Imagine getting a report card with words like “insufficient,” “misaligned priorities,” and “fragmented defenses.” That’s the current state of industrial control system (ICS) and operational technology (OT) cybersecurity, according to a new report from OPSWAT and SANS Institute. Despite rising cyberattacks targeting critical infrastructure, cybersecurity budgets remain inadequate. The obvious result of insufficient ICS/OT cybersecurity budget is that essential services are left more vulnerable to cyber attacks.
Critical Infrastructure Under Attack
The 2025 ICS/OT Cybersecurity Budget Report reveals alarming statistics. Over 50% of surveyed organizations experienced at least one ICS/OT security incident in the past year. The most common attack vectors included IT compromises (58%), internet-accessible devices (33%), and transient devices like vendor laptops (27%).
This data underscores a growing problem: IT and OT environments are more interconnected than ever, creating new opportunities for cyber threats to infiltrate critical systems. Attackers are exploiting this overlap at an increasing rate, often using IT networks as a gateway to disrupt OT operations.
Budgets Are Growing—But Not Fast Enough
While 55% of organizations reported an increase in ICS/OT cybersecurity budgets over the past two years, industrial cybersecurity funding remains a major issue. A significant portion of spending is directed toward technology investments, but critical operational resilience measures are often overlooked.
The report highlights that only 27% of organizations place ICS/OT security budgets under the control of CISOs or CSOs, leaving many decisions in the hands of IT departments or executives who may not prioritize ICS-specific risks. We’ve said it before, as the report does, IT is not cybersecurity. This misalignment results in fragmented defenses and overlooked vulnerabilities.
IT as a Primary Attack Vector
The report identifies IT compromises as the most frequent initial attack vector, responsible for 58% of ICS/OT breaches. This number highlights the urgent need for integrated security strategies that address IT and OT vulnerabilities. Many organizations fail to recognize that protecting business IT systems alone is insufficient—security strategies must extend to ICS/OT environments.
Underfunded Protections Leave Systems Exposed
Despite growing awareness of OT cybersecurity risks, insufficient budgeting results in ineffective protection. Less than half of organizations allocate even 25% of their cybersecurity budgets to the defense of ICS and OT. This lack of dedicated funding exposes critical infrastructure—such as power plants, water treatment facilities, and manufacturing systems—to cyber threats.
A Call for Smarter Investment Priorities
Key recommendations:
- Better budget alignment with ICS/OT-specific risks – Cybersecurity leaders must oversee spending decisions that address threats.
- Increased investment in ICS/OT cybersecurity training – A significant gap exists in specialized workforce skills. More funding should go toward the training of the professionals needed to secure ICS environments.
- Stronger defenses against IT-originated threats – Organizations must integrate IT and OT security strategies to prevent cross-domain attacks.
- Adoption of high-ROI security measures – Critical investments should focus on network segmentation, visibility tools, and incident response tailored to ICS/OT environments.
Why Leadership Matters in Cybersecurity Budgeting
One of the report’s most concerning findings is the lack of dedicated ICS/OT security leadership. While cybersecurity budgets are growing, IT departments still control many decisions rather than ICS/OT specialists. The survey found that only 27% of security budgets are managed by CISOs or CSOs, and in many organizations, budgetary control is split between IT and OT teams.
Organizations must prioritize appointing security leaders who understand the unique challenges of securing industrial environments.
The Future of ICS/OT Cybersecurity
The report urges companies to:
- Reevaluate budget allocations to ensure ICS/OT cybersecurity gets the funding it needs.
- Adopt specialized ICS security controls that align with operational risk management.
- Foster collaboration between IT and OT teams to create an integrated defense strategy.
- Invest in ICS/OT cybersecurity training to develop a skilled workforce to address emerging threats.
Typically, we’d drop a conclusion or summary here, but Dean Parsons, Principal Instructor at SANS Institute, sums it up best: “The evolving threat landscape in ICS/OT demands more than just deploying security tools. Organizations must make strategic investments in training, leadership, and operational resilience to protect critical infrastructure.”
Other News: Dragos Announces Partnerships to Enhance OT Cybersecurity Incident Response(Opens in a new browser tab)
