Brian Sims
Editor
NEW RESEARCH findings unveiled by SOC-as-a-Service provider e2e-assure highlight that 80% of Critical National Infrastructure (CNI) organisations are facing operational technology (OT) downtime costs of up to £5 million following cyber attacks, duly underlining the scale of financial exposure now tied to operational disruption.
Almost a quarter (23%, in fact) of the most severe OT downtime incidents now cost businesses upwards of £1 million, with 6% of them exceeding the £5 million mark. Among manufacturing and CNI organisations that experience downtime, around 80% report losses of between £100,000 and £5 million.
These financial losses are not limited to rare ‘worst-case’ scenarios, but are becoming a common outcome of incidents affecting essential services and industrial operations. As cyber attacks on typical IT environments are now commonplace, the threat posed to OT systems is increasing, particularly so as geopolitical tensions rise, with 64% of IT decision-makers now fearing nation state attacks.
“This fear reflects a shift in terms of how cyber threats are being used, not just for data theft and monetary gain, but also to disrupt operations and apply strategic pressure against critical services such as energy, transport and manufacturing,” urged Rob Demain, CEO at e2e-assure. “For OT environments, the impact of this threat is more immediate and tangible than in IT. Industrial systems underpin physical processes, meaning that any successful breach can interrupt operations, halt production or affect safety.”
Nation state actors often exploit common entry points such as phishing or compromised credentials before moving into OT systems, increasing the risk of prolonged disruption if organisations are unable to detect and remediate activity swiftly.
Remediation gaps
These concerns are supported by the research findings, which show the average time from compromise to detection is 52 days. This affords attackers considerable time to move through networks and access critical systems before being identified.
Protracted recovery points towards a growing ‘remediation gap’ in industrial cyber security. While 31% of organisations can now detect breaches within 12 hours, fully resolving them remains a significant challenge, with one in every ten large-scale enterprises taking over a year to remediate major incidents.
“Our research shows that organisations are making progress in how quickly they can detect incidents, but that progress is not yet carrying through to remediation and the gap between detection and resolution is leaving OT environments exposed for extended periods,” added Demain. “In OT environments, where cyber-physical systems directly support operations and essential services, delays in resolving any incidents can have lasting operational and financial consequences.”
The research also highlights a ‘disconnect’ between perceived and actual risk, with nearly half (45%) of decision-makers stating that they’re least concerned about insider threats, while 44% place less importance on visibility into OT network activity. These areas are often where incidents persist undetected, particularly so when remediation takes months or even longer.
Common entry points
Worryingly, cyber incidents are also becoming more frequent, with many organisations experiencing four or more attacks each year. The most common repeat attack types include phishing (17%), malware and ransomware (16%), insider threats (15%) and credential theft or account compromise (15%).
These figures indicate that attackers continue to rely on established methods, particularly e-mail and compromised access, rather than more complex techniques.
Supply chain compromise is also a key factor for mid-sized organisations, with 21% reporting four or more incidents linked to suppliers or third parties. CNI organisations report similarly high levels of repeated supply chain compromise and credential theft, both at 21%, showing how trusted access points are frequently being used to gain entry.
Beyond this, organisations are increasingly concerned about longer-term impacts, such as reputational damage (25%) and brand or revenue loss (20%), which are now seen as greater risks than any immediate financial impact. Workforce challenges are also becoming more prominent, with 37% of smaller organisations employing between 1,500 and 2,499 members of staff citing employee loss (ie staff turnover) after major incidents as a key concern.
Positively, around 32% of organisations are using detection platforms originally built for IT and adapted for OT, showing that many are extending existing tools to cover industrial environments. However, only 28% report using custom-developed OT-specific detection capabilities.
“While adaptation is a positive step,” concluded Demain, “the relatively lower adoption of tailored detection suggests more organisations could benefit from approaches designed specifically for the characteristics of OT systems.”