The Hidden Cost of OT Cyber Disruption


Operational technology has become a prime target for cyberattacks, and the stakes are growing. These are the systems behind factories, power grids, and transit networks. When they fail, the disruption spreads well beyond the IT department. Attacks on OT can stop production and endanger lives.

A recent report from Dragos and Marsh McLennan put real numbers to that risk, estimating that OT-related cyber incidents could expose nearly $330 billion globally each year under a worst-case model. It’s a sobering reminder that OT disruptions carry staggering financial consequences.

“If your SOC manages IT/OT data, that number should send chills down your spine,” said Chad Cragle, Chief Information Security Officer at Deepwatch. “And if you're a CISO responsible for that data, you’re probably only getting 2.5 hours of sleep each night.”

The Financial Toll of OT Cyber Events

The Dragos analysis breaks down that exposure into a wide range of potential losses. In an average year, OT-related incidents could create $12.7 billion in business-interruption claims, or $31.1 billion in broader OT-related cyber risk. But under a rare, large-scale disruption, the numbers spike. The report modeled a 1:250 chance event, or about a 0.4% likelihood in any given year, where business-interruption losses alone could hit $172.4 billion, with total global exposure climbing to $329.5 billion.

Those figures represent not only direct damage but also the larger economic drag of downtime. Most of the financial pain is coming from the indirect costs—canceled orders, missed shipments, contracts, penalties, and regulatory fees. The authors note that the indirect costs will typically exceed the direct losses as revenue increases. For larger companies, the "blank check" nature of business interruption becomes the principal risk.

Why OT Security Is Lagging Behind IT

One reason the potential losses are so high is that many organizations still assume IT defenses extend to OT. They don’t. Firewalls and endpoint tools designed for email and databases rarely apply to programmable logic controllers or industrial sensors. That blind spot leaves critical systems exposed.

The gaps show up in visibility and data collection. Nearly half of the organizations Dragos assessed lacked full monitoring of their OT networks. Without telemetry data, intrusions can persist unnoticed, and when anomalies appear, teams may not have the right playbooks to respond without causing further disruption.

The attack surface itself also looks different. IT incidents usually mean stolen data or service outages. In OT, the consequences extend to damaged equipment, environmental harm, or worker safety. Treating OT as just another extension of IT is a dangerous assumption.

Risk Factors That Shape Exposure

Not every region or industry has the same exposure. North America and Europe experience the highest OT event rates, reflecting the concentration of industrial assets and stricter reporting practices.

Manufacturing is the most exposed sector overall, with subsectors like chemical production, pharmaceuticals, and food and beverage facing breach likelihoods that are well above average. The report shows, for instance, that chemical manufacturing has a 1.49% likelihood of a breach in a given year, compared to 0.71% for manufacturing overall. Utilities also stand out: electric power operators face breach likelihoods of 2.17% in North America.

Company size is another risk factor. Larger firms with higher revenues not only have broader attack surfaces but also see indirect costs climb faster than direct losses. Smaller firms may fly under the radar, but their limited budgets often mean weaker OT defenses. Both face real but different risks.

Closing the Gaps: How Organizations Can Reduce OT Cyber Risk

The study highlights where organizations can reduce exposure most effectively. Incident response planning has the biggest payoff, associated with an 18.46% risk reduction when properly executed. Defensible architecture follows at 17.09%, while network visibility and monitoring deliver a 16.47% reduction. Risk-based vulnerability management and secure remote access round out the top five, each reducing risk by more than 12%. In practice, that means building and testing OT-specific response plans, deploying real-time monitoring, and designing architectures that make lateral movement harder for attackers.

“The fastest way for many organizations to achieve this is by partnering with a Managed Detection and Response (MDR) provider,” Cragle said. “MDR expands your SOC with 24/7 monitoring, proactive threat hunting, and quick containment, all vital in OT, where every minute of downtime costs money and can threaten lives. Combined with OT-specific tools, MDR offers the speed, expertise, and scale needed to reduce detection times, coordinate responses, and keep operations running smoothly under pressure.”

Governance is the other missing piece. Deciding how to fund and enforce OT security is leadership’s responsibility. Boards and executives must weigh OT disruption alongside financial and regulatory risks and hold their organizations accountable for building resilience. Without commitment from the top, even the best technical controls won’t close the gap.

The Bigger Picture

The financial stakes alone should put OT security on every board agenda. Directors and executives need to treat OT disruption as a direct threat to revenue, reputation, and long-term continuity.

That means planning for resilience. Insurance can absorb some losses, but it won’t restore customer trust. Resilience planning—backup production processes, contingency agreements with suppliers, and playbooks for safe-mode operations—helps companies keep functioning when attacks hit. Industry-wide collaboration, including threat intelligence sharing, is equally vital to keep attackers from repeatedly exploiting the same weaknesses.

Most of all, OT security has to be recognized as a core element of business continuity. These are the systems that keep goods moving and power flowing. If they go down, the business goes with them. Treating OT security as optional or secondary is no longer an acceptable risk.

Author
  • Contributing Writer, Security Buzz
    Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.