Cybersecurity budgets across operational technology (OT) infrastructure are firmly moving toward long-term strategy, resilience, and regulatory readiness rather than merely patching legacy systems and purchasing tools. CISOs and boards are readjusting their spending priorities to support sustainable protection across complex OT environments as ransomware and nation-state actors pose an increasing threat to critical infrastructure and industrial sectors.

The increasing realization that reactive, ad hoc defenses are insufficient is a major factor driving this change. Organizations are investing in risk-informed programs that prioritize threat detection, asset visibility, incident response planning, and business continuity. Network segmentation, secure remote access, and integrated IT/OT monitoring are three fundamental capabilities receiving more attention from investment spending. In addition to preventing breaches, the objective is to minimize operational disruption and recover quickly when they do happen.

A combination of new and evolving laws, such as the European NIS2 Directive, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and TSA guidelines, and globally recognized standards like IEC 62443, often force organizations to change how they allocate their OT cyber budgets. Compliance is no longer a choice or a consideration when making financial decisions.

Additionally, businesses are becoming more frugal by performing ROI analyses, which gauge how well safety expenditures have reduced their cyber risk posture. Cyber insurance is another aspect of budget planning that needs to be taken into consideration, as policy terms and premiums are the main determinants.

Spending on OT cybersecurity is clearly changing from reactive to strategic as the threat landscape changes, with a greater emphasis on resilience, compliance, and long-term value.

Tracking rise in OT cybersecurity spending

Industrial Cyber reached out to experts to assess how OT cybersecurity budgets have evolved over the past 12 to 18 months. They also looked at whether organizations are allocating more resources to OT security compared to IT security.

Dean Parsons, SANS Certified instructor, and CEO of ICS Defense Force

Dean Parsons, SANS Certified instructor and CEO of ICS Defense Force, told Industrial Cyber that mature organizations responsible for operating industrial control systems (ICS) and operating in ICS/OT environments understand that ICS/OT security is a matter of protecting their business. “In turn, a recent SANS Institute survey (2025 ICS/OT Cybersecurity Budget: Spending Trends, Challenges, and the Future) found that OT cybersecurity budgets have seen a clear trend over the past 12 to 18 months, with an increasing portion of investment being directed specifically toward ICS/OT environments.” 

He added that organizational requirements are currently the most cited driver for control system security investments, selected by approximately 57 percent of respondents. “This is followed closely by compliance obligations, which influenced over 53 percent of current investment decisions. An emphasis on threat-driven motivations has also grown in the last 12 months, with over half of the survey respondents identifying the threat landscape as a driver as well.” 

Parsons added that organizations that are not focusing on ICS/OT security or deploying the ‘Five ICS Cybersecurity Critical Controls’ are behind the curve, which could jeopardize their safety and business continuity.

Gerry Kennedy, CEO at Observatory Strategic Management

Gerry Kennedy, CEO of Observatory Strategic Management, told Industrial Cyber that from the insurance perspective, there has been a clear shift: underwriters and reinsurers are increasingly flagging OT environments as the ‘hidden iceberg’ beneath cyber risk portfolios. The past 12 to 18 months have seen an uptick in OT-specific budget allocations, largely in response to growing awareness of silent cyber risk lurking in property, liability, and business interruption lines and increased scrutiny from carriers, many of whom are demanding OT-specific security controls before offering or renewing cyber coverage.

He added, “That said, most insureds still lag in OT funding compared to IT. The imbalance is starting to correct only because insurers are applying coverage exclusions or premium surcharges for OT-heavy operations without demonstrated segmentation, monitoring, and incident response capabilities.”

Mark Stacey, director of strategy at Dragos

Noting that OT cybersecurity budgets have evolved, Mark Stacey, director of strategy at Dragos, said that this is due to increased direction from regulatory bodies, escalating adversary activity, publicly disclosed incidents, and the potential for safety and security given the environments at risk. 

“Many organizations derive their primary revenue from OT capabilities, although historically, IT retained most of an organization’s cybersecurity budget,” Stacey told Industrial Cyber. “According to a 2025 SANS Whitepaper, 81% of industrial companies allocated less than 50% of their cybersecurity budget to OT security. Fortunately, this is trending higher as awareness improves. As more instrumentation becomes digital, offering additional connectivity, companies are recognizing the associated risk and prioritizing OT cybersecurity to protect people and the business.”

James Winebrenner, CEO at Elisity

“Recent SANS survey data shows 55% of organizations have increased OT security budgets over the past two years, with 23% reporting significant increases,” James Winebrenner, CEO at Elisity, told Industrial Cyber. “This reflects growing recognition that OT environments are no longer isolated from cyber threats. We’re seeing budget control patterns vary by organization size – in large enterprises, OT often controls their security budget, while in smaller organizations, IT typically manages it.”

He added that increasingly, CISOs are being held accountable for OT risk, whether or not they own the assets, which is accelerating convergence in both budget and organizational responsibility. It’s a shift toward unified accountability and security posture management.

Jason Rivera. Co-Founder & CEO, Cabreza

“The achievability of OT security is increasing every year, and with that, so do awareness and investments,” Jason Rivera, co-founder and CEO at Cabreza, told Industrial Cyber. “The more demand that can be met, the more budgets expand to support OT security initiatives, and that’s what’s happening today. But the OT security budget is still relatively smaller than IT, and there are more net-new budget allocations to build and develop new programs than increases to existing allocations. NIS2 and other regulatory efforts in the EU are also spearheading some of this growth.” 

OT cyber budgets shift toward key priorities

The executives address which areas are being prioritized as organizations reevaluate their OT cybersecurity budgets, covering proactive investments such as threat detection and network segmentation, or reactive capabilities like incident response and disaster recovery. They also examine whether notable trends are emerging within specific industrial verticals.

Parsons noted that across industrial sectors, mature organizations that embrace the fact that IT security and ICS/OT security are vastly different in mission, consequences, and training requirements have a clear prioritization of proactive cyber defense. The survey responses that cite proactive capabilities are leading the way. 

For example, he added that more than 50 percent of ICS organizations have already implemented one of the top ICS/OT cybersecurity critical controls: safe, passive network traffic visibility and monitoring for engineering networks, with anomaly detection aimed at early threat identification inside engineering environments.

“ICS/OT organizations behind this curve need to catch up quickly. ICS/OT network architecture is also a priority, and rightfully so, since 46% of compromises to ICS/OT networks are due to IT network threats that transition into ICS/OT environments,” Parsons highlighted. “Also, in being proactive, facilities must not overlook ICS-specific incident response plans, with a specialized focus on recovery of engineering-specific data and assets. That should include engineering data such as set points, tag or variable information, field device configurations, PLC logic code, etc., with engineering teams leading the way here.”

Kennedy observed that insurers are increasingly requiring proactive investments, particularly network segmentation, endpoint visibility, and asset inventory as part of pre-bind assessments. “Reactive capabilities (like IR playbooks or DR) still matter, but insurers will penalize clients who rely on ‘react and recover’ models alone.”

He added that key trends are emerging across different industries. In the manufacturing and energy sectors, carriers have identified vulnerabilities in legacy systems and are emphasizing the need for threat detection and network segmentation. In the water and utilities sectors, recent CISA advisories and geopolitical concerns have prompted insurers to prioritize remote access controls and incident detection. 

Meanwhile, in the pharmaceutical and food processing industries, underwriters are increasingly inquiring about supply chain controls related to OT systems, due to the implications of FSMA and GMP/GxP regulations.

“As adversaries demonstrate increasing frequency and capabilities, organizations are making proactive and reactive investments in tandem,” Stacey said. “The cybersecurity journey does not need to follow a linear process, nor do investments need to be segmented on proactive vs reactive returns. Examples include disaster recovery, business continuity, and incident response plans (IRP). Should an incident be suspected or confirmed, the initial response is critical to ensuring business continuity.” 

He added that penetration testing and tabletop exercises can be leveraged to design and validate the plans. Technology can be deployed to enable the reactive investigation needed. Other proactive capabilities (continuous monitoring, asset inventory, threat hunting) not only demonstrate a commitment to OT cybersecurity, offering preferential insurance premiums, but they also enable risk-based decisions during incident response. 

“Importantly, proactive cybersecurity can be quantified and implemented through budgeted plans,” according to Stacey. “Responsive costs are more difficult to anticipate if the total potential impact is unknown. This is why the cybersecurity insurance market is seeing an evolution of terms, exemptions, and policies incorporating digital and physical coverage.” 

Winebrenner said that organizations are increasingly prioritizing proactive investments, particularly in defensible network architecture and visibility solutions. 

“According to SANS data, the top three investment areas are network architecture, ICS-specific incident response, and architectures that support visibility,” he added. “This shift toward proactive measures aligns with what we’re seeing in manufacturing and healthcare, where microsegmentation is being deployed to prevent lateral movement. These sectors understand that detecting anomalies early and containing potential compromise through identity-based policies delivers better ROI than purely reactive approaches.”

Rivera identified that this is still a mixed bag, which would be unjust to trend broadly. “There’s still a sizable delta in the prioritization (and maturity) of OT security efforts organization by organization, industry by industry, and country by country. Within unregulated sectors, especially, you can ask one OT security program question to five different asset owners and get five different responses. It’s apples to enchiladas.”

To that end, Rivera added that the organizations that invest resources into understanding their OT people, processes, and technologies know that proactive investments have higher long-term value, with reactive investments being complementary or augmenting along the way. “As the market for network segmentation and asset management control solutions (for example) matures, so does their adoption and traction.” 

Is OT security training getting a bigger budget share?

The executives outline what proportion of OT cybersecurity budgets is being allocated to staff training and upskilling. They also examine whether this investment has increased over the past 12 to 18 months and identify which skills or roles are currently most in demand for OT security teams.

“Defending critical infrastructure is not just about ICS-aware tools, but people who understand both process safety and security while using ICS-aware tools,” Parsons said. “Key in-demand roles include ICS network defenders, security analysts familiar with industrial protocols (such as but not limited to Modbus and DNP3, IEC-104, OPC, etc., etc.), general engineering assets’ purpose and functionality, for the purpose of threat detection and industrial-grade incident response.” 

He added that there is an emphasis on organizational requirements and compliance that implies a growing demand for internal capabilities, which typically correlates with increased internal training investment to achieve major benefits overall. While an internal team is being established, organizations should look to obtain ICS incident response retainers to augment resources in the interim.

Insurers are pushing for more budget allocation toward OT cyber hygiene and human risk mitigation, especially after a wave of social engineering claims that compromised physical systems, Kennedy said. However, he added that training still represents an underfunded slice, usually under 10 percent of the OT security budget. That is starting to change as insurers request evidence of cyber-physical tabletop exercises, cross-training between IT and OT personnel, hiring of OT-aware security architects, and ICS/SCADA incident responders. 

On the skills in demand, Kennedy listed industrial network monitoring, OT protocol fluency (Modbus, DNP3, BACnet), and forensic capabilities tailored to proprietary systems.

“Similar to the growth in IT cybersecurity, OT cybersecurity has been recognized as a priority with a limited available workforce. This is demonstrated by the increase in OT-specific material available at technical and educational conferences,” Stacey remarked. “Academia is growing specialized degree and certification programs, and education is available to the OT community through federal programs. This content is created to meet the demand of organizations’ desires to educate their workforce.” 

He added that incident response continues to be in high demand. The skillset required to investigate OT networks is unique and, when needed, critically important to business resiliency.  

“We’re witnessing a fascinating shift in how OT security teams develop skills. The traditional network expert who memorized IP schemes and manually configured ACLs is being complemented by a new generation who approach security through automation, APIs, and identity-based architectures,” Winebrenner identified. “Today’s most successful OT security teams blend both worlds – veterans who deeply understand operational constraints working alongside professionals who architect scalable, automated solutions. This hybrid approach is crucial for microsegmentation at scale.”

He added that organizations investing in cross-training between operations and security are seeing the highest returns as they build teams that can protect environments without disrupting them.

“We have to separate training and upskilling in this context. Training is acquiring new skills entirely, whereas upskilling is elevating or enhancing existing skills,” Rivera said. “I think upskilling is where the budgets will be going more, as it’s a less resource-intensive way of permeating performance improvements and closing skill gaps throughout IT/OT security programs and teams. This is where innovation has the potential to be disruptive, especially for those in security architecture and engineering roles.”

OT security budgets adjust to NIS2, CISA, global standards

The executives explore how new or evolving regulations and standards, such as NIS2, CISA guidelines, or IEC 62443, affect OT cybersecurity budgets. They analyze how regulatory pressures and compliance obligations vary across regions like North America, Europe, and Asia-Pacific.

Parsons said that regulatory frameworks specific to industrial systems, such as IEC 62443, the EU’s NIS2 directive, and CISA’s guidance in North America, are increasingly shaping how organizations allocate their OT cybersecurity budgets. “For example, 53% of the survey respondents listed compliance as a current investment driver in ICS/OT going into 2025, which will likely continue well beyond this year.”

“Regulatory frameworks like NIS2 in the EU, CISA mandates in the U.S., and IEC 62443 globally are becoming loss control tools for insurers. They will be viewed as minimum thresholds for underwriting,” according to Kennedy. 

He identified that in Europe, NIS2 is significantly reshaping cyber insurance coverage. Carriers now require alignment with their directives, particularly for organizations operating in critical infrastructure sectors. A failure to demonstrate compliance may result in denied claims or even a refusal to provide coverage. In North America, while CISA’s guidance is not legally binding, it has become a de facto underwriting checklist. Organizations that choose to ignore these recommendations may face policy sub-limits, coinsurance clauses, or specific exclusions in their coverage.

Additionally, in the Asia-Pacific region, compliance remains inconsistent. Insurers factor regulatory uncertainty into their actuarial models, often leading to higher premiums or the exclusion of OT risks in jurisdictions deemed high-risk.

Stacey said that laws, regulations, directives, memoranda, and frameworks maintain direct influence over OT cybersecurity budgets. “As the threat landscape for OT increases, governments are reacting with increased requirements to protect the public. In North America, these may focus on security funding (CISA CPGs, CSF), resilience planning (SRMA, PPD-21), procurement guidance (NIST 800-82), and cyber incident reporting (OMB, FISMA, SEC). Similarly, the 2018 SOCI legislation in Australia broadened the scope of what was considered critical national infrastructure and brought OT cybersecurity to the board-level attention for the first time in many industries,” he added.

“In the U.S., CISA guidelines and sector-specific regulations are driving significant investment in OT security, with US organizations leading global spending on ICS/OT protection,” according to Winebrenner. “SANS data shows 44% of US organizations investing heavily in defensible network architectures, with 36% increasing incident response funding.” 

Meanwhile, he added that U.K. organizations are preparing for NIS2-equivalent regulations post-Brexit, creating similar budget pressures. “Both regions show a shift toward viewing security as an operational necessity rather than purely compliance-driven, with microsegmentation adoption accelerating as organizations recognize its dual benefits of meeting regulatory requirements while providing operational protection.” 

Rivera noted that there are more than 20 different standards, frameworks, and regulations with OT scope across the US and EU alone, and he doesn’t believe asset owners have gained any more clarity on what actions they should be taking. “The mandatory pressures like NIS2 help and spur investment more than any others, but there’s still too little clarity on what should be done, by which organization, when, and where. Until a cleaner line of rationalization occurs, I don’t think we’ll see sizable budgetary change in this domain.”

From ROI to insurance: New metrics behind OT cyber budgets

The executives examine how organizations are measuring the return on investment (ROI) of their OT cybersecurity initiatives and whether they are seeing tangible improvements in their overall security posture. They also explore how factors such as cyber insurance policies and premiums are influencing budget decisions.

“Many asset owners and operators are already beginning to observe measurable improvements that validate their investments in ICS/OT security controls—benefiting both cybersecurity and engineering teams,” Parsons said. “For instance, passive/safe ICS-specific network monitoring has improved detection of engineering changes, unauthorized configurations, and anomalies, with 48% of facilities reporting enhanced engineering troubleshooting from this single control. These ICS-aware security tools directly contribute to operational improvements such as uptime, reliability, and safety—core metrics in industrial environments.”

From an insurance standpoint, Kennedy said that ROI in OT cybersecurity is now being evaluated through a risk transfer lens. Premium reductions can be offered to firms that implement segmentation, endpoint detection, and third-party risk governance tied to OT assets. However, premium reductions are less of a problem than availability…this will be more profound as the inevitable events will wake up this industry. Retention credits or deductible drops are available when clients adopt specific frameworks, and security posture improvements are being measured by insurers through pre-bind scans, vulnerability assessments, and post-loss analytics.

More importantly, he added that companies are increasingly seeing insurance renewal outcomes as a de facto scorecard of their OT investment. If organizations are unable to demonstrate a hardened OT environment, expect higher premiums, reduced limits, and more exclusions (especially for contingent business interruption and physical damage tied to OT compromise).

Stacey said that understanding the network and its baseline function can improve capital efficiency and prioritize future investments. These are capabilities that reduce or manage risk, maintain better compliance, and give confidence to those accepting transferred risk.

He added that OT security companies, regulatory bodies, legal representatives, underwriters, and organizations share a mission to safeguard operations and enable business resiliency. Also, steps to improve OT cybersecurity offer cascading benefits across the organization.

Winebrenner said organizations are moving beyond compliance-based ROI measurements toward operational resilience metrics. “They’re quantifying reduced downtime risk, faster mean-time-to-respond to incidents, and insurance premium impacts.”

Rivera said that “insurance companies could be doing so much more than they are to substantially shift and shape maturity benchmarks. They just haven’t managed to do so at scale.” 

“As to how organizations are assessing ROI, I think it should be measured through competency and resilience effects rather than detections, preventions, or other traditional security levers,” he concluded. “But I admittedly haven’t had as many of these conversations as I’d like to yet.”
