
Quick Summary
- The “2024 SANS ICS/OT Cybersecurity Report,” authored by SANS Institute, spotlights a broken culture of reporting in operational technology (OT) security, where outdated governance is stuck in neutral even as threat actors accelerate.
- 54% of organizations admit their OT cybersecurity reporting runs through outdated, ad hoc manual processes — with only 20% using automated solutions. Meanwhile, 34% of incident responders aren’t even sharing findings with leadership, and a mere 15% bring lessons learned back to the OT/ICS frontline.
- Despite ransomware and state-sponsored threats hitting operational networks, industries like energy, manufacturing, and chemicals cling to fragmented governance, leaving critical blind spots.
- If you’re still treating OT incident reporting as a compliance afterthought, you’re already behind — CISOs must force direct reporting, automate the flow of actionable intel, and finally break out of the “fire drill” cycle of self-inflicted risk.
Bureaucracy Got Us Here: Manual, Outdated Reporting in a Hyperactive Threatscape
If you needed another reminder that “security theater” is still alive and well in OT, the SANS Institute just handed it to you. The 2024 SANS ICS/OT Cybersecurity Report, covered in detail in the original article, puts numbers to what operators already feel: threat activity is outpacing the entire OT/ICS security reporting apparatus, and the tools we’re using to keep up are analog, fragmented, or simply not used at all.
Let’s spell it out. Of the organizations surveyed — spanning energy, manufacturing, chemical, and critical infrastructure — a laughable 20% use automated threat reporting platforms. The rest? Fifty-four percent are stuck elbow-deep in spreadsheets, email threads, or straight-up ad hoc reporting. That’s not “underserved.” That’s unsupported. It makes the usual guidance about “improving situational awareness” sound like satire.
It gets worse. Thirty-four percent of incident responders don’t even elevate their findings to operations management or senior leadership — the people with the power to move the needle. And just 15% bring those lessons back to the team that needs them most: the frontline engineers and OT/ICS techs. So incidents vanish into the ether. This isn’t just an operations problem; it’s a willful ignorance problem, codified by years of legacy governance that treats OT reporting as “belt-and-braces” compliance, not a lever for risk mitigation. When was the last time a root-cause analysis on a near-miss started a “rethink” in your org?
Why Is Governance Lagging While Threats Lap Us?
This isn’t about tools — it’s about courage, priorities, and organizational honesty. While external threats have evolved from malware to sophisticated ransomware operations and nation-state cyber sabotage, our OT security accountability remains stuck in a Board report from 2007.
Legacy governance gets exposed when you mash up complex supply chains, vendor sprawl, and the operational pressure to “keep systems running, no matter what.” Nobody wants to halt production because of a possible breach — until the breach locks the plant doors for real. This is exactly why sectors like energy, chemicals, and discrete manufacturing have become prime playgrounds for ransomware operators. Their reporting is slow, fragmented, and steered by regulatory minimums, not operational reality.
The report exposes a disconnect: those tasked with OT security lack the direct reporting lines and data-sharing required to make a real difference. Instead, “incident reporting” devolves into check-box exercises for compliance, not meaningful inputs for hardening your ICS, remediating real weak spots, or testing recovery plans.
And, let’s be brutally clear: automated reporting platforms aren’t the endgame. But if you’re prioritizing manual spreadsheet reconciliation over real-time notification, you’re losing before the first phishing email lands. Ransomware and adversary campaigns depend on these delays and disconnects. Even the best endpoint tech won’t save you when your most critical event data trickles upward by quarterly memo.
If this all feels familiar, it should. We’ve seen it in every sector dragging its feet on legacy system patching or dancing around governance reform. The weakest link is almost always in visibility, communication, and somewhere — someone — deciding “let’s keep this quiet and just fix it.” If you’re still working around the reporting dysfunction, you’re not managing risk; you’re betting your OT environment on silence.
Break the Cycle: Forcing Actionable Intelligence Upstream and Down
Here’s what needs to change — now:
First, CISOs must demand direct reporting for OT incidents. That means senior leadership, board-level committees, and frontline engineering all hear the same root-cause findings. No excuses. No “we’ll escalate only if asked.” Formalize it, automate it, and bake it into every post-incident playbook.
Second, kill the pretense that manual reporting suffices in a landscape where cyber attacks with physical, kinetic effects can halt production lines in minutes. Invest in automated, contextualized threat reporting tools that bridge the IT-OT divide — not for compliance, but for real, operational resilience. The tools exist; the problem is willpower. Protecting OT from modern threats starts with knowing you’ve actually seen and shared the threat.
Third, build a feedback loop. The report’s most egregious stat? Just 15% of incident learnings reach the engineers and operators. You need more than a lessons-learned database — you need briefings, cross-functional drills, and incident retrospectives that fix real control gaps, not just satisfy your legal team.
Finally, if you’re in an industry where “operational uptime” is gospel, ask yourself which is worse: a temporary shutdown for a cyber response drill, or an unplanned, week-long outage from a ransomware attack that nobody saw coming because the facts never made it out of your OT basement? If you think your legacy tools will protect you, remember how obsolete infrastructure made the NHS a target — and look in the mirror.
The bottom line for every CISO and OT security lead: stop treating incident reporting like a perfunctory compliance routine. Force direct reporting lines. Automate the context and delivery of operational intelligence. And for your own sake — consider that every spreadsheet-powered investigation you bury is a live round handed to your next attacker. When reporting fails, so does everything else. Wake up, shake up your governance, and treat OT threats like the boardroom existential risks they actually are.