
Operational technology (OT) - the hardware and software that control physical equipment - is becoming increasingly connected, and that connectivity is shifting the stakes of a cyber event in many organisations from digital loss to physical devastation.
When cyber risk is inseparable from physical harm, a line of code is no longer just data; it is the command that opens a dam, shuts down a power grid, or overrides the safety sensors in a chemical plant. Anticipating the security and budgetary needs of operational technology equipment is a big part of my job as the KPMG partner in the UK who heads OT security. We work with oil and gas majors, utility providers, and industrial manufacturing companies around the globe.
Historically, OT such as industrial control systems (ICS) was "air-gapped": physically isolated from the internet and from the corporate network. Today, the drive for efficiency has bridged this gap, connecting factory floors to corporate networks. While this confers benefits - it allows real-time monitoring of equipment - it also creates pathways for attackers to reach high-stakes physical assets. The consequence for OT is that the priorities are the reverse of IT's: where an IT programme puts confidentiality first, OT has to put safety and availability first, because the cost of a process stopping, or running outside its safe limits, is measured in injuries and physical damage rather than leaked records. A cyberattack on these systems can manifest in several dangerous ways, and the trend is not hypothetical.
Cyber-physical system (CPS) and OT attacks have surged in recent years, shifting from simple digital disruption to large-scale physical consequences. For example, the number of physical sites suffering operational impairment due to cyberattacks increased by 146% in 2024, rising from 412 sites in 2023 to 1,015 sites the following year. Ransomware attacks targeting industrial organisations spiked by 87% over the same period.
By 2025, ransomware was present in 44% of all breaches, up from approximately 32% the previous year.
A recent example of the inseparable link between cyber and physical risk occurred in late December 2025, when Russia-linked threat actors (attributed by some analysts to the state-sponsored Sandworm group and by others to a separate group known as Berserk Bear) targeted Poland's energy infrastructure.
The attack focused on approximately 30 distributed energy sites, including two combined heat and power plants and systems managing renewable energy sources like wind and solar farms. Polish officials alleged the goal was a deliberate attempt to cause a widespread blackout and destabilise the country during a period of extremely cold weather, which could have led to lethal consequences for the civilian population.
The attackers deployed novel data-wiping malware (called DynoWiper) and gained access to OT systems through exposed network devices and vulnerabilities. They succeeded in disabling communications equipment, in some cases "bricking" the devices beyond repair. Poland's robust defences and effective incident response prevented the attack from causing any major power outage or widespread physical harm. However, the incident highlighted how vulnerable modern, interconnected energy systems are, and it should be viewed as a major warning shot for all NATO members.
IT-OT convergence is a popular buzzword for driving efficiency. But connecting the two worlds is often dangerous: convergence focuses on connectivity, frequently at the expense of security, and it is a central reason for the increase in OT attacks. The typical pattern is that a threat actor gains entry through the standard corporate IT network and "pivots" into the industrial control systems that manage physical machinery. Sometimes our post-incident forensic reviews reveal that the attackers did not seem interested in the safety angle at all - until they stumbled into the OT side by accident.
To address these escalating risks, we take a defensible approach that moves beyond simply connecting IT and OT to a structured, resilient architecture. Organisations should focus on proactive defence, asset protection, and rapid recovery. This treats operational resilience and safety as the foundations of the defence rather than as secondary concerns.
To move from a risky connected state to a defensible operating model, we provide specialised services that bridge the gap between digital security and physical safety. And we do this in a variety of ways.
Instead of just connecting devices, a defensible model uses tools to discover and monitor all OT assets in real time, identifying anomalies before they cause physical harm. For instance, we deploy non-intrusive, passive monitoring tools (such as Armis or Radiflow) to map the entire OT ecosystem without disrupting industrial processes. "Passive" is the important word: these tools listen on a switch mirror port or a network tap rather than probing the devices, because the kind of active scan routinely run on an IT network can fault or crash older PLCs, and on a production line that is itself a safety event.
We’ve supported many organisations in developing a "live" digital twin of their hardware. We don't just hand over a list of IP addresses; we provide a prioritised risk register that tells clients exactly which PLC is vulnerable and which anomaly requires immediate physical inspection.
Network segmentation ensures that if an attacker compromises corporate e-mail on the IT side, the architecture blocks lateral movement so the compromise cannot jump into the OT controls. Using O-PAS (the Open Process Automation Standard) and OTSynapse (KPMG's proprietary tool), we work with clients to develop a blueprint for a secure, modular future: the defensible, micro-segmented architecture they need, together with actionable recommendations aligned to the compliance standards they have selected.
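To make the segmentation check concrete, here is an added example in Python; it is not OTSynapse or any vendor's code, and every subnet, zone, conduit and flow in it is constructed. It takes the kind of flow records a passive sensor exports, assigns each address to a Purdue-style zone by subnet, and reports every flow that crosses a zone boundary without an approved conduit - exactly the "corporate workstation talking Modbus to a PLC" pivot described above, with anything reaching the control or safety zones marked critical.

```python
"""Zone-and-conduit policy check over observed OT flows.

Added example (not KPMG's OTSynapse or any vendor tool): assets are mapped
to Purdue-style zones by subnet, an allow-list names the only permitted
cross-zone conduits, and every observed flow that crosses a zone boundary
without a matching conduit is reported.  All addresses, zones, conduits and
flows below are constructed for illustration."""
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed zone map: subnet -> zone (Purdue level noted in the comment).
ZONES = {
    "10.10.0.0/16": "enterprise",   # level 4/5: corporate IT, e-mail, ERP
    "10.20.0.0/24": "it_ot_dmz",    # level 3.5: jump hosts, replicated historian
    "192.168.10.0/24": "site_ops",  # level 3: historian, engineering workstations
    "192.168.20.0/24": "control",   # level 1/2: PLCs and HMIs
    "192.168.30.0/24": "safety",    # safety instrumented systems, highest consequence
}

# Constructed conduit allow-list: (src_zone, dst_zone) -> permitted destination ports.
# Cross-zone traffic not listed here is a violation; traffic inside one zone is allowed.
CONDUITS = {
    ("enterprise", "it_ot_dmz"): {443},       # users reach DMZ dashboards / jump host over TLS
    ("it_ot_dmz", "site_ops"): {3389, 5432},  # jump-host RDP and historian replication
    ("site_ops", "control"): {502, 44818},    # historian / EWS poll PLCs (Modbus/TCP, EtherNet/IP)
}

# Well-known ICS protocol ports, used only to make the report readable.
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


class Violation(NamedTuple):
    flow: Flow
    src_zone: str
    dst_zone: str
    reason: str
    severity: str


_NETS = [(ipaddress.ip_network(cidr), zone) for cidr, zone in ZONES.items()]


def zone_of(ip: str) -> str:
    """Zone of an address, or 'unknown' if it is not in the asset inventory."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETS:
        if addr in net:
            return zone
    return "unknown"


def check_flow(flow: Flow) -> Optional[Violation]:
    """None if the flow is intra-zone or matches an approved conduit, else a Violation."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return None
    if flow.dport in CONDUITS.get((src_zone, dst_zone), set()):
        return None
    proto = ICS_PORTS.get(flow.dport, f"tcp/{flow.dport}")
    if "unknown" in (src_zone, dst_zone):
        reason = f"{proto} flow involving an asset outside the inventory"
    else:
        reason = f"no approved conduit {src_zone} -> {dst_zone} for {proto}"
    # Anything reaching the control or safety zones without a conduit can move physical equipment.
    severity = "critical" if dst_zone in ("control", "safety") else "high"
    return Violation(flow, src_zone, dst_zone, reason, severity)


def check_flows(flows: List[Flow]) -> List[Violation]:
    return [v for v in map(check_flow, flows) if v is not None]


# Constructed sample of observed flows, as a passive sensor would export them.
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.0.5", 443),           # user -> DMZ dashboard: allowed
    Flow("10.20.0.5", "192.168.10.5", 3389),        # jump host -> engineering workstation: allowed
    Flow("192.168.10.5", "192.168.20.11", 502),     # historian -> PLC Modbus poll: allowed
    Flow("192.168.20.11", "192.168.20.12", 44818),  # PLC -> PLC inside the control zone: allowed
    Flow("10.10.5.23", "192.168.20.11", 502),       # corporate workstation talking Modbus to a PLC
    Flow("10.10.7.9", "192.168.10.5", 3389),        # RDP straight from corporate into site ops, bypassing the DMZ
    Flow("192.168.20.11", "192.168.30.4", 502),     # control network writing to the SIS
    Flow("203.0.113.9", "192.168.10.5", 22),        # SSH from an address that is not in the inventory
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"[{v.severity}] {v.flow.src} -> {v.flow.dst}:{v.flow.dport} "
              f"({v.src_zone} -> {v.dst_zone}): {v.reason}")
```

Run as-is it reports four violations from the eight sample flows and passes the other four. In practice the zone map comes out of the asset discovery step, the conduit list is the segmentation blueprint, and the flows are the sensor's export; the unknown-zone branch is deliberately a violation rather than a pass, because an address the inventory cannot place is the one most worth a physical inspection.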
A key element in marshalling resources is deciding how to invest. That’s where cyber risk quantification (CRQ) comes in. When juggling a large portfolio of OT security projects, CRQ can be the difference between guessing and investing. In the physical world of OT, "high risk" is too vague; you need to know if a project will prevent a £10M outage - or a catastrophic safety event.
CRQ is helping leaders think strategically about risk reduction. It helps them understand their critical assets by decomposing losses against specific risk scenarios aligned to value streams within the organisation. It also helps them present the investment case to decision-makers by stating what the investment buys - a better-segmented network and properly protected equipment - in financial terms. And leaders are no longer thinking only about the enterprise's back-office systems. They are starting to use this approach to decide where to spend on equipment such as wind turbines, gas turbines, and pipelines.
CRQ shows how exposed those assets would be if they were not upgraded and maintained. It can quantify the difference between a default configuration that is not monitored and a hardened environment with 24/7 monitoring, in terms of both the likelihood and the impact of a cyber event: hardening reduces how often an attack succeeds, and monitoring shortens how long an attacker operates before being contained, which is what drives the size of an outage. The approach is threat-driven. It expresses threats in financial terms and helps leaders make sensible decisions about where to enhance security in the operational environment.
Equally important is what it does not require. Instead of looking at the technology and, out of fear, trying to work out how to secure everything, CRQ helps leaders prioritise perhaps 20% of their operational assets where investment is most needed, and leave the rest alone because it is not critical, or not as exposed as they had thought.
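The arithmetic behind that comparison, as an added example in Python (not KPMG's CRQ methodology or tooling, and every scenario, control and figure is constructed): each risk scenario is an annual event frequency plus a triangular single-loss distribution, a candidate control scales the frequency (hardening) and the magnitude (24/7 monitoring contains an outage sooner), and the portfolio is ranked by return on security investment so that the budget goes to the few assets where it moves the number and the non-critical ones are deliberately left alone. The loss-exceedance function answers the "£10M outage" question directly rather than through an average.

```python
"""Cyber risk quantification (CRQ) for an OT project portfolio.

Added example, not KPMG's methodology or tooling: a FAIR-style annualised
loss model in which each risk scenario is an event frequency plus a
triangular (min / most likely / max) single-loss distribution, and each
candidate control scales frequency (hardening) and magnitude (24/7
monitoring shortens the time an attacker runs before containment).
Projects are ranked by return on security investment (ROSI).  All figures
are constructed for illustration."""
import math
import random
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float    # expected loss events per year
    loss_min: float     # GBP, best-case single-event loss
    loss_likely: float  # GBP, most likely single-event loss
    loss_max: float     # GBP, worst credible loss (outage, safety, regulatory)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # GBP per year: capital spread over its life plus run cost
    freq_factor: float  # multiplier on event frequency (0.4 = 60% fewer successful attacks)
    loss_factor: float  # multiplier on loss magnitude (0.5 = outage contained in half the time)


def expected_single_loss(s: Scenario) -> float:
    """Mean of the triangular distribution: (min + likely + max) / 3."""
    return (s.loss_min + s.loss_likely + s.loss_max) / 3.0


def ale(s: Scenario) -> float:
    """Annualised loss expectancy = frequency x expected single loss."""
    return s.frequency * expected_single_loss(s)


def apply_control(s: Scenario, c: Control) -> Scenario:
    """The residual scenario once the control is in place."""
    return replace(s, frequency=s.frequency * c.freq_factor,
                   loss_min=s.loss_min * c.loss_factor,
                   loss_likely=s.loss_likely * c.loss_factor,
                   loss_max=s.loss_max * c.loss_factor)


def risk_reduction(s: Scenario, c: Control) -> float:
    return ale(s) - ale(apply_control(s, c))


def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    return (risk_reduction(s, c) - c.annual_cost) / c.annual_cost


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def loss_exceedance(s: Scenario, threshold: float, trials: int = 20_000, seed: int = 1) -> float:
    """P(total annual loss >= threshold) by Monte Carlo over a year of events."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        events = _poisson(rng, s.frequency)
        total = sum(rng.triangular(s.loss_min, s.loss_max, s.loss_likely) for _ in range(events))
        hits += total >= threshold
    return hits / trials


def prioritise(projects: List[Tuple[Scenario, Control]], budget: float) -> List[str]:
    """Greedy: fund projects in descending ROSI order while budget remains,
    skipping anything whose loss avoided does not cover its own cost."""
    ranked = sorted(projects, key=lambda sc: rosi(*sc), reverse=True)
    chosen, spent = [], 0.0
    for s, c in ranked:
        if rosi(s, c) <= 0 or spent + c.annual_cost > budget:
            continue
        chosen.append(c.name)
        spent += c.annual_cost
    return chosen


# Constructed portfolio: one scenario per asset class, one candidate control each.
PLC_OUTAGE = Scenario("ransomware halts main production line", 0.5, 3e6, 6e6, 12e6)
SIS_TAMPER = Scenario("safety instrumented system tampered with", 0.05, 15e6, 45e6, 90e6)
PACKAGING_HMI = Scenario("non-critical packaging HMI defaced", 0.3, 5e4, 1e5, 1.5e5)

HARDEN_AND_MONITOR = Control("harden PLC network + 24/7 OT monitoring", 7e5, 0.4, 0.5)
SIS_ISOLATION = Control("isolate SIS network + change control", 4e5, 0.2, 1.0)
HMI_REBUILD = Control("rebuild packaging HMI on supported OS", 1.2e5, 0.5, 0.8)

PORTFOLIO = [(PLC_OUTAGE, HARDEN_AND_MONITOR), (SIS_TAMPER, SIS_ISOLATION), (PACKAGING_HMI, HMI_REBUILD)]

if __name__ == "__main__":
    for s, c in PORTFOLIO:
        print(f"{s.name}: ALE {ale(s):,.0f} -> {ale(apply_control(s, c)):,.0f}, ROSI {rosi(s, c):.2f}")
    hardened = apply_control(PLC_OUTAGE, HARDEN_AND_MONITOR)
    print("P(a 10M+ year), default vs hardened:",
          loss_exceedance(PLC_OUTAGE, 1e7), loss_exceedance(hardened, 1e7))
    print("fund within 1.5M:", prioritise(PORTFOLIO, 1.5e6))
```

With these constructed figures the production-line project turns £700k into £2.8M of loss avoided (ROSI 3.0), the SIS isolation project does better still on a rarer but far larger loss, and the packaging HMI rebuild is correctly left out because it costs more than it ever saves: the 20% / 80% split in the paragraph above, made explicit. The frequency and loss factors are the judgement calls; the value of the model is that they are written down and can be argued over.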
What makes this easier in the UK than it might be in other places is that money is sometimes readily available. One of my clients, a water company, is going to get a 100% asset uplift for maintenance and performance every four to five years. In the UK, we get the funding through the government. (It’s also subsidised through a comparable format in the U.S. and Australia). What happens as part of this multimillion-dollar upgrade, in addition to checking the waterways and the wastage, is considering the company’s security needs.
Whether or not that funding is available, embedding security should be part of any uplift. What we do not want is to deliver the upgraded programme and then, two years later, start thinking about bolting a load of security onto it.
In this context, it’s not a hard sell. Security by design is just common sense. The asset owners and operating officers who are in charge require this perspective already. All we should need to do is suggest, encourage, and validate.
This article is part of the Reinventing Cyber Budgeting publication. It's a joint publication by KPMG and TAG Infosphere, written for CISOs, risk leaders and executives who are being asked to do more – with less – and need a better way to explain, justify and defend cyber investment decisions. Read the full report here.


