The global energy sector faces an unprecedented cyber threat that could generate up to $329.5 billion in losses in an extreme scenario. This estimate comes from the 2025 OT Security Financial Risk Report published by Dragos Inc., the global leader in cybersecurity for operational technology (OT) environments. The study, conducted by Marsh McLennan’s Cyber Risk Intelligence Center, represents the first statistical analysis quantifying the financial risks of OT cyber incidents. Indirect losses, often overlooked in traditional models, affect up to 70% of OT-related breaches, with $172.4 billion attributed to business interruptions alone.
Critical vulnerabilities exploited at scale
Recent incidents confirm the severity of these financial projections. The ransomware attack against Halliburton in August 2024 generated $35 million in direct losses and forced the partial shutdown of systems at this $23 billion valued company. RansomHub, the group allegedly responsible for this cyberattack, demonstrated malicious actors’ ability to paralyze global oil giants. In January 2024, the FrostyGoop malware struck a Ukrainian municipal energy company, depriving more than 600 apartment buildings of heating for two days during sub-zero temperatures. This attack illustrates how Modbus TCP industrial control systems can be compromised with immediate physical consequences for civilian populations.
American water infrastructures have become prime targets for state-sponsored groups. The Cyber Army of Russia Reborn (CARR), linked to the Russian GRU military intelligence’s Sandworm group, caused a water tank overflow in Muleshoe, Texas in January 2024. The intrusion was facilitated by a password unchanged for ten years, revealing basic negligence in critical infrastructure security. The cities of Abernathy, Hale Center, and Lockney suffered similar attacks, demonstrating a coordinated campaign against American water distribution systems.
A geopolitical escalation with major economic consequences
Analysis of 2024 data reveals a qualitative transformation in OT cyber threats. While the number of attacks increased only marginally, from 72 in 2023 to 76 in 2024, the physical impact exploded with 1,015 disrupted sites versus 412 the previous year, a 146% increase. Nation-state attacks with physical consequences tripled, driven by Chinese, Russian, and Iranian campaigns. Three new malware strains specific to industrial control systems (ICS) were discovered in 2024, equaling half the total discovered during the previous fourteen years.
The Forescout report reveals that industrial automation protocols have become preferred attack vectors. Attacks on these protocols climbed from 71% to 79% between 2023 and 2024, with Modbus dominating at 40% of incidents, followed by Ethernet/IP at 28%. Threat actors increased their presence by 93% in the energy sector, 71% in manufacturing, and 55% in healthcare. This exponential progression is accompanied by increased sophistication in attack methods and unprecedented physical disruption capability.
Quantified security controls to reduce exposure
The Dragos report identifies three priority OT cybersecurity controls with their potential for financial risk reduction. Incident response planning enables average risk reduction up to 18.5%. Defensible architecture can reduce exposure by 17.09%, while ICS network visibility and monitoring offer protection up to 16.47%. These percentages, based on tens of thousands of simulations and a decade of breach data, provide executives with concrete metrics to justify OT cybersecurity investments.
Regulatory implications intensify with the European NIS2 and CER directives coming into force in late 2024, imposing cybersecurity measures on more than 400,000 companies. In the United States, the Transportation Security Administration (TSA) issued binding directives for the pipeline sector following the 2021 Colonial Pipeline attack that disrupted 45% of the East Coast’s fuel supply. Energy companies must now quantify their cyber risks to meet Securities and Exchange Commission (SEC) reporting requirements, notably the 8-K rule on cyber incident disclosure. This regulatory evolution transforms OT cybersecurity from a technical cost center into a financially measurable strategic imperative, redefining investment priorities for the global energy sector.
