With the changing threat environment, industrial and operational environments are under greater pressure than ever to reconcile operational effectiveness with effective cybersecurity. OT (operational technology) asset owners are increasingly looking to cyber risk quantification to address the challenges of keeping their critical infrastructure safe without sacrificing productivity. With the increasing sophistication of cyber threats, conventional risk assessment methods are no longer adequate.
Industrial companies are now embracing new methods to assess risks, giving top priority to consequence-based engineering to understand the possible effects of cyber attacks on operations, safety, and revenues. The price of underestimating or incorrectly valuing cyber risk can be catastrophic. Monetary loss, business downtime, and brand damage are just a few of the results of complacency. Executives stress that forward-thinking risk quantification is necessary to validate cybersecurity investments, obtain budgets, and prove value to leadership. By quantifying cyber risk in financial terms, organizations can allocate resources wisely and achieve executive sponsorship for key security initiatives.
New cyber risk quantification trends are influencing the way industrial organizations measure the success of their cybersecurity programs. Top metrics, including probable downtime expense, safety hazards, and regulatory fines, now form the core basis for program success assessments. As the danger increases, consequence-based approaches are in greater demand, allowing these critical organizations to prioritize high-impact events and invest resources where they will have the biggest impact.
Ultimately, cyber risk quantification is not merely a technical exercise but a strategic necessity. For OT asset owners, it closes the gap between business and cybersecurity objectives, guaranteeing resilience in an increasingly interconnected and exposed industrial environment.
Cybersecurity challenges, operational efficiency in industrial risk assessments
Industrial Cyber consulted cybersecurity experts to identify the main challenges industrial enterprises encounter when assessing cyber risks in industrial settings. They also explore how these organizations balance maintaining operational efficiency and meeting their security requirements.
Harshul Joshi, a principal at PwC and lead of the OT Cyber Security Practice for critical U.S. infrastructure, told Industrial Cyber that key challenges organizations face include correlating the impact of adverse situations on cyber assets (for example, a breach, ransomware, or downtime) to operational output. “Very few organizations have the maturity with regards to the creation of KPIs that show accurate quantification of cyber risks.”
He added that, according to PwC’s Digital Trust Insights report, although measuring and quantifying cyber risks is essential for prioritizing investments and allocating resources efficiently, only 15 percent of organizations surveyed are doing this to a significant extent, indicating a gap in operational efficiency.
“Enterprises often lack the information and knowledge necessary to model and quantify risk. What’s missing ranges from assets, vulnerabilities, and network topology to site-level business data and a list of security controls in place,” Jose Seara, founder and CEO of DeNexus, told Industrial Cyber. “This problem is exacerbated in OT networks. Internal telemetry from cybersecurity tools deployed internally is essential for high-fidelity cyber risk quantification. Operating and securing industrial systems are two distinct functions that benefit from close collaboration to maintain operational efficiencies while feeding the risk quantification process with reliable data.”
Gerry Kennedy, CEO of Observatory Strategic Management, told Industrial Cyber that the primary challenges in quantifying cyber risks in industrial environments include divergent risk models: IT risk assessments focus on confidentiality, integrity, and availability (the CIA triad), whereas OT prioritizes safety, availability, and reliability (SAR).
He added that industrial enterprises struggle to align these models in a way that captures both cybersecurity and physical operational risks.
Addressing data type identification and value assignment, Kennedy observed that industrial environments contain multiple data types, each with a distinct value for the supply chain. However, he noted a challenge as the “quantification of cyber risk requires assigning financial and operational impact values to each data type. Without clear metrics, organizations struggle to balance protection against financial constraints.”
“Cyber risk is different for industrial environments than for IT,” Joe Weiss, an industrial cybersecurity expert, told Industrial Cyber. “Not only does the cyber risk need to be addressed inside industrial facilities, but the cyber risk also extends to nearby and even distant facilities and residences that could be affected by chemical releases, electric outages, loss of fuel and water, and possibly for extended periods of time. Moreover, these risks exist whether from malicious or unintentional causes.”
Focus on changes in cyber risk assessment amid rising threats
The executives examine how methodologies for assessing cyber risks in industrial settings have evolved over the past two years and identify emerging trends in response to increasing threats.
“Most of the organizations in critical infrastructure sectors (for example, energy, manufacturing, aerospace and defense) use frameworks such as NIST 800-82, IEC 62443, and others, and have fine-tuned them to fit their own requirements,” Joshi said. “Additionally, over the past 2-3 years, we have seen OT attacks that proliferate via the IT landscape, as well as OT attacks utilizing vulnerabilities in the OEM ecosystem and attacks leveraging supply chain weaknesses, too.”
He pointed out that in response to escalating threats, some companies are implementing tools for greater visibility of OT assets and mapping technology dependencies, which are crucial for improving operational efficiency. “However, according to our Digital Trust Insights report, only 31% of organizations have implemented these actions.”
In addition, Joshi mentioned that some companies have leveraged generative AI and other emerging technologies as a way to enhance operational efficiency by improving threat detection and response capabilities. “That said, integration can be a challenge and proper governance is paramount.”
Seara identified that in the past, cyber risk assessment often started with spreadsheets and methods not supporting continuous risk evaluation or easy collection of data from remote industrial sites. “The deployment of modern cybersecurity solutions (firewalls, endpoints, threat detection) on industrial networks is getting more common, producing real-time data on the cybersecurity posture of those networks.”
He added that the volume of risk signals on operational systems combined with the emergence of AI has allowed cyber risk quantification to evolve from offering static assessment ranking risks in green/yellow/red to detailed risk and financial models that bring cyber risk to the same level of analysis and management as other enterprise risks. “With more sophisticated and dynamic models, security leaders can use trusted quantification models to orchestrate their budget, prioritize projects, and refine resource allocation.”
From an insurance perspective, Kennedy outlined that over the past two years, methodologies for assessing cyber risks in industrial settings have undergone a significant transformation, driven by the escalation of cyber threats, the increasing convergence of IT and OT, and the legal pressures on insurers to rethink policy forms, terms, and conditions. “The traditional underwriting models that focused primarily on data breaches and IT infrastructure vulnerabilities have proven inadequate for industrial cyber risks, leading to a fundamental shift in how insurers assess, price, and cover cyber exposures in industrial environments.”
He added that key methodological shifts in industrial cyber risk assessment include the transition from IT-centric models to OT-specific risk scoring; integration of actuarial science with industrial cyber-physical modeling; expanded policy exclusions and coverage adjustments; supply chain and third-party cyber risk assessments becoming a pricing factor; and operational resilience and business interruption coverage evolution.
Weiss noted that there is still a lack of training for identifying control system incidents as being cyber-related, which means control system cyber incidents and impacts are not being recorded, nor are cyber incident response plans being initiated.
Cost of Complacency: Impact of underestimating industrial cyber risks
The executives offer insights into the financial and operational consequences of underestimating or inaccurately assessing cyber risks in industrial environments.
Joshi highlighted that for all the critical infrastructure sectors, including but not limited to energy, manufacturing, and chemicals, most if not all revenue-generating activities happen at the plants. “Any adverse cyber impact will have a direct correlation with regards to their output and hence direct impact to the financial bottom line. For example, any breach can have an upstream impact: it can cause oil and gas firms to stop their drilling operations; for a manufacturing plant, it can lead to a complete shutdown and render them unable to produce and ship goods, etc.,” he added.
“Underestimating or overestimating risks results in inefficiencies and blind spots in planning and managing a cybersecurity budget, capitalizing the balance sheet, procuring adequate insurance protection, or all the above,” Seara mentioned. “Security leaders may pursue costly initiatives that are unjustified, given their poor return in risk reduction, while other cyber threats go unaddressed. When cyber risks are undervalued, companies can incur severe financial consequences, facing insufficient insurance coverage to recover losses from an incident and needing to rely on their financial reserves to cover the shortfall.”
Kennedy identified that the failure to accurately quantify cyber risks in industrial environments has severe financial and operational ramifications, not only for the industrial enterprises themselves but also for the insurance carriers that underwrite these risks. “As cyber-physical threats continue to escalate, the ambiguity within traditional insurance contracts has exposed significant gaps in coverage, loss quantification, and risk transfer mechanisms, warranting a fundamental rethink of industrial cyber insurance models and cost structures.”
He also pointed out that the ambiguities within current insurance contracts have led to a realization that industrial cyber risks must be reassessed from the ground up. Insurers and policyholders alike must shift to a new paradigm.
Weiss noted that deaths/injuries and bankruptcies have occurred.
Examining effect of consequence-based engineering on industrial cyber risk
The executives address the impact of consequence-based engineering and security strategies on cyber risk quantification, as well as the emerging trends in its adoption within industrial environments.
Joshi said that cyber risk quantification using impact/consequence-based methodology outlines financial and operational impact as it correlates to cyber outages. “It allows cybersecurity leadership to present to the Board and C-suite the business impact as it relates to financial and operational output.”
“Consequence-based engineering/security shifts development priorities toward protecting and preventing incidents or disruptions in critical cyber-physical systems,” Seara said. “This approach focuses on real scenarios. Cyber risk quantification can drastically improve the inputs to such an approach by identifying the most significant exposures faced in a specific industrial environment.”
From an insurance loss control standpoint, Kennedy indicated that consequence-based engineering and security represent a paradigm shift in how industrial cyber risks are quantified, assessed, and mitigated. “Unlike traditional vulnerability-based risk models, which focus on preventing breaches, consequence-based security prioritizes the potential impact of a cyber event on physical processes, human safety, and financial stability.”
Kennedy added that for insurers, this shift has significant implications for underwriting, pricing models, and policy structuring. “However, one of the greatest challenges remains underwriting knowledge deficiencies: many underwriters lack expertise in industrial control systems (ICS), operational technology (OT) environments, and the true systemic consequences of cyber-physical attacks.”
“As a nuclear engineer, I was doing the equivalent of CIE for many years,” Weiss said. “CIE requires a complete understanding of the process being analyzed including all equipment. That is still not happening.”
Cyber risk quantification boosts cybersecurity investments, leadership support
The executives focus on how industrial organizations use cyber risk quantification to justify cybersecurity investments, secure budgets, and demonstrate value to leadership.
“Cyber risk quantification will equip [organizations] with an accurate financial and operational impact that will allow the CIO/CISO to justify uplifting as well as sustaining security budgets. It also allows businesses to hedge their capital investments and/or their M&A investments, as they relate to cyber threats,” Joshi said. “Involving CISOs in strategic planning and decision-making can improve operational efficiency by aligning cybersecurity strategies with business objectives. That said, according to our report, fewer than half of executives reported that their CISOs were involved to a large extent in these activities.”
Seara detailed that cyber risk quantification enhanced with what-if analysis of risk mitigation projects under consideration yields a data-driven plan for cybersecurity: projects are prioritized based on their actual impact on the risk posture of a site (or several sites) and progress can be tracked over time, demonstrating excellent cyber risk governance.
He added that the output of cybersecurity solutions can be very technical, and translating those into business terms such as value at risk or expected annual loss allows security leaders to engage their business partners and the board more easily while showing the value of cyber risk quantification.
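The consequence-based metrics named earlier in the article (probable downtime expense, safety hazards, regulatory fines) and the what-if analysis Seara describes can be made concrete in a small model. The following is an added example written for this page; it is not DeNexus's, PwC's, or any vendor's code, and every scenario rate, cost figure and mitigation effect in it is constructed for illustration. It computes a site's expected annual loss in closed form (event rate times mean consequence), estimates a 95 percent value at risk by Monte Carlo, and ranks candidate mitigation projects by net annual benefit, which is the what-if comparison that turns a security budget request into a business figure.

```python
"""Toy consequence-based cyber risk quantification (CRQ) model.

Added example for this article, not any vendor's product code. All scenario
frequencies, consequence figures and mitigation effects are constructed.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One adverse event class: an annual rate plus its consequence drivers."""
    name: str
    annual_frequency: float        # expected events per year (Poisson rate)
    downtime_hours_mean: float     # mean hours of lost production per event
    downtime_cost_per_hour: float  # site-level cost of one hour of lost output
    safety_cost_mean: float        # expected safety-related cost per event
    regulatory_fine_mean: float    # expected regulatory fine per event

    def mean_loss_per_event(self) -> float:
        return (self.downtime_hours_mean * self.downtime_cost_per_hour
                + self.safety_cost_mean + self.regulatory_fine_mean)

    def expected_annual_loss(self) -> float:
        # Closed form: rate times mean severity.
        return self.annual_frequency * self.mean_loss_per_event()


@dataclass(frozen=True)
class Mitigation:
    """A what-if project: multipliers on scenario frequency and downtime."""
    name: str
    annual_cost: float
    frequency_factor: dict   # scenario name -> multiplier on annual_frequency
    severity_factor: dict    # scenario name -> multiplier on downtime_hours_mean


def apply_mitigation(scenarios, m: Mitigation):
    """Return the scenario set as it would look with project m in place."""
    return [replace(s,
                    annual_frequency=s.annual_frequency * m.frequency_factor.get(s.name, 1.0),
                    downtime_hours_mean=s.downtime_hours_mean * m.severity_factor.get(s.name, 1.0))
            for s in scenarios]


def portfolio_eal(scenarios) -> float:
    """Expected annual loss across all scenarios at a site."""
    return sum(s.expected_annual_loss() for s in scenarios)


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's sampler; adequate for the small rates used here.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def _exp_or_zero(rng: random.Random, mean: float) -> float:
    # Exponential severity around the stated mean; zero-mean drivers stay zero.
    return rng.expovariate(1.0 / mean) if mean > 0 else 0.0


def simulate_annual_losses(scenarios, years: int = 20000, seed: int = 7):
    """Monte Carlo: one total loss figure per simulated year."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.annual_frequency)):
                total += (_exp_or_zero(rng, s.downtime_hours_mean) * s.downtime_cost_per_hour
                          + _exp_or_zero(rng, s.safety_cost_mean)
                          + _exp_or_zero(rng, s.regulatory_fine_mean))
        totals.append(total)
    return totals


def value_at_risk(losses, confidence: float = 0.95) -> float:
    """Loss level not exceeded in `confidence` of the simulated years."""
    ordered = sorted(losses)
    idx = min(int(confidence * len(ordered)), len(ordered) - 1)
    return ordered[idx]


def rank_mitigations(scenarios, mitigations):
    """What-if analysis: net annual benefit = risk reduction minus project cost."""
    base = portfolio_eal(scenarios)
    rows = []
    for m in mitigations:
        after = portfolio_eal(apply_mitigation(scenarios, m))
        rows.append({"name": m.name, "eal_before": base, "eal_after": after,
                     "risk_reduction": base - after, "annual_cost": m.annual_cost,
                     "net_benefit": base - after - m.annual_cost})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample site: three scenarios and three candidate projects.
SCENARIOS = [
    Scenario("ransomware_via_it", 0.20, 48.0, 25_000.0, 0.0, 100_000.0),
    Scenario("safety_system_tamper", 0.02, 120.0, 25_000.0, 5_000_000.0, 2_000_000.0),
    Scenario("vendor_remote_access_abuse", 0.10, 24.0, 25_000.0, 0.0, 0.0),
]
MITIGATIONS = [
    Mitigation("network_segmentation", 150_000.0,
               {"ransomware_via_it": 0.5, "vendor_remote_access_abuse": 0.7},
               {"ransomware_via_it": 0.5}),
    Mitigation("sis_hardening", 80_000.0, {"safety_system_tamper": 0.25}, {}),
    Mitigation("vendor_mfa", 20_000.0, {"vendor_remote_access_abuse": 0.3}, {}),
]

if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    print(f"expected annual loss: {portfolio_eal(SCENARIOS):,.0f}")
    print(f"95% value at risk:    {value_at_risk(losses):,.0f}")
    for r in rank_mitigations(SCENARIOS, MITIGATIONS):
        print(f"{r['name']:<24} reduction {r['risk_reduction']:>10,.0f}  net {r['net_benefit']:>9,.0f}")
```

Two things the numbers show that the prose alone does not: the project with the largest raw risk reduction (segmentation) is not the one with the best net benefit once its cost is counted, and the 95 percent value at risk sits far above the expected annual loss because most simulated years carry no loss at all while a few carry a large one. The second point is why a single expected-loss figure is a weak basis for sizing insurance or reserves.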
“Cyber risk quantification has become a critical tool for industrial organizations seeking to secure cybersecurity budgets, justify investments, and align risk management with business objectives,” Kennedy said. “However, it is essential to recognize that these models are just tools, not absolute truths. The involvement of key personnel beyond financial reporting, including risk managers and accounting teams, is mission-critical to challenge assumptions and uncover biases in risk quantifiers.”
He added that a major flaw in current CRQ methodologies is that many are designed primarily for compliance purposes, either to satisfy insurance requirements, regulatory bodies, or boardroom expectations. “This creates an inherent bias in how risks are quantified, often leading to exaggerated or overly conservative risk estimates that may not accurately reflect operational realities.”
Highlighting cyber risk quantification in assessing cybersecurity programs
The executives analyze the importance of cyber risk quantification in assessing the effectiveness of an industrial cybersecurity program and identify the key metrics that organizations should prioritize.
Joshi mentioned that cyber risk quantification provides tangible insights into the state and maturity of cybersecurity programs. “In addition, some of the KPIs that cut across domains of cyber governance, identification, protection, detection, response, and recovery help leadership understand cyber controls with regard to security layers.”
He added that industrial cybersecurity programs should zero in on key KPIs focused on OT environment security, which differs significantly from the IT environment. Examples include patch management, identity and access management, and reliance and SLAs with OEMs.
Seara pointed out that there’s not one measure of the effectiveness of a cybersecurity program.
“Cybersecurity leaders need to track and monitor their portfolio of risk exposures over time and show progress through security initiatives, each with justifiable and tangible risk reduction,” according to Seara. “Tracking and addressing site-level and portfolio-level risks will lead to lower risks for the enterprise over time and better cybersecurity planning for future initiatives.”
Kennedy identified that cyber risk quantification has become a central mechanism for evaluating industrial cybersecurity programs, helping organizations prioritize risks, justify investments, and measure improvements over time. “However, the validity of these models is deeply flawed due to their reliance on oversimplified business rules, a myopic focus on SCADA-IT convergence, and a failure to account for emerging legal and economic ramifications.”
He concluded that because of these gaps, organizations should challenge existing CRQ methodologies, redefine key metrics, and expand their cybersecurity evaluations beyond compliance-driven risk scoring.