Billions at Risk from Exposed OT Systems Demand Urgent Action

This August, two independent studies made one thing clear—the risks facing Operational Technology (OT) are growing faster than most organisations can contain.

One industry report warned that the potential global financial impact of OT cyber incidents could stretch into the hundreds of billions annually, driven largely by indirect costs like production shutdowns, cascading failures, and supply chain disruption. At the same time, new academic research found nearly 70,000 OT devices directly exposed to the public internet, many running outdated firmware with critical vulnerabilities.

For operators of critical national infrastructure, these findings are a stark reminder that the weak points are already visible, and attackers know exactly where to look.

Weaknesses Hiding in Plain Sight

The research highlighted systemic issues:

• Legacy protocols (ModbusTCP, EtherNet/IP, S7) still transmitting unencrypted data.
• SCADA and HMI systems openly accessible online.
• Outdated firmware with known vulnerabilities left unpatched.

These aren’t exotic zero-day attacks. They’re open doors, waiting to be exploited.

At the same time, the financial modelling underlines the scale of what’s at stake. Even “typical” OT disruptions can cost billions each year, but in high-impact scenarios, losses could multiply several times over—affecting not only the operator, but entire regions and industries.

Identity Gaps Are the Real Risk

The most striking detail across both studies is that these aren’t simply technical problems—they’re identity problems.

• Exposed systems are rarely protected by strong authentication.
• Shared, static, or reused credentials make lateral movement trivial.
• Remote contractors and offline operators often connect without auditable verification.

Attackers don’t need advanced exploits when authentication gaps already give them the keys.

From Exposure to Resilience

The path forward is clear: plug the exposure gap by securing identity and access at the OT level.

Effective OT authentication:

• Works in fully or partially offline environments.
• Issues time-limited, session-specific credentials that can’t be reused.
• Blocks lateral movement between devices.
• Provides a verifiable audit trail even in disconnected facilities.

By embedding identity controls into every access point, operators can shrink risk exposure dramatically—transforming billions in potential losses into manageable, preventable threats.

Securing the Future of OT

August’s findings show that OT systems remain the soft underbelly of critical infrastructure. Whether through devices sitting unprotected on the internet or the staggering costs of large-scale disruption, the consequences of inaction are now measured in billions, not millions.

Technology budgets, policies, and awareness campaigns all help—but without robust authentication at the OT level, the same blind spots remain.

In OT, identity is security. Closing those gaps is not optional—it’s the frontline defence for national resilience.