For OT Cyber Defenders, Insufficient Data Poses the Greatest Threat

The State of Operational Technology Security: A Sector Lagging Behind

As cyber defenders focus on securing operational technology (OT) and industrial control systems (ICS), a significant challenge emerges: the scarcity of actionable data. Unlike their IT counterparts, OT operators often lack comprehensive logging capabilities, which hampers incident response efforts. According to Rob Lee, CEO of cybersecurity firm Dragos, post-incident analysis in OT is nearly impossible without prior data collection and monitoring mechanisms in place. He emphasized that the transient nature of data in OT means that if data is not captured during an attack, it may be lost forever.

Recent incidents highlight the severity of this data deficiency. A major blackout that affected the Iberian Peninsula in April 2025 raised suspicions of a cyberattack, yet investigators later concluded that no cyberattack was involved. As Lee noted, official reports on the incident are only starting to emerge, nearly six months after the blackout. This exemplifies the extended timelines often required to establish the root causes of operational disruptions in the OT realm.

The North American Electric Reliability Corporation (NERC) has recognized this issue, recently introducing a new rule, CIP-15-01, which mandates internal network traffic monitoring for critical electric utility environments. However, the rule comes with a phased implementation schedule, set to take effect in 2028, indicating that many grid operators are currently unprepared for such monitoring. Lee remarked that this delay could hinder timely responses to malicious activity.

The landscape of OT security reflects a generational gap compared to traditional IT security practices. Bryson Bort, a U.S. Army veteran and founder of the ICS Village, observed that many OT operators still lack visibility over the ICS devices in their networks. This lack of visibility prevents operational teams from managing cybersecurity risk effectively, since they cannot reliably identify the assets at stake.

Dale Peterson, a consultant and founder of S4, noted that the overall deficit of publicly available data on OT cyberattacks creates an inflated perception of their threat level. He explained that while data exists on IT incidents, this information is often not shared due to concerns over legal liability and reputational damage, especially among companies affected by data breaches or ransomware attacks. The gap renders it challenging for the sector to build defensible security architectures.

Efforts are underway to facilitate better data sharing among OT stakeholders. Tatyana Bolton of the OT Cybersecurity Coalition emphasized the need for a centralized, anonymized approach to exchange information about OT attacks. She pointed out that existing information-sharing frameworks, such as sector-specific ISACs, should be fully leveraged rather than creating new channels that may remain underutilized.

As nation-state adversaries increasingly position themselves within critical infrastructure networks, the urgency for improved data gathering and analysis in the OT space cannot be overstated. Without comprehensive monitoring and information sharing, operators risk facing insurmountable challenges in confirming whether cyberattacks have directly impacted their systems. The evolving landscape underscores a pressing need for a concerted effort to enhance both the visibility and resilience of OT environments.

In exploring potential adversarial tactics related to OT security weaknesses, it is crucial to consider the MITRE ATT&CK framework. Tactics such as Initial Access, through which adversaries gain a foothold in systems, and Persistence, which enables them to maintain access after initial exploitation, are likely employed during attacks on OT systems. Understanding these tactics will be essential for organizations seeking to bolster their defenses against the increasing complexity of cyber threats targeting their operational technology.