In a comprehensive analysis of tabletop exercises conducted by a cybersecurity firm in 2025, alarming insights emerged regarding the efficacy of incident response strategies within the operational technology (OT) sector. The data indicated that a staggering 88% of participants in these exercises struggled to recognize potential threats effectively. The challenges did not end there; 94% of the participants found it difficult to contain incidents, while 82% had trouble activating their incident response plans. These findings suggest significant gaps in preparedness and awareness in dealing with cybersecurity incidents.
Moreover, during actual engagements, it was discovered that a considerable proportion of incident response cases (approximately one-third) were initiated not by alerts generated by security products but by operators recognizing that something was amiss in their systems. This highlights a critical gap: in many instances, the data essential to investigating these anomalies had not been collected in advance. Without a robust data collection framework, organizations face significant hurdles in identifying and mitigating potential threats effectively.
Adding to these challenges, a recent report from Dragos revealed that 82% of OT asset owners do not possess well-defined criteria for determining when an operational anomaly should prompt a cybersecurity investigation. This lack of clarity poses a substantial risk, as it may leave vulnerabilities unaddressed that could be exploited by malicious actors. Furthermore, the research uncovered that 81% of evaluated environments exhibited poor segmentation between IT and OT networks. This inadequacy creates opportunities for attackers to move laterally within OT networks, frequently using legitimate system tools without being detected, as demonstrated in 56% of the penetration tests conducted.
Lee, an industry expert, commented on the overarching approach to cybersecurity within the OT environment. He emphasized the misguided focus on perimeter defenses, stating, “We’ve told our community to build a big glass house, but the moment that perimeter is breached, good luck.” This remark underscores a critical point: while a robust perimeter defense is essential, it is equally crucial to develop comprehensive strategies for detection and response once an intruder has gained access to the network. Currently, a disproportionate amount of security guidance (around 90%) is concentrated on perimeter defense measures such as patch management, password policies, antivirus solutions, access controls, and secure mode access. In stark contrast, less than 10% of these guidelines address detection and response once intruders are inside the network.
The implications of these findings are profound. Companies operating within the OT sector may be unwittingly creating vulnerabilities by prioritizing perimeter security at the expense of internal threat detection and response mechanisms. As cyber threats evolve, attackers are becoming increasingly adept at breaching defenses and exploiting any gaps in security. The statistics presented by Dragos advocate for a paradigm shift in the approach to cybersecurity within OT environments. Organizations need to adopt a more holistic view that includes both stringent perimeter defenses and robust internal monitoring and response strategies.
Moreover, the lack of well-defined criteria for investigating operational anomalies suggests that many organizations are operating in a reactive rather than proactive manner. This highlights the necessity for OT asset owners to prioritize the establishment of clear criteria and incident response protocols. By doing so, they can improve their overall security posture and enhance their ability to detect and respond to threats in real time.
To conclude, the insights from the 2025 tabletop exercises and subsequent assessments by Dragos present a clarion call for the OT sector. Organizations must recognize the evolving nature of cyber threats and adapt accordingly. By investing in both perimeter defenses and internal detection capabilities, companies can better prepare themselves for the inevitable challenges posed by cyber adversaries. Ensuring that the necessary data is collected and that response plans are effectively activated will be crucial in safeguarding critical infrastructure in an increasingly complex cybersecurity landscape.
