Report Highlights the Financial Impacts of OT Breaches

How eliminating antiquated strategies and embracing new approaches can help minimize disruptions.


The global financial impact from catastrophic cyber events that disrupt operational technology could reach nearly $330 billion annually, according to a new report from Dragos and professional-services firm Marsh McLennan. Indirect losses, including the cost of disrupted normal operations, are the exposures that many companies fail to take into consideration.

Despite numerous warnings from industry thought leaders and countless advisories from the Cybersecurity and Infrastructure Security Agency (CISA), Dragos observed that many executive teams and boards mistakenly assume that IT security reporting and improvements extend to OT environments. In reality, these cookie-cutter approaches leave soft spots in network security that bad actors repeatedly exploit.

The study also confirms that measures such as incident response planning and OT monitoring deliver substantial risk reduction. Additionally, region, industry, and revenue are key factors in determining OT cyber risk levels. North America and Europe record the highest OT event rates, and manufacturing faces the greatest likelihood of impact. 

Several industry leaders offered their thoughts in response to the report's findings:

Jeff Macre, Industrial Security Solutions Architect at Darktrace

"While incident response planning is a critical preparation step for SOCs, focusing on this step is often too reactive and overly reliant on insurance modeling. It is important to have incident response planning in any industrial organization's cyber program; however, if these organizations prioritize continuous anomaly detection tailored to OT environments, threats can be detected and stopped before they escalate, preventing dangerous impacts that can result from cyber sabotage in critical industrial sectors.

"Incident response is important, but without real-time threat intelligence and predictive analytics, SOCs may only be preparing to fail more gracefully rather than preventing failure altogether.

"Some organizations rely heavily on frameworks like SANS ICS 5 Critical Controls, but this framework may be too narrow and static for modern OT environments. The controls are useful, but they don’t fully address dynamic threat landscapes, supply chain vulnerabilities, or third-party risks in these environments. There are many effective and successful new approaches being leveraged in OT environments like AI-driven OT threat detection and response platforms, digital twins, and Zero Trust architectures that are more suited for today's OT landscape."

Thomas Wilcox, Vice President, Security Strategy at Pax8

"SOCs need to assume that a compromise will eventually occur and meet that challenge. This means streamlining identification, alert and response processes. It should not be a surprise that adversaries are leveraging AI to increase the speed of compromise. The industry needs to meet the adversarial AI use with AI-powered toolsets that recognize, alert and can begin responding.

"It will not be acceptable to move at the speed of traditional incident response processes when our adversary moves at the pace of AI.

"New SIEM and SOAR technologies are rapidly incorporating AI threat analysis and active response capabilities. While SIEM and SOAR have been buzzwords for years now, the technology is finally showing real value with the emergent threats associated with large-scale OT compromise and patterns of compromise that humans likely would miss. AI is showing it has a valued place in providing rapid visibility and response. 

"When these technologies get paired with capable endpoint threat detection, organizations gain actionable views into the point of most compromises, the human endpoint. Finally, we see increased capabilities emerging to find indications of compromise on the Internet or Dark Web. Again, these leverage AI to actively search for signs that a company may have been breached, as a last line to minimize the impact.  

"The reality is that the industry is generally lagging behind the capabilities of APTs and AI in terms of attack capabilities. We need to move more quickly to leverage AI and meet the challenge."

Chad Cragle, Chief Information Security Officer at Deepwatch

"The Dragos findings highlight a staggering cost of OT cyber risks: $330B in potential yearly losses. If your SOC manages IT/OT data, that number should send chills down your spine, and if you're a CISO responsible for that data, you're probably only getting 2.5 hours of sleep each night.

"The foundation starts with visibility into OT assets, anomaly detection tailored for industrial protocols, and incident playbooks designed for both operational and safety impacts. These aren’t just 'extras'—they are critical.

"The fastest way for many organizations to achieve this is by partnering with a Managed Detection and Response (MDR) provider. MDR expands your SOC with 24/7 monitoring, proactive threat hunting, and quick containment, all vital in OT, where every minute of downtime costs money and can threaten lives. 

"Ultimately, an OT breach has real-world consequences. The financial damage is serious, but the harm to reputation and the risk to critical infrastructure can be even more severe."

James Maude, Field CTO at BeyondTrust

"Securing remote access remains one of the top priorities for many organizations, especially in high-risk OT and ICS environments which need to be kept well away from the public internet. Organizations need to think about how to securely manage privileged access into their critical environments, ensuring that employees, vendors, and third parties have just the access and permissions needed to do their job without additional risk exposure.

"This can be combined with real-time monitoring and controls to audit and terminate access in the event of identity compromise. Relying on VPNs or Remote Desktop alone is not enough and risks introducing additional attack vectors.

"Beyond remote access, an important defense is to reduce standing privileges in the environment so that in the event an identity is compromised the ‘blast radius’ is limited. This is especially important in the age of identity attacks and hybrid environments where one compromised identity can open up paths to privileged access on dozens of systems on-prem and in the cloud that organizations weren’t aware of. 

"The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage. The identity security debt accumulated by many organizations represents a far greater risk than any other area, as it only takes the attacker logging in with the right identity and all is lost."
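To make the "blast radius" and "combinations of privileges" points concrete, the following is an added example, written for this page and not taken from the article, BeyondTrust, or any product mentioned here. It models identities, roles and systems as a small constructed graph (every account, role and host name in it is made up), computes every system a single compromised identity can transitively reach, prints the path an attacker would traverse, and then shows how revoking one standing grant (what a just-in-time or zero-standing-privilege model does) shrinks that set. Real deployments would build the graph from directory, IAM and endpoint session data rather than from a literal like this one.

```python
from collections import deque

# Constructed sample data (hypothetical names). Each key can "reach" each value:
#   identity -> role    : the identity holds the role as a standing grant
#   role     -> sys:    : the role confers admin rights on that system
#   sys:     -> identity: that identity's credentials are recoverable on the host
#                         (e.g. a service account that logs on interactively)
#   sys:     -> sys:    : the host is trusted by / can administer the other host
STANDING_GRANTS = {
    "alice@corp": {"role:helpdesk"},
    "svc-backup@corp": {"role:backup-admin"},
    "vendor-ot-support": {"role:ot-jump"},
    "role:helpdesk": {"sys:win-ws-01", "sys:win-ws-02"},
    "role:backup-admin": {"sys:file-srv", "sys:hmi-historian"},
    "role:ot-jump": {"sys:ot-jump-host"},
    "sys:win-ws-02": {"svc-backup@corp"},      # service account creds cached here
    "sys:hmi-historian": {"sys:ot-jump-host"},  # historian is trusted by the jump host
    "sys:ot-jump-host": {"sys:plc-eng-ws"},     # jump host reaches the engineering workstation
}


def reachable(start, grants):
    """Breadth-first closure: every node an attacker holding `start` can reach."""
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in grants.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(identity, grants):
    """Systems on which the identity ends up privileged, directly or transitively."""
    return {n for n in reachable(identity, grants) if n.startswith("sys:")}


def shortest_path(start, target, grants):
    """Shortest chain of grants from `start` to `target`, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in grants.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def revoke_standing(grants, holder, role):
    """Copy of the graph with one standing grant removed (the role would be issued
    only for an approved, time-boxed session instead of being held permanently)."""
    hardened = {k: set(v) for k, v in grants.items()}
    hardened.get(holder, set()).discard(role)
    return hardened


def identities(grants):
    """Every node that is neither a role nor a system, i.e. a human or service account."""
    nodes = set(grants) | {n for vals in grants.values() for n in vals}
    return sorted(n for n in nodes if not n.startswith(("role:", "sys:")))


def rank_by_blast_radius(grants):
    """Identities ordered by how many systems their compromise exposes (largest first)."""
    scored = [(i, len(blast_radius(i, grants))) for i in identities(grants)]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print("Blast radius per identity (standing grants):")
    for ident, count in rank_by_blast_radius(STANDING_GRANTS):
        print(f"  {ident:20} {count} systems")
    print("Path from a helpdesk account to the engineering workstation:")
    print("  " + " -> ".join(shortest_path("alice@corp", "sys:plc-eng-ws", STANDING_GRANTS)))
    hardened = revoke_standing(STANDING_GRANTS, "svc-backup@corp", "role:backup-admin")
    print("After making backup-admin a just-in-time grant, alice reaches:",
          sorted(blast_radius("alice@corp", hardened)))
```

The interesting output is the path: a helpdesk account, which nobody would list as "privileged", reaches the OT engineering workstation only because a service account's standing admin role and a cached credential on a workstation combine. Removing that one standing grant cuts the helpdesk account's reach from six systems to the two workstations it was meant to manage, without touching the helpdesk role itself.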

Richard Springer, Senior Director, OT Solutions at Fortinet

"We have seen an elevation of OT cybersecurity and production risk due to recent global events. Additionally, companies’ risk awareness processes are raising the prioritization of OT security to a corporate level. 

"Challenges in converging OT and IT come in a wide spectrum of complexity and maturity for OT organizations. At the most basic, organizations are connecting their OT networks for the first time, eliminating the so-called air-gap from the internet. 

"On the other side of the spectrum, there are OT organizations building out an OT security operations center (SOC), or they’ve progressed to a joint IT/OT SOC. Moving forward, and with the increased adoption of GenAI, the limited OT security resources will have tools to more easily detect and respond to cyber threats in OT networks and devices. Automation will follow, but in OT, there is always a need for special considerations and guardrails to ensure production and critical infrastructure reliability."

Agnidipta Sarkar, Chief Evangelist at ColorTokens

"Attack sophistication is on the rise, and OT/ICS organizations come to a halt when faced with a cyberattack. Unfortunately, cyber OT leadership is focusing on stopping attacks rather than stopping the explosion of attacks. We now know that it is not if, but when, the cyberattacks should happen. It’s time to invest in foundational cyber defense capabilities to dynamically change attack paths to limit the impact of any attack.

"Zero trust authentication in OT to manage both human and machine identities, combined with zero trust approaches, is a great stride to address breaches. Breach response should not lead to a full shutdown, but operate a minimum viable digital business."
