Your last OT security assessment produced findings. Probably a lot of them. Vulnerability counts, asset inventories, risk scores, maybe a color-coded heat map. The report was delivered. Leadership reviewed it. The security team was asked to build a remediation plan.
Then nothing happened.
This is common. Only 4% of ICS vulnerabilities are actively exploited at the time of disclosure, with a median of 24 days from disclosure to public exploit [1]. The window for action exists. The plans to act inside it do not.
The reason is not apathy. It is a structural disconnect between how assessments are delivered and how operations actually work.
The Report That Operations Won’t Approve
A typical assessment report says: vulnerability X affects asset Y; recommended action is to apply patch Z. What it does not say is which production process depends on that asset, what happens to that process during patching, how long the outage lasts, whether the patch has been validated against the specific firmware running on that device, and who is responsible if something goes wrong.
Operations teams are measured on uptime. Manufacturing outages cost between $100,000 and $250,000 per hour, with 27% of organizations reporting costs in this range [2]. 65% of organizations cite fear of operational disruption as a major barrier to security rollouts [2]. When the cost of the fix might exceed the cost of the vulnerability, operations has a rational basis for saying no.
So assessments produce findings. Security produces recommendations. Operations reviews them and stalls. The cycle continues.
The CVSS Problem
Most programs prioritize vulnerabilities by CVSS severity. A 9.8 goes to the top. A 4.2 goes to the bottom. Severity equals urgency.
In OT, that assumption fails. A CVSS 9.8 on an HMI controlling a validated production line is not the same as a 9.8 on a development workstation. Patching the workstation takes minutes. Patching the HMI requires maintenance windows, production scheduling, validation testing, and operational sign-off, which can take weeks.
Nearly half (48%) of vulnerabilities found in OT/IoT environments in H2 2025 were rated Critical or High severity [3]. When everything is critical, nothing is.
What’s Missing
Assessments fail before they start because they produce findings without a path to action. The output is a list of problems. What operations needs is a plan it can evaluate: which assets to address first based on actual operational risk, what the production impact of each fix looks like, and a structured approval process that gives site teams a clear review path.
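To make the difference between severity and operational priority concrete, here is an added example (not part of the original post) that re-ranks findings the way the two sections above argue: by the risk of leaving a finding open, weighted by the process that depends on the asset and by observed exploitation, with the production cost of each fix and the approvals it needs reported alongside. The weighting factors, finding ids, asset names and outage costs are constructed assumptions, not data from the cited reports.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    finding_id: str            # constructed placeholder, not a real CVE id
    asset: str
    cvss: float
    exploited_in_wild: bool
    process_criticality: int   # 1 = dev/test box .. 5 = validated production line
    outage_hours: float        # expected downtime to apply the fix
    outage_cost_per_hour: float

def operational_risk(f: Finding) -> float:
    """Risk of leaving the finding open: CVSS scaled by the criticality of the
    process that depends on the asset, boosted when exploitation is observed.
    The 1.5 factor is an assumed weight, not a standard."""
    exploit_factor = 1.5 if f.exploited_in_wild else 1.0
    return f.cvss * f.process_criticality * exploit_factor

def fix_cost(f: Finding) -> float:
    """Production impact of applying the fix, in currency units."""
    return f.outage_hours * f.outage_cost_per_hour

def plan_entry(f: Finding) -> dict:
    """One line of a remediation plan that operations can evaluate."""
    window_needed = f.process_criticality >= 4 and f.outage_hours > 0
    approvals = ["site operations", "security"]
    if window_needed:
        approvals.append("validation")   # assumed sign-off for validated lines
    return {
        "id": f.finding_id,
        "asset": f.asset,
        "cvss": f.cvss,
        "operational_risk": operational_risk(f),
        "fix_cost": fix_cost(f),
        "needs_maintenance_window": window_needed,
        "approvals": approvals,
    }

def build_plan(findings) -> list:
    """Highest operational risk first; ties broken by the cheapest fix."""
    ordered = sorted(findings, key=lambda f: (-operational_risk(f), fix_cost(f)))
    return [plan_entry(f) for f in ordered]

# Constructed sample findings: two CVSS 9.8 items on very different assets,
# plus a lower-scored but actively exploited PLC issue on the same line.
SAMPLE_FINDINGS = [
    Finding("F-001", "line-3 HMI", 9.8, False, 5, 8.0, 150_000.0),
    Finding("F-002", "dev workstation", 9.8, False, 1, 0.25, 0.0),
    Finding("F-003", "line-3 PLC", 7.5, True, 5, 4.0, 150_000.0),
]

if __name__ == "__main__":
    for entry in build_plan(SAMPLE_FINDINGS):
        print(entry)
```

Run as-is, the exploited PLC finding outranks both 9.8s, and the HMI entry carries its eight-hour outage cost and the extra validation sign-off, while the workstation fix can be scheduled immediately with no window.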
The gap between finding risks and fixing them is not a technology problem. It is a process problem. And it persists regardless of how much you spend on detection.
Sources:
1. Dragos 9th Annual OT/ICS Cybersecurity Year in Review, 2026
2. TXOne Networks / Omdia OT Security Survey, 2025
3. Nozomi Networks OT/IoT Security Report, 2H 2025

