In today's interconnected enterprise, Operational Technology (OT) and Internet of Things (IoT) networks represent both innovation accelerators and critical risk surfaces. As industries adopt smart manufacturing, real-time logistics and intelligent infrastructure, the convergence of IT and OT environments is reshaping security, performance and governance paradigms.

The World Wide Technology team has decades of experience in network architecture, cybersecurity and digital transformation and advocates for a proactive, integrated approach to securing OT/IoT ecosystems. This insights report explores the strategic, operational and security imperatives for organizations to achieve full-stack visibility, robust segmentation and lifecycle governance of their OT/IoT networks. 

Navigant Research

The current reality

Key challenges in Operational Technology (OT) systems:

  • Lack of standardized network architecture and secure connectivity models.
  • Minimal cybersecurity controls and outdated or unsupported firmware/system software.
  • Limited enforcement of corporate IT policies within OT environments.
  • Absence of structured monitoring, logging and maintenance practices.
  • System operators and administrators often lack cybersecurity training.
  • Time- and safety-critical operations limit traditional security interventions.
  • Patching is difficult, frequently requiring planned downtime or system shutdowns.
  • Low organizational awareness of OT-specific cybersecurity risks.

The OT/IoT explosion: From legacy to smart infrastructure

OT systems, once air-gapped and purpose-built, are now increasingly digitized and connected to enterprise IT networks. Simultaneously, IoT is introducing a deluge of endpoints, sensors, actuators, cameras and embedded devices that are often unmanaged and not secure.

Key statistics: (Gartner)

  • 15.14 billion IoT devices will be installed worldwide by 2029, driven primarily by utilities and building automation systems.
  • 77 percent of industrial firms remain in the initial phases of OT security implementation, with NONE fully secured.
  • 58 percent of respondents indicate that achieving comprehensive visibility into OT devices and networks is their top cybersecurity priority.

From manufacturing and energy to healthcare and finance, this rapid growth demands a new governance model, one that combines network observability, asset intelligence and security automation.

OT risks

  • 61 percent of ICS-related vulnerabilities cause a loss of view and control, directly affecting safety.
  • $336-540k per hour is the average cost of an attack incident on OT/IoT networks.
  • +15 percent YoY increase in OT/IoT device vulnerabilities, with finance among the top three risk sectors.

When OT/IoT cyber risks emerged in financial services

▶ Pre 2019: Foundations of Digital Modernization

  • Banks began modernizing branches (e.g., smart HVAC, access control).
  • Risks were low-profile, with limited visibility and governance.

▶ 2019–2020: Attack Surface Expands

  • Ransomware began targeting physical infrastructure (e.g., cameras, UPS).
  • Remote access tools exposed OT systems to the internet.

▶ 2021–2022: Regulatory Focus Grows

  • The average cost of downtime in high-stakes financial and OT-integrated environments exceeds $336,000 per hour, with some incidents topping $540,000.
  • Cyber insurers began factoring OT risks into premium calculations.

▶ 2023–2024: Real-World Incidents Drive Action

  • Attacks on smart infrastructure (e.g., HVAC failures, branch lockouts).
  • Critical infrastructure environments began investing in asset discovery, network segmentation and monitoring.

▶ 2025: OT/IoT = Critical Risk Surface

  • OT security is now a core part of resilience, compliance and SOC operations.

Vulnerabilities in OT production and safety systems place organizations at significant risk

Why visibility is a business imperative

Operational resilience

Downtime in OT has tangible business impacts, from cyber attacks to service outages. A lack of visibility into device behavior, interdependencies and traffic patterns hinders root cause analysis and predictive maintenance.

Security and compliance

OT and IoT networks are prime targets for ransomware, zero-day exploits and supply chain attacks. Visibility into device posture, communications and firmware is essential for:

  • Detecting anomalous behavior.
  • Applying micro-segmentation.
  • Meeting compliance frameworks (e.g., NIST, IEC 62443, ISO/IEC 27001).

Asset lifecycle management

Untracked, outdated or orphaned devices increase the attack surface. Asset intelligence — understanding device type, vendor, firmware and network location — is foundational for patching, decommissioning, and compliance audits.

Manufacturing, utilities, healthcare, mining and banks are increasingly adopting Operational Technology (OT) security in areas such as automation, critical infrastructure (e.g., HVAC, physical security), and data center management.

As OT and IT converge, critical infrastructure environments are exposed to new cyber risks that differ from traditional IT threats. Over the next 5 years, OT environments will face the following common OT cyber risks:

Ransomware in physical infrastructure

Ransomware targeting OT systems for physical security (e.g., CCTV, access controls), HVAC and UPS systems could:

  • Shut down Building Management Systems, physical security controls, ATMs or branch access.
  • Cause environmental failures leading to hardware damage.
  • Disrupt backup and power systems.

Risk Trend: Increased targeting of hybrid environments using ransomware that can cross IT/OT boundaries.

Targeted attacks on Building Management Systems (BMS)

OT networks controlling lighting, temperature, fire suppression and elevators can be exploited to:

  • Create physical disruption.
  • Induce panic or evacuations.
  • Act as a distraction for concurrent cyber attacks on financial systems.

Real-world example: Attackers disabling HVAC to trigger overheating in data centers or branch server rooms.

Undetected lateral movement from OT to IT

Unsegmented OT networks can provide a path to high-value IT assets:

  • Malware enters via an insecure IP camera or smart device.
  • Moves laterally into internal IT systems (e.g., SWIFT, customer data stores).
  • Bypasses traditional IT-focused detection tools.

Risk Trend: Use of OT as an ingress point for broader espionage or financial theft.

IoT device hijacking and botnets

Connected IoT devices (e.g., occupancy sensors, smart lighting, smart safes) can be:

  • Hijacked to form part of botnets (e.g., Mirai-style).
  • Used to launch DDoS attacks from within the bank's network.
  • Exploited as persistence mechanisms for stealthy attacks.

Challenge: Many OT/IoT devices lack firmware security or basic patching capabilities.

Regulatory non-compliance due to OT blind spots

New regulatory frameworks (e.g., DORA in the EU, FFIEC in the US) increasingly require asset inventory, resilience and incident reporting that spans IT and OT. OT assets that are unmanaged or invisible will:

  • Lead to audit failures.
  • Invalidate cyber insurance claims.
  • Result in fines or heavy financial loss.

Supply chain vulnerabilities in embedded OT components

OT infrastructure also can include elevators, safes, biometric devices and smart vault systems, all of which may include third-party software or firmware. Risks include:

  • Backdoors in hardware from untrusted vendors.
  • Compromised firmware updates.
  • Trojanized industrial controllers.

Emerging concern: Nation-state actors embedding malware in supply chains to create latent risks.

Remote access misconfiguration

With more remote management of OT via cloud or VPNs:

  • Weak authentication or lack of MFA enables credential stuffing or brute force attacks.
  • Misconfigured remote access systems (e.g., TeamViewer, VNC on BMS) expose critical systems to unauthorized external sources.

Attack vector: Remote access compromise leading to unauthorized manipulation of critical OT functions.

Credential abuse in shared OT environments

OT systems often rely on:

  • Shared default credentials.
  • Weak access control models.
  • No centralized identity management.

Risk: Internal or external threat actors leveraging credentials to pivot into more sensitive systems or to remain persistent.

Lack of situational awareness (OT is a blind spot)

Critical infrastructure often lacks:

  • Real-time visibility into OT networks.
  • Threat detection tools tuned to OT protocols (e.g., Modbus, BACnet).
  • Forensic capabilities in OT environments.

This makes incident detection, containment and investigation extremely difficult, especially when OT is used to "mask" or support broader attacks.

How organizational security leaders should prepare

  1. Adopt asset discovery tools for passive monitoring of OT devices.
  2. Segment OT from IT networks using firewalls and Zero Trust principles.
  3. Train facilities and IT staff jointly on cyber hygiene in hybrid environments.
  4. Simulate real-world OT attacks in controlled labs to understand blast radius and response plans.
  5. Harden supply chain evaluation for OT vendors and embedded technologies.

Risk by location

Data centers, plants, distribution centers, branches and headquarters

 

Downtime costs:

  • $336k to $540k per hour for financial institutions.
  • $1M per hour in some studies for enterprise finance.

Data breach impact:

  • $8.64M: average cost of a data breach last year.

Regulatory penalties:

  • $78.5M fine received by a U.S.-based bank in 2024 for a system control failure in cyber.
  • $20M or 4 percent of annual turnover under GDPR for severe cyber protection violations.

What this means for you:

  1. High-stakes risk: Downtime in DC/HQ can exceed $1 million per hour.
  2. Unified breach costs: Financial sector breaches average over $6-8 million.
  3. Heavy penalties: Regulators levy fines in the tens to hundreds of millions, especially when OT/IT control failures are systemic.

Risk mitigation steps

  • Prioritize resiliency: OT/IT availability drives massive cost exposure; invest in redundancies and rapid failovers.
  • Enhance asset visibility: Untracked OT/IoT devices = hidden risk vectors and compliance failures.
  • Implement network segmentation and Zero Trust: Barriers between OT, IT and business networks drastically reduce lateral risk.
  • Monitor OT environments: Detection tools and SIEM integration reduce incident discovery times and lessen breach impact.
  • Tighten controls: Regular audits, change management and vendor assurances can avert hefty regulatory penalties.

The WWT approach: Integrating IT/OT strategies

WWT leverages its Advanced Technology Center (ATC), WWT Industry Solution Center (WISC) and global services teams to simulate, test and deploy solutions at scale. Our OT/IoT strategy includes:

1) Comprehensive discovery and segmentation

  • Use of passive network discovery tooling to identify unmanaged devices.
  • Logical grouping of devices by function, criticality and network zone.
  • Policy-driven segmentation to minimize lateral movement and blast radius.
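
The following added example, which is not WWT tooling or code from this report, shows how an asset inventory and a zone allowlist turn flow records into findings: unmanaged devices and cross-zone traffic outside approved conduits. Zone names, subnets, devices, conduits and flows are constructed assumptions.

```python
import ipaddress

# Constructed sample data: zone names, subnets, devices and flows are all assumptions.
ZONES = {
    "ot-bms": ipaddress.ip_network("10.20.0.0/24"),     # HVAC, lighting controllers
    "ot-physec": ipaddress.ip_network("10.30.0.0/24"),  # cameras, access control
    "it-core": ipaddress.ip_network("10.1.0.0/24"),     # business systems
}
INVENTORY = {  # devices that passive discovery has identified so far
    "10.20.0.10": "bms-controller",
    "10.30.0.21": "ip-camera",
    "10.30.0.5": "video-recorder",
    "10.1.0.50": "historian",
}
# Approved conduits between zones: (source zone, destination zone, destination port).
CONDUITS = {
    ("ot-bms", "it-core", 443),  # BMS pushes telemetry to the historian over TLS
}
FLOWS = [  # (source IP, destination IP, destination port)
    ("10.30.0.21", "10.30.0.5", 554),     # camera to recorder, same zone
    ("10.20.0.10", "10.1.0.50", 443),     # approved conduit
    ("10.30.0.21", "10.1.0.50", 445),     # camera reaching into IT over SMB
    ("203.0.113.7", "10.20.0.10", 5900),  # external VNC to a BMS controller
    ("10.20.0.77", "10.20.0.10", 502),    # Modbus from a device not in inventory
]

def zone_of(ip):
    """Map an address to its zone; anything outside known subnets is external."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "external")

def audit_flows(flows):
    """Return (flow, reason) findings for unmanaged sources and denied conduits."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz != "external" and src not in INVENTORY:
            findings.append(((src, dst, port), f"unmanaged device in {sz}"))
        if sz != dz and (sz, dz, port) not in CONDUITS:
            findings.append(((src, dst, port), f"denied conduit {sz} -> {dz}:{port}"))
    return findings

if __name__ == "__main__":
    for flow, reason in audit_flows(FLOWS):
        print(flow, reason)
```

Intra-zone traffic is only checked for unmanaged sources here; a stricter policy would also allowlist flows within each zone.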

2) Zero Trust for OT and IoT

Adapting zero trust principles to constrained environments:

  • Identity-aware access control.
  • Clearly outline the goals and scope of the assessment. Identify critical asset geolocations (e.g., data centers, branch networks, production floors and headquarters), key operational processes (such as payment processing, customer access systems and physical security controls), and potential threat vectors. This can include locations and systems supporting the institution's most revenue-generating services/locations, such as core OT platforms, ATM and critical infrastructure, and systems that underpin high-frequency operations.
  • Network segmentation with software-defined perimeters.
  • Encrypted data flows and device authentication.

3) Security architecture and monitoring

  • Integration with SIEM/SOAR platforms for event correlation.
  • Implementation of behavioral analytics and anomaly detection.
  • Lifecycle patching strategies and firmware governance.

4) Simulation and testing in the ATC

The ATC OT WISC lab allows customers to:

  • Validate vendor claims and performance benchmarks.
  • Emulate real-world attack scenarios.
  • Co-develop playbooks for detection, response and containment.

Looking Forward: AI, automation and secure edge

WWT sees the future of OT/IoT network management rooted in autonomous detection, AI-based threat modeling and secure-by-design architecture. With the convergence of 5G, private wireless and edge computing, organizations must embrace adaptive security frameworks and automated asset intelligence to stay ahead of threats and disruptions.

Conclusion

As digital transformation accelerates across all OT verticals, Operational Technology (OT) and Internet of Things (IoT) systems are no longer peripheral infrastructure. They are mission-critical to how companies operate, serve customers and meet regulatory expectations. From smart branches/factories/cities and automation to data center power and cooling systems, these interconnected technologies present both opportunities and vulnerabilities.

The risks are tangible: prolonged downtime, regulatory non-compliance, reputational harm and financial loss. Real-world incidents and mounting regulatory scrutiny have pushed OT/IoT cybersecurity into the spotlight. Visibility, segmentation and threat detection are no longer optional; they are foundational controls for resilience and trust.

Companies must shift from reactive fixes to proactive, full-stack OT/IoT governance, ensuring these systems are treated with the same strategic priority as IT assets. This requires not just tools, but cross-functional coordination, tailored assessments and secure-by-design architecture.

WWT brings a proven methodology to help navigate this shift. Through our Advanced Technology Center (ATC), Industry Solution Center (WISC), global partnerships and deep domain expertise, we support institutions in designing, testing and securing modern OT/IoT ecosystems at scale, with confidence, and in alignment with evolving regulatory and business mandates.

In a high-stakes environment where milliseconds matter and availability is non-negotiable, securing OT/IoT is not just a technical challenge; it is a board-level priority.