OT Security needs metrics. I originally wrote "more metrics", but we have almost no metrics. "We" includes asset owners, governments, vendors, industry groups, … We shouldn't be funding anything that doesn't include a hypothesis and a metric that will provide data to test that hypothesis.
The problem is that the few metrics we have are as likely to be mythology as real metrics, and the analysis of those mythological numbers, or of the real metrics, is often too simplistic.
The impetus for this article is Mike Holcomb's post last week, "95% of cyber security budgets go to IT. Only 5% goes to protect ICS/OT." (BTW: Mike puts out a lot of helpful and free OT security training videos for those new to the field. Check out his YouTube Channel.) I often hear this or a similar statistic stated, so I asked for the source. Mike's source was a couple of talks he heard Rob Lee give.
I asked Rob. He said it was based on his personal experience, which is a valid data point. If Mike's post had said "Rob Lee's estimate, based on his experience, is 95% IT / 5% OT", readers could have evaluated the estimate for what it is.
Let’s keep going down the chain. Dillon Lee of Dragos pointed me to a SANS 2025 ICS/OT Cybersecurity Budget: Spending Trends, Challenges, and the Future report. Here’s their data:
In terms of budget distribution, 41% of respondents allocated 0–25% of their overall budgets to ICS/OT security, and 40% allocated 26–50%, indicating a moderate investment approach by the majority. Meanwhile, 10% allocated 51–75%, and only 9% allocated more than 75%, illustrating that few organizations prioritize higher investments in ICS/OT security, potentially increasing operational and safety risk.
If you take the midpoint of each range, this would lead to 34.25% of the cybersecurity budget assigned to OT. This seems high, but maybe not when you consider the sample bias: these are people who are active in the OT security community and involved with SANS.
The numbers we hear that began as a story, estimate, or illustration can become canon. Another example is "85% of the US critical infrastructure is privately owned." This was accepted, is still driving US public policy, and is not close to correct.
As a starting point, we need to review the source, and sometimes the methodology, before accepting or repeating a metric. After that comes deciding what we can learn from the metric.
What Do We Learn From The Metric?
Let's say the 95% IT / 5% OT cybersecurity spending metric is correct. This doesn't necessarily mean resources are misallocated across all critical infrastructure, a sector, or an individual asset owner.
- The number of IT cyber assets may be well over 20x the number of OT cyber assets.
- The cyber related risk per cyber asset might be much higher for IT than OT.
- Significant budget to address OT cyber risk might be in Operations for safety, protection, resilience, etc.
The key question is: Are there OT cybersecurity projects required to reduce OT cyber risk to an acceptable level that are not being funded?
The answer to this key question for many asset owners is yes.
The problem isn't that too much money is being misspent on IT cybersecurity (even if this is often true, it's not the problem). The problem is that the OT cybersecurity project has not been presented to executive management in a convincing way: one where they understand the risk, how your proposed project will reduce this risk, and how you will measure this risk reduction. #metric