Lviv, Ukraine. Arkansas City, United States. Drum, Ireland. In each case, hackers broke in through exposed IT systems and found operational technology (OT) environments wide open: a pump controller or heating utility linked directly to the business network with no segmentation in sight. As sophisticated threat groups worm their way into critical infrastructure and lay the groundwork for physical disruptions, corporate boards need to get serious on OT security risk. If they don't, tightening security regulations like the UK's Cyber Security and Resilience Bill will force their hand.
OT attacks are on the rise
Dragos’ 2025 OT/ICS Cybersecurity Report identified two new OT cyber threat groups and monitored an 87% increase in ransomware activity compared to the year prior. Meanwhile, Palo Alto Networks’ The State of OT Security found that almost 70% of industrial firms had an OT cyberattack last year.
Cybercriminals excel at sniffing out weak points, and businesses are providing them pathways into critical infrastructure. That includes connecting more Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICSs) to IT and cloud networks, even when they weren't designed for that environment and lack Secure by Design thinking, segmentation, or risk controls.
To learn Warren’s full thoughts, read the full article in Dark Reading: https://www.darkreading.com/ics-ot-security/boards-fix-ot-security-regulators
For a short summary, read on:
Unlike a stolen file or locked server, OT compromises can have irreversible physical consequences. They put health, safety, and even lives at risk. That makes OT security even more of a board-level issue than security has already become.
In critical national infrastructure (CNI) sectors like healthcare, telecoms, and energy, the state-sponsored Volt Typhoon group has gone undetected in the energy grid for nearly 12 months. In that time, the group could have made a lateral move across to ICSs and wreaked havoc on water treatment plants, water wells, or substations.
That illusion of safety is often reinforced by surface-level audits or ISO certifications. But ticking a few boxes isn’t the same as being secure. The board might feel protected, when the people closest to the risk know otherwise. In fact, while nearly 85% of board members believe they’re aligned with their CISO (Chief Information Security Officer), only 65% of CISOs agree. That disconnect can lead to major blind spots, and, just as often, misallocated budgets.
Governments are already acting on this. Across Europe, for example, we’re seeing tighter rules and stronger enforcement. Take the updated NIS2 directive. It expands the scope of the original Network and Information Security rules, and it arrived after ENISA found a 25% rise in the cost of cyber incidents had only been met with a 0.4% uplift in cyber budgets. Cyberattacks are a macroeconomic risk for services-based economies, and so national governments are linking digital resilience to GDP protection, pushing accountability to the top of the organisation chart.
Boards need to move before they’re pushed. That means closing the gap between IT and OT, building real visibility into critical systems, regularly testing incident response plans, and treating legacy infrastructure with the urgency it demands. It won’t be easy, but with the scale of today’s threats, doing nothing is the far riskier option.