AIS Research Insights

← Back to Library Language:

Identifying and Filling Gaps in Operational Technology Cybersecurity

Abbatemarco Nico, Hans Brechbühl

This study identifies critical gaps in Operational Technology (OT) cybersecurity by drawing on insights from 36 leaders across 14 global corporations. It analyzes the organizational challenges that hinder the successful implementation of OT cybersecurity, going beyond purely technical issues. The research provides practical recommendations for managers to bridge these security gaps effectively.

Problem As industrial companies embrace 'Industry 4.0', their operational technology (OT) systems, which control physical processes, are becoming increasingly connected to digital networks. This connectivity introduces significant cybersecurity risks that can halt production and cause substantial financial loss, yet many organizations struggle to implement robust security due to organizational, rather than technical, obstacles.

Outcome - Cybersecurity in OT projects is often treated as an afterthought, bolted on at the end rather than integrated from the start.
- Cybersecurity teams typically lack the authority, budget, and top management support needed to enforce security measures in OT environments.
- There is a severe shortage of personnel with expertise in both OT and cybersecurity, and a cultural disconnect exists between IT and OT teams.
- Priorities are often misaligned, with OT personnel focusing on uptime and productivity, viewing security measures as hindrances.
- The tangible benefits of cybersecurity are difficult to recognize and quantify, making it hard to justify investments until a failure occurs.

Host: Welcome to A.I.S. Insights, powered by Living Knowledge. I’m your host, Anna Ivy Summers. Today, we're digging into a critical issue for any company with physical operations. We're looking at a new study from MIS Quarterly Executive titled "Identifying and Filling Gaps in Operational Technology Cybersecurity". In short, it explores the deep organizational challenges that stop businesses from properly securing the technology that runs their factories and industrial sites. Here to break it down for us is our analyst, Alex Ian Sutherland. Alex, welcome.
Expert: Great to be here, Anna.
Host: Alex, let's start with the basics. We all hear about IT, or Information Technology. What is OT, Operational Technology, and why is it suddenly such a big concern?
Expert: Of course. Think of OT as the technology that controls the physical world. It’s the hardware and software running everything from robotic arms on an assembly line to the control systems in a power plant. Historically, these systems were isolated, completely disconnected from the internet. But now, with Industry 4.0, companies are connecting them to their IT networks to get data and improve efficiency.
Host: And connecting them opens the door to cyberattacks.
Expert: A very big door. The study highlights that this isn't a theoretical risk. It points to a 100-150% surge in cyberattacks against the manufacturing sector in recent years. And an attack on OT isn't about stealing customer data; it’s about shutting down production. The study found a successful breach can cost a company anywhere from 3 to 7 million dollars per incident and halt operations for an average of four days.
Host: That’s a massive business disruption. So how did the researchers in this study get to the root of why this is so hard to solve?
Expert: They focused on the people and the organization, not just the tech. They conducted a series of in-depth focus groups with 36 senior leaders—people like Chief Information Officers and Chief Information Security Officers—from 14 major global corporations in manufacturing, energy, and logistics. They wanted to understand the human and structural roadblocks.
Host: And what did these leaders say? What are the key findings?
Expert: They found a consistent set of organizational gaps. The first is that cybersecurity is often treated as an afterthought. One security leader used the phrase "bolted on afterwards," which perfectly captures the problem. They build a new system and then try to wrap security around it at the end.
Host: Why does that happen? Is it a technical oversight?
Expert: It’s more of a cultural problem, which is the second major finding. There’s a huge disconnect between the IT cybersecurity teams and the OT plant-floor teams. The OT engineers prioritize uptime and productivity above all else. To them, a security update that requires shutting down a machine, even for an hour, is a direct hit to production value.
Host: So the two teams have completely different priorities.
Expert: Exactly. One director in the study described a situation where his factory team saw the central security staff as people who were just "reading a policy sheet," without understanding "what's really going on" in the plant. This leads to the third finding: cybersecurity teams in these environments often lack real authority, budget, and support from top management to enforce security rules.
Host: I can imagine it's difficult to get budget to prevent a problem that hasn't happened yet.
Expert: That's the final key finding. The study participants said the tangible benefits of good cybersecurity are almost invisible. It’s a classic case of "you don't know it's working until it fails." This makes it incredibly hard to justify the investment compared to, say, a new machine that will clearly increase output.
Host: This is a complex organizational puzzle. So, for the business leaders listening, what are the practical takeaways? Why does this matter for them, and what can they do?
Expert: This is the most important part. The study offers three clear recommendations that I'd frame as key business takeaways. First: you have to bridge the cultural divide. This isn't about IT forcing rules on OT. It’s about creating mutual understanding through cross-training, and even creating new roles for people who can speak both languages—technology and operations. The goal should be "Security by Design," baked in from the start.
Host: So, build bridges, not walls. What's the second takeaway?
Expert: Empower your security leadership. A Chief Information Security Officer, or CISO, needs real authority that extends to the factory floor, with the budget and C-suite backing to make critical decisions. One executive in the study recounted how it took a cyberattack simulation that showed the board how an incident could "bring us to our knees" to finally get the necessary support and funding.
Host: It sounds like leadership needs to feel the risk to truly act on it. What’s the final piece of advice?
Expert: Find the win-win. Don't frame cybersecurity as just a cost or a blocker. The study found that collaboration can lead to unexpected benefits. For instance, one company installed security monitoring tools, which had the side effect of giving the engineering team incredible new visibility into their own processes, which they then used to optimize the entire factory. Security actually became a business enabler.
Host: That’s a powerful shift in perspective. To summarize, then: the growing risk to our industrial systems is fundamentally an organizational problem, not a technical one. The solution involves bridging the cultural gap between operations and security teams, empowering security leaders with real authority, and actively looking for ways that good security can also drive business value. Alex, this has been incredibly insightful. Thank you for joining us.
Expert: My pleasure, Anna.
Host: And thank you to our listeners for tuning into A.I.S. Insights. Join us next time as we continue to explore the ideas shaping business and technology.

Operational Technology, OT Cybersecurity, Industry 4.0, Cybersecurity Gaps, Risk Management, Industrial Control Systems, Technochange