Industrial firms can see cyber threats. Acting on them is another matter.
Industrial firms are investing more in cybersecurity than ever before, yet breaches continue to rise. Something is clearly broken.
When attackers gained access to the control systems of Norway's Lake Risevatnet Dam, they didn't steal data or demand ransom. Instead, they opened the water release valves. For four hours, discharge increased by nearly 500 liters per second before operators regained control. While no one was hurt, the attack laid bare a dangerous gap that better monitoring alone cannot close.
Over the past five years, industrial organizations have poured money into operational technology (OT) security. Nearly 9 in 10 increased their OT security budgets by more than 10% last year, according to TXOne Networks' global survey of industrial security leaders. Detection has undoubtedly improved, with nearly half of incidents now identified within 24 hours.
Yet 60% of organizations still suffered a breach in 2025, and the European Union Agency for Cybersecurity reports that OT-related incidents now account for a substantial share of total cyber activity.
Companies are spotting threats faster, but they are still getting hit, suggesting the issue is no longer one of visibility but of execution.
From Visibility to Action
While organizations can now identify vulnerabilities across their environments, doing something about them remains a hurdle. Many still rely on IT-centric risk scoring models, such as raw CVSS base scores, that bear little resemblance to industrial reality. These models flag hundreds of issues as critical without distinguishing between a low-impact workstation and a controller tied to a safety system, creating noise rather than clarity.
Even when priorities are clear, industrial environments resist easy intervention. Applying a software patch usually means taking a production line offline, which translates into lost output, financial strain, or increased safety risk, and many controllers will only run firmware versions their vendor has qualified, so a fix cannot simply be pushed the way an IT update can.
This hesitation creates a growing backlog of known vulnerabilities. While 90% of organizations report running frequent updates, only a fraction achieve broad patch coverage across their assets.
When the fix comes too late
The operational cost of fixing these issues may feel too high, but the consequences of inaction are far worse. In 2025, attackers exploited long-standing vulnerabilities in widely deployed systems supporting Singapore's critical infrastructure. Containing the fallout required a coordinated national response involving over 100 defenders across multiple agencies for nearly a year.
At the same time, the vast majority of attacks originate outside the industrial environment and cross over into it. Ransomware groups such as Qilin and Akira continue to exploit the lateral pathways between corporate IT networks and operational technology, capitalizing on vulnerabilities that defenders know about but haven't prioritized.
Who owns OT security?
Unclear ownership compounds these technical challenges. OT security typically falls into a gray area between IT teams, who understand cyber threats but not industrial processes, and engineering teams, who understand operations but not cybersecurity. As a result, accountability is fragmented.
Even where dedicated OT security roles exist, personnel are often stretched thin. One individual may be responsible for dozens or even hundreds of systems, each with different requirements and constraints. The challenge is as much organizational as it is technological.
How some companies are pulling ahead
Some organizations are beginning to close the gap, and their approach tends to follow three lines.
First, they prioritize based on operational impact rather than technical severity. The governing question is simple: which systems, if disrupted, would stop production or create a safety hazard? More than half of security leaders now frame their priorities this way. It cuts through the noise and concentrates resources where disruption would actually hurt.
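The difference between ranking by technical severity and ranking by operational impact, as an added example rather than TXOne's scoring model or any product's code. The asset inventory, the CVSS values, the weights and the action rules below are all constructed for illustration; the point is that the same five findings sort very differently once the question becomes "which systems, if disrupted, would stop production or create a safety hazard?"

```python
"""Impact-weighted vulnerability prioritization over a small OT asset inventory.

Added example. The inventory, CVSS values and weighting scheme are assumptions
made up for illustration, not data from the article or from any vendor tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    zone: str                  # "corporate", "dmz", "control" or "safety"
    cvss: float                # technical severity, 0.0 to 10.0
    production_critical: bool  # would an outage stop a line?
    safety_related: bool       # tied to a safety instrumented function?
    exposed_to_it: bool        # reachable from the corporate network?
    patchable: bool            # can it be patched in a normal window?


def operational_impact(f: Finding) -> int:
    """How bad disruption of this asset would be, independent of the CVE (1..9)."""
    score = 1
    if f.production_critical:
        score += 3
    if f.safety_related:
        score += 5  # hazard to people outweighs lost output
    return score


def exposure(f: Finding) -> float:
    """How likely the weakness is to be reached by an attacker already inside IT."""
    return 1.0 if f.exposed_to_it else 0.4


def priority(f: Finding) -> float:
    """CVSS still counts, but it is scaled by what disruption would cost."""
    return round(f.cvss * operational_impact(f) * exposure(f), 1)


def rank_by_cvss(findings):
    """The IT-centric ordering: highest base score first."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_impact(findings):
    """The operational ordering: highest impact-weighted priority first."""
    return [f.asset for f in sorted(findings, key=priority, reverse=True)]


def recommended_action(f: Finding) -> str:
    """Patch where possible; otherwise reduce exposure rather than accept silently."""
    if f.patchable:
        return "patch in next maintenance window"
    if f.exposed_to_it:
        return "cannot patch: remove IT reachability (segment / firewall rule) now"
    return "cannot patch: accept with monitoring, revisit at next planned outage"


# Constructed inventory (hypothetical hostnames and scores).
SAMPLE = [
    Finding("eng-ws-07", "corporate", 9.8, False, False, True, True),
    Finding("hmi-line2", "control", 7.5, True, False, True, False),
    Finding("plc-line2", "control", 6.8, True, False, False, False),
    Finding("sis-boiler", "safety", 5.3, True, True, False, False),
    Finding("historian", "dmz", 8.1, False, False, True, True),
]

if __name__ == "__main__":
    print("by CVSS:  ", rank_by_cvss(SAMPLE))
    print("by impact:", rank_by_impact(SAMPLE))
    for f in sorted(SAMPLE, key=priority, reverse=True):
        print(f"{f.asset:11} priority={priority(f):5} -> {recommended_action(f)}")
```

The CVSS ordering puts the engineering workstation (9.8) first and the safety controller (5.3) last; the impact-weighted ordering puts the line-2 HMI and the safety controller at the top and the workstation fourth, which is where a small OT team's week actually needs to go. The weights are deliberately simple so that they can be argued about with plant engineers.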
Second, they accept that not every system can be patched. For legacy or always-on environments, the focus moves to reducing exposure. Network segmentation is one of the most effective controls here: placing controllers behind a firewall that only admits traffic from an OT demilitarized zone, on the specific protocols and ports the process needs, ensures a corporate network breach doesn't automatically become a production incident. The control only counts if it is verified, so the check is whether a corporate host can still reach a controller's Modbus or EtherNet/IP port directly.
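One way to verify that segmentation actually holds, as an added example that is not code from the article or from TXOne: a zone-and-conduit check in the IEC 62443 style, run over observed flow records. The zone address ranges, the permitted conduits and the flow records are all constructed for illustration; the point is that a corporate host talking Modbus straight to a PLC, or anything routed into the safety zone, shows up as a violation even though each individual packet might look harmless.

```python
"""Zone/conduit check for IT-to-OT segmentation over constructed flow records.

Added example. The zone map, the conduit policy and the flows below are
assumptions made up for illustration, not the article's data.
"""
import ipaddress

# Zones, outermost first. Hypothetical address plan.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "ot-dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
    "safety": ipaddress.ip_network("192.168.60.0/24"),
}

# Permitted conduits: (source zone, destination zone) -> allowed (proto, dst_port).
# Anything not listed is denied; note there is no corporate -> control entry at all,
# and nothing routed may reach the safety zone.
CONDUITS = {
    ("corporate", "ot-dmz"): {("tcp", 443), ("tcp", 3389)},  # historian web UI, jump host RDP
    ("ot-dmz", "control"): {("tcp", 502), ("tcp", 44818)},   # Modbus/TCP, EtherNet/IP from jump host
    ("control", "ot-dmz"): {("tcp", 1433)},                  # historian collector
}


def zone_of(ip: str):
    """Map an address to its zone name, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: dict):
    """Return (allowed, reason) for one flow record."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src is None or dst is None:
        return False, "unknown zone"
    if src == dst:
        return True, "intra-zone"
    allowed = CONDUITS.get((src, dst), set())
    if not allowed:
        return False, f"no conduit {src}->{dst}"
    if (flow["proto"], flow["dport"]) not in allowed:
        return False, f"{flow['proto']}/{flow['dport']} not permitted on {src}->{dst}"
    return True, "permitted conduit"


def violations(flows):
    """List every flow that crosses a zone boundary outside a permitted conduit."""
    out = []
    for f in flows:
        ok, why = evaluate(f)
        if not ok:
            out.append((f["src"], f["dst"], f["proto"], f["dport"], why))
    return out


# Constructed flow records (hypothetical hosts and ports).
FLOWS = [
    {"src": "10.10.4.21", "dst": "10.20.0.10", "proto": "tcp", "dport": 443},       # corporate -> historian
    {"src": "10.10.4.21", "dst": "192.168.50.12", "proto": "tcp", "dport": 502},    # corporate -> PLC, direct
    {"src": "10.20.0.5", "dst": "192.168.50.12", "proto": "tcp", "dport": 502},     # jump host -> PLC
    {"src": "10.20.0.5", "dst": "192.168.50.12", "proto": "tcp", "dport": 22},      # jump host -> PLC ssh
    {"src": "192.168.50.12", "dst": "192.168.60.7", "proto": "tcp", "dport": 502},  # PLC -> safety controller
    {"src": "192.168.50.12", "dst": "192.168.50.13", "proto": "tcp", "dport": 502}, # PLC -> PLC, same zone
]

if __name__ == "__main__":
    for v in violations(FLOWS):
        print("VIOLATION", *v)
```

Fed with real NetFlow or firewall logs instead of the constructed records, the same check turns "we have segmentation" into evidence of which conduits are actually being crossed. The deny-by-default shape matters: the policy lists what is allowed, so a new pathway an attacker opens from IT shows up as an unknown conduit rather than slipping past a blocklist.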
Finally, they are building dedicated OT security capacity. The number of companies with large OT security teams has increased significantly, reflecting a growing recognition that industrial cybersecurity cannot be run as a side project by the IT department.
What comes next
The industry has made real progress in spotting threats, but visibility is only the first step. Companies must now focus on execution by prioritizing operational risks and securing systems without taking production offline. Ultimately, the organizations that succeed will be the ones that can move past simply monitoring threats and start doing something about them.
This story was produced by TXOne Networks and reviewed and distributed by Stacker.