Despite this, infrastructure operators have been underinvesting in OT security. Based on Lee’s anecdotal experience, about 95% of cyber spend is focused on IT, and just 5% on OT. The latter also have distinct operational demands: Systems often must run continuously for years, require redundancy, and depend on precise, millisecond-level responsiveness.
Cybersecurity mindsets must account for OT’s unique physical environments, long hardware lifecycles, and evolving threats, said Lee. These dictate different practices, technologies, and policy responses. “Regulators and policymakers must recognize these critical distinctions when setting policy,” he said.
He warned: “Let’s be clear: The timeline to take action against this growing threat is short, and the consequences of failure could, and likely would, be people dying.”
