SANS 2026 Report: Cybersecurity Skills Crisis Puts Industrial Infrastructure at Measurable Risk
The OT Security Skills Crisis: Shocking Numbers
The SANS 2026 OT/ICS Cybersecurity Report quantifies what many plant managers already sense: the industrial sector does not have enough people who understand both operational technology and cybersecurity. The headline figure is stark — 68% of industrial organizations lack a dedicated OT security team. These facilities rely on IT security staff to protect systems they were never trained to defend.
This gap exists against a backdrop of escalating threat activity. Manufacturing now absorbs 28% of all cyberattacks globally, making it the most targeted sector ahead of finance and healthcare. Attackers have shifted toward living-off-the-land techniques, exploiting legitimate remote access tools like TeamViewer and RDP sessions already present in OT environments rather than deploying custom malware. Traditional signature-based detection is nearly blind to these methods.
Why OT Security Differs From IT
The distinction is not academic. IT security prioritizes confidentiality — keeping data from leaking. OT security prioritizes availability and safety — ensuring physical processes continue operating without harming people or equipment. Rebooting a compromised IT server takes minutes. Shutting down an industrial furnace or chemical reactor due to a security incident can cost millions and create genuine safety hazards.
OT environments run protocols like Modbus, OPC UA, and EtherNet/IP that are invisible to conventional IT security tools. Network segmentation strategies that work in data centers do not translate directly to plant floors where real-time communication between PLCs, HMIs, and SCADA servers must be maintained with deterministic latency.
Recommendations: How to Bridge the Gap
SANS recommends a practical three-phase approach. Phase one: train existing control engineers in cybersecurity fundamentals rather than trying to teach IT security specialists about industrial processes. The rationale is sound — understanding physical operations takes years of domain experience, while foundational security skills can be acquired in months.
Phase two: adopt IEC 62443 as a unified security framework that spans both IT and OT domains. Phase three: deploy OT-native monitoring tools capable of parsing industrial protocols and detecting anomalous command sequences that IT tools would miss entirely.
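As an illustration of what "parsing industrial protocols" means for phase three, the following added example (not from the SANS report or any vendor tool) decodes Modbus/TCP requests and flags state-changing writes from hosts outside an allowlist. The function names, IP addresses, allowlist policy and sample frames are assumptions constructed for the example.

```python
import struct
from typing import Optional

# Modbus function codes that change device state (Modbus Application Protocol spec).
WRITE_FUNCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
# Assumed policy: only the engineering workstation may write to unit 1.
WRITE_ALLOWLIST = {("10.0.5.10", 1)}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, not Modbus")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func = frame[7]
    msg = {"tid": tid, "unit": unit, "func": func, "address": None, "value": None}
    if func in WRITE_FUNCS:
        if len(frame) < 12:
            raise ValueError("write request truncated")
        # 16-bit address, then value (0x05/0x06) or quantity (0x0F/0x10).
        msg["address"], msg["value"] = struct.unpack(">HH", frame[8:12])
    return msg

def review(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert string for a suspicious request, or None if acceptable."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"MALFORMED from {src_ip}: {exc}"
    if msg["func"] in WRITE_FUNCS and (src_ip, msg["unit"]) not in WRITE_ALLOWLIST:
        return (f"UNAUTHORIZED WRITE from {src_ip}: {WRITE_FUNCS[msg['func']]} "
                f"unit={msg['unit']} addr={msg['address']} value={msg['value']}")
    return None

# Constructed sample traffic: (source IP, raw Modbus/TCP request bytes).
SAMPLES = [
    ("10.0.5.22", bytes.fromhex("000100000006010300000002")),  # read holding regs
    ("10.0.5.10", bytes.fromhex("000200000006010600100064")),  # allowlisted write
    ("10.0.9.77", bytes.fromhex("0003000000060106001003e8")),  # write, unknown host
    ("10.0.9.77", bytes.fromhex("000400000009010600100064")),  # bad length field
]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, "->", review(ip, raw) or "ok")
```

A signature engine sees all four frames as ordinary TCP port 502 traffic; the decision here depends on the decoded function code, unit id and source, which is context a control engineer can supply.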
What This Means for Engineers
The skills gap is now a measurable breach risk factor. If your facility is among the 68% without dedicated OT security personnel, the most effective near-term action is upskilling your automation engineers. They already understand the process, the protocols, and the consequences of disruption. Adding security awareness to that foundation creates defenders who can distinguish a legitimate PLC configuration change from a malicious one — a distinction that pure IT security analysts cannot reliably make.