In late December 2025, a cyberattack disrupted parts of Poland’s energy sector, affecting around 30 wind, solar, and combined heat and power facilities. Attackers exploited weak or default credentials and deployed destructive malware on internet-exposed systems, showing a clear intent to disrupt operations. While the incident was contained before major outages occurred, it highlights the growing cyber risk to operational technology (OT), especially in renewable and distributed energy environments. OT cybersecurity is now an essential pillar of operational resilience.
OT systems, such as industrial control systems, Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLCs), and field devices, are now deeply interconnected with information technology networks, cloud environments, and remote access. While this connectivity improves efficiency and visibility, it also expands exposure to cyber threats that can disrupt far more than data. Unlike IT incidents, OT incidents can directly impact physical processes, business continuity, and human safety.
Five Key OT Risk Management Challenges and How Portfolio Companies Can Fix Them
The hardest part of managing OT cyber risk isn’t fixing problems. It is knowing where they are in the first place. And that’s the core problem many portfolio companies face with OT risk. OT environments often aren’t being consistently assessed or tracked by portfolio companies, and private equity (PE) sponsors typically have even less visibility across their portfolios. What makes this more concerning is that PE firms want to support their portfolio companies with the right resources, tools, and expertise, but without clear visibility, it’s hard to know where to focus.
Data from ACA’s Vantage for Cyber assessments reinforces this gap: 79% of portfolio companies show elevated risk in OT, compared to 59% in other areas such as Application and Product Security, People and Processes, and Protection. OT risk is both more prevalent and less understood.
In this section, we’ll break down the key OT challenges portfolio companies and PE firms need to be aware of and outline practical actions they can take to start reducing that risk.
| No. | Challenge | Description | Corresponding Prioritized Action(s) |
|---|---|---|---|
| 1. | Governance Ambiguity | OT risk sits between functions (IT/OT/Operations), leaving no single accountable owner; risk decisions become implicit rather than intentional. | • Defined Roles and Governance: assign a clear OT risk owner, establish cross-functional governance, and regularly update leadership on risk posture. |
| 2. | Weak Access Controls | Shared credentials, inconsistent authentication, and broad vendor/third-party access increase risk of unauthorized entry into critical systems. | • Strong Access Controls: implement least privilege, require multi-factor authentication for remote/vendor access, monitor internal and third-party access. |
| 3. | Inadequate Monitoring and Detection | Traditional tools struggle with industrial protocols; active scanning can disrupt operations; threats are detected only after physical or operational impact. | • OT‑Focused Threat Monitoring: use OT‑aware tools, incorporate OT threat intelligence, and triage response procedures. • IT/OT Integration: design and enforce IT/OT integration controls to securely manage connectivity, access, and data exchange between IT and OT environments. • Network Segmentation: implement network segmentation to isolate critical OT assets from less sensitive systems. |
| 4. | Limited Preparedness for OT Incidents | Most incident response plans are written for IT, not industrial environments. Roles are unclear and OT scenarios aren’t tested, leading to unplanned decisions during incidents. | • OT-Specific Incident Response (IR): tailor IR to OT; run tabletop exercises and simulations focused on safety and continuity. |
| 5. | Legacy Infrastructure | Decades-old OT systems often run unsupported operating systems/firmware and can’t be patched easily without downtime, leaving known vulnerabilities in place while balancing safety and uptime. | • Patching Policy: have an OT patching policy defining what to patch, when to patch, and how to test updates safely. • Compensatory Security Controls: where patching is not feasible, reduce risk through compensatory controls such as network segmentation, deny‑by‑default firewall rules, zero‑trust port and protocol filtering, controlled remote access via jump hosts, and practical air gapping or one‑way data transfer for critical systems. • Structured Risk Assessments: conduct periodic OT risk assessments to identify, evaluate, and prioritize risks impacting safety, availability, and critical operations. • Accurate OT Asset Inventory: maintain an up‑to‑date inventory of OT assets, including classification by criticality and risk. |
Operational technology cyber risk is real, but it’s manageable with the right visibility. ACA Vantage for Cyber gives both PE sponsors and portfolio companies a shared, independent view of OT risk by identifying recurring issues across the portfolio and tracking remediation over time. This alignment enables coordinated action and measurable improvement. Portfolio companies using ACA Vantage for Cyber for more than a year reduced elevated risk from 57% to 34%, showing that with structure and insight, OT challenges can be meaningfully reduced.
How ACA Vantage Quantifies Risks
ACA’s portfolio oversight solution, ACA Vantage for Cyber, can provide ongoing visibility into your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage.
ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha®, and our exclusive “RealRisk” risk assessment methodology.
ACA will help you to:
- Align your cybersecurity oversight program to investor needs by leveraging best practices developed through working with over 100 firms on oversight
- Save time with instant access to assessment results and the status of related remediation efforts
- Keep stakeholders informed and direct resources where they are needed most
- Uncover your firm’s investment risk, from the fund level all the way down to individual cyber capabilities at individual portfolio companies
Take the first step toward stronger operational technology resilience.