A joint report by industrial cybersecurity firm Dragos and professional-services firm Marsh McLennan places worst-case annual global financial exposure from operational technology (OT) cyberattacks at $329.5 billion, as manufacturers, energy providers, and critical infrastructure operators face simultaneous pressure from a widening threat landscape and tightening regulatory regimes. Published in August 2025, the report represents one of the most comprehensive attempts to quantify OT cyber risk using real-world insurance claims data.
Background
OT environments - encompassing industrial control systems (ICS), SCADA systems, programmable logic controllers (PLCs), and the networks connecting them to enterprise IT - have historically operated with limited cybersecurity oversight. As IT/OT convergence accelerates under Industry 4.0 digitalization programs, that separation has effectively dissolved. According to an Omdia and Telstra International study of more than 500 technology executives, 80% of manufacturers reported an increase in security incidents across their IT/OT environments. The same study found 75% of reported incidents were classified as cyber-to-physical attacks, where IT breaches spread laterally into OT systems.
The financial toll is mounting. Affected manufacturers face downtime costs between $200,000 and $2 million per attack, depending on severity, according to Omdia and Telstra International. Over the past seven years, ransomware attacks on manufacturing companies caused downtime estimated at $17 billion in aggregate. The industrial sector also recorded the largest increase of any sector in average data breach cost in 2024, rising by $830,000 per incident.
Details
The Dragos-Marsh McLennan report reveals that indirect losses account for up to 70% of OT-related breach costs, a dimension many organizations fail to incorporate into risk models. Business interruption costs alone, in a worst-case scenario, would exceed $172 billion. According to Dragos VP Mark Stacey, organizations tend to concentrate cybersecurity spending on IT networks while assuming OT functions remain protected by proximity.
The threat actor landscape has intensified alongside financial exposure. According to the Dragos 2025 OT Cybersecurity Report, ransomware attacks in the industrial sector spiked 87% year-over-year in 2024, making it the top ransomware target for four consecutive years. The number of ransomware groups impacting OT/ICS rose 60% in 2024. Separately, Honeywell reported a 46% surge in OT-targeted ransomware in early 2025. Nation-state actors add a further dimension: University of Maryland professor David Mussington told Industrial Cyber that U.S. agencies assess with high confidence that PRC-sponsored Volt Typhoon actors are "pre-positioning on IT networks specifically to enable disruption of OT functions across energy, communications, transportation, and water sectors."
On the regulatory front, the EU's NIS2 Directive, effective since October 17, 2024, extended mandatory cybersecurity obligations to more than 160,000 organizations across 18 critical sectors, including manufacturing, energy, water, and transport. Non-compliance carries potential fines of up to €10 million or 2% of global annual turnover, with executives facing personal accountability, including temporary suspension from office. As of 2025, detailed NIS2 security requirements have been published by several EU member states, with implementation actively underway. In parallel, the U.S. continues updating NIST Special Publication 800-82 for industrial control systems, while ENISA has published mappings linking NIS2 obligations to ISA/IEC 62443, ISO/IEC 27001, and the NIST Cybersecurity Framework.
The Dragos-Marsh McLennan analysis identifies incident response planning as the highest-value control available to OT operators. Organizations with comprehensive OT-specific incident response planning can achieve an average risk reduction of 18.46%, according to Marsh McLennan's modeling. The report also identifies defensible network architecture and continuous monitoring as the two other controls most strongly associated with measurable risk reduction. SANS Institute Certified Instructor Dean Parsons advocates implementing ICS-specific controls - including network visibility, secure remote access, and risk-based vulnerability management - as the most effective path to both NIS2 compliance and operational resilience.
Fortinet's 2025 State of Operational Technology and Cybersecurity Report shows progress remains uneven: 52% of organizations now place OT security under the CISO, up from just 16% in 2022, and 46% of organizations reached Level 4 OT security maturity in 2025, leveraging automation, orchestration, and threat intelligence. However, those lagging in maturity continue to absorb disproportionate losses.
Outlook
Regulatory pressure is set to intensify across multiple geographies. The EU's Cyber Resilience Act begins enforcement in December 2027, requiring secure-by-design product development and tighter supply-chain oversight for ICS components. NIS2's incident-reporting deadlines (an early warning within 24 hours and a fuller notification within 72 hours of becoming aware of a significant incident) are already forcing legacy OT operators - many of whose systems were built without logging or alerting capabilities - to accelerate monitoring investments. With 60% of organizations reporting OT security incidents in 2025 according to Dragos, analysts and regulators expect capital allocation toward OT-specific security operations to rise substantially through 2026.