DeNexus Blog - Industrial Cyber Risk Quantification

What the Homeland Security Committee “Threat Snapshot” Means for Critical Infrastructure — and Why OT Cyber Risk Quantification Is Now Essential

Written by DeNexus | Nov 14, 2025 1:47:12 PM

The Cyber Threat Landscape Facing OT Operators Has Changed 

The U.S. House Committee on Homeland Security’s Cyber Threat Snapshot (Oct 2025) provides one of the clearest signals yet that critical infrastructure operators are entering a new era of persistent, high-impact cyber threats. 

The report identifies sharp increases in: 

  • State-sponsored campaigns (PRC, Iran, Russia, North Korea) 
  • Pre-positioning inside critical infrastructure networks 
  • Zero-day exploitation across core networking equipment 
  • Ransomware and extortion campaigns targeting utilities and industrial firms 
  • AI-enabled intrusion techniques accelerating attacker capability 
  • Visibility gaps caused by lapses in federal information-sharing authorities 

For operators in energy, water, manufacturing, telecom, and transportation, the implication is clear: 

Traditional OT security approaches cannot keep pace with the scale, speed, and business impact of today’s threat actors. 

 

Why This Report Matters for Critical Infrastructure 


OT networks face a perfect storm of conditions described directly in the report: 

  • Legacy control systems with limited patching 
  • High-value physical processes that adversaries want to disrupt 
  • Increasing connectivity to IT networks and cloud systems 
  • Vendor access paths and remote maintenance channels 
  • Limited security resources compared to enterprise IT 
  • Rising geopolitical tension that increases targeting of Western infrastructure   

The report confirms what many CISOs and OT security leaders already feel: 

Threat volume is increasing, threat sophistication is increasing, and the margin for error is shrinking. 

This is precisely why quantifying OT cyber risk — not just identifying vulnerabilities — is now essential. 

 

Why OT Cyber Risk Quantification Is Now Essential 

 Historically, OT risk has been communicated using qualitative labels: 

  • High 
  • Medium 
  • Low 

But these labels do not help boards, CFOs, or regulators understand: 

  • Financial exposure 
  • Operational downtime cost 
  • Safety and regulatory impact 
  • Insurance implications 
  • Return on cybersecurity investment 

Cyber Risk Quantification (CRQ) solves this gap by converting OT cyber threats into business-aligned, financial metrics such as: 

  • Expected Loss 
  • Value at Risk (VaR) 
  • Scenario-driven impact modeling 
  • Cost-benefit ROI of controls 

This allows executives to not only understand their exposure — but to justify the right investments with evidence. 

 

How DeNexus Helps OT Operators Address the Report’s Key Threats 


DeNexus’ DeRISK platform provides a data-driven approach to industrial cyber risk quantification and vulnerability management. 

Below is how DeRISK directly maps to the threats highlighted in the Homeland Security Committee report. 

  1. Manufacturing and Industrial Sectors Are Top Targets

Threat Identified: Nation-state and opportunistic criminal networks are targeting manufacturing, energy, transportation, and other industrial sectors. 70% of cyber attacks involved critical infrastructure. 

DeRISK Response: 

  • Specifically designed for industrial control systems (ICS) and operational technology (OT) infrastructures 
  • The only CRQM platform with specific financial models for manufacturing losses such as waste materials, contractual penalties, and startup and recovery costs 
  • Supports telemetry from leading ICS/OT cybersecurity solutions (e.g., Nozomi, Claroty, ForeScout, Tenable, …) 

 

  2. State-Sponsored Pre-Positioning in OT Networks

Threat Identified: Long-term access inside critical infrastructure networks by PRC, Russian, and Iranian actors. 

DeRISK Response: 

  • Models different loss types from actors having access to ICS/OT systems 
  • Quantifies financial loss of facility downtime 
  • Identifies which assets have the highest value-at-risk 
  • Guides segmentation, mitigation, and monitoring priorities 

 

  3. Ransomware & Extortion Targeting Infrastructure

Threat Identified: Ransomware affecting utilities, municipalities, and industrial operations. 

DeRISK Response: 

  • Quantifies downtime costs and potential extortion values across plant sites 
  • Demonstrates ROI of backup, disaster recovery, and other mitigation strategies 
  • Models cascading operational disruptions or contractual obligations 

  

  4. AI-Enhanced Attacks and Emerging Tradecraft

Threat Identified: 1 in 6 breaches driven by AI-enabled techniques. 

DeRISK Response: 

  • Updates likelihood models with current threat intelligence 
  • Accounts for elevated probability of exploitation as threat actor activity increases 
  • Reduces dependence on lagging information-sharing channels by using data-driven threat intelligence 

 

How OT CRQ Works Inside DeRISK 

  

Step 1 — Define Scope of OT Assets and Security Controls 

Upload a list of cyber assets, including ICS/SCADA, PLCs, and network infrastructure. Provide the maturity of the cybersecurity program to identify strengths and weaknesses. 


Step 2 — Identify Vulnerabilities & Exposure 

Upload CVE telemetry from vulnerability management systems, along with network zones and firewall access lists. 


Step 3 — Calculate Likelihood (Threat Frequency Modeling) 

DeRISK incorporates cybersecurity controls (that is, the effectiveness of safeguards) and vulnerabilities, along with global attack trends from external sources, to estimate the number of attacks and their probability under the current cybersecurity design. 


Step 4 — Calculate Impact in Real Business Terms 

Input financial attributes about the company and facility, which are used to estimate the potential for downtime, extortion, equipment damage, and more. 


Step 5 — Compute Expected Loss & VaR 

A single attack scenario simulates one access vector, one path through the environment, and its potential impact. This is repeated over millions of iterations to evaluate all access vectors and all loss types, producing financially quantified, board-ready risk numbers that include low-probability, high-impact events. 


Step 6 — Prioritize Controls Based on ROI 

Simulate different projects and risk mitigation scenarios, identify which delivers the best return on investment, and see where investment reduces the most risk. 

 

Step 7 — Align Cyber Risk with Enterprise Risk 

 Communicate cyber risk in financial metrics that CFOs, boards, and insurers understand and can align with other risks to the enterprise. 
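
Steps 3 through 6 describe a frequency-and-severity Monte Carlo simulation. The sketch below is an added example, not DeNexus code and not DeRISK's model: it assumes Poisson attempt counts, lognormal loss severity, and constructed vector parameters and control cost, and computes expected loss, VaR, and the ROI of one control.

```python
import math
import random

# Constructed access vectors (illustrative values, not data from the report or DeRISK).
VECTORS = [
    {"name": "vendor_remote_access", "attempts": 4.0, "p_success": 0.05,
     "median_loss": 800_000, "sigma": 0.8},
    {"name": "it_ot_boundary", "attempts": 6.0, "p_success": 0.02,
     "median_loss": 2_000_000, "sigma": 1.0},
]

def poisson(rng, lam):
    """Knuth's method: number of attack attempts in one simulated year."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate(vectors, years=20_000, seed=7):
    """Return one total loss per simulated year (frequency x severity)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for v in vectors:
            for _ in range(poisson(rng, v["attempts"])):
                # Draw both numbers on every attempt so runs with different
                # p_success consume the same random stream (common random numbers).
                u = rng.random()
                severity = rng.lognormvariate(math.log(v["median_loss"]), v["sigma"])
                if u < v["p_success"]:
                    total += severity
        losses.append(total)
    return losses

def expected_loss(losses):
    return sum(losses) / len(losses)

def value_at_risk(losses, q=0.95):
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def control_roi(vectors, target, new_p_success, annual_cost):
    """ROI = (reduction in expected loss - control cost) / control cost."""
    after = [dict(v, p_success=new_p_success) if v["name"] == target else v
             for v in vectors]
    before_el = expected_loss(simulate(vectors))
    after_el = expected_loss(simulate(after))
    return (before_el - after_el - annual_cost) / annual_cost

if __name__ == "__main__":
    base = simulate(VECTORS)
    print(f"EL={expected_loss(base):,.0f}  VaR95={value_at_risk(base):,.0f}")
    print(f"ROI={control_roi(VECTORS, 'vendor_remote_access', 0.01, 60_000):.2f}")
```

Because the baseline and the mitigated run share one random stream, the difference between them reflects the control alone rather than sampling noise.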

 

What This Means for Critical Infrastructure Leaders 

The Homeland Security report confirms that: 

  • Threats are becoming more systemic 
  • Attackers are becoming more aggressive 
  • OT networks are becoming more targeted 
  • Information-sharing gaps increase exposure 

 Quantifying OT cyber risk is no longer optional — it is the new standard for security governance, insurance, and regulatory accountability. 

 

Take the Next Step: See Your OT Risk in Financial Terms 

Discover how DeNexus can help you quantify and prioritize cyber risk across your OT environment. 
