In recent years, the landscape of cybersecurity threats to operational technology (OT) has evolved significantly, highlighting the potential financial risks that businesses could face. A recent study has quantified these risks, estimating that the global financial exposure due to OT cyber incidents could exceed $329 billion annually under extreme circumstances. This study, based on a comprehensive dataset of a decade’s worth of insurance claims and incident data, provides valuable insights into the economic threat landscape surrounding OT systems.
The research models three primary financial scenarios based on historical business interruption (BI) claims resulting from OT incidents. In what is deemed a typical year, the financial risk is calculated to be approximately $12.7 billion. This value rises to $31.1 billion when every OT-related incident is considered, whether or not a BI claim is made. In the most severe cases, described as rare, high-impact “tail” events with a 0.4% probability in any given year, BI-linked losses could reach $172.4 billion. When both direct and indirect costs are included, the exposure in such catastrophic scenarios could climb to $329.5 billion.
An essential consideration in these risk calculations is the impact of indirect costs, which play a significant role. The study notes that around 70% of OT-related breaches involve indirect consequences, such as operational halts or disruptions in interconnected systems. These effects tend to accumulate over time, sometimes eclipsing direct remediation expenses, particularly for larger enterprises where operational complexity and interdependencies are greater.
Across industries, manufacturing stands out as particularly vulnerable, with a 0.71% general likelihood of experiencing an OT incident annually. Sectors like chemical manufacturing and pharmaceuticals present even higher risks. Utilities, oil and gas, construction, and building automation systems are also significantly exposed. Geographically, OT events are most prevalent in North America and Europe, although underreporting is a concern in regions with less established regulatory or monitoring frameworks. Larger organizations are particularly susceptible, which is attributed to their higher profile and the complexity of their OT environments.
In response to these figures, the study suggests that implementing specific OT cybersecurity controls can significantly reduce both the likelihood and the impact of financial loss. Drawing on the SANS ICS 5 Critical Controls, it identifies actionable measures. Developing robust incident response plans is highlighted as a crucial step, potentially reducing financial exposure by 18.46%. Defensible network architectures and comprehensive network visibility and monitoring could yield risk reductions of 17.09% and 16.47%, respectively. Vulnerability management and secure remote access achieve reductions of 13.87% and 12.18%, respectively.
The reductions from these controls are not simply additive, and their combined effect is difficult to quantify precisely, but the data gives IT security leaders a directional framework. Investing in tailored cybersecurity strategies is particularly pertinent when budgets are constrained.
The overarching message from the study is that OT cyber risk is both quantifiable and manageable. For Chief Information Security Officers (CISOs), this entails a dual-focus approach: prioritizing OT-specific incident response planning and ensuring continuous visibility into OT environments. This requires integration with both engineering and operations teams to simulate realistic threat scenarios and to maintain readiness against potential breaches. Without persistent monitoring, organizations may struggle to detect early warning signs, gather necessary forensic data, or mount an effective response when incidents occur.
The potential financial impact on industries underscores the importance of utilizing independent insurance data to validate and support OT security investments. By leveraging this data, cybersecurity experts can make a compelling case for leadership buy-in, ensuring that the necessary resources are allocated to protect their operational infrastructure.