The economics of industrial cybersecurity is no longer a straightforward tally of preventive spending; it is a broader accounting of the knock-on losses that reshape the risk picture. A single incident can cascade through production halts, disrupted supply chains, missed contractual commitments, and the regulatory inquiries that follow a cybersecurity event.
The numbers speak for themselves. According to IBM's Cost of a Data Breach Report 2024, the average breach cost reached US$4.88 million globally. Healthcare leads at over $7 million per incident, with ransomware-specific costs averaging $10 million, and OT-impacting breaches average $4.56 million once production, safety, and regulatory costs are counted. In every case, the ransom itself makes up only a small proportion of the potential liabilities.
A Forbes article states that the average manufacturer faces 800 hours of equipment downtime each year, more than 15 hours per week; in total, unplanned downtime costs industrial manufacturers up to $50 billion annually. Reputation management and downstream effects on supply chain partners push losses far beyond the immediate incident window. One-quarter of industrial companies that suffered security incidents with financial losses reported damage greater than $5 million.
Such dynamics are driving a fundamental shift in how industrial leadership approaches OT (operational technology) cybersecurity. What was once an obligatory regulatory task has become a board-level concern as attacks grow more frequent, breach costs rise, and insurers begin to differentiate between companies that have invested in security maturity and those that haven't. Industrial firms are moving from a purely defensive posture towards proactive programs centered on access control, securing assets and applications without disrupting operational continuity.
Insurance firms are playing a role in this paradigm shift, too. The market, estimated at $16.3 billion in 2025, is still underpenetrated, but insurers are getting stricter in their underwriting. That effectively makes robust OT security investment a financial imperative, not just an operational one.
This trend is reflected in the spending trajectory. According to global estimates, cybersecurity spending will grow to $240 billion by 2026, with OT cybersecurity among the fastest-growing segments of the market, a sign of a shift towards risk-based, structured budgeting. Industrial organizations can no longer ask whether they should invest in OT cybersecurity; the question is whether their investment strategy accounts for the real economic cost of not investing. Downtime, accidents, fines, and even reputational risk can now be quantified in financial terms.
Hidden costs of industrial cybersecurity rewrite the risk equation
Industrial Cyber spoke with industrial cybersecurity experts to examine how the economic calculus of OT security is shifting, and why the traditional ‘cost of security versus cost of breach’ model no longer captures real risks facing industrial environments.


In OT, a breach doesn't just expose records, assessed Jacob Marzloff, president and co-founder at Armexa; it can halt production, trigger safety system failures, damage physical equipment, or endanger lives.
“The variables are fundamentally different,” Marzloff told Industrial Cyber. “To address these, industrial organizations need to stop asking ‘how much does security cost?’ and start asking ‘what is the financial exposure of not having adequate controls?’ This shift reframes cybersecurity as a risk management problem rather than a discretionary expense, setting the stage for understanding the true scope of potential impacts.”


Maarten Oosterink, co-founder and COO at Indurex, observed that when dealing with OT or cyber-physical systems, the old IT cost-benefit math breaks down. “We aren’t just protecting data; we are protecting human lives and the environment. You simply cannot put a price tag on safety of people or environmental disaster to calculate an ‘acceptable ROI’ for your cybersecurity investments.”
Agreeing that the economic calculus has shifted, David Mussington, professor of the Practice at the University of Maryland’s School of Public Policy, told Industrial Cyber that the active threat environment makes the old framing not just insufficient but dangerous. “The adversary picture has clarified considerably. U.S. agencies assess with high confidence that PRC-sponsored Volt Typhoon actors are pre-positioning on IT networks specifically to enable disruption of OT functions across energy, communications, transportation, and water sectors — not espionage, but crisis-contingent sabotage.”


“Throughout 2025, Volt Typhoon’s operations shifted toward directly interacting with OT-connected devices and stealing sensor and operational data, and Dragos now assesses that some compromised U.S. utilities will never be fully remediated,” Mussington told Industrial Cyber. “Salt Typhoon separately demonstrated persistent penetration of the telecommunications sector at scale. BRICKSTORM — attributed to PRC-nexus actors — achieved an average dwell time of 393 days across dozens of confirmed U.S. victims before detection.”
On the Iranian side, Mussington highlighted how Pyroxene and Bauxite demonstrated destructive OT capability during the June 2025 Iran-Israel escalation cycle, with Bauxite already having compromised OT devices at U.S. water utilities. “These are not theoretical scenarios. The economic framing must reflect the actual threat environment: pre-positioned adversaries with demonstrated willingness to cause physical effects. Security investment must be evaluated against operational resilience across the full consequence chain, not breach probability at any single node.”


Arguing that this framing was never valid for OT in the first place, Tony Turner, vice president of product at Frenos, told Industrial Cyber that it breaks down for three reasons. “You can’t solve an equation when half the inputs are missing. Industrial breaches are increasing, but they don’t occur often enough to yield reliable data. We simply don’t have the volume needed to model cost the way IT does.”
He added that when incidents do happen, the outcomes aren’t comparable. “The impact varies wildly depending on the environment. A production disruption at Jaguar Land Rover is not the same class of problem as Colonial Pipeline triggering fuel shortages across the East Coast. Those aren’t different points on a spectrum; they’re fundamentally different risk categories.”
Most importantly, Turner said that most asset owners still can’t quantify their own downside. “They don’t have a credible view of what a cyber-physical event would actually cost, across safety, operations, regulatory impact, and recovery. If you can’t define the probability with confidence, and you can’t bound the impact with confidence, there is no equation. At that point, ‘cost of security vs. cost of breach’ isn’t a model, it’s a guess.”
Quantifying downtime, safety, reputational damage from cyberattacks
The executives address what a cyberattack truly costs an industrial organization. Beyond ransomware payments, they examine how to quantify operational downtime, safety incidents, regulatory penalties, and the long-term impact of reputational damage.
Marzloff said that even a single day of downtime at a facility can far exceed the ransom itself. “Lost production revenue is only the starting point. The true cost of a cyber incident includes safety and environmental exposure, contractual penalties, regulatory fines, remediation and recovery costs, increased insurance premiums, and long‑term reputational damage. The difference between hours and days of recovery often separates minor losses from multimillion‑dollar impacts.”
He noted that cybersecurity in OT environments is fundamentally a business risk decision, not an IT exercise. “Consequence‑based risk assessments aligned with ISA/IEC 62443‑3‑2 translate credible cyber scenarios into quantifiable business impact by evaluating how cyber events affect operations, safety systems, compliance obligations, and time to recovery. This enables leadership to prioritize investments based on risk to operate and financial exposure, not theoretical vulnerabilities.”
“There is no single, universal price tag for an OT cyberattack because context is everything. The cost depends entirely on the physical process you are running,” Oosterink told Industrial Cyber. “In oil and gas, the cost could be measured in explosions, environmental leaks, and direct harm to human life. In pharmaceuticals, it’s about ruined batches, severe regulatory penalties, and loss of compliance. But across the board, the true cost is almost never the ‘simple IT repair bill’ or the ransom payment.”
He added that the real financial impact comes from the cascading operational downtime, the lasting damage to reputation, and the severe consequences to Health, Safety, and the Environment (HSE).
“Ransomware payments remain the smallest line item. The real costs are operational: production downtime exceeding $500K per hour in manufacturing, emergency forensics, regulatory penalties under NERC CIP and the EU NIS2 Directive, supply chain disruption, and insurance escalation,” Mussington evaluated. “Safety incidents add litigation exposure. Reputational damage compounds over time in ESG-sensitive capital markets. Proliferating federal incident reporting obligations — across CIRCIA, SEC, and TSA sector-specific directives — add compliance overhead that resource-constrained OT teams struggle to absorb in parallel. Organizations treating these as separate cost buckets invariably undercount total exposure.”
In most industrial environments, Turner assessed that “the ‘true cost’ of a cyberattack isn’t something you can calculate cleanly. It’s something you approximate, usually with a lot of assumptions and not a lot of confidence. The data is fragmented across many disciplines. The operational impact sits with engineering and operations. Safety implications live somewhere else. Regulatory and legal exposure are separate again.”
Noting that the financial impact is modeled in a completely different system, he added that stitching all of that together into a single, defensible number is a heavy lift, and that most organizations simply aren’t staffed or structured to do it well. Even when they try, he said, the correlation between a cyber event and physical consequences is still poorly understood, an open problem in this industry for over a decade.
“The organizations that handle this well have stopped chasing precision they’ll never fully trust. Instead, they focus on high-consequence events (HCE),” Turner pointed out. “The question morphs into ‘If this system fails, what actually happens? What does it do to operations? How long are we down? What does recovery look like?”
Turner said that shifts the conversation from abstract modeling to scenario-based reality. “Frameworks like CIE/CCE and ISA/IEC 62443 help structure it, but the value isn’t in the framework itself. It’s in a defensible understanding of where risk actually matters, where it intersects with relevant threats, and where reducing it will have the most impact.”
Framing OT cybersecurity as strategic investment
The executives address how OT security leaders should build a business case for investment, and what financial frameworks, metrics, and language resonate most with CFOs and boards who still see cybersecurity as a cost center rather than a strategic imperative.
Recognizing that this reframing is crucial because security leaders lose influence when they speak in purely technical controls and threat taxonomies, Marzloff called upon CFOs to shift from seeing cybersecurity as a cost center to recognizing cyber incidents as operational risk events that hit the P&L directly.
He explained that the ‘most effective’ OT security programs translate cyber risk into financial terms that map directly to the P&L, quantifying operational downtime, regulatory exposure, and recovery costs as financial liabilities rather than operational incidents. Metrics such as expected annual loss, value-at-risk scenarios, and return on mitigation investment, he said, reframe cybersecurity from a necessary cost center into a strategic risk management function, which is key to securing buy-in from business leadership.
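The metrics named above (expected annual loss, scenario-based loss, return on mitigation investment) are easier to argue about when they are written down as a model. The following is an added example, not code from Armexa, Industrial Cyber or any of the experts quoted here. Every number in it is a constructed, hypothetical figure for a single plant: the scenario likelihoods, the $150,000-per-hour downtime cost, the fixed-cost buckets and the assumed effect of the controls are all assumptions chosen to illustrate the arithmetic, not benchmarks. It computes single-event loss per credible scenario in the consequence-based style the article attributes to ISA/IEC 62443-3-2, sums those into an expected annual loss, shows how much of a ransomware event the ransom itself accounts for, and prices a compensating control (segmentation plus rehearsed restoration) as a return on mitigation investment.

```python
"""Scenario-based OT loss model: expected annual loss (EAL) and return on
mitigation investment (ROMI). Added example; all figures are hypothetical."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Scenario:
    """One credible cyber-physical event, described the way a consequence-based
    assessment would: how likely, how long production is down, what an hour of
    downtime costs, and the one-off bills that arrive afterwards."""
    name: str
    annual_likelihood: float        # expected events per year (assumed)
    recovery_hours: float           # detection to restored production
    downtime_cost_per_hour: float   # lost margin per hour, USD (assumed)
    fixed_costs: Dict[str, float]   # ransom, forensics, fines, penalties, ...


def single_loss(s: Scenario) -> float:
    """Single-loss expectancy: downtime plus every one-off cost bucket."""
    return s.recovery_hours * s.downtime_cost_per_hour + sum(s.fixed_costs.values())


def loss_breakdown(s: Scenario) -> Dict[str, float]:
    """Share of a single event's loss per bucket, downtime included."""
    parts = {"downtime": s.recovery_hours * s.downtime_cost_per_hour, **s.fixed_costs}
    total = sum(parts.values())
    return {k: v / total for k, v in parts.items()}


def expected_annual_loss(scenarios: Iterable[Scenario]) -> float:
    """EAL = sum over scenarios of (annual likelihood x single-loss expectancy)."""
    return sum(s.annual_likelihood * single_loss(s) for s in scenarios)


def recovery_sensitivity(s: Scenario, hours: Iterable[float]) -> Dict[float, float]:
    """Single-event loss for alternative recovery times (hours versus days)."""
    return {h: single_loss(replace(s, recovery_hours=h)) for h in hours}


def apply_control(scenarios: Iterable[Scenario], *, likelihood_factor: float = 1.0,
                  recovery_factor: float = 1.0) -> List[Scenario]:
    """Model a mitigation that scales likelihood (e.g. segmentation) and/or
    recovery time (e.g. tested restoration playbooks). Fixed costs are unchanged."""
    return [replace(s, annual_likelihood=s.annual_likelihood * likelihood_factor,
                    recovery_hours=s.recovery_hours * recovery_factor)
            for s in scenarios]


def return_on_mitigation(before: Iterable[Scenario], after: Iterable[Scenario],
                         annual_control_cost: float) -> float:
    """ROMI = (avoided expected annual loss - annual control cost) / control cost."""
    avoided = expected_annual_loss(before) - expected_annual_loss(after)
    return (avoided - annual_control_cost) / annual_control_cost


# Constructed, hypothetical scenarios for one discrete-manufacturing plant.
BASELINE = [
    Scenario("ransomware_halts_line", annual_likelihood=0.15, recovery_hours=72,
             downtime_cost_per_hour=150_000,
             fixed_costs={"ransom": 1_000_000, "forensics": 400_000,
                          "regulatory": 250_000, "contract_penalties": 500_000}),
    Scenario("safety_system_tamper", annual_likelihood=0.02, recovery_hours=240,
             downtime_cost_per_hour=150_000,
             fixed_costs={"investigation": 2_000_000, "regulatory": 3_000_000,
                          "litigation": 5_000_000}),
]
# Hypothetical compensating controls (segmentation plus rehearsed restoration),
# assumed to halve likelihood and cut recovery time to a quarter.
CONTROL_COST = 600_000
HARDENED = apply_control(BASELINE, likelihood_factor=0.5, recovery_factor=0.25)

if __name__ == "__main__":
    print(f"baseline EAL: ${expected_annual_loss(BASELINE):,.0f}")
    print(f"hardened EAL: ${expected_annual_loss(HARDENED):,.0f}")
    print(f"ROMI: {return_on_mitigation(BASELINE, HARDENED, CONTROL_COST):.2f}x")
    print(f"ransom share of ransomware event: {loss_breakdown(BASELINE[0])['ransom']:.1%}")
    print("recovery sensitivity:", recovery_sensitivity(BASELINE[0], [8, 72, 240]))
```

Two things the model makes visible that the prose only asserts. First, with these assumptions the ransom is under 8% of the ransomware event's single-event loss; downtime dominates, so cutting recovery from days to hours (the `recovery_sensitivity` call) moves the loss by an order of magnitude. Second, a control that mostly shortens recovery rather than preventing the event still shows a positive return, which is the argument for compensating controls over wholesale replacement. The weakest input is the annual likelihood, which is exactly the point Turner makes above: the model is only as defensible as the scenario likelihoods fed into it, so keep them explicit and argue about them openly rather than hiding them in a single headline number.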
Oosterink said that to build a real business case, “you have to get the CFO out of their comfort zone. You need to get them out of their office and onto the shipyard or the plant floor—anywhere where the business actually moves, smells, and makes noise. Once they are standing next to a multimillion-dollar asset that is the heartbeat of the company’s revenue, the realization hits: this isn’t an IT problem; it’s a ‘license to operate’ problem.”
He added that “When they see the physical ‘stuff’ that can be touched, they understand that a cyber investment is actually an investment in operational uptime and asset integrity. After this, you can talk about operational terms like production loss per hour, asset availability, and safety exposure.”
Mussington urged them to lead with operational risk language — margin impact, regulatory liability, insurance cost trajectory. “CFOs respond to production availability rates, mean-time-to-recovery figures, and avoided penalty calculations, not CVE counts.
“The institutional context has shifted: CISA’s Stakeholder Engagement Division, which convened government-industry collaboration on critical infrastructure risk, has been substantially reduced,” Mussington added. “The public-private advisory infrastructure OT leaders previously relied on is thinner. That strengthens the internal business case — the risk intelligence function must now be resourced internally rather than assumed from government. Frame security as operational continuity, not IT overhead.”
Most OT security programs still sit under the CISO or CIO, which means they’re embedded inside IT, Turner said. “And IT, fairly or not, is still treated like a cost center. That reporting line shapes everything: budget, priorities, and how the program is perceived. The teams that break out of that don’t do it with better dashboards. They do it by aligning directly with operations. They build relationships with the business units that actually own the risk, and they frame security in terms that those teams already use. Not CVE counts. Not patch SLAs.”
He listed the mean time to recovery, unplanned downtime and production availability. “If a refinery goes down, nobody cares how many vulnerabilities were patched. They care how fast you recover and how much production you lost.”
Turner added, “When you anchor the conversation in those outcomes, tied to specific assets and real scenarios, you’re no longer asking for an IT-style budget. You’re making a case for protecting revenue and continuity. That’s a very different conversation, and it’s one the board understands immediately.”
Rethinking industrial cybersecurity investment priorities
As industrial organizations face pressure to do more with less, the executives examine where security spending should be prioritized. They also assess how to balance investment in legacy system protection against modernization and new technology adoption.
“Operating under resource constraints is a permanent condition for industrial security programs. Disciplined prioritization often matters more than budget size,” Marzloff said. “Organizations that get this right don’t start with a technology wish list; they begin with a clear assessment of which assets, if disrupted, would create the greatest operational or financial impact.”
He added that legacy system protection and modernization aren’t opposing choices; they’re sequenced decisions driven by risk concentration. “Upgrading legacy systems isn’t always the most effective risk response; in many cases, compensating controls deliver greater risk reduction than wholesale replacement. Spending should follow exposure and risk‑based cost/benefit analysis, not vendor roadmaps.”
“Investment in security should be on par with the spending in other aspects of keeping your cyber-physical systems running safely, reliably, and profitably,” Oosterink weighed in. “There is no value in a secure asset that fails because maintenance fell short. Once the budget is clear, focus on visibility and integrity of critical assets, and protection of safety systems.”
Mussington pushed for prioritizing by consequence severity, not asset age.
“Legacy OT systems with direct safety or production impact warrant disproportionate investment — segmentation, monitoring, and access hardening,” he added. “New technology integration introduces attack surface faster than most programs absorb; security-by-design requirements at the point of procurement are essential. The SRMA coordination structure is being executed with significantly reduced staffing, meaning sector-level threat advisories and vulnerability coordination may arrive more slowly or not at all for lower-profile sectors. Treat that as a planning assumption.”
“Start with people. It’s the highest-return investment in OT security, and it’s usually where programs get it wrong. Not just security talent, industrial talent,” Turner said. “You need people who have actually been in a plant, who understand how these systems operate, who know what a safety instrumented system is, and who can sit across from a control engineer and be taken seriously. Without that, everything else becomes theoretical. They’ll shape the roadmap in a way that actually reflects the environment, not a generic security playbook.”
He pointed out that new technology is coming “whether you’re ready or not. The real question is whether security is part of that process from the beginning, or something you try to bolt on after the fact, and that likely means getting it in the contract. We certainly can’t ignore the legacy environment, but in many cases, containment and isolation are our best hope. Certainly, resources like the CIE engineered controls catalog can help.”
“Once you have the right people and you’re plugged into how the environment is evolving, focus on consequence,” according to Turner. “Identify the assets where failure actually matters, where you’re talking about safety impact or sustained production loss, not just an IT outage. Those are your priorities. Then look for simple, visible mitigations that disrupt threats, reduce real risk, and are easy to explain. You need early wins that operators understand, and leadership can see.”
Cyber insurance forces rethink in industrial security
The executives look into how cyber insurance is evolving in the industrial sector, and whether coverage gaps, rising premiums, and insurer requirements are accelerating progress or exposing maturity gaps in OT security programs.
Marzloff said insurance should be one input in a broader risk transfer strategy, not a substitute for the controls that determine whether a claim is even covered. “In the early days, cyber insurance was a simple add-on. Today, the market has matured into a de facto regulatory force. Insurers are effectively doing what frameworks haven’t fully accomplished, forcing a real conversation about OT program maturity.”
“Underwriters are asking harder questions, requiring evidence of segmentation, asset visibility, and incident response capability, and pricing accordingly when they don’t find it,” Marzloff added. “For many industrial organizations, the gap between what they represent to insurers and what their programs can actually demonstrate is widening. Insurers now want to see alignment with ISA/IEC 62443 or evidence of a NIST CSF-based program. On top of that, coverage exclusions around war or systemic events are quietly creating significant uninsured exposure.”
Oosterink identified that the insurance market for OT is still in an early phase and insurers are quickly learning that they don’t want to foot the bill for poor industrial hygiene. “Because they are highly risk-averse, they are setting a ruthless bar for maturity. If your security isn’t up to par, you either won’t get coverage, or worse: you think you’re covered until an incident happens, and you end up bogged down in litigation over the fine print.”
Using Merck as an example, he said that they suffered massive losses after the NotPetya attack in 2017. “Only in 2024 did they settle a court case with their insurance company. It’s highly debatable if the classic model of ‘transferring risk’ works. Insurance cannot compensate for poor engineering or weak security practices.”
On insurance, Mussington said that underwriters now demand documented OT asset inventories, segmentation evidence, and tested IR plans — conditions many programs can’t yet meet. “For most organizations, the renewal process has become an unintentional security audit, exposing maturity gaps that internal reviews missed.”
Turner said that cyber insurance is becoming both a forcing function for better security and a spotlight on how broken risk modeling still is in OT. “On one hand, insurers are tightening requirements. Underwriting is more rigorous, premiums are rising, and in some cases, OT environments are being excluded altogether. Controls that used to be ‘best practice’ are now the minimum just to get coverage. That pressure is forcing some level of maturity. Asset owners are documenting environments, validating controls, and proving basic segmentation and access management.”
But he noted that it is also exposing the same fundamental problem on both sides, as neither insurers nor asset owners can reliably model cyber-physical risk. “There isn’t enough consistent data. The consequences vary wildly by environment. And the downside, especially in critical infrastructure, is difficult to bound in any meaningful way.”
As a result, Turner highlighted that coverage gaps are widening. “Policies routinely exclude the exact scenarios that matter most in OT: safety impacts, prolonged operational disruption, and nation-state activity. In practice, cyber insurance is shifting from a risk transfer mechanism to a market signal. It tells you how your exposure is perceived, but it doesn’t reduce that risk, and it definitely doesn’t replace understanding it,” he concluded.