Operational technology (OT) cybersecurity budgets are often directed toward surface-level defenses while deeper architectural flaws persist. What do we mean by surface-level defenses? A few examples that come to mind are perimeter firewalls without deep packet inspection, one-time network assessments or asset inventories, and default or weak access controls left in place after commissioning of the control systems. This approach to budgeting for OT cybersecurity reflects a broader misalignment between perceived security investment and actual risk reduction, leaving critical infrastructure exposed and distorting the ROI on security spending.
Instead, we recommend an approach in which security is inherent in the design, and systemic changes are made that reduce risk and harden legacy technology. This article covers these recommendations in detail and explains why current reactive approaches are insufficient to secure critical systems effectively.
Even with an increase in OT cybersecurity spending across critical sectors, including utilities, manufacturing, and logistics, the allocation of these budgets often reflects a reactive posture rather than a strategic one. According to ABI Research, global OT cybersecurity investment is projected to grow by nearly 70% between 2023 and 2028, primarily driven by escalating threats and regulatory pressure. However, much of this investment continues to favor surface-level defenses such as perimeter firewalls, passive detection tools, and compliance-driven patching, while foundational architectural risks remain unaddressed. A 2025 SANS Institute survey found that more than half of organizations cited compliance obligations as a primary driver of OT security investment, often at the expense of long-term resilience. This trend suggests that spending is frequently optimized for audit readiness rather than operational integrity.
This misalignment is further exacerbated by what might be called "threat-chasing economics," a budgeting mindset that prioritizes the latest detection technologies over systemic design improvements. While intrusion detection and anomaly monitoring are essential, they are often deployed in environments that still lack basic segmentation, secure-by-default protocols, or fail-safe engineering principles. The result is a security posture that appears mature on paper but remains brittle in practice. As Wetzels et al. argue, insecure-by-design features in OT systems, such as unauthenticated protocols and hardcoded credentials, render even the most advanced detection tools insufficient. Until OT leaders shift their investment strategies from visibility to verifiability, the illusion of security will continue to mask deeper architectural liabilities.
Although there is growing awareness of cyber threats, many OT environments remain fundamentally insecure due to legacy design decisions that prioritized availability and interoperability over security. Wetzels, dos Santos, and Ghafari examined 45 actively deployed OT product families from 10 major vendors. They found that every system exhibited at least one minor vulnerability, ranging from unauthenticated protocols and hardcoded credentials to the lack of cryptographic validation. These flaws are not the result of misconfiguration or patching delays; they are rooted in the architecture itself.
The authors further discuss that such insecure-by-design features allow attackers to manipulate operational parameters, execute arbitrary code, or disable devices entirely, often without triggering alarms. This systemic fragility undermines even the most advanced detection and response tools, rendering them reactive rather than preventative.
Despite the severity of these architectural flaws, many OT leaders hesitate to invest in long-term remediation. A combination of perceived complexity, operational risk, and vendor aversion often drives this reluctance. According to Ehrenreich, the legacy assumption that OT systems are isolated or air-gapped continues to influence budget decisions, even though remote access and IT solutions in OT environments have become the norm. Moreover, the lack of clear guidance on how to retrofit security into legacy systems without disrupting safety, reliability, or availability creates a paralysis of prioritization. As a result, organizations default to incremental controls rather than systemic redesign. Until leadership reframes insecure-by-design not as a technical inconvenience but as a strategic liability, budget inertia will continue to favor short-term optics over long-term resilience.
While cybersecurity spending has increased across industries, the logic behind how those funds are allocated often reflects a short-term focus rather than a systemic risk reduction approach. Kianpour, Kowalski, and Overby conducted a meta-review of 28 cybersecurity economics studies and found that most investment models remain rooted in simplified assumptions, prioritizing measurable, near-term returns over long-term resilience. This tendency is reinforced by compliance-driven budgeting cycles, where deadlines and audit checklists often dictate spending priorities more than threat modeling or architectural risk assessments. As a result, organizations may invest in tools that demonstrate visible activity, such as dashboards or alerts, while neglecting less tangible but more impactful investments, including protocol hardening, secure engineering practices, and lifecycle risk modeling.
This misalignment is particularly acute among small and medium-sized businesses (SMBs), which often lack the in-house expertise to critically evaluate competing security narratives. According to Rubinstein, many SMBs perceive cybersecurity as a cost center rather than a strategic enabler, delaying investment until after a breach occurs. The vendor and analyst ecosystem compounds this challenge by flooding the market with conflicting claims, buzzwords, and product-centric messaging. Without trusted guidance or a clear framework for prioritization, SMBs are left vulnerable to misallocating limited resources, often overinvesting in detection tools while underinvesting in foundational controls. This dynamic not only weakens their posture but also introduces systemic risk across the broader supply chain.
The financial consequences of insecure architecture extend far beyond the initial breach. Poor segmentation, legacy protocols, and unauthenticated device communications act as structural accelerants, escalating what might have been containable incidents into full-scale operational crises. According to IBM and the Ponemon Institute, the average global cost of a data breach climbed to $4.88 million, with critical infrastructure sectors experiencing some of the sharpest increases. The industrial sector alone saw breach costs spike by $830,000 over the previous year, mainly due to its heightened sensitivity to downtime and fragile system design.
Notably, 70% of organizations reported significant or very significant business disruptions following a breach, and only 12% had fully recovered by the time of the study, often requiring more than 100 days to do so. These are not anomalies; they are predictable consequences of weak architecture. As CISA stressed in its "Secure by Design" guidance, when security is bolted on instead of built in, organizations face exponentially higher recovery costs and a longer mean time to recovery (MTTR).
Beyond direct response costs, the absence of architectural integrity inflates long-term liabilities. Flat networks, legacy OT systems, and unscalable defenses raise red flags not just for internal risk teams but also for insurance underwriters. The same 2024 IBM and Ponemon Institute study found that organizations suffering from high security complexity or skills shortages incurred costs of up to $5.74 million, nearly $1 million above the global average. Regulatory penalties worsen this exposure, particularly under mandates such as NIS2 and HIPAA, which assess whether security failures resulted from negligence in system design and implementation. Perhaps most damaging, however, is the erosion of stakeholder trust. As Romanosky cautions, reputational damage can far exceed technical remediation costs when breaches are tied to preventable design failures. In an era where operational confidence is a board-level metric, insecure-by-design systems are not just a technical liability; they are a strategic one as well.
For OT leaders, the path forward begins with recalibrating their strategic lens, from a detection-first posture to a design-first mindset. While detection and monitoring solutions remain essential, they cannot substitute for security fundamentals built into the architecture itself. Leaders must treat system design as an enduring control surface, not just a configuration phase. This means prioritizing segmentation by default, enforcing secure communication protocols, and minimizing implicit trust between assets. Rather than chasing anomalies across insecure networks, organizations should focus on shrinking the attack surface at its roots. As CISA (2023) emphasizes in its Secure by Design principles, preventing exploitation by addressing architectural exposures is far more effective than detecting it after the fact.
Reallocating budgets to support long-term remediation and legacy hardening is critical. Many OT environments remain dependent on unpatched systems and vulnerable field devices because remediation has long been deemed operationally impractical. However, postponing investment in these areas only compounds downstream risks and costs. OT leaders must advocate for phased, risk-informed modernization efforts, prioritizing the remediations with the greatest impact on operational continuity and on reducing adversary dwell time. Budgeting models should account for technical debt and include architecture refresh cycles, not just tooling updates. Without sustained investment in architectural repair, organizations will continue to incur outsized costs from preventable incidents and operational fragility.
Equally important is the development of cross-functional security capabilities. Most OT cybersecurity failures are not just technological; they are systemic. Addressing them requires alignment between ICS engineers, IT security teams, and operations leadership. Investing in role-specific training that contextualizes cybersecurity within industrial safety and reliability frameworks can bridge the persistent communication gap between engineering and security disciplines. Programs such as role-based threat modeling, digital twin simulations, and secure-by-design engineering boot camps are more impactful than generalized awareness modules. Security maturity in OT environments does not solely hinge on the tools in use; it also hinges on who is using them and whether they understand the consequences of insecure design.
Finally, OT leaders must begin shifting market expectations by demanding lifecycle-secure products from their vendors. The persistence of insecure-by-design features reflects not only technical debt but also procurement apathy and a lack of accountability. Leaders can influence upstream change by incorporating security requirements into vendor selection criteria, insisting on secure development practices, and favoring platforms that support long-term patching and authentication enforcement. Embracing open standards and transparent security disclosures will also help reduce dependency on proprietary, opaque systems that impede visibility and validation. Elevating product security to a procurement-level concern sends a powerful message: insecure design is no longer a tolerable default; it is a disqualifier.
OT leaders face a mounting challenge: the illusion of cybersecurity maturity built on surface-level controls is no substitute for real, structural resilience. The persistence of insecure-by-design OT systems, the economic distortions of compliance-driven spending, and the growing cost of architectural neglect all point to a critical misalignment between investment and impact. Cybersecurity cannot continue to operate as an optics-driven cost center; it must become a lever for operational integrity and competitive trustworthiness.
To get there, organizations must shift from detection-first reflexes to design-first strategies. This is not about spending more, but about spending more intelligently, investing in architecture remediation, cross-disciplinary training, and lifecycle-secure technologies that close systemic risk gaps. Reprioritizing in this way not only strengthens security posture but also improves recovery speed, reduces liability, and enhances stakeholder confidence. In an era where operational failure is reputational failure, strategic investment in secure design is no longer optional; it is a leadership imperative.
Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.