Every year, critical infrastructure operators face the same conversation: the cybersecurity budget request gets deferred because the plant has never had a serious incident, and the investment is difficult to justify in a capital allocation process dominated by tangible, visible returns. This is the logic of neglect – and it has an extremely well-documented cost.

The Numbers

IBM Security’s Cost of a Data Breach Report 2023 put the average cost of a data breach in the industrial sector at USD 4.73 million. That figure covers data breaches; OT incidents that disrupt production cost substantially more. The 2021 Colonial Pipeline ransomware attack involved a ransom of roughly USD 4.4 million (about 75 bitcoin, part of which the US Department of Justice later recovered), but the ransom was the smallest component: the multi-day precautionary shutdown of a pipeline carrying roughly 45% of the US east coast’s fuel is estimated to have caused hundreds of millions of dollars of operational disruption across that supply chain.

The OT Threat Landscape Is Not Hypothetical

The argument that OT systems are isolated and therefore not at risk collapsed at Stuxnet in 2010. Since then, the documented attack history is unambiguous:

  • 2015 and 2016 Ukraine power grid attacks: in December 2015, attackers who had gained access to three distribution companies with BlackEnergy malware manually opened breakers through the operators’ own HMIs, cutting power to roughly 230,000 customers for several hours. In December 2016, Industroyer/Crashoverride automated that step: it carried protocol modules for IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA, and de-energised a transmission substation serving part of Kyiv for about an hour.
  • 2017 TRITON/TRISIS attack: malware built to reprogram Schneider Electric Triconex Safety Instrumented System controllers at a petrochemical facility in the Middle East. It is widely assessed as an attempt to disable the safety layer so that a hazardous process condition could develop without a protective shutdown, that is, an attack aimed at physical consequences including loss of life. It came to light only because the controllers faulted into a safe state during the attacker’s attempts, shutting the plant down.
  • 2021 Oldsmar water treatment incident: someone used the remote-access software (TeamViewer) installed on a Florida water treatment plant’s HMI to raise the sodium hydroxide set point from 100 ppm to 11,100 ppm, 111 times the normal level. An operator who saw the cursor move reversed the change before treated water reached distribution. Later reporting has questioned whether the change originated outside the plant at all; the lesson about unattended remote access protected by a shared password stands either way.
  • 2021 Colonial Pipeline: ransomware on the company’s IT (billing) systems led the operator to shut down OT pipeline control systems as a precaution, causing fuel shortages along the US east coast and a federal emergency declaration.

These are not edge cases; they are a sample. Dragos’s 2023 Year in Review tracked 21 threat groups targeting industrial organisations and reported that 13 of them have demonstrated capability to attack OT environments specifically.

The True Cost of an OT Cybersecurity Incident

When organisations calculate the cost of cybersecurity investment, they rarely calculate the full cost of the incident it prevents. OT cybersecurity incidents carry costs across multiple dimensions:

  • Direct production loss: an unplanned shutdown of a refinery processing 100,000 barrels per day at USD 5/barrel margin costs USD 500,000 per day. A one-week shutdown costs USD 3.5 million in lost margin – before recovery costs.
  • Recovery and remediation: rebuilding a compromised DCS environment, restoring configurations, re-testing safety systems, and restarting process units can take weeks or months. Colonial Pipeline’s IT remediation costs alone exceeded USD 90 million.
  • Regulatory and legal exposure: under NIS2 (EU), NERC CIP (North American bulk electric system) and sector-specific regulations, operators of essential services face significant fines for failing to implement adequate security measures. NIS2 provides for fines on essential entities of up to EUR 10 million or 2% of global annual turnover, whichever is higher (EUR 7 million or 1.4% for important entities); NERC CIP violations can be penalised at up to USD 1 million per day per violation.
  • Safety consequences: the TRITON attack was explicitly designed to bypass safety systems and cause a physical process incident. The cost of a process safety incident – fatalities, environmental damage, asset destruction – is categorically different from any financial metric. Safety is not a cost category; it is a boundary condition.
  • Reputational damage: clients, regulators, and investors increasingly require documented OT cybersecurity programmes as a condition of contracts and financing. An incident makes this visible in the worst possible way.

The Investment Case

A structured OT cybersecurity programme – network segmentation, asset inventory, continuous monitoring, patch management, access control, and incident response capability – costs a fraction of a single significant incident. The investment case does not require exotic financial modelling:

  • One unplanned week of production loss at a mid-scale process plant exceeds the cost of a multi-year OT security programme.
  • A single regulatory fine under NIS2 for inadequate security can exceed the cost of implementing the measures that would have avoided it.
  • Cyber insurance premiums for industrial operators without documented OT security controls are substantially higher – or coverage is refused entirely.

Where to Start

For organisations that have not yet begun an OT cybersecurity programme, the pragmatic starting point is an OT security assessment against IEC 62443 (IEC 62443-2-1 for the security programme, IEC 62443-3-2 for zone-and-conduit risk assessment) or the NIST Cybersecurity Framework. This produces a gap analysis, a risk-ranked list of findings and a roadmap. It does not require a large initial investment and provides the evidence base for a properly scoped budget request.

The conversation with leadership changes when cybersecurity investment is framed as risk quantification rather than cost avoidance. “We are carrying USD X million of unmitigated risk a year, and a plausible bad year costs USD Z million” is a different conversation from “we need USD Y for security tools.” The former is the language of capital allocation; the latter is the language of IT budgets. The quantification need not be elaborate: a handful of scenarios, each with an estimated annual frequency and a range for downtime, recovery cost and regulatory exposure, yields an expected annual loss that can be set directly against the programme’s cost.
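As an added worked example (not code from the original article, nor from any vendor, regulator or standard it cites), the Python below quantifies a constructed two-scenario OT risk portfolio in the terms used above: expected annual loss computed both analytically and by Monte Carlo, the one-in-twenty bad year, the probability of exceeding a loss threshold, and the net annual benefit of a control set that halves both event likelihood and outage length. Every event rate, range, control effect and the USD 600,000 programme cost is an assumption for illustration; the per-day margin reuses the article’s 100,000 bbl/d at USD 5/bbl.

```python
"""Quantifying OT incident risk as expected and tail annual loss.

Added example, not from the original article or any product or standard it
mentions. Every number below (event rates, downtime ranges, recovery and
fine ranges, control effects, programme cost) is a constructed placeholder;
replace it with the plant's own estimates before using the output in a
budget conversation. Standard library only.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One loss scenario. Ranges are (low, most likely, high) triangles."""
    name: str
    annual_rate: float            # expected events per year (Poisson rate)
    downtime_days: tuple          # unplanned outage length in days
    lost_margin_per_day: float    # USD/day, e.g. 100,000 bbl/d x USD 5/bbl
    recovery_cost: tuple          # USD one-off rebuild / re-test / restart
    regulatory_cost: tuple        # USD fines and legal; (0, 0, 0) if none


def _tri(rng, low_mode_high):
    """Draw from a (low, mode, high) triangle; the stdlib wants (low, high, mode)."""
    low, mode, high = low_mode_high
    return rng.triangular(low, high, mode)


def _poisson(rate, rng):
    """Knuth's multiplication algorithm; fine for the small annual rates here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def event_loss(s, rng):
    """Loss of a single event: lost margin plus recovery plus regulatory."""
    return (_tri(rng, s.downtime_days) * s.lost_margin_per_day
            + _tri(rng, s.recovery_cost)
            + _tri(rng, s.regulatory_cost))


def analytic_ale(scenarios):
    """Annualised loss expectancy: sum over scenarios of rate x mean event loss.
    The mean of a (low, mode, high) triangle is (low + mode + high) / 3."""
    mean = lambda t: sum(t) / 3.0
    return sum(s.annual_rate * (mean(s.downtime_days) * s.lost_margin_per_day
                                + mean(s.recovery_cost) + mean(s.regulatory_cost))
               for s in scenarios)


def simulate_annual_losses(scenarios, years=20000, seed=7):
    """Monte Carlo: total loss in each simulated year (seeded, so repeatable)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(s.annual_rate, rng)):
                total += event_loss(s, rng)
        losses.append(total)
    return losses


def risk_summary(losses, threshold):
    """Expected annual loss, the 95th-percentile year, and P(annual loss > threshold)."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    exceed = sum(1 for x in losses if x > threshold) / len(losses)
    return {"expected": sum(losses) / len(losses), "p95": p95, "p_exceed": exceed}


def apply_controls(s, rate_factor, downtime_factor):
    """Model a control set: segmentation and monitoring cut likelihood, tested
    backups and incident response cut outage length. Recovery and fines unchanged."""
    return replace(s,
                   annual_rate=s.annual_rate * rate_factor,
                   downtime_days=tuple(d * downtime_factor for d in s.downtime_days))


def net_benefit(before, after, programme_annual_cost):
    """Risk reduction (ALE before minus ALE after) less the programme's annual cost."""
    return analytic_ale(before) - analytic_ale(after) - programme_annual_cost


# Constructed portfolio for a 100,000 bbl/d plant at USD 5/bbl margin.
PORTFOLIO = [
    Scenario("IT ransomware forces precautionary OT shutdown",
             annual_rate=0.10, downtime_days=(2, 5, 14), lost_margin_per_day=500_000,
             recovery_cost=(1e6, 3e6, 10e6), regulatory_cost=(0, 500_000, 2e6)),
    Scenario("Targeted OT intrusion requiring DCS rebuild and SIS re-test",
             annual_rate=0.02, downtime_days=(7, 21, 60), lost_margin_per_day=500_000,
             recovery_cost=(5e6, 15e6, 40e6), regulatory_cost=(0, 2e6, 10e6)),
]
MITIGATED = [apply_controls(s, rate_factor=0.5, downtime_factor=0.5) for s in PORTFOLIO]
PROGRAMME_ANNUAL_COST = 600_000   # constructed: amortised programme cost per year

if __name__ == "__main__":
    for label, port in (("unmitigated", PORTFOLIO), ("mitigated", MITIGATED)):
        summary = risk_summary(simulate_annual_losses(port), threshold=10e6)
        print(f"{label}: ALE USD {analytic_ale(port):,.0f}; simulated expected "
              f"USD {summary['expected']:,.0f}; 1-in-20 year USD {summary['p95']:,.0f}; "
              f"P(loss > 10M) {summary['p_exceed']:.1%}")
    print(f"net annual benefit of programme: "
          f"USD {net_benefit(PORTFOLIO, MITIGATED, PROGRAMME_ANNUAL_COST):,.0f}")
```

The analytic figure is the “USD X million a year” for the budget conversation; the simulated 95th-percentile year is the “plausible bad year”, and it is typically several times the expected value because most years carry no loss at all. Keep the scenario list short and the ranges honest: the point is a defensible order of magnitude set against a known programme cost, not false precision.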

The Bottom Line

Cybersecurity neglect in OT environments is not a neutral choice – it is a decision to accept unquantified, potentially catastrophic risk. The attacks are documented, the threat groups are operational, and the regulatory frameworks are tightening. The cost of adequate OT cybersecurity is known and bounded. The cost of neglect is bounded only by the scale of what the plant produces, the hazards it manages, and the supply chains that depend on it.