For years, operational technology (OT) security has occupied an uncertain corner of the boardroom agenda, being acknowledged in principle, but rarely interrogated with the same forensic rigour applied to financial risk or supply chain exposure, write Rob Demain, CEO of e2e-assure.

It has been treated as an engineering problem: something for plant managers and control system specialists to manage away from the scrutiny of finance directors and non-executive boards.

However, new data makes the financial stakes impossible to ignore. Among manufacturing and critical national infrastructure organisations that have experienced cyber-induced downtime, around 80% report losses of between £100,000 and £5 million per incident. The most severe incidents exceed £5 million. In the very real example of the Jaguar Land Rover attack of 2025, costs are estimated in the billions. This illustrates the consequences of security failures in environments that keep the country’s lights on, its production lines moving, and its supply chains intact.

It speaks to a wider structural failing. The OT security landscape is still largely operating on borrowed tools. Approximately 32% of organisations are still relying on IT-adapted security technologies in OT environments. While this shortcut might have made pragmatic sense a decade ago, when OT and IT networks were largely separate, it has created critical blind spots as infrastructure converges. Only 28% of organisations have deployed detection capabilities purpose-built for industrial environments. The remainder are, in effect, monitoring their production floors with instruments that were never designed to understand them.

This matters because OT environments are fundamentally different from enterprise IT in ways that conventional security tooling cannot adequately address. A SIEM platform calibrated for IT traffic does not natively understand the communication protocols that govern industrial control systems and cannot distinguish between an anomalous command sequence that represents an operational change and one that represents a threat actor moving laterally through a control network. In a data centre, a false negative is costly. On a production floor, it can mean cancelled output, equipment damage, or even a risk to personnel safety.

The research further shows that recovery is not quick following an incident, with one in ten large enterprises taking over a year to remediate. In an OT context, where every day of downtime can translate directly into lost production, broken contractual commitments, and wider supply chain disruption, a year-long recovery becomes an existential threat.

The upcoming Cyber Security and Resilience Bill (CSRC) extends mandatory security requirements across critical infrastructure and their supply chains, meaning organisations that haven’t invested in OT-specific security capabilities will find themselves navigating both regulatory exposure and operational vulnerability simultaneously. Those organisations that will weather incidents most effectively go beyond compliance and build genuine operational resilience.

What does genuine resilience look like in an OT environment? It starts with detection capability that understands the production floor with tools that work with industrial protocols, asset behaviour baselines, and that can tell the difference between a safe operating state and a compromised one. It requires that monitoring be continuous, not periodic, because threats do not observe maintenance windows. And critically, it demands that incident response plans account for the reality that in many OT environments, simply isolating or shutting down an affected system is not a viable option. You cannot pull the plug on a blast furnace or isolate a water treatment process the way you would a compromised file server.

This is where the gap between IT-adapted and OT-native security becomes operationally decisive. The question incident responders must be able to answer is not just “what has been compromised?” but “what can we safely do about it, right now, without making the situation worse?”

Boards and finance directors have historically left that question to their engineering teams. The data now makes clear that it belongs in the boardroom. And that the organisations that treat OT security as a matter of production continuity, not merely compliance, are the ones best placed to answer it.

Learn more: https://e2e-assure.com/

Click here for more news: https://designsolutionsmag.co.uk/category/news/