Boards Don’t Understand OT Risk

Henry Kogan

For years most training programs have treated OT cybersecurity as a knowledge gap, assuming that if engineers understood threats better or executives grasped industrial systems more deeply, risk would shrink. So we built various training experiences: certifications, workshops, and awareness programs. And yet breaches continue, ransomware halts production, and financial impact still blindsides leadership.

The scale of what’s being missed is staggering. A joint report from Dragos and Marsh McLennan estimates that up to $329.5 billion per year is at risk globally from OT cybersecurity incidents, with $172.4 billion of that tied specifically to business interruption claims. Even in a more typical year, average annual OT-related cyber risk is projected at $31.1 billion.¹ These figures represent the gap between what boards authorize and what operations actually absorb when things go wrong.

The issue isn’t a lack of knowledge. It’s a failure to translate that knowledge into something actionable across the business.

OT Risk Needs a Dollar Sign

OT risk exists in two completely different languages: technical reality and business impact. On one side, engineers deal with PLC vulnerabilities, lateral movement, and insecure protocols. In 2024, CISA issued 241 new advisories impacting 70 vendors, prompting 619 ICS CERT vulnerability disclosures.² On the other, executives care about downtime, revenue loss, and regulatory exposure. Consider what each language sounds like in practice: an engineer flags an unpatched Modbus device with no authentication; the board hears nothing, because no one translated that into “this is the single point of failure that could halt our $4M-per-day production line.”

Most training programs stay in one lane, deepening expertise without building connection. While the average cost of an IT data breach is $4.88 million, a single hour of unplanned downtime at a large automotive plant can cost up to $2.3 million³ — yet that calculation rarely appears in executive security briefings.

Engineers aren’t taught to quantify financial consequences, and executives aren’t given enough operational context to make informed decisions. The result is predictable: risk gets miscommunicated, misunderstood, or ignored.

More OT Training Is Done the Wrong Way

Organizations often point to training completion as a sign of progress, but completion is not comprehension — and comprehension is not alignment. The SANS 2024 ICS/OT survey found that 51% of respondents are protecting OT systems without a relevant certification, while simultaneously, over 50% of organizations have reported experiencing at least one security incident within their ICS/OT environments.⁴ Those two facts existing side by side tell you something important: training volume and incident rates are not correlated the way the industry assumes.

The Jaguar Land Rover incident of 2025 is illustrative. After the Hellcat ransomware group claimed an initial breach involving theft of over 350GB of sensitive data, the crisis escalated when JLR shut down its global IT environment to contain an active intrusion — halting production for nearly a month at plants in the UK, Slovakia, China, and India, stopping the manufacture of approximately 1,000 vehicles per day.⁵ A workforce that has “completed training” may still not be able to articulate how a compromised system translates into that kind of business loss. Likewise, a board that has attended a cyber workshop may still lack the clarity to distinguish between IT and OT risk in a meaningful way. The appearance of maturity masks a deeper issue: no shared framework for understanding risk across functions.

The CrowdStrike outage of July 2024 reinforced this dynamic at scale. With roughly 8.5 million Windows systems crashing globally, OT environments faced substantial challenges — some plants halted production entirely while others experienced significant slowdowns, with cumulative financial damage estimated at $10 billion globally.⁶ That wasn’t an adversarial attack. It was a software update. And boards in affected companies had no framework to anticipate, absorb, or explain the operational fallout.

Boards Appreciate Financial-Centric Communication

Boards aren’t failing because they don’t care; they’re failing because they’re being given the wrong level of abstraction. OT risk is either presented as too technical to act on or too simplified to be useful.

In 2025, 52% of organizations place OT security under the CISO — up from just 16% in 2022 — which signals growing executive ownership. But ownership and understanding are not the same thing. While over 80% of CISOs now oversee OT, only 35% of organizations report having a mature, fully integrated IT/OT security operations model.⁷ The reporting structure changed. The shared language didn’t.

That disconnect leads to poor prioritization and misaligned investments. The most common organizational factor behind ransomware attacks on manufacturing organizations in 2025 was a lack of expertise — insufficient skills to detect and stop the attack in time — cited by 42.5% of victims, closely followed by unknown security gaps at 41.6%.⁸ Neither of those root causes is a technology failure.

Both are failures of decision-making informed by incomplete understanding of where risk actually lives. Between 2018 and 2024, manufacturers lost over $17 billion due to ransomware-related downtime — with downtime averaging 11 days per incident in 2024.⁹ That’s not a figure that emerges from technical blind spots alone. It emerges from organizations that had no shared model for translating a threat into a business response fast enough to matter.

Cyber Risk Quantification: A Bridge for Boards

What that shared model looks like in practice is Cyber Risk Quantification — not the checkbox variety that produces a risk score, but the kind that answers the questions a CFO or board member would actually ask in a crisis: How much could this cost us? What’s the likelihood it happens in the next 12 months? And what does it cost to reduce that exposure versus absorbing it?

The difference is between telling a board “we have unpatched vulnerabilities in our SCADA environment” and telling them “if our primary filling line goes down for 11 days — the current ransomware average — we lose $47 million in revenue, face $3.2 million in regulatory exposure under NIS2, and trigger contractual penalties with two Tier 1 customers.” The first statement produces nodding. The second produces budget.

Scenario-based analysis is what makes CRQ actionable rather than academic.

Consider a mid-sized food and beverage manufacturer running a legacy DCS with remote access enabled for a third-party maintenance vendor — a configuration that describes thousands of facilities globally.

A useful risk scenario doesn’t just flag the vendor access as a vulnerability. It models the blast radius: the probability of that access path being exploited based on current threat actor behavior in the sector, the production assets at risk if the DCS is compromised, the cost per hour of downtime on that line, the regulatory notification window under applicable frameworks, and the reputational impact if a contamination scare — real or perceived — forces a product recall.

That scenario, built in a language a board can interrogate, becomes the basis for a real prioritization decision: patch the access path, segment the network, or transfer the risk through cyber insurance — with each option carrying a modeled cost-benefit outcome.
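As an added illustration (not code from the article or from CyberEd.io), the scenario above can be reduced to the arithmetic a board can interrogate: a 12-month likelihood, the components of a single loss event, and the residual expected loss under each treatment option. The 11-day downtime is the page's stated ransomware average; every other probability, cost and control effect here is a constructed assumption for the example.

```python
from dataclasses import dataclass

@dataclass
class Scenario:  # a loss scenario in board terms; all amounts in USD
    annual_probability: float   # P(the access path is exploited within 12 months)
    downtime_days: float
    revenue_per_day: float
    regulatory_exposure: float
    contract_penalties: float
    recall_cost: float = 0.0

    def single_loss(self) -> float:
        return (self.downtime_days * self.revenue_per_day + self.regulatory_exposure
                + self.contract_penalties + self.recall_cost)

@dataclass
class Option:  # a treatment: cut likelihood, cut impact, or transfer loss
    name: str
    annual_cost: float
    prob_factor: float = 1.0    # 0.4 means likelihood cut by 60%
    impact_factor: float = 1.0  # 0.5 means one event hurts half as much
    deductible: float = 0.0     # insurance: retained before cover applies
    insured_limit: float = 0.0  # insurance: max loss transferred above deductible

def residual_expected_loss(s: Scenario, o: Option) -> float:
    prob = s.annual_probability * o.prob_factor
    loss = s.single_loss() * o.impact_factor
    if o.insured_limit > 0:  # transfer the slice between deductible and limit
        loss -= min(max(loss - o.deductible, 0.0), o.insured_limit)
    return prob * loss

def compare_options(s: Scenario, options: list) -> list:
    """Rank options by net benefit: expected loss avoided minus the option's cost."""
    base, rows = s.annual_probability * s.single_loss(), []
    for o in options:
        residual = residual_expected_loss(s, o)
        rows.append({"option": o.name, "annual_cost": o.annual_cost,
                     "residual_ael": residual, "net_benefit": base - residual - o.annual_cost})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)

# Constructed inputs for the vendor-remote-access-to-legacy-DCS scenario. The 11-day
# downtime is the page's stated average; every other figure is an illustrative assumption.
SCENARIO = Scenario(annual_probability=0.10, downtime_days=11, revenue_per_day=4_000_000,
                    regulatory_exposure=3_200_000, contract_penalties=1_500_000, recall_cost=2_000_000)
OPTIONS = [Option("Accept the risk", annual_cost=0),
           Option("Patch/harden vendor access path", annual_cost=250_000, prob_factor=0.4),
           Option("Segment DCS network", annual_cost=600_000, prob_factor=0.7, impact_factor=0.5),
           Option("Transfer via cyber insurance", annual_cost=400_000,
                  deductible=1_000_000, insured_limit=20_000_000)]
RANKING = compare_options(SCENARIO, OPTIONS)  # best option first
```

With these assumed inputs the single event costs $50.7M and carries $5.07M of expected annual loss; hardening the access path ranks first, segmentation second, and insurance third because the $20M limit leaves most of the event retained. Changing any assumption re-ranks the options, which is exactly the conversation the board should be having.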

This is what separates organizations that respond well from those that don’t. When a threat materializes, the companies that contain damage fastest aren’t necessarily the ones with the most mature technical controls — they’re the ones where leadership already understood what was at stake. The board had seen the scenario. The CFO knew the downtime number. The response playbook had been stress-tested against a financial model, not just a technical one. CRQ done well doesn’t just inform the annual security strategy presentation — it becomes the shared language that collapses the distance between an engineer’s alert and an executive’s decision.

Decisions Matter, Not Just Roles

The real failure of OT training is that it’s built around roles instead of decisions. Engineers are trained to secure systems, executives to oversee risk — but no one is trained to translate between the two in a way that drives action. Adversaries targeting OT environments are progressing through the ICS Cyber Kill Chain at different speeds, with some already conducting reconnaissance and testing activities inside OT environments to understand control loops and position for future manipulation of industrial processes¹⁰ — while most boardrooms are still debating whether OT risk deserves its own line item.

What’s missing is decision intelligence: the ability to map vulnerabilities to financial impact, communicate risk in business terms, and align operational insights with board-level priorities.

The SANS ICS/OT budget survey found that only 9% of security professionals dedicate 100% of their time to ICS/OT security — meaning the people most qualified to translate technical risk to business impact are spread too thin to do it consistently.¹¹

Until training evolves to focus on that translation layer, boards will continue to misunderstand OT risk — and organizations will continue to pay for it. At CyberEd.io, we built our OT security curriculum around exactly this problem. Our programs don’t just deepen technical expertise or introduce executives to industrial concepts in isolation — they’re designed to build the translation layer itself, giving security professionals the frameworks to quantify risk in financial terms and giving leadership the operational context to act on it. That’s not a gap we’re planning to close. It’s the gap we started from.

References

¹ Dragos & Marsh McLennan – 2025 OT Security Financial Risk Report

² CISA – 2024 Year in Review

³ Mexico Business News – automotive downtime cost analysis

⁴ SANS Institute – 2024 State of ICS/OT Cybersecurity Survey

⁵ Reporting on the Hellcat/JLR ransomware incident, 2025

⁶ Industry reporting on the CrowdStrike global outage, July 2024

⁷ SANS Institute – 2024 State of ICS/OT Cybersecurity Survey

⁸ Sophos – State of Ransomware in Manufacturing and Production 2025

⁹ Tripwire – The Growing Threat of Ransomware to the Manufacturing Sector

¹⁰ Dragos – 8th Annual OT Cybersecurity Year in Review

¹¹ SANS/OPSWAT – 2025 ICS/OT Cybersecurity Budget Survey