Budget crunch putting cybersecurity for industrial systems at risk

Organizations are not allocating enough money to operational technology (OT) and embedded device security, according to a new report from the SANS Institute and critical infrastructure cybersecurity vendor OPSWAT.

Released Tuesday, the 2025 ICS/OT Cybersecurity Budget Report found that while attack volumes and sophistication keep rising, budgets for OT security are not keeping pace.

“Effective critical infrastructure defense requires a strategic investment in ICS/OT-specific security training, ensuring that those responsible for monitoring ICS [industrial control system] controls have a deep understanding of control system networks,” said Dean Parsons, principal instructor and CEO, as well as principal consultant of ICS Defense Force at SANS, which specializes in cybersecurity training.

“One of the most concerning findings in the report is that while cybersecurity budgets have increased, much of the investment remains focused only on traditional business support systems such as IT, leaving ICS/OT environments, the business itself, dangerously under-protected. After all, in an ICS organization, the ICS is the business.”

The findings are significant as ICS and OT networks for critical infrastructure are increasingly being seen as high-value targets for state-sponsored threat actors.

Ideally, OT and IT should be air-gapped, completely isolated from each other without a direct network connection. In practice, however, staffing cuts and the rise of remote management tools have meant that for many organizations, IT and OT are closely interconnected at a number of points.

This, in turn, leaves OT systems at the mercy of their IT counterparts, which face the internet and threat actors. An attacker can compromise a public-facing IT device such as a PC or application server, then move laterally through other devices on the network until they can jump the bridge onto the OT network.

That scenario is playing out in the real world more often than not. According to the SANS study, 58% of those surveyed said that their OT and ICS incidents began with the compromise of the IT network.

OT administrators often find they have no say in budget allocations, as the report found that only 27% of chief information security officers (CISOs) and chief security officers (CSOs) had control of their budgets.

The majority of respondents said the organization's security budget was divvied up by the information technology side of the operation. As a result, OT is often left underfunded and security needs go unaddressed due to a lack of resources; fewer than half of respondents said they allocate even 25% of their budgets to safeguarding critical infrastructure.

“The presence of IT professionals in ICS/OT cybersecurity highlights the convergence of IT and operational technology skillsets, with IT roles expanding to include ICS/OT responsibilities,” Parsons explained.

“Although this can enhance security strategies, it may pose safety risks without an optimal approach.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
