorTokens. "Unfortunately, cyber OT leadership are focusing on stopping attacks rather than stopping the explosion of attacks. We now know that it is not if, but when the cyberattacks should happen. It's time to invest in foundational cyber defense capabilities to dynamically change attack paths to limit the impact of any attack."
Sarkar continued, "Zero trust authentication in OT to manage both human and machine identities, combined with zero trust approaches, are great strides to address breaches. Breach response should not lead to a full shutdown, but operate a minimum viable digital business."
The study mapped insurance claims data to the SANS ICS 5 Critical Controls to assess their measurable impact on risk reduction (average risk reduction per control):
- Incident response: 18.46%
- Defensible architecture: 17.08%
- Network visibility and monitoring: 16.47%
- Risk-based vulnerability management: 12.87%
- Secure remote access: 12.18%
Incident Response Planning stood out as the single most effective measure; yet Dragos notes that many boards assume IT incident response extends to OT, when it often does not.
"While incident response planning is a critical preparation step for SOCs, focusing on this step is often too reactive and overly reliant on insurance modeling," said Jeff Macre, Industrial Security Solutions Architect at Darktrace. "It is important to have incident response planning in any industrial organization's cyber program, however, if these organizations prioritize continuous anomaly detection tailored to OT environments, threats can be detected and stopped before they escalate—preventing critical system outages and potentially saving loss of life or other dangerous impacts that can result from cyber sabotage in critical industrial sectors. Incident response is important, but without real-time threat intelligence and predictive analytics, SOCs may only be preparing to fail more gracefully rather than preventing failure altogether."
"Some organizations rely heavily on frameworks like SANS ICS 5 Critical Controls, but this framework may be too narrow and static for modern OT environments," Macre continued. "The controls are useful, but they don't fully address dynamic threat landscapes, supply chain vulnerabilities, or third-party risks that are increasingly relevant in these environments. There are many effective and successful new approaches being leveraged in OT environments, such as AI-driven OT threat detection and response platforms, digital twins, and Zero Trust architectures, that are more suited for today's OT landscape."
The report provides key strategic takeaways for cybersecurity leaders:
1. Quantify OT security ROI: For the first time, leaders can use financial modeling to justify OT security budgets. This isn't a direct ROI calculation, but it offers credible loss-avoidance estimates to present to boards and insurers.
2. Prioritize high-impact controls: Incident Response, Defensible Architecture, and Network Visibility deliver the biggest modeled risk reductions. These should be early focus areas, especially for resource-constrained operators.
3. Consider insurance leverage: Underwriters can use control implementation status to influence coverage and rates. OT operators who demonstrate maturity in these controls may secure more favorable terms.
4. Don't underestimate indirect costs: Indirect losses are both more common and more expensive over time. This underscores the need for resilience planning, not just breach prevention.
Based on the findings, Dragos advises organizations to:
- Define and test an ICS Incident Response Plan aligned to OT-specific threats
- Build a defensible architecture that limits adversary movement
- Establish OT network visibility to detect threats early
- Adopt risk-based vulnerability management to focus on vulnerabilities that matter in OT environments
- Implement secure remote access controls to reduce exposure from vendor and third-party connectivity
U.S. CISA has offered guidance on OT cybersecurity in a new report, Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators. According to an August 13th CISA release:
"This guidance was developed to provide operational technology (OT) owners and operators across all critical infrastructure sectors with a systematic approach for creating and maintaining an OT asset inventory and supplemental taxonomy—essential for identifying and securing critical assets, reducing the risk of cybersecurity incidents, and ensuring the continuity of the organization's mission and services. By following the outlined process, organizations can enhance their overall security posture, improve maintenance and reliability, and ensure the safety and resilience of their OT environments. This guidance was created by CISA in partnership with:
- U.S. Environmental Protection Agency
- U.S. National Security Agency
- U.S. Federal Bureau of Investigation
- Australian Signals Directorate's Australian Cyber Security Centre
- Canadian Centre for Cyber Security
- Germany's Federal Office for Information Security
- Netherlands' National Cyber Security Centre
- New Zealand's National Cyber Security Centre"
Richard Springer, Senior Director of OT Solutions at Fortinet, offered several perspectives:
- "We have seen an elevation of OT cybersecurity and production risk due to recent global events. Additionally, companies' risk awareness processes are raising the prioritization of OT security to a corporate level. We are seeing these efforts led by the CISO and/or CIO, which often includes additional funding and resources to more adequately address their OT security posture."
- "Challenges in converging OT and IT come in a wide spectrum of complexity and maturity for OT organizations. At the most basic, organizations are connecting their OT networks for the first time, eliminating the so-called air-gap from the internet. On the other side of the spectrum, there are OT organizations that are building out an OT security operations center (SOC) or have progressed to a joint IT/OT SOC. For example, Fortinet simplifies this strategic initiative for customers with our OT Security Platform, which is an extension of the enterprise, or IT, security fabric. The combination of an integrated platform, along with a common operating system, FortiOS, puts our customers in a strong position to execute on their IT/OT convergence plans."
- "Legacy systems and older OT devices pose a tremendous challenge in industrial organizations. Although these devices are very reliable, many were produced in a time when cybersecurity wasn't a reality. Therefore, the OT devices are vulnerable and don't have the ability to be upgraded to include cybersecurity features. Fortunately, there are several mitigation techniques, or compensating controls, for these legacy and vulnerable OT devices. The use of a modern next-generation firewall (NGFW) with security services included will provide a secure network connection that can understand OT network, or OT protocol, traffic. Secondly, segmentation and micro-segmentation with industrial switches prevents lateral movement by bad actors in OT networks. Next, virtual patching, or shielding, protects unpatched OT devices until a patch can be deployed—if a patch is ever created at all. Lastly, the use of deception, or honeypots, can serve as an early warning system if bad actors are investigating the virtual decoys that mimic the vulnerable device."
- "Moving forward, and with the increased adoption of GenAI, the limited OT security resources will have tools to more easily detect and respond to cyber threats in OT networks and devices. Automation will follow, but in OT, there is always a need for special considerations and guardrails to ensure production and critical infrastructure reliability."
- "Securing remote access remains one of the top priorities for many organizations, especially in high-risk OT and ICS environments which need to be kept well away from the public internet. Organizations need to think about how to securely manage privileged access into their critical environments, ensuring that employees, vendors, and third parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real-time monitoring and controls to audit and terminate access in the event of identity compromise. Relying on VPNs or Remote Desktop alone is not enough and risks introducing additional attack vectors."
- "Beyond remote access, an important defense is to reduce standing privileges in the environment so that in the event an identity is compromised the 'blast radius' is limited. This is especially important in the age of identity attacks and hybrid environments where one compromised identity can open up paths to privileged access on dozens of systems on-prem and in the cloud that organizations weren't aware of."
- "The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements, and roles that could be exploited by an attacker to elevate privilege, move laterally, and inflict damage. The identity security debt accumulated by many organizations represents a far greater risk than any other area, as it only takes the attacker to log in using the right identity and all is lost because of the paths to privilege that flourish in their environment."
- "Understanding and reducing your identity attack surface should be at the forefront of every organization's thinking when it comes to cyber defense moving forward."
For more insights on this topic, attend the SecureWorld Critical Infrastructure virtual conference on August 28, 2025. See the agenda and register here.