Imagine a sprawling factory floor where aging control systems hum along day after day. The engineers on site share a common refrain: “If we don’t touch it, it won’t break.” It’s an understandable mindset in Operational Technology (OT) environments—after all, keeping production running 24/7 is often priority number one.
The introduction of anything new, whether a software update or a security tool, is approached with extreme caution for fear of disrupting operations. The logic is simple: leave the system alone and avoid causing an outage.
But in today’s industrial landscape, this comfort in doing nothing can be dangerously shortsighted. While reliability and uptime are essential, ignoring cybersecurity can actually increase the risk to that very reliability. We’ve seen OT networks that have run for decades without a single security assessment or update—environments where no one has looked at the network traffic or device logs in years.
Such hands-off approaches often stem from well-intentioned goals (like keeping “outsiders” out or preserving stability), but they leave critical systems operating in a blind spot of security. If you don’t know what’s happening in your environment and you never improve your security posture, you’re effectively gambling that nothing bad will ever happen.
In this fourth installment of our industrial cybersecurity series (following “Legacy OT Systems: Why Hackers Love Them”, “The Dangerous Myth of the Air Gap”, and “OT Patching: Why Updating Industrial Systems Is a Cybersecurity Nightmare”), we examine why a passive “do nothing” approach to OT security is itself a major risk.
We’ll explore how long-ignored industrial systems accumulate hidden threats, how poor communication between IT and OT teams exacerbates the issue, and why lack of visibility makes “no news” far from good news. Most importantly, we’ll discuss how focusing solely on uptime and delaying security can backfire—potentially causing the very downtime everyone fears.
The bottom line: when it comes to OT security, doing nothing isn’t the safe choice – it’s an invitation for trouble.
The “If We Don’t Touch It, It Won’t Break” Mindset in OT
In industrial operations, caution is more than just a virtue – it’s a necessity. OT engineers and plant managers have long abided by the adage “if it isn’t broken, don’t fix it,” especially when any change could ripple into physical consequences. Unlike the IT world, where rebooting a server or updating software is routine, in OT even a minor tweak can have real-world impact.
A poorly timed system restart or untested update could halt a production line, spoil a batch of product, or even put lives at risk. It’s no wonder that any new introduction to an OT environment – a patch, an upgrade, or a security tool – is approached with extreme caution.
This mindset comes from hard-earned experience. No CEO or plant director wants to be the one who stops a running oil refinery or factory “to fix” something that doesn’t appear to be broken. And many legacy OT systems have been running “just fine” for decades.
The result? A culture of sticking with the status quo. If a PLC or HMI has been humming along since 1995, many teams figure it’s best to leave it untouched rather than risk an outage. In practice, this often means cybersecurity upgrades get put on the back burner indefinitely. Better to do nothing (and keep everything stable), the thinking goes, than to make a change that might cause downtime.
The intentions behind this approach are understandable. Uptime, safety, and reliability are non-negotiable in industrial control systems. Operators rightly prioritize processes that keep the lights on and the product flowing. They maintain rigorous change-management and safety protocols for any operational adjustments. However, the “don’t touch it” philosophy doesn’t hold up against modern cyber threats.
In an era where attackers are actively probing even the most obscure systems, doing nothing effectively means leaving doors unlocked because you’re afraid to check whether they’re locked. Avoiding all change might prevent immediate disruptions, but it also means critical security weaknesses remain unaddressed – silently accumulating over time.
Long-Ignored Systems: Hidden Threats Lurking Unseen
One consequence of the hands-off approach is that OT environments can go largely unexamined for years or even decades, allowing security issues to quietly accumulate. We’ve walked into plants where the control network had never been audited or monitored for threats. In these cases, the assumption was that as long as everything kept running, there was nothing to worry about. But beneath the surface, those networks were anything but pristine.
When systems run untouched for ages, they inevitably fall behind on patches and security updates. Legacy HMIs and engineering workstations might be running outdated operating systems with well-known vulnerabilities.
Default passwords that were set in the 1990s might still be in use. If no one is watching network traffic or analyzing log data, an intruder could slip in and stay for months without drawing attention. Essentially, a long-ignored OT environment becomes a breeding ground for cyber threats, ripe for any attacker patient enough to poke around.
Real-world incidents illustrate this risk. In one notable case, a European water utility’s SCADA server was found infected with cryptocurrency-mining malware, which had been slowing down its operations. How did it happen? The compromised system was an HMI computer running Windows XP – an operating system that reached end-of-life in 2014. Because the utility had avoided updates “for stability,” that HMI hadn’t been patched in years.
At some point, malware snuck in (likely through a malicious website or USB drive) and quietly began consuming resources. The only reason it was discovered was that an outside team finally took a look. Imagine how many other OT networks might harbor similar unwanted surprises simply because nobody has ever checked.
Meanwhile, attackers are increasingly aware that these unpatched, unmonitored systems exist. Cyber adversaries today have a robust understanding of ICS/OT environments and are actively finding ways to exploit them. They know many industrial sites run “set it and forget it” equipment with minimal oversight. In fact, security researchers have observed a surge in exposed OT devices and even malware tailored specifically to exploit them. For attackers, an out-of-date PLC or an ignored historian server is low-hanging fruit: an easy way in with little resistance.
The longer an OT network goes ignored, the more time attackers have to map it, find weaknesses, and potentially plant malware or backdoors.
In short, “no news” is not good news in an OT environment that hasn’t been assessed in years. The lack of visible problems could simply mean problems are hiding. By doing nothing, organizations may unknowingly be allowing threats to fester until they eventually manifest as a major incident.
The IT/OT Communication Gap: When Silos Leave Security Gaps
Another factor that can perpetuate a “do nothing” stance is the disconnect that often exists between corporate IT security teams and the OT engineers in the plant. In many organizations, these groups operate in silos – sometimes with entirely separate reporting structures, budgets, and priorities.
The result is that nobody fully “owns” OT security, and critical issues can fall through the cracks. IT professionals may be hesitant to touch OT systems they don’t fully understand, and OT personnel may be equally determined to keep IT folks (and their scanning tools) away from sensitive industrial equipment. This lack of coordination can be devastating for security.
In some cases, OT teams intentionally keep external observers or IT auditors out of their networks, fearing that outsiders poking around will inadvertently cause downtime. The intent is to protect operations, but it also means that established IT security practices – like routine vulnerability assessments, incident response drills, and continuous monitoring – never make it into the OT environment.
Meanwhile, the IT department might assume that “OT has it covered” or treat OT risks as someone else’s problem. The unfortunate truth is that when everyone stays in their lane, key security tasks often don’t happen at all. (For example, patching might get skipped because IT isn’t allowed to do it and OT isn’t equipped to do it.)
This communication gap isn’t just anecdotal – it’s reflected in industry surveys. One report found that 61% of organizations see a disconnect in how cybersecurity risk is perceived between OT/ICS teams and other parts of the business. In other words, the folks running the industrial control systems often don’t speak the same language as the corporate IT security office or senior management when it comes to threats.
That disconnect can lead to misunderstandings and inaction. For instance, if OT engineers don’t convey the vulnerabilities they’re worried about (or choose to hide them to avoid scrutiny) and IT security staff don’t tailor their tools to OT needs, the organization ends up with blind spots. Misconfigurations, unpatched systems, and other problems can slip by simply because the right people aren’t talking to each other.
Bridging this IT/OT divide is critical. It requires both sides to recognize that security in industrial operations is a shared responsibility. When IT and OT teams collaborate – sharing data, aligning on risk assessments, and jointly planning changes – security improvements can be made without derailing operational goals. Conversely, if the silos persist, attackers will find it all too easy to exploit the lack of collective defense.
Lack of Visibility: You Can’t Secure What You Can’t See
Perhaps the biggest danger of “doing nothing” is that it leaves organizations flying blind. Security is fundamentally about visibility – knowing what devices are in your environment, what’s happening on your network, and what normal behavior looks like. If you aren’t collecting any data from your OT systems, how will you spot an anomaly or an intruder?
Unfortunately, many industrial organizations have historically had little to no visibility into their OT cyber activity. They might not even have an up-to-date inventory of all the PLCs, HMIs, drives, and other devices running in their plants. As the saying goes, “you can’t protect what you don’t know exists.”
Statistics bear this out. One survey found that 65% of organizations have only limited visibility into their control systems, only 22% have the level of visibility needed to defend against modern threats, and 7% have no visibility at all.
In other words, at the majority of industrial sites, security teams lack a clear picture of what’s on the OT network and what it’s doing. In such conditions, detecting a stealthy attack is nearly impossible.
Malware could be siphoning data or a hacker could be pivoting through a control network, and you’d have no idea – because the tools and telemetry to notice simply aren’t there. It’s the equivalent of trying to guard a facility while blindfolded.
Lack of visibility also means lack of situational awareness when something does go wrong. By the time a serious incident becomes evident (say, a production line suddenly malfunctions or a key piece of equipment stops working), it may be far too late to quickly identify the cause. Was it a component failure? A cyber attack? Without network logs, device data, or system alerts to consult, your incident responders are left guessing – which wastes precious time in a crisis.
On the flip side, organizations that invest in OT visibility – asset discovery, network monitoring, endpoint telemetry – often find that just illuminating the shadows reveals issues they can fix proactively. It could be as simple as discovering an unauthorized device plugged into the network, or spotting unusual traffic from a controller that merits investigation.
Doing nothing deprives you of these early warning signs. It’s an unfortunate truth that in many OT environments, “no news” often just means no one is watching. And what you’re not watching can absolutely hurt you.
Uptime vs. Security: Striking the Right Balance
The tension between operational uptime and security often feels like a zero-sum game. OT personnel might say, “We can’t afford downtime for security changes,” while security professionals warn, “If we don’t address these vulnerabilities, we’ll get hit eventually.”
The truth is, both uptime and security are critical to an industrial organization’s success – and focusing on only one can put the other in jeopardy. The challenge (and opportunity) is to find a balance where security improvements are made in a way that does not recklessly endanger reliability.
It’s worth remembering that ignoring security doesn’t guarantee uptime – it only guarantees that when an incident happens, you’ll be unprepared and possibly hit much harder. We’ve seen this time and again in high-profile cyber incidents.
The infamous NotPetya malware outbreak of 2017, for example, forced several major companies to halt operations entirely. One global shipping firm lost an estimated $300 million in revenue and recovery costs after its systems were crippled. In the OT world, there have been cases of ransomware attacks that led to week-long production shutdowns or safety systems being compromised. These scenarios are every plant manager’s nightmare: the very downtime and chaos that “doing nothing” was supposed to avoid, coming to pass in a far more damaging way.
The message is clear: security and uptime are not opposing goals in the long run. Good security is what ensures reliable uptime. Yes, any changes to industrial systems must be handled with care – ideally tested offline, scheduled during maintenance windows, and executed by people who understand the process environment. But with proper planning, organizations can strengthen security without “breaking” their operations.
For instance, deploying passive monitoring or anomaly-detection sensors doesn’t require taking controllers offline. Segmenting networks and tightening access controls can often be done gradually, during planned downtimes, to minimize disruption. Even routine maintenance periods can double as opportunities to safely install patches or firmware updates (after thorough testing).
In modern OT cybersecurity, a popular mantra has become “look, but don’t touch” – meaning use methods that observe and analyze your industrial environment without interfering with it. By leveraging approaches like this, companies can gain deep visibility and early threat detection without jeopardizing the operational continuity they cherish.
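As an added illustration of the passive visibility described in this section and the “you can’t secure what you can’t see” section above (example code written for this article, not code from the original post or from any product), the following Python sketch learns an asset inventory and a “who talks to whom” baseline from captured flow records, then flags an unknown device, a controller opening a conversation it has never had, and a Modbus write from a host that is not an engineering workstation. Every IP address, port and flow record is constructed; nothing here sends a packet to a controller.

```python
"""Passive OT visibility: learn an asset inventory from captured flow
records and flag deviations, without touching any controller.
All hosts, addresses and flows below are constructed sample data."""
from collections import defaultdict

# Constructed baseline flows: (src_ip, dst_ip, dst_port, modbus_function)
# modbus_function is None for traffic that is not Modbus/TCP.
BASELINE_FLOWS = [
    ("10.10.1.20", "10.10.1.5", 502, 3),      # HMI reads registers from PLC-A
    ("10.10.1.20", "10.10.1.6", 502, 3),      # HMI reads registers from PLC-B
    ("10.10.1.30", "10.10.1.5", 502, 16),     # engineering workstation writes PLC-A
    ("10.10.1.5", "10.10.1.40", 1433, None),  # PLC-A pushes data to historian
]
# Constructed later observations to compare against the baseline.
NEW_FLOWS = [
    ("10.10.1.20", "10.10.1.5", 502, 3),      # normal HMI poll
    ("10.10.1.99", "10.10.1.5", 502, 3),      # laptop nobody inventoried
    ("10.10.1.5", "203.0.113.7", 443, None),  # PLC reaching an outside host
    ("10.10.1.20", "10.10.1.5", 502, 6),      # HMI writing a register
]
ENGINEERING_WORKSTATIONS = {"10.10.1.30"}   # hosts allowed to write to PLCs
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16}     # coil/register write function codes

def build_inventory(flows):
    """Passively learn which hosts exist and which (peer, port) pairs
    each host normally talks to. Returns {host: {(dst_ip, dst_port), ...}}."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        peers[src].add((dst, port))
        peers[dst]  # register the destination as a known asset too
    return dict(peers)

def detect_anomalies(inventory, flows):
    """Return (finding_type, detail) tuples for flows that deviate from the
    learned baseline: new devices, new conversations, unexpected writes."""
    findings = []
    for src, dst, port, func in flows:
        if src not in inventory:
            findings.append(("unknown-device", src))
        elif (dst, port) not in inventory[src]:
            findings.append(("new-conversation", f"{src}->{dst}:{port}"))
        if func in MODBUS_WRITE_FUNCTIONS and src not in ENGINEERING_WORKSTATIONS:
            findings.append(("write-from-unexpected-host", f"{src}->{dst} fc={func}"))
    return findings

def run_example():
    """Baseline on the first capture, then review the second."""
    return detect_anomalies(build_inventory(BASELINE_FLOWS), NEW_FLOWS)

if __name__ == "__main__":
    for kind, detail in run_example():
        print(f"{kind:28} {detail}")
```

In a real deployment the baseline would come from a SPAN/TAP capture over a representative period rather than a hard-coded list, and the findings would feed a review queue rather than any automatic blocking.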
The risk of doing nothing far outweighs the temporary inconvenience of doing something in a controlled manner. In fact, industry experts warn that critical infrastructure can no longer afford to treat cybersecurity as optional – proactive defenses are now table stakes for safe and reliable operations.
By embracing a balanced approach, organizations can have the best of both worlds: keep the plant running smoothly and keep it protected against modern threats. It’s not an easy path, but it’s a necessary one to avoid the much greater danger of a catastrophic breach or breakdown down the line.
Conclusion: Inaction Is Not a Safe Strategy
It’s understandable why many OT professionals have stuck to the “do nothing” approach – it comes from a place of wanting to protect uptime and safety. But as we’ve outlined, doing nothing is actually the riskier bet in today’s threat landscape.
A plant that hasn’t been touched in years might feel stable, but it’s likely teetering on a foundation of unknown vulnerabilities and unseen threats. The good news is that you don’t have to choose between security and reliability. By taking thoughtful, well-planned actions, you can greatly improve your security posture and maintain the rock-solid operations you need.
It’s time to replace the false sense of security that comes from “ignoring the problem” with real, informed confidence that comes from visibility and proactive defense. Start with small steps – an assessment of your OT network, a passive monitoring pilot, or a joint drill where IT and OT teams practice responding to an incident together. You’ll find that strengthening security doesn’t mean shattering your processes. On the contrary, it will reinforce the resilience of your operations against accidents and attacks alike.
If your organization has been hesitant to step up its OT security, now is the time to act. You don’t have to face the challenge alone, either. Our team at Insane Cyber specializes in helping industrial operations boost security without disrupting what matters most. We’ve designed our solutions with “look, don’t touch” principles to give you deep insight into your environment without putting it at risk. Schedule a demo of our Valkyrie platform to see how you can achieve the visibility and threat detection your OT network has been missing. Let us show you how a smart, minimally invasive approach can uncover hidden issues and provide peace of mind.
Don’t wait for a crisis to force your hand. By taking action now – even incremental action – you’re investing in the long-term safety, reliability, and success of your industrial operations. In OT security, the greatest risk is assuming there is none.
(This article is part of our series on industrial cybersecurity. Be sure to check out the previous installments: “Legacy OT Systems: Why Hackers Love Them,” “The Dangerous Myth of the Air Gap,” and “OT Patching: Why Updating Industrial Systems Is a Cybersecurity Nightmare,” for further insights.)