Rising Threats in OT Cybersecurity: Why the Risk Landscape Is Changing Faster Than Your Controls

THREAT LANDSCAPE

The risk to Operational Technology is growing every day, and traditional controls are falling behind. Ransomware groups now specifically target manufacturing. Nation-state actors probe critical infrastructure. Your 15-year-old PLC was never designed for any of this.

Risk to Operational Technology (OT) is rising day by day, and for most asset owners the controls have not kept up. This is not a vendor scare story. It is where attackers are actually spending their time in 2024.

What is actually changing

Three shifts have happened in the last few years, and together they explain most of what we see in incident reports today.

1. Manufacturing is now the #1 industrial ransomware target

For years, ransomware groups went where the money was easiest: hospitals, law firms, city governments. They have since worked out that manufacturers pay faster, because every hour of downtime is directly measurable in lost production. According to Dragos’s 2022 and 2023 Year in Review reports, around 70% of all ransomware attacks on industrial organisations hit the manufacturing sector. Metal products, automotive, and electronics/semiconductor are at the top.

2. The air gap is gone, even where we pretend it isn’t

During assessments, I still hear “oh, our plant is air gapped.” And during the same assessment, we find:

  • A Windows machine pulling antivirus updates from the internet “for a few minutes on Tuesdays.”
  • A vendor laptop plugged into the ICS network for remote diagnostics.
  • An engineer’s phone acting as a hotspot next to the HMI.
  • A historian feeding the corporate BI system through a firewall rule described as “one-way” that in fact permits a return path for acknowledgements.

Every one of these invalidates the air gap. The Stuxnet lesson, that USB sticks and transient devices bypass isolation, is now well over a decade old, and we are still learning it.
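The four findings above share a pattern: traffic crosses a boundary the site believes is closed. A simple way to test the belief is to run flow records from the boundary firewall (or a passive sensor) against the zone model and inventory. The script below is an added example for this post, not the author's tooling: the Purdue-level subnets, the asset inventory, and the flow records are all constructed for the illustration. The one non-obvious check is the last: any TCP session from the OT side to the enterprise side carries bytes back to the initiator, so if a path described as “one-way” shows reverse bytes, it is a firewall rule, not a data diode.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hypothetical plant addressing, labelled by Purdue level. Assumed for the
# example; real boundaries come from the site's IEC 62443 zone model.
ZONES = {
    "L1/L2 control": ipaddress.ip_network("10.20.1.0/24"),
    "L3 site operations": ipaddress.ip_network("10.20.3.0/24"),
    "L4 enterprise": ipaddress.ip_network("10.10.0.0/16"),
}
OT_ZONES = {"L1/L2 control", "L3 site operations"}

# Hypothetical asset inventory for the OT zones. Anything else speaking on
# an OT subnet is a transient device (vendor laptop, phone) until proven otherwise.
OT_INVENTORY = {"10.20.1.5", "10.20.3.10", "10.20.3.15", "10.20.3.30"}


@dataclass(frozen=True)
class Flow:
    src: str            # initiator of the session
    dst: str            # responder
    proto: str          # "tcp" or "udp"
    dport: int
    reverse_bytes: int  # bytes the responder sent back to the initiator


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'outside plant' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside plant"


def audit_flows(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) pairs for every flow that contradicts the air-gap claim."""
    findings: List[Tuple[Flow, str]] = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone in OT_ZONES and dst_zone == "outside plant":
            findings.append((f, "OT host reaching outside the plant"))
        if src_zone in OT_ZONES and f.src not in OT_INVENTORY:
            findings.append((f, "unknown device on an OT subnet"))
        if src_zone == "L4 enterprise" and dst_zone in OT_ZONES:
            findings.append((f, "session initiated from enterprise into OT"))
        # A TCP session always acknowledges, so reverse bytes on an OT -> L4
        # export prove the link is bidirectional whatever the rule is called.
        if src_zone in OT_ZONES and dst_zone == "L4 enterprise" and f.reverse_bytes > 0:
            findings.append((f, "'one-way' export carries return traffic"))
    return findings


# Constructed flow records (not a real capture), one per failure mode above
# plus one benign engineering-workstation-to-PLC session.
SAMPLE_FLOWS = [
    Flow("10.20.3.15", "203.0.113.10", "tcp", 443, 2_000_000),  # AV updates "on Tuesdays"
    Flow("10.20.3.99", "10.20.1.5", "tcp", 44818, 900),         # vendor laptop, not in inventory
    Flow("10.20.3.30", "10.10.5.20", "tcp", 1433, 12_000),      # historian -> BI, "one-way"
    Flow("10.10.5.20", "10.20.3.30", "tcp", 5450, 3_400),       # BI pulling from historian
    Flow("10.20.3.10", "10.20.1.5", "tcp", 502, 400),           # EWS -> PLC, expected
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {reason}")
```

Feed it a day of NetFlow or firewall session logs from the plant boundary and the “air gap” claim becomes a number of findings rather than an opinion.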

3. Adversaries know OT uptime is leverage

Because critical infrastructure operators are measured on availability, a compromised device is rarely taken offline on suspicion alone, and attackers know they have time. They do not smash and grab. They map the network, identify safety-critical assets, understand the process, and then act when it is most painful. This is a fundamentally different threat model from IT.

Why legacy controls are falling behind

Most OT networks were designed to best practice: the best practice available in 2008. That is not a criticism; it is the nature of OT lifecycles. A PLC commissioned in 2012 will still be running in 2032. A 25-year device lifecycle means today’s controls have to defend devices designed before today’s threats existed.

What was once reasonable (a flat network, no authentication on internal protocols, shared engineering workstation credentials) is now a liability. And you cannot rip and replace. So what do you do?

Five strategies that actually reduce risk today

Dragos and other practitioners converge on roughly the same five actions (SANS and Dragos publish them as the Five ICS Cybersecurity Critical Controls):

  1. ICS-specific incident response plan. Not an IT IR plan with the word “OT” added. A plan that tells the shift supervisor what to do at 2 AM when the HMI locks up.
  2. Defensible architecture. Segmentation aligned to IEC 62443 zones and conduits, with a real industrial DMZ (IDMZ) between Purdue Level 3 and Level 4.
  3. Visibility and monitoring. You cannot defend what you cannot see. OT-specific passive monitoring is the single highest-ROI tool most plants do not have.
  4. Secure remote access. Jump hosts, MFA, session recording, time-bounded access. Poorly controlled remote access is one of the most common ways modern OT incidents begin.
  5. Risk-based vulnerability management. Not “patch everything”; OT cannot. Instead: prioritise by exposure and consequence, and mitigate what you cannot patch.
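
Items 3 and 4 meet in one concrete detection: a write command to a controller from a host that is not an authorised engineering workstation, which is what a vendor laptop or an uncontrolled remote session looks like on the wire. The code below is an added example for this post, not the author's or Dragos's tooling. It assumes Modbus/TCP as the unauthenticated protocol (the post names none), a hypothetical allowlist of writers, and constructed frames rather than a real capture. It parses the MBAP header properly so that non-Modbus traffic on port 502 is not mistaken for a request, and it distinguishes write function codes from reads.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Modbus function codes that change process state. A write from a host that
# is not an authorised engineering workstation is exactly the kind of event
# passive OT monitoring exists to surface.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
# Function codes whose PDU begins with a 16-bit starting address.
ADDRESSED_CODES = {0x01, 0x02, 0x03, 0x04} | set(WRITE_FUNCTION_CODES)


@dataclass(frozen=True)
class ModbusRequest:
    src_ip: str
    dst_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]


def parse_modbus_tcp(src_ip: str, dst_ip: str, payload: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header and the start of the PDU.

    MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU that follows it.
    Returns None for anything that is not well-formed Modbus/TCP.
    """
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    function_code = payload[7]
    start_address = None
    if function_code in ADDRESSED_CODES and len(payload) >= 10:
        (start_address,) = struct.unpack(">H", payload[8:10])
    return ModbusRequest(src_ip, dst_ip, transaction_id, unit_id, function_code, start_address)


def detect_unauthorised_writes(frames: Iterable[Tuple[str, str, bytes]],
                               allowed_writers: Set[str]) -> List[str]:
    """Return one alert line per write request from a source not on the allowlist."""
    alerts: List[str] = []
    for src_ip, dst_ip, payload in frames:
        req = parse_modbus_tcp(src_ip, dst_ip, payload)
        if req is None or req.function_code not in WRITE_FUNCTION_CODES:
            continue  # not Modbus, or a read: nothing changed on the controller
        if req.src_ip in allowed_writers:
            continue
        alerts.append(
            f"{req.src_ip} -> {req.dst_ip} unit {req.unit_id}: "
            f"{WRITE_FUNCTION_CODES[req.function_code]} at address {req.start_address}"
        )
    return alerts


# Constructed sample traffic (not a real capture). 10.20.3.10 is the hypothetical
# engineering workstation, 10.20.3.20 the HMI, 10.20.3.77 an unknown host.
ALLOWED_WRITERS = {"10.20.3.10"}
SAMPLE_FRAMES: List[Tuple[str, str, bytes]] = [
    # EWS writes holding register 0x0010 := 1 (function 0x06): authorised
    ("10.20.3.10", "10.20.1.5", bytes.fromhex("0001 0000 0006 01 06 0010 0001")),
    # HMI reads 10 holding registers from 0x0000 (function 0x03): benign
    ("10.20.3.20", "10.20.1.5", bytes.fromhex("0002 0000 0006 01 03 0000 000A")),
    # Unknown host writes register 0x0010 := 0 via function 0x10: alert
    ("10.20.3.77", "10.20.1.5", bytes.fromhex("0003 0000 0009 01 10 0010 0001 02 0000")),
    # Same shape with protocol id 1: not Modbus/TCP, ignored by the parser
    ("10.20.3.77", "10.20.1.5", bytes.fromhex("0004 0001 0006 01 06 0010 0001")),
]

if __name__ == "__main__":
    for line in detect_unauthorised_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("ALERT", line)
```

Pointed at a SPAN port on the Level 2 switch, this is the core of what a passive OT monitoring sensor does; the commercial products add protocol coverage, asset baselining, and the context to tell a commissioning engineer from an intruder.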

The uncomfortable takeaway

The threats are rising, but the controls are known. What is missing in most organisations is not technology. It is ownership, budget, and a clear mandate. Someone at the executive level has to decide that OT cybersecurity is a business risk and fund it accordingly.

If that is the conversation you need to have, we can help you prepare the business case. Talk to RelyBlue about OT risk quantification.

- Mr. Shamikkumar Dave | 2024-08-01