Critical Infrastructure’s Cyber Blind Spot: The Dangerous Gaps in OT Security Training

In the depths of a mining pit, an engineer monitors a colossal autonomous truck, while miles away, a technician fine-tunes the control systems of a water treatment plant. Both are surrounded by powerful, internet-connected machines - prime targets for cybercriminals. Yet, according to a new report, these frontline defenders are woefully underprepared to spot or stop a cyberattack. The problem? A widespread failure to deliver meaningful, role-specific operational technology (OT) cybersecurity training.

Cyber Defenses Built on Sand

The latest study by Australian OT security firm Secolve paints a stark picture of cybersecurity readiness in the nation’s most vital industries. Surveying senior professionals from energy, water, manufacturing, mining, oil and gas, and supply chain sectors, the report uncovers a systemic neglect of practical, ongoing OT cybersecurity education.

The numbers are alarming: nearly a quarter of respondents have never undergone OT-specific training, while another fifth received it only once - during onboarding. Even then, most training is generic, often borrowed wholesale from traditional IT programs. The result? Workers in physically hazardous, digitally complex environments are being given the same cybersecurity advice as office staff.

“It’s utterly nonsensical,” says Secolve CEO Laith Shahin. “Training a mining engineer and a desk worker the same way is like not training them at all.” The report warns that this “one-size-fits-none” approach leaves critical infrastructure open to attack, especially as industrial environments become increasingly connected and targeted by cybercriminal groups.

Immature Culture, Real-World Consequences

The immaturity of OT cybersecurity is more than a theoretical risk. Only 55% of leaders trust their frontline staff to spot and report suspicious activity. Essential threats - such as unauthorized remote access and infected USB drives - are well-known, but most organizations lack robust procedures or the confidence that staff can respond effectively.

The root of the issue, according to the report, is an over-reliance on compliance-driven, IT-centric training at the expense of scenario-based, role-specific education. Shahin advocates for continuous, gamified learning integrated into daily safety routines - a far cry from the outdated, box-ticking exercises currently in place.

As the digital and physical worlds merge on factory floors and in the field, the stakes are rising. Without urgent reforms to OT cybersecurity training, Australia’s critical infrastructure could remain exposed to the world’s most determined cyber adversaries.