New Press

IndustrialCyber - Why OT security remediation stalls after assessment and what manufacturers are doing to move programs forward

Written by Corsha | Jun 9, 2026 4:00:00 AM

In manufacturing environments, a technical assessment of OT (operational technology) environments is the point at which managers shift from identifying risks to reducing them. At this stage, staff members can identify specific hazards and turn them into a ranked list of tasks to make systems more stable over time. As those gap analyses are conducted, they reveal the same weaknesses and missing controls, including unmanaged remote access, weak network segmentation, legacy assets, inadequate visibility, and fragmented governance. Oftentimes, on delivery of the last report, remediation measures can fall victim to the harsh reality of security recommendations being up against operations, budgeting, and production concerns.

Across organizations, the process follows a pattern where they finish gap analyses that point out the same types of risk, and they observe that the program to fix those issues loses momentum within a few months.

The issue is seldom about a lack of understanding. Manufacturing executives have come to realize that cyberattacks may interrupt manufacturing processes, put employees at risk, and impact business continuity. According to Deloitte, OT system–related investment decisions are often made on the factory floor by leaders within operations, with less involvement from corporate IT and security departments. This can lead to a myriad of different technologies, often with different security control capabilities, that will likely need to be integrated and then managed using existing IT network infrastructures.

As industrial environments connect to more networks, organizational risks multiply. During April 2025 and March 2026, industrial organizations were the target of approximately 30 % of global ransomware activity. This shows that attackers are directing more of their efforts toward operational environments, but many organizations still find it difficult to turn risks they have identified into projects that receive money or results that people can measure.

Practically, reasons vary by organization size and manufacturing subsector. Large companies frequently use procedures that take a long time to decide on actions – this happens because executives from departments for engineering, finance, operations, and cybersecurity must agree. In mid-sized factories, executives have a limited amount of money at their disposal. Due to this, they must choose whether to spend funds to make security stronger or to buy more machines for production. For industries with a continuous process, the main goals are that operations are reliable and that they fix problems to keep people safe, but discrete manufacturers often work to protect their intellectual property, build production efficiency, and bolster supply chain resilience.

Due to those situations, people must think about complex problems. To explain why a company should spend money on fixes is difficult because the benefit is that bad events do not happen. What happens when security mandates compete with production targets? How do plant managers determine what is ‘good enough’ when ideal programs remain unfunded? And what structural changes distinguish organizations that successfully move from assessment findings to sustained risk reduction?

Understanding why OT security projects stall requires looking beyond technology. Operators normally come up with solutions for such situations using governance frameworks, budget control, accountability, and compromise. Manufacturing firms should develop a comprehensive cyber management strategy that involves both the IT and OT systems to be able to detect and manage any cyber attack.

Why OT security remediation projects derail

Industrial Cyber reached out to industrial cybersecurity experts to examine at what point in the remediation process projects most commonly lose momentum. They also identify the factors that typically contribute to those setbacks.

Anusha Iyer, founder and CEO of Corsha, observed that pretty universally across customers, projects consistently lose momentum during the scoping and budget phase. “The proximate cause is almost always fragmented ownership between IT and OT teams. When it is unclear who owns the budget and the specific success outcomes, design and deployment inevitably stall.”

“The most common stall point is the gap between report delivery and the first funded remediation action,” Peter Jackson, a principal industrial consultant at Dragos, told Industrial Cyber. “In my experience, the most common cause is translation failure: the assessment output is written in technology risk language, while the people who control the budget and schedule speak operational and business risk language. Nobody does the conversion, so the report sits.”

Reynaldo Gonzalez, principal cybersecurity architect at Cummins, told Industrial Cyber that projects most commonly lose momentum immediately after the assessment phase when organizations transition from identifying risks to assigning ownership.

“Assessments often identify the right issues, but many organizations lack a clear RACI model defining who is responsible and accountable for remediation,” Gonzalez explained. “Findings frequently span cybersecurity, engineering, operations, network teams, and vendors, yet no single owner is empowered to drive execution. The result is that assessment reports gain consensus but fail to gain accountability.”

Claudio Sangaletti, corporate head of infrastructure and communication at PERSÁN, told Industrial Cyber that the reality is that projects typically lose traction in the gap between assessment and remediation planning, the moment when technical findings must be converted into budget line items.

“Assessments generally have sponsors, deliverables, and deadlines, while remediation, too often, has none of that: no clear owner, no right funding, no accountability, no urgency,” according to Sangaletti. “If you haven’t agreed on who owns remediation and how decisions get made before the assessment even begins, findings rarely go anywhere. They become just SharePoint documents.”

OT security funding under scrutiny

The executives address how the approval process for OT security spending differs from that for IT security spending within their organizations and assess the impact of those differences on project timelines and implementation speed.

“While IT security spend is typically centralized across an enterprise these days, we see OT spend heavily decentralized across individual plant budgets, forcing security initiatives to compete with routine maintenance, modernization, or equipment upgrades,” Iyer assesses. “Navigating this fragmented, site-by-site approval process routinely adds months to the discovery, procurement, and deployment lifecycle.”

Jackson identified that IT security spending has been in a decade-long normalization. “Zero trust, defense in depth, endpoint protection, etc., are budget line items that CFOs and boards accept without much debate. OT security spend is often treated as a project, not a program, which means it has to compete for capital budget, justify ROI, and survive procurement cycles that can run six to eighteen months. The delta is usually measured in years, not weeks.”

“IT security investments are typically evaluated through an enterprise risk lens and follow established governance and budgeting processes,” according to Gonzalez. “OT security investments must also consider operational continuity, safety, reliability, and production objectives. One challenge is that OT initiatives are sometimes driven by IT-centric approaches that do not fully account for industrial realities.”

As a result, he added that organizations spend additional time validating that proposed solutions will not introduce operational risk. “The cost is often measured in months of delay between identifying risk and implementing mitigation.”

“We can see that IT security spending typically follows a standard path: CISO approval, an established budget, and enough flexibility to move quickly when something urgent comes up,” Sangaletti determined. “But OT is a different story. Getting funding approved often means involving plant management, operations, and the CFO for every single initiative. That can add three to six months of delay, with a significant portion of that time spent just translating technical risk into language that resonates across every different organizational layer.”

Weighing security mandates versus plant priorities

When a plant manager pushes back on a centrally mandated security project, the executives look into the arguments being made and consider effective ways to address those concerns.

Recognizing that it’s true industrial environments are so independently managed today, Iyer said that while convergence and bringing security posture under centralized control are good, it takes a journey.

“The journey starts with getting folks at each facility on board and bought-in to the problems the project will solve and forward benefits it will bring for the project to be fully successful,” she mentioned. “The counterargument for all of these is that the risk of cyberattack on under-protected industrial control systems is ever-present, and the impact can be existential to the plant. Sharing the solution allows shared burden, shared improvement, and shared learning.”

Highlighting that plant managers can be asked to endorse, fund, resource, or manage a security initiative, Jackson observes that resistance can emerge at any of those levels, depending on how the project has been funded, planned, structured, and executed.

“When I’m brought in to help recover or manage a situation, the first question is to understand the points of friction. If the security team hasn’t adequately engaged stakeholders, the plant manager has a defensible complaint,” he added. “If there is a lack of understanding or buy-in, that’s one problem. In practice, I’m usually doing both things at once – educating and evangelizing the plant manager, and reframing or restructuring the project/initiative to address the legitimate parts of the resistance. Ultimately, security done to a site rather than with it almost always ends up as pushback.”

Gonzalez said the most common concern is that the project may pose a risk to production.

“Plant leaders are accountable for safety, quality, and uptime, so any change creates uncertainty,” he underscored. “The best response is to acknowledge those concerns and demonstrate that security is intended to reduce operational risk, improve resilience, and protect production rather than disrupt it. The conversation becomes much more productive when cybersecurity is framed as a business continuity initiative rather than a compliance exercise.”

Sangaletti thinks that plant managers often do not rely on security changes for a simple reason: downtime is their enemy. “They follow the very old lemma: if a system has run without issues for years, why touch it? Furthermore, their incentives focus on uptime, throughput, and OEE, with no bonus for a security project that goes smoothly.”

He added that the reframe that tends to work is shifting the choice from ‘change versus no change’ to ‘controlled intervention now versus uncontrolled disruption later.’ “We need to show them that when an incident hits an unprepared environment, the recovery is always harder, longer, and more expensive.”

Making case for remediation investment

The executives focus on framing strategies that have proven most effective in securing remediation investment approval from operations and finance leadership.

Iyer highlights two distinctly different paths to achieving effective outcomes. “Remediation and cybersecurity initiatives usually seem to be driven for two reasons: #1 – security is a blocker to connectivity, data, and modernization, or #2 – security is an insurance policy against catastrophic downtime.”

She added that “When we frame it as an insurance policy against catastrophic downtime. By tying the security investment directly to the financial cost of a production outage per hour, it transitions from a technical security request into a clear business continuity decision.”

“The most effective framing connects the ask to something the approver already owns and cares about,” Jackson said. “Not ‘we need to upgrade this system’ – instead: ‘this system has no vendor support, no spare parts pipeline, and if it fails, we estimate two weeks/months of degraded operations or full downtime. Here is the cost of that, here is the cost of a planned replacement, here is the schedule.’”

He added that operations and finance leaders respond to operational consequences in their language, not in generic security risk terms.

Gonzalez finds operational resilience is the most effective framing. “Rather than focusing on vulnerabilities or threat statistics, connect cybersecurity investments to reducing downtime, improving recoverability, protecting worker safety, and preserving production. Operations and finance leaders are more likely to support investments when cybersecurity is positioned as a business resilience initiative rather than a technology project.”

“I will say that the most effective framing for leadership does not talk about threats. Instead, it discusses their possible liability and dependency. Remember that finance will only respond well to numbers: reduced revenue, NIS2 penalties, and contractual obligations to customers,” Sangaletti said. “At the same time, operations will respond to a different language, in which security debt becomes a possible production stop. Bringing both perspectives together and adding a clear cost-of-delay calculation is often what finally moves a budget request out of the waiting queue and into approval.”

What happens when budgets shape security decisions

The executives evaluate how organizations determine what is good enough when the ideal program is not funded, and how those decisions are documented and justified.

“When a customer cannot fund a comprehensive, enterprise-wide program, we guide them toward a phased, risk-based approach,” Iyer detailed. “We prioritize securing the most critical safety and production systems first to achieve baseline resilience. We then assist them in documenting the unfunded gaps in their corporate risk register, requiring formal executive sign-off for the accepted risk.”

Jackson says that good enough is defined by documented, agreed risk tolerance – not by what the security team thinks is ideal. “The process is: identify the gaps, understand the operational impacts, consider trade-offs or compensating controls, and get the right stakeholders to sign off on what gets done and why. That sign-off is the documentation, using organizationally native processes. That documentation needs high-level approval to be sticky and avoid designs being relitigated later.”

“In OT environments, good enough does not mean implementing the quickest or most familiar solution. It means achieving meaningful risk reduction while preserving safety, operational resilience, and long-term sustainability,” Gonzalez indicated.

He called upon organizations to prioritize solutions that align with the realities of industrial operations and support a scalable architecture over time. It is also important not to confuse compliance with resilience. Decisions should be documented through governance, architectural reviews, roadmaps, and risk acceptance processes that clearly define residual risk and the rationale behind the chosen approach.

“If we want to determine what is ‘good enough,’ we require, first of all, a formal risk management process: documented residual risk, mitigations in place, a named owner, and clear conditions for review,” Sangaletti observed. “The real test here is whether our controls are not only defensible against regulatory scrutiny but also capable of managing our real-world processes. If we discover they’re not, we must escalate in writing.”

He added that documentation isn’t just good practice here; it will preserve accountability, keep risks visible, and ensure they stay on the radar when the next budget cycle comes around.

Future-proofing OT security programs

Finally, the executives explore the organizational changes necessary for OT security projects to keep pace with a rapidly evolving threat landscape.

Iyer listed several changes that could help OT security projects move faster. First, organizations need a way to quickly measure the value of security projects without disrupting production. Such an approach would allow for more comprehensive evaluation of platforms and strategies, though it would require investment in staging environments.

She also called for dedicated, centralized OT security budgets and aligned KPIs across security and plant operations. Until security is decoupled from competing plant-level operational budgets and supported by unified executive accountability, projects will continue to move more slowly than the adversaries they are intended to defend against.

Finally, Iyer stressed the need for strong configuration management and robust backup and restore procedures across industrial networks and equipment. She pointed to cloud-native environments as an example, noting that organizations are able to modernize rapidly because they have established workflows for versioning and restoring software, and even infrastructure as code. The same level of operational discipline, she argued, is both achievable and necessary in industrial environments.

Emphasizing shared risk ownership, Jackson said that right now, in many organizations, security risk sits with the CISO, operational risk sits with the COO, and neither budget nor accountability crosses that boundary cleanly.

“The organizations I’ve seen move fastest are the ones that have built a governance model (even an informal one), where both functions co-own the problem, co-fund the solution, and have a shared definition of what acceptable looks like,” he added. “That alignment doesn’t happen overnight, but once it’s in place, the execution pace changes significantly.”

Gonzalez determined that organizations need to treat OT cybersecurity as a business resilience function rather than a technology initiative. “Many programs stall because ownership is fragmented across cybersecurity, engineering, operations, and finance. The organizations that move faster establish shared accountability, align funding with risk priorities, and empower cross-functional teams to make timely decisions.”

He added that OT cybersecurity becomes more effective when it is viewed as part of operational excellence and resilience rather than a standalone security program.

Sangaletti said that, in his opinion, building real organizational change requires at least the following three steps.

“First, a dedicated OT security budget that is decoupled from plant production costs, so security decisions aren’t constantly competing with operational priorities. Second, a risk accountability that extends beyond the security team to operations leadership, where the actual exposure lies. Third, a joint procurement process that treats OT vendors as what they are: supply-chain risk. But the reality is that ultimately, none of this will move without executive ownership.”

He concluded that OT incident impacts need to be clearly understood as business continuity events and not technical problems for the IT department to sort out.