The Secolve Journal

February 3, 2026

Fixing the OT security awareness gap

Operational technology (OT) controls the physical processes that keep critical infrastructure running. This includes everything from pumps in water treatment plants and turbines in power stations to production lines in manufacturing facilities and the systems that transport energy and goods. When OT environments are compromised, the consequences extend beyond data breaches to production shutdowns, safety incidents, and disruption to essential services.

Despite its importance, over half of organisations describe their OT security awareness culture as still “developing”, and just 15.5% of frontline staff report feeling very confident in detecting or reporting cyber threats. 

Secolve’s State of OT Security Awareness report surveyed 84 organisations across energy, manufacturing, water, mining, oil and gas, and critical infrastructure sectors to understand why. The findings reveal three interconnected problems: training lacks relevance to OT environments, happens too infrequently to change behaviour, and fails to build the confidence frontline teams need to act as an effective line of defence. 

A lack of relevant training 

Whilst 72% of organisations provide some form of cyber security training, only 28% tailor it to OT environments. The majority rely on generic IT-focused content, such as phishing awareness, password policies, and email security, that doesn’t address the reality of managing operational systems like large-scale industrial control systems and SCADA networks.

When asked how relevant their current training is to OT environments, more than 83% said it falls short: 

  • 42.86% said it’s too abstract or IT-focused 
  • 40.48% rated it as only “somewhat” relevant


This relevance gap explains why training that looks successful on compliance reports fails to change behaviour on site. Workers can’t apply what they’ve learned because the content doesn’t reflect their daily reality.
 

 

The frequency problem 

Even when organisations provide OT-relevant training, they’re not doing it often enough to create lasting behaviour change: 

Training frequency: 

  • Monthly: 12.20% 
  • Quarterly: 13.41% 
  • Only during onboarding: 20.73% 
  • Never received OT-specific training: 24.39% 
  • Annually: 29.27% 

 

Nearly half of the teams received training only once a year or during onboarding. This infrequent approach treats security awareness as a compliance box-ticking exercise rather than a skill that requires regular practice.

 

The confidence crisis 

The combined effect of irrelevant and infrequent training is evident in frontline confidence levels. Frontline teams are typically the first to notice when something doesn’t look right: unexpected system behaviour, an unfamiliar person accessing equipment, a process running outside normal parameters, or unusual alarms.  

Yet only 15.5% of operational staff feel confident in their ability to spot and report potential threats. If staff don’t recognise these signs or don’t feel safe escalating them, critical early warnings are lost, and incidents escalate.

 

The path to OT security success 

The research reveals not just problems but solutions. When we asked what improvements would most increase training effectiveness, clear priorities emerged. These approaches directly address the three core challenges: making training relevant to OT realities, increasing frequency to build lasting skills, and building the confidence frontline teams need to act as an effective line of defence. 

 

Make training relevant through hands-on, scenario-based learning 

When asked what would most improve training effectiveness, 65% of organisations prioritised hands-on, scenario-based learning. Replace generic IT content with scenarios that reflect actual OT environments, equipment, and workflows. 

Gamification is a growing area of educational design that includes interactive simulations and environments where people can practice decision-making, make mistakes safely, and build pattern recognition that translates to real situations. More than half of the organisations surveyed have tried gamified training, with 94% rating it as an effective training tool. 

This means using industry-specific examples and addressing actual threats like remote access vulnerabilities and third-party risks. Training should cover how industrial control systems actually work, why standard IT security practices don’t directly translate, and practical implementation, such as secure access controls and identifying common attack vectors.

60% of respondents said frontline involvement in exercises would improve effectiveness. Focus on building specific capabilities: conducting risk assessments, implementing network segmentation, understanding how attackers actually compromise OT environments, and learning from actual incidents. 

Establish continuous learning  

Nearly half of organisations surveyed delivered training only once a year or during onboarding. To prevent incidents and grow staff confidence, OT security awareness training needs to move from irregular compliance box ticking to continuous learning that is integrated into regular workflows. 

Build confidence through cross-functional collaboration 

Cross-functional collaboration ranked as the second-highest priority in OT security awareness at 62%. Organisations with more mature security cultures share a common trait: IT, OT, and safety teams work together rather than operating in silos. 

IT teams understand cyber threats and security controls, OT teams understand operational constraints and system behaviour, and safety teams understand risk management and incident response. Where cyber risks are treated as operational hazards (which 75% of organisations now do to some degree), training integrates with existing safety processes rather than competing with them. 

Cyber security must be treated as an operational risk requiring collaboration through joint ownership, shared metrics, and integrated processes. For Australian organisations, this includes understanding compliance requirements under the Security of Critical Infrastructure (SOCI) Act and integrating incident response plans into broader organisational strategies. 

From developing to mature OT security culture 

The path from developing to mature OT security awareness requires addressing all three gaps: relevance, frequency, and confidence. 

Training must reflect operational realities, happen often enough to build lasting skills, and give frontline teams the confidence to act as an effective line of defence. When these elements align, organisations build teams capable of protecting critical infrastructure from evolving threats. 

Download the full State of OT Security Awareness Report for detailed findings and strategic recommendations for building a mature security culture. 

See how OT-SAT addresses these industry challenges with training modules designed specifically for OT professionals. Get in touch with our team today for a demo.
