
Extended recovery times are driving up the overall cost of cyberattacks.

Prayukth KV
11. November 2025
In almost every cyber incident we heard of in 2025 (and many we didn't), there was one common thread: the time taken to recover from a cyberattack jumped significantly this year. This is likely the result of several security challenges acting together to degrade both the timeliness and the accuracy of response.
In today’s post, we do a deep dive into how extended recovery time can become a powerful driver for implementing better security measures and what can be done to improve incident recovery initiatives.
Before we dive in, don't forget to check out our previous post on 5 hard OT Cybersecurity lessons 2025 taught us (And What to Do About Them) here.
Understanding the real price of an OT cyberattack
When most people think of a cyberattack, they often think of stolen data, leaked customer lists, bad press, and a ransom demand. In the world of Information Technology (IT), that is often the case. The damage, while serious, is mostly in the digital realm alone.
However, in the world of Operational Technology (OT) or industrial control systems, populated by power grids, manufacturing plants, water treatment facilities, and refineries, the very definition of an attack is something else entirely. An OT cyberattack is not just about data; it is about physics.
When an OT system goes down in an unplanned manner, the primary cost isn't just the ransom demand. The real, catastrophic cost is downtime and the kinetic fallout that emerges. And in the complex world of diverse industrial control systems, downtime doesn’t simply equate to a few hours; it could instead mean days, weeks, or even months. This prolonged recovery period is the silent, budget-breaking killer that drives the total cost of an OT cyberattack into the tens or even hundreds of millions.
Consider the chart below from our research into 79 cyber incidents this year.

On average, the recovery time for an attack involving remote OT sites is about 109 days. That is a whole lot of days. Now consider an oil and gas refinery, a power plant, or even an assembly line, multiply 109 by the revenue lost per day, and a disturbing picture emerges. Can we afford such downtimes?
Why OT recovery is something different altogether
Can you simply "re-image" a blast furnace or "reboot" a chemical plant? The answer is no. Unlike an IT network, where systems can be wiped and restored from backups in minutes, OT recovery is slow, methodical, and physical for several key reasons:
• Legacy and specialized tech: Most plants run on "black box" proprietary systems and legacy software (such as Windows XP) that are decades old. These systems were never designed for modern cybersecurity or rapid recovery. Deploying a "clean" backup might be impossible.
• Loss of visibility: Attackers don't just encrypt data; they routinely target the Human-Machine Interfaces (HMIs). This is the equivalent of a pilot losing all their cockpit instruments while up in the air. Even if a plant is technically operable without HMIs, operators are "flying blind" and must trigger an emergency shutdown, extending the outage indefinitely.
• Physical safety is paramount: You cannot restart a system until it has been physically proven safe and the risk of a kinetic incident has passed. This means sending engineers to manually inspect thousands of valves, sensors, and turbines to ensure that the cyberattack didn't leave behind hidden physical damage that could lead to an explosion, chemical leak, or other catastrophe.
• Complex forensics: Before you can rebuild, you have to understand how the attacker got in and what they changed in the first place. On a complex, segmented OT network, such a detailed forensic investigation can take weeks, all while the production line remains still. Some systems may not even lend themselves to such an investigation.
The ever-escalating costs of downtime
When a factory that generates $100,000 in revenue per hour goes silent for just two weeks, the math is ruthless. That shutdown alone could rack up a bill of $33.6 million in lost production, and that's just the beginning. An extended recovery period acts as a "cost multiplier," allowing these financial wounds to bleed out.
The immediate bleed: Direct costs
• Massive production loss: This is the most obvious driver. Every minute the line is down is a direct, unrecoverable loss of revenue.
• Manual overrides and overtime: Companies are forced to pay a 24/7 army of engineers, operators, and IT staff to manually run processes (if possible), investigate the breach, and attempt recovery.
• Emergency response and forensics: Flying in third-party incident response (IR) teams specializing in OT is incredibly expensive.
• Physical asset replacement: If an attack manipulates a system, like by over-spinning a turbine or overheating a mixture, it can cause permanent physical damage. This turns a software problem into a multi-million dollar hardware replacement, with its own long lead times.
• Cost of a kinetic incident: If there has been a physical impact, the costs go up even more.
The long-tail: Indirect and hidden costs
This is where extended recovery simply devours the bottom line. These costs accrue during the long recovery and linger for years after.
• Supply chain collapse: You aren't just down; you've stopped your customers' supply chains. A 2023 attack on a parts supplier cost them over $200 million. But it also forced one of their customers to report a $250 million loss in the next quarter because they couldn't get their parts. Your recovery time also became your customer's crisis.
• Contractual and legal penalties: You are now failing to meet delivery deadlines for all your customers, triggering massive fines and lawsuits.
• Reputational and market damage: Customers and investors lose faith. It can take years to rebuild the trust that you are a reliable partner.
• Regulatory fines: In critical infrastructure, regulators are not patient. Organizations can face enormous fines from bodies like NERC, or under regulations like NIS2, for both the breach and the failure to restore services promptly.
• Increased insurance premiums: After you file a claim of this magnitude, your cyber insurance premiums will, at best, skyrocket. At worst, you may be considered uninsurable.
• The "human cost": The immense stress, long hours, and pressure on the IT, OT, and engineering teams during a months-long recovery leads directly to burnout and employee turnover, draining the company of its most valuable institutional knowledge.
The solution: Prevention and resilience must run together
The hard truth is that complete prevention may not be possible. Attackers are constantly finding new ways to get in, often moving laterally from the corporate IT network into the OT environment.
The solution is not to just build higher walls (prevention) but to invest in a faster recovery (resilience). The goal must be to shrink the recovery window from months to days.
• Gain visibility: You cannot protect or recover what you can't see. A complete, up-to-date inventory of all OT assets is the non-negotiable first step.
• Develop an OT-specific IR plan: An IT-centric incident response plan is useless here. The plan must involve plant engineers, safety officers, and operations managers, and it must be drilled and tested regularly.
• Invest in secure, offline backups: Have tested, validated, and offline "black start" backups for all critical systems (PLCs, HMIs, historians) that can be restored with confidence.
• Enforce network segmentation: The strongest defense is a hard line between IT and OT networks. This prevents an attacker who compromises an email account from "jumping" to the factory floor, containing the breach before it can spread.
Ultimately, the true cost of an OT cyberattack isn't a single number. It's a calculation: (Cost of Downtime per Hour) times (Hours to Recover).
While you can't control every threat, you can control the recovery variable. By investing in resilience, you're not just buying a security tool; you're buying time. And in the world of OT, time is everything.
Learn more about how focused OT incident response can make a huge difference to your business.
Reach out now for a complimentary and custom incident response briefing for your leadership.