Monday, January 20, 2025

Dragos’ Lee warns that IT cybersecurity alone cannot safeguard critical OT infrastructure


Robert Lee, the CEO of industrial cybersecurity company Dragos, warns that using IT cybersecurity measures to protect operational technology (OT) infrastructure can jeopardize industrial organizations and increase risk to these environments. His comments come amid increasing cyberattacks on OT infrastructure, which threaten critical infrastructure worldwide, including sectors like energy, water, and manufacturing. 

He also argued that CEOs need to differentiate between IT and OT cybersecurity to safeguard both data and industrial operations. Recognizing that the C-suite and boards of industrial organizations are becoming more cyber-aware, Lee noted that these executives are seeking assurance that their companies can withstand the growing cyber threats posed by state actors, hacktivists, and criminal groups. He also focused on specialized OT cybersecurity measures, such as ICS incident response plans and defensible architectures, which protect vital systems and maintain operational continuity.

“Industrial CEOs and board members are often presented with metrics generated by information technology (IT) security tools and cybersecurity budget allocations to demonstrate their company’s commitment,” Lee wrote in a post for the World Economic Forum (WEF). “Unfortunately, this approach gives a false sense of security. The operational technology (OT) that runs the revenue-producing side of the business remains exposed because IT cybersecurity cannot adequately protect it. By understanding the difference between IT and OT and the effective cybersecurity controls in these environments, CEOs and board members can make more informed decisions and better hold their teams accountable.”

Lee wrote that OT powers modern industrial systems and critical infrastructure, “significantly impacting many aspects of our lives. As of 2022, critical infrastructure provided electricity to 91% of the world’s population (7.2 billion people) and clean drinking water to 74% (5.9 billion people). Oil and gas are essential for transportation, manufacturing and power generation globally.” 

Recent incidents include a wave of cyberattacks against programmable logic controllers used by water facilities, chemical plants and manufacturers that handle fluids. The Volt Typhoon espionage campaign continues to threaten energy, water, transportation and communications infrastructure.

Furthermore, the FrostyGoop malware disrupted heating for more than 600 residential buildings in Ukraine; it issues its commands over Modbus TCP, a protocol used by more than 46,000 internet-exposed industrial control system (ICS) devices worldwide, so its potential reach extends far beyond that one incident. Organizations also remain on alert for PIPEDREAM, the first ICS malware with the ability to scale attacks across systems and sectors.

According to the World Bank’s World Development Indicators for 2023, manufacturing contributes more than 15 percent to the global gross domestic product, employs 15 to 20 percent of the global workforce and affects virtually every person on the planet through the goods and services produced.

Lee highlighted that when OT systems are disrupted, “we have outages, shortages, safety hazards, halted production and financial loss. A cyberattack on a water system can make drinking water unsafe or unavailable. Attacks on energy infrastructure can cause power outages and economic disruption. Cyber threats to food processing plants, chip manufacturers and pharmaceutical companies result in shortages, quality lapses, threats to health and life, breaks in global supply chains and damage to corporate reputation and business viability.”

He pointed out that executives are right to ask their chief information security officers (CISOs) whether their enterprise is protected, but they need to dig deeper. This comes as enterprise cybersecurity investments are typically allocated to protecting data and information systems, but not the industrial processes that operate on a massive scale and have unique systems with exacting requirements for availability.

IT cybersecurity aims to protect information and prevent unauthorized access. IT focuses on managing and processing data, so its controls are built around the confidentiality, integrity, and availability of information. IT devices are typically off-the-shelf, have shorter lifespans and are easier to replace and maintain.

OT cybersecurity, by contrast, protects the systems that ensure the safe and efficient operation of industrial environments. OT infrastructure monitors and controls physical processes and equipment, interacting directly with machinery and physical infrastructure. Lee noted that OT is increasingly connected through digital transformation initiatives, yet it often includes vulnerable technologies that were not designed with cybersecurity in mind.

Lee stated that devices used in OT are often purpose-built, have long lifespans and require specialized maintenance. Security priorities for OT have traditionally emphasized safety, reliability and real-time performance, focusing on protecting physical processes and equipment.

Businesses must use cybersecurity specific to industrial environments to protect OT systems. Because navigating the vast range of guidance can be challenging, the SANS Institute formulated the ‘five critical controls’ for OT cybersecurity to help organizations prioritize the controls that matter most and build an effective OT cybersecurity program.

The controls are: developing an ICS incident response plan before an attack occurs; building a defensible architecture; gaining ICS network visibility and monitoring; securing remote access; and conducting risk-based vulnerability management that prioritizes and mitigates the vulnerabilities that actually matter in industrial, high-availability environments.
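The visibility-and-monitoring and defensible-architecture controls are where most of the engineering work lands. The following is an added example, not code from Dragos, SANS or Lee's WEF post, of the kind of check an OT monitoring sensor applies: it parses Modbus/TCP requests (the protocol FrostyGoop used to read and write controller registers) and flags writes from any host other than an allowlisted engineering workstation, plus any Modbus traffic whose source sits outside the control-network zone. The control-network range, the allowlisted workstation address and the sample flows are constructed assumptions for illustration, not observed traffic.

```python
"""Flag Modbus/TCP writes from unexpected hosts and Modbus traffic crossing the
control-zone boundary. Added illustration of the SANS 'ICS network visibility
and monitoring' and 'defensible architecture' controls; not Dragos, SANS or
WEF code. The zone range, engineering-host allowlist and sample flows below
are hypothetical. Modbus/TCP framing and function codes follow the public
Modbus specification."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

MODBUS_PORT = 502
# Function codes that only read process state.
READ_CODES = {1: "ReadCoils", 2: "ReadDiscreteInputs",
              3: "ReadHoldingRegisters", 4: "ReadInputRegisters"}
# Function codes that change controller state; these are what an attacker
# needs to affect the physical process.
WRITE_CODES = {5: "WriteSingleCoil", 6: "WriteSingleRegister",
               15: "WriteMultipleCoils", 16: "WriteMultipleRegisters",
               23: "ReadWriteMultipleRegisters"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header (transaction id, protocol
    id, length, unit id) followed by the PDU (function code + data).
    Returns None for anything that is not a well-formed request."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:                      # protocol id is always 0 for Modbus
        return None
    if length != len(payload) - 6:    # length covers unit id + PDU
        return None
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a sample request frame (used only to build test traffic)."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


@dataclass(frozen=True)
class ZonePolicy:
    control_net: ipaddress.IPv4Network   # hypothetical: where the PLCs live
    engineering_hosts: frozenset         # hypothetical: hosts allowed to write


def evaluate(src: str, dst: str, dst_port: int, payload: bytes,
             policy: ZonePolicy) -> List[str]:
    """Return alert strings for one observed TCP segment; empty means benign."""
    alerts: List[str] = []
    if dst_port != MODBUS_PORT:
        return alerts
    # Defensible architecture: a PLC should never be reachable from outside
    # its zone, so any Modbus from beyond the control network is an alert.
    if ipaddress.ip_address(src) not in policy.control_net:
        alerts.append(f"modbus from outside control zone: {src} -> {dst}")
    req = parse_modbus_tcp(payload)
    if req is None:
        alerts.append(f"malformed modbus/tcp from {src}")
        return alerts
    fc = req.function_code
    if fc in WRITE_CODES:
        # Only the allowlisted engineering workstation may change state.
        if src not in policy.engineering_hosts:
            alerts.append(f"unauthorized {WRITE_CODES[fc]} from {src} to unit {req.unit_id}")
    elif fc not in READ_CODES:
        alerts.append(f"unexpected function code {fc} from {src}")
    return alerts


# Constructed sample flows (src, dst, tcp payload); not captured traffic.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", build_request(1, 1, 6, struct.pack(">HH", 0x0010, 1))),           # EWS write
    ("10.10.1.7", "10.10.1.20", build_request(2, 1, 3, struct.pack(">HH", 0x0000, 10))),          # HMI read
    ("10.10.1.7", "10.10.1.20", build_request(3, 1, 16, struct.pack(">HHB", 0x0010, 1, 2) + b"\x00\x00")),  # HMI write
    ("203.0.113.9", "10.10.1.20", build_request(4, 1, 3, struct.pack(">HH", 0x0000, 100))),       # outside read
    ("203.0.113.9", "10.10.1.20", build_request(5, 1, 6, struct.pack(">HH", 0x0010, 0xFFFF))),    # outside write
    ("203.0.113.9", "10.10.1.20", b"\x00\x06\x00\x00\x00\x99\x01"),                                # truncated frame
]
POLICY = ZonePolicy(ipaddress.ip_network("10.10.0.0/16"), frozenset({"10.10.1.5"}))


def audit(flows=SAMPLE_FLOWS, policy=POLICY) -> List[List[str]]:
    """Evaluate every flow; returns one alert list per flow, in order."""
    return [evaluate(src, dst, MODBUS_PORT, payload, policy) for src, dst, payload in flows]


if __name__ == "__main__":
    for (src, dst, _), alerts in zip(SAMPLE_FLOWS, audit()):
        print(f"{src} -> {dst}: {alerts or 'ok'}")
```

Two points the example makes that the control list alone does not: a read-only function code from an unexpected source is still an alert, because reconnaissance reads precede the writes that do damage, and a write from a legitimate in-zone host such as an HMI is still flagged unless that host is explicitly on the allowlist, which is the behaviour a risk-based, high-availability environment wants from a passive sensor.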

Citing a recent WEF white paper that called on organizations to prioritize cyber resilience as a strategic leadership issue, enabling them to protect core business objectives and promote long-term growth, Lee noted “that leads to positive news for industrial business leaders who set organizations on the right path toward OT cybersecurity. Their cyber resilience immediately increases.”

He added that while OT cybersecurity is a newer discipline than IT cybersecurity in terms of established practices and widespread adoption, it has evolved with an inherent emphasis on continuity and recovery of operations.

“It has always had to account for the unique challenges and high stakes associated with keeping critical infrastructure safe and functioning,” according to Lee. “Thus, OT cybersecurity incorporates strategies that protect against cyber threats and ensure that systems can withstand and quickly recover from incidents.”

Last week, the WEF published its Global Cybersecurity Outlook 2025 report, which recognizes that escalating geopolitical tensions and increasingly sophisticated cyber threats pose significant risks to critical infrastructure, which depends on networks of interconnected devices and legacy systems. The ongoing conflict in Ukraine exemplifies these vulnerabilities, with critical sectors such as energy, telecommunications, water and heating repeatedly targeted by cyber and physical attacks. These attacks often focus on disrupting control systems and compromising data, highlighting the critical risks associated with OT infrastructure.
