Data can drive smart decisions. It tells a truth. You can pay attention to what it’s saying and reprioritize. Or it can be recognized and put aside.

But putting it aside in business doesn’t mean ignoring it. It means finding a defensible risk model. One that works for you, your board, your shareholders, your customers, and employees.

Where do you stand in the risk model? For example, are you able to measure the impact of a cybersecurity incident where data or operations are held for a ransom? What if you can’t get your data back or access your accounting or supplier systems?

You always need to understand your operational resilience – and you need to get agreement on acceptable and unacceptable security, cyber-physical, and OT security tolerances.

Boards Should Help You Define Operational Security Tolerances

Boards are here to help keep important business risk that you may have put aside in check — even when business operators have budget constraints or other challenges in play. In fact, the best boards are the ones helping guide leaders towards clear, data-backed, defensible decisions. With accountability always on the table, it’s critical to define these decisions — something Gartner outlines in the recent blog “Gain Stakeholder Buy-In With These Cybersecurity Best Practices”.

“A PLA [Protection-Level Agreement] is a business decision to invest in a measurable level of protection at a defined cost,” advises Paul Proctor, distinguished analyst and vice president at Gartner. “PLAs change the nature of success and failure in cybersecurity. If a security incident occurs within the PLA’s defined tolerances, the incident is the result of a business decision, not the failure of a control.”

New data is here specifically for boards and security leaders who have to define those tolerances. The Global Industrial Cybersecurity Benchmark 2025 from Takepoint Research surveyed 240 global operational leaders and security professionals. It is really helpful information because it tells us three clear things:

  1. Cybersecurity incidents don’t have a stop button
  2. Cyber-physical systems require a lot of human and technology intervention
  3. A majority of OT security teams are resource-constrained

The biggest resource drains are prioritizing vulnerabilities (49%) and mitigating risk (44%). At the same time, incident response is ranked in the top 3 of all time-consuming tasks by 62% of respondents.

It all adds up to more security work than can be handled. And it’s risky — especially in key critical infrastructure segments. Manufacturing and other operationally heavy industries have critical uptime business demands. CISOs in these sectors have to play nice in this sandbox.

“The high time demands of critical security tasks like vulnerability prioritization, risk mitigation, and incident response are further compounded by limited staffing,” reflects Takepoint in this research study. “While these processes require consistent, skilled attention, many organizations lack sufficient full-time OT security personnel to meet demand. This disconnect between workload and workforce not only slows response times but also increases reliance on manual workflows, underscoring the urgent need for scalable solutions, such as automation and managed services, to close the gap.”

Our research from Vedere Labs observed a 71% increase in threat actors targeting manufacturers in 2024. As part of this research, our threat analysts reviewed 17 separate incidents with new patterns emerging, including the use of custom malware with a dominant interest in data exfiltration (51%) for selling or use in a ransom attack (21%).

Forescout Research watches ransom threat groups and ransom affiliate behavior closely. See our latest findings.

Manufacturing wasn’t alone. The energy sector saw a 93% increase in threat actor activity last year — while healthcare experienced a 55% increase.

It’s not likely to slow down. Vedere Labs expects:

  • A higher volume of attacks: An active ransomware-as-a-service ecosystem means attack volume is likely to be elevated.
  • An increase in OT targets: As more attackers gain a deeper understanding of OT environments, an increase in attacks is expected.
  • More actions influenced by geopolitics: Disruptive operations using ransomware-like tactics may become more common, especially in critical manufacturing sub-sectors.

As cloud technologies become more commonly integrated or connected to operations, attacks targeting cloud misconfigurations will expand. And there are new security implications for these innovations, including:

| Technology | Security Implications | Detection Gaps |
|---|---|---|
| Digital twins | Risks to data models, potential for sabotage | |
| Industrial Internet of Things (IIoT) | Expanded attack surface, potential for compromise | Lack of endpoint telemetry |
| 5G | New vectors for initial access, C2 and data exfiltration | Encrypted traffic visibility |
| AI/ML in Production | Potential for algorithm manipulation and data poisoning | Algorithm behavior baseline |

Focus on Harm Reduction to Help Become More Resilient

The business is a wooden plank seesaw. Risk is on one side and profit is on the other. Your operation on a plant floor or in a power generation center is geared toward profitable productivity but it’s always balancing safety against 365/24/7 utility.

Like debt, there’s a good kind of risk and a bad kind. It’s a ratio. And every organization needs to understand its tolerance without ignoring the facts in front of it. Based on the Takepoint Research data below, nearly half, and on some measures more than half, of organizations are exposed to the kind of risk attackers exploit with regularity through connected network assets. There are more clandestine, emerging, and complex schemes happening across many industries. And if you’re tied to critical infrastructure, well, the alarm bells have been going off from security experts for years.

Network visibility is scattered, so control of the network feels out of whack. Legacy systems are very much in your world, so they have to be maintained. Security is part of that maintenance, but it does require a heavy lift, so you need help there.

As more and more technologies connect to your network, including shadow IT and third-party vendors, the burden is mounting. Think about all the IoT sensors, analytics, automation, and remote monitoring technologies that are giving the business a ton of cost-effective maintenance bang for the buck. But they do open you up to issues if they are not carefully secured or are invisible to your security staff.

It’s incumbent on CISOs new to operational technology security or other cyber-physical systems security to understand the cultural gaps that you need to help connect — for everyone’s benefit.

We all know who gets blamed when things go awry.

Go Deeper: Learn How to Better Balance IT and CPS Security with Best Practices from Gartner®.

In the end, it’s about harm reduction. Like lifestyle changes, risk reduction can become a learned behavioral response in business.

Here’s an extreme case*. KNP, a 150-year-old logistics company based in the U.K., went out of business last year after an Akira ransomware attack took control of its systems. Despite having a million pounds in cyber insurance, the company did not use multi-factor authentication in its password policies. And they lost control of important business functions.

Maybe insurance gives a false sense of security. It doesn’t reduce harm exactly. Though it is an important part of a protection toolkit or “PLA.”

*Most industrial companies aren’t going to go out of business because of a cyber attack, but it’s important to know exactly where your organization is in its security maturity. Start by benchmarking.

Guidance for Operational Resilience in OT

Takepoint Research advises these strategic actions for key stakeholders:

  1. CISOs: Should unify visibility, asset inventory, and vulnerability management under one risk framework — and address shadow IT, a major unmanaged risk impacting over half of surveyed organizations.
  2. OT Security Leaders: Should enforce segmentation, eliminate unauthorized technologies, and deploy discovery tools to map unmanaged assets.
  3. Executives and Boards: Need to prioritize investment in long-term modernization to reduce technical debt and improve OT security maturity.

Vedere Labs recommends that industrial operations organizations:

  • Inventory and Harden Assets: To address initial access vectors, ensure that you have a full inventory of assets in the network, including their current risk levels and known vulnerabilities. This information can be used to harden assets by:
    • Patching vulnerabilities, prioritizing internet-facing systems, especially VPNs, RDP and firewalls.
    • Using complex, unique passwords.
    • Enabling multi-factor authentication whenever possible.
  • Enhance Visibility and Detection:
    • Enable comprehensive logging in every asset by deploying and configuring EDR or native logging capabilities.
    • Use SIEM and threat detection solutions to detect the use of LOTL techniques and anomalous activity.
  • Secure the IT/OT Boundary: Segment the IT and OT networks and monitor traffic crossing the boundary for exploitation of known vulnerabilities or anomalies.
  • Address Supply Chain Risk:
    • Establish baseline security maturity requirements for critical software and service providers.
    • Monitor for breaches related to third-party tools used within the organization.
  • Backup and Recovery: To mitigate the impact of data encryption incidents, maintain immutable, offline backups and test restoration procedures regularly.
  • Threat Intelligence: Stay informed on emerging threat actors relevant to manufacturing, including their TTPs and targeted vulnerabilities. Beyond detection, this focused intelligence helps to develop, for instance:
    • Threat models for edge devices and OT assets
    • OT-specific incident response playbooks that can reduce mean time to respond
  • Secure Emerging Technologies:
    • Perform comprehensive risk assessments before deploying new manufacturing technologies
    • Use the same security maturity requirements of critical vendors for vendors of risky new technologies
    • Consider specialized monitoring for novel attack vectors introduced by these technologies
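The “Secure the IT/OT Boundary” and “Enhance Visibility and Detection” items above both come down to knowing which flows are allowed across the boundary and alerting on everything else. The following is an added example (not code from the page, Forescout, or Takepoint) that checks constructed firewall accept-log lines against an allow-list of approved IT-to-OT flows; the zone ranges, the allow-list entries and the log format are all assumptions made for illustration.

```python
"""Flag IT->OT boundary flows that are not on an approved allow-list.

Zones, allow-list and log lines below are constructed for this example.
"""
import ipaddress

# Assumed zone layout: IT network and OT network as two /16 ranges.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")

# Approved cross-boundary flows: (src host, dst host, dst port).
# Assumed: an engineering workstation talking OPC UA to a server, and a
# historian collector polling a Modbus gateway.
ALLOWED_FLOWS = {
    ("10.10.5.20", "10.20.1.10", 4840),
    ("10.10.5.21", "10.20.1.11", 502),
}

# Ports the page singles out as common initial-access paths (RDP) plus SSH,
# labelled so an analyst sees them at a glance in the alert reason.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH"}

# Constructed sample of boundary-firewall accept logs (key=value fields).
SAMPLE_LOG = """\
2025-03-01T08:00:01 ACCEPT src=10.10.5.20 dst=10.20.1.10 proto=tcp dport=4840
2025-03-01T08:00:05 ACCEPT src=10.10.5.21 dst=10.20.1.11 proto=tcp dport=502
2025-03-01T08:01:10 ACCEPT src=10.10.7.99 dst=10.20.1.10 proto=tcp dport=3389
2025-03-01T08:02:00 ACCEPT src=10.20.1.11 dst=10.10.5.21 proto=tcp dport=502
2025-03-01T08:03:00 ACCEPT src=10.10.5.20 dst=10.20.1.10 proto=tcp dport=22
"""


def parse_line(line: str) -> dict:
    """Split one log line into a record; dport is converted to int."""
    ts, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": ts, "action": action, "src": fields["src"], "dst": fields["dst"],
            "proto": fields["proto"], "dport": int(fields["dport"])}


def crosses_into_ot(rec: dict) -> bool:
    """True only for IT-sourced traffic entering the OT zone (replies are ignored)."""
    return (ipaddress.ip_address(rec["src"]) in IT_ZONE
            and ipaddress.ip_address(rec["dst"]) in OT_ZONE)


def find_boundary_anomalies(log_text: str) -> list:
    """Return accepted IT->OT flows that are not on the allow-list."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] != "ACCEPT" or not crosses_into_ot(rec):
            continue
        if (rec["src"], rec["dst"], rec["dport"]) in ALLOWED_FLOWS:
            continue
        svc = REMOTE_ACCESS_PORTS.get(rec["dport"], "unlisted port")
        alerts.append({**rec, "reason": f"IT->OT flow not in allow-list ({svc})"})
    return alerts
```

Running `find_boundary_anomalies(SAMPLE_LOG)` on the sample yields two alerts: an unknown host opening RDP into the OT zone, and an approved workstation reaching an approved server on an unapproved port.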

Vedere Labs data is sourced directly from 19 million devices within our Device Cloud.
