Bob Ackerman is Managing Director & Founder of AllegisCyber Capital.
The threat to America’s critical infrastructure is no longer theoretical—it’s happening now. Nation-state adversaries, led by China, are actively pre-positioning within the operational technology (OT) systems that control manufacturing lines, power generation and industrial processes. Beyond being critical infrastructure, these systems are primary revenue engines for many Fortune 500 companies.
“CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors. … And what we’ve found to date is likely the tip of the iceberg,” warned then-CISA Director Jen Easterly in a 2024 congressional testimony. The 2025 Annual Threat Assessment confirms that “China has demonstrated the ability to compromise U.S. infrastructure through formidable cyber capabilities that it could employ during a conflict with the United States.”
Yet despite these risks, most Fortune 500 boards lack the operational technology expertise needed to provide adequate oversight. Research shows that only 12% of S&P 500 companies had at least one director with an information security background. Even fewer can be assumed to have specific OT security knowledge.
The Revenue Impact Reality
When operational technology systems are compromised, the business impact is immediate, severe and measurable:
• Production Shutdowns: Every hour of OT downtime equals direct revenue loss.
• Quality Failures: Compromised systems may produce defective products, triggering recalls and liability exposure.
• Supply Chain Cascades: OT incidents ripple through interconnected suppliers and industry sectors.
• Extended Recovery: Restoration can take weeks to months, requiring costly alternative arrangements.
The 2021 Colonial Pipeline ransomware attack shut down the largest refined products pipeline in the United States for several days, creating fuel shortages and demonstrating how OT disruptions cascade through the economy. Norsk Hydro, a major renewable energy and aluminum producer, suffered production shutdowns across multiple facilities due to an OT-targeted cyberattack, resulting in $70 million in estimated losses.
Unlike IT systems that can often continue operating with degraded performance, OT systems typically have binary outcomes: They work, or production stops entirely. A compromised programmable logic controller can shut down an entire manufacturing line. A disrupted SCADA system can force an oil refinery offline.
The Nation-State Strategic Timeline
Intelligence assessments consistently point to Chinese preparations for potential Taiwan action around 2027. Former FBI Director Christopher Wray’s warning to Congress was unambiguous: “The PRC has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.”
The scale of the threat has grown dramatically—from five nation-state groups targeting industrial infrastructure in 2018 to over 20 such groups in 2024, according to Dragos co-founder and CEO Robert M. Lee’s congressional testimony. A February 2024 assessment of the “Volt Typhoon” campaign revealed Chinese state-sponsored hackers embedded within critical infrastructure networks, positioning for maximum disruption of business operations during potential future conflicts.
This represents asymmetric warfare for the digital age, where a relatively small number of hackers can potentially neutralize the world’s most advanced economy by weaponizing its own digital infrastructure.
Five Questions Boards Need To Answer Now
1. Do we know what operational technology we have and how critical it is to our revenue?
Most boards can’t answer this basic question. Require comprehensive mapping of all OT assets—from manufacturing control systems to building management—and their direct connection to revenue generation. Without this visibility, you’re governing blind.
2. Who on our board can evaluate operational technology risks?
If the answer is “no one,” you have a governance gap that puts shareholder value at risk. Consider adding board members with OT expertise or establishing a dedicated technology risk committee. Both IT and OT need to be regular agenda items in board and executive meetings so budget allocations reflect a holistic view that includes both IT and OT security requirements. CISOs should have OT-specific knowledge or partner with OT leadership—typically the vice president or head of operational technology/engineering—to co-present and address domain-specific risks to operations, safety and compliance.
3. How would we know if our production systems were compromised right now?
Mandate regular third-party OT security assessments and establish clear incident reporting protocols. If you can’t detect compromise, you can’t defend against it.
4. What would happen to our business if our main production facility went offline for a month?
Run tabletop exercises that simulate OT security incidents. Most business continuity plans ignore operational technology attacks. Understand your recovery costs, alternative arrangements and insurance coverage gaps before you need them.
5. How are we turning operational resilience into competitive advantage?
Companies with superior OT security maintain more consistent production and command premium pricing. Are you positioning operational resilience as a differentiator with customers and investors, or just treating it as a cost center?
The Fiduciary Imperative
The convergence of nation-state threats, regulatory requirements and business dependencies creates an urgent imperative for board-level action on operational technology security. Unlike traditional cybersecurity issues that primarily affect data and systems, OT security directly impacts the core business functions that generate shareholder value.
Boards spend enormous amounts of time overseeing financial risks and market risks, but neglect the systems that create revenue. With nation-state adversaries specifically targeting these revenue-generating systems, this governance gap has become an existential risk that boards can no longer afford to ignore.
Operational technology security has become a fiduciary imperative. The protection of revenue-generating industrial systems now requires the same level of board attention as any other critical business risk. The time for reactive governance has passed. Whether Fortune 500 boards like it or not, they are now a part of a larger global conflict that may determine the shape of the 21st century. The stakes are only as high as the continued functioning of American society.
The information provided here is not investment, tax or financial advice. You should consult with a licensed professional for advice concerning your specific situation.
Forbes Finance Council is an invitation-only organization for executives in successful accounting, financial planning and wealth management firms. Do I qualify?