Business leaders neglect operational technology (OT) risk at their peril. These are the systems that power some of the UK’s most critical national infrastructure (CNI) – from nuclear power plants to water treatment facilities. Unlike IT threats, attacks targeting OT could have a direct physical impact on the populace. Yet still, CNI boards are often guilty of prioritising other business goals over cybersecurity.
That might be about to change with the publication of a new report from OT security specialist Dragos. Backed by independent analysis from insurer Marsh McLennan, it reveals that the annual financial risk associated with OT incidents could be as much as $329.5bn. The question is: if boards finally start listening to their CISOs, what happens next?
Why Is OT at Risk?
OT security isn’t terrible across the board. But common failings include:
- Legacy equipment with a long service life, often running outdated software because newer versions are incompatible with the hardware or because the system cannot easily be taken offline to patch
- Historic risk management that relied on air-gapping OT systems from the public internet. That model is failing as OT converges with IT and devices are fitted with connectivity
- A priority order that puts availability and safety ahead of security
As a result, many OT environments miss critical updates, run outdated and insecure communications protocols, and sit on flat, unsegmented networks. Asset visibility is often poor, and authentication is weak, with static passwords on endpoints.
Security issues like these were famously exploited by Chinese threat actors to “pre-position” themselves on US CNI networks, with the aim of launching destructive attacks in the event of a conflict. According to Marsh McLennan, the sectors most commonly hit by OT breaches over the past decade were:
- Healthcare (27%)
- Construction (27%)
- Manufacturing (16%)
- Building automation (3%)
- Utilities (2%)
What the Report Says
To arrive at its figure for OT risk, thought to be the first time financial risk has been measured in this way, Marsh McLennan crunched data from one of the world’s largest insurance claims databases. It also analysed independent third-party data, insurability reports, and breach recovery reports – covering the period 2014-2024.
Alongside the worst-case scenario of OT cyber incidents resulting in financial risk of nearly $330bn annually, the report notes that incidents resulting in a business interruption claim could drive $172bn in losses. Interestingly, a large share of these losses comes from indirect costs, which are often left out of risk modelling. Some 70% of OT breaches incur such costs, which stem from related operational disruption and “abundance-of-caution” shutdowns.
“The complexities of interconnected OT systems can often introduce compounding aggregate risk in these environments,” the report notes.
A C-suite Concern
According to Dragos, organisations have historically struggled to manage OT risk because:
- They couldn’t quantify financial exposure linked to specific incidents
- They couldn’t measure the effectiveness of OT security controls
- They lacked independent benchmarks to inform them which controls matter most, and why
Now they have better insight, thanks to the report. It highlights the following five controls as most effective in reducing “the likelihood and severity of financial loss” from an OT breach:
- Incident response plans
- Defensible architecture
- Network visibility and monitoring
- Secure remote access
- Risk-based vulnerability management
Dragos field CTO, Phil Tonkin, explains that building a defensible architecture must start with an understanding of the physical processes and safety-critical systems that industrial operations are built on.
“A defensible architecture in OT must be designed to withstand targeted attacks, accidental disruptions, and other failures. This means isolating control networks from enterprise systems, enforcing strict access controls for remote connectivity, and ensuring visibility into every asset and communication pathway,” he tells ISMS.online.
“It also requires designing systems with resilience in mind. This means that, even if a breach occurs, the impact is contained and recovery can be swift. The architecture needs to reflect the operational realities of any industrial control system – not just the theoretical models of IT security. It’s about engineering trust into the infrastructure itself.”
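The three requirements Tonkin lists (control networks isolated from enterprise systems, remote connectivity funnelled through strict access controls, and visibility into every asset and communication pathway) can be checked mechanically against observed traffic. The script below is an added example, not code from Dragos or from the report: it encodes a hypothetical zone layout (enterprise IT, an industrial DMZ holding a remote-access jump host, and a control network), a permitted set of conduits between zones, and a constructed asset inventory, then audits a handful of constructed flow records for the failings described earlier on this page: enterprise hosts reaching control assets directly over a flat network, cleartext protocols terminating on control devices, remote sessions that bypass the jump host, and devices talking on the wire that nobody has inventoried. All addresses, port assignments and host names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout, constructed for this example: enterprise IT, an
# industrial DMZ that hosts the remote-access jump host, and the control network.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
}
JUMP_HOST = ipaddress.ip_address("10.1.0.5")  # assumed remote-access broker in the DMZ

# Constructed asset inventory. Anything seen on the wire that is missing here is an
# unknown asset, i.e. the visibility gap the text warns about.
INVENTORY = {
    "10.0.3.7": "engineering-laptop",
    "10.1.0.5": "jump-host",
    "192.168.10.20": "plc-line1",
    "192.168.10.21": "hmi-line1",
    "192.168.10.30": "historian",
}

# Conduits the architecture permits: (source zone, destination zone, destination port).
ALLOWED_CONDUITS = {
    ("enterprise", "dmz", 443),     # users reach the jump host over TLS
    ("dmz", "control", 3389),       # jump host opens RDP sessions to HMIs / engineering stations
    ("control", "control", 502),    # Modbus/TCP between PLC, HMI and historian stays in-zone
    ("control", "control", 44818),  # EtherNet/IP likewise
    ("control", "dmz", 443),        # historian replicates data outward to the DMZ
}

# Cleartext or unauthenticated services that should never terminate on a control asset.
RISKY_PORTS = {23: "telnet", 21: "ftp", 80: "http"}

# Constructed flow records in "src dst dport" form, as a flow collector might export them.
SAMPLE_FLOWS = """\
10.0.3.7 10.1.0.5 443
10.1.0.5 192.168.10.21 3389
192.168.10.21 192.168.10.20 502
10.0.3.7 192.168.10.20 502
10.0.3.7 192.168.10.20 23
192.168.10.99 192.168.10.20 502
10.1.0.9 192.168.10.21 3389
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined zones is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(flow: Flow) -> list[str]:
    """Return the policy findings for one flow; an empty list means the flow is permitted."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for ip in (flow.src, flow.dst):
        if ip not in INVENTORY:
            findings.append(f"unknown asset {ip} on the wire (not in inventory)")
    if (src_zone, dst_zone, flow.dport) not in ALLOWED_CONDUITS:
        findings.append(f"no conduit permits {src_zone}->{dst_zone} on port {flow.dport}")
    if src_zone == "enterprise" and dst_zone == "control":
        findings.append(f"enterprise host {flow.src} reaches the control network directly, bypassing the DMZ")
    if dst_zone == "control" and flow.dport in RISKY_PORTS:
        findings.append(f"cleartext {RISKY_PORTS[flow.dport]} session into control asset {flow.dst}")
    if src_zone == "dmz" and dst_zone == "control" and ipaddress.ip_address(flow.src) != JUMP_HOST:
        findings.append(f"remote access into control from {flow.src}, which is not the jump host")
    return findings


def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def audit(text: str) -> dict[str, list[str]]:
    """Audit every flow in the export; keys are 'src->dst:port', values are the findings."""
    return {f"{f.src}->{f.dst}:{f.dport}": check_flow(f) for f in parse_flows(text)}


if __name__ == "__main__":
    for key, findings in audit(SAMPLE_FLOWS).items():
        status = "ALERT" if findings else "ALLOW"
        print(f"{status} {key}  {'; '.join(findings)}")
```

The first three sample flows follow the permitted conduits and produce no findings. The laptop talking Modbus directly to the PLC is flagged twice (no conduit, enterprise-to-control), the telnet session adds a cleartext finding on top of that, the uninventoried 192.168.10.99 is allowed by the conduit rules but surfaces as an unknown asset, and the RDP session from a DMZ host other than the jump host trips the remote-access rule. In a real deployment the zone map and conduit set would come from the network design and the inventory from a passive asset discovery tool, but the logic is the same: every pathway is either on the list or it is a finding.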
The Next Step
Armed with compelling data like that in the Dragos report, OT security leaders have a great opportunity to start strategic discussions with senior leadership on how best to improve operational security.
“The next step is to translate operational vulnerabilities into business language – showing how a compromised control system could lead to production downtime, safety incidents, or regulatory exposure. It’s now possible for leaders to quantify that risk and demonstrate how specific controls reduce it,” says Tonkin.
“This empowers them to advocate for targeted investments, not just broad security spending. It also opens the door to more meaningful collaboration between operations, finance, and risk teams. The goal is to move from reactive defence systems to proactive resilience – embedding OT security into an organisation’s overall risk posture and decision-making framework.”
Best practice standards can help with these efforts, especially IEC 62443 (the ISA/IEC 62443 series), which is designed with industrial automation and control systems in mind. The key is to ensure they are applied “through an OT lens”, Tonkin says.
“When adapted thoughtfully, these standards can help OT teams establish a structured approach to risk management,” he concludes.
“It’s often been difficult for security teams and management to link these frameworks to measurable outcomes. But we can now see how specific OT controls, like incident response planning and network visibility, correlate directly to financial risk reduction.”