Most OT cyber threats that target critical infrastructure (power, water, manufacturing) never make the news. They don’t get disclosed. Sometimes, they aren’t even recognized.
This persistent underreporting isn’t just a data gap. It’s a risk amplifier – a force multiplier that leaves CISOs blind to real threats, makes security planning reactive instead of proactive, and ultimately puts physical systems at risk.
Why? Because underreporting causes:
Blind spots across the industry: Without shared incident data, threat intel remains incomplete. That means attack methods get recycled while defenders stay in the dark.
Missed warning signals: Trends that should trigger preventive action (like repeat targeting of certain PLCs or entry via IT) go unnoticed across sectors.
Distorted risk models: If breach numbers appear low, executives and regulators assume controls are working. Investments shift to perceived risks, not real ones.
Delayed response maturity: You can’t improve incident response when you don’t know what incidents actually happen. Lessons stay local instead of becoming systemic.
False sense of security: Without visibility into failures, organizations overestimate their readiness, and underestimate attacker capability.
The result: physical infrastructure remains exposed, while threat actors adapt faster than the systems designed to stop them.
Only 76 cyberattacks with physical consequences were publicly reported in 2024 (Waterfall 2025 report). But researchers state clearly: the actual number is certainly far higher.
The number of sites impacted by those attacks increased 146%, yet disclosures rose by just 5%.
In 2021, three U.S. water utilities were hacked. None were publicly reported until months later via government briefings.
90% of attacks that led to physical consequences didn’t directly touch OT systems—they were triggered through disruptions in IT systems that OT depends on.
According to anecdotal evidence from Siga’s Critical Infrastructure customers, underreporting is far more common than most CISOs realize, especially in sectors like water, energy, and defense.
CISOs can’t protect what they can’t see. And in the OT world, what’s visible is only a sliver of the actual threat surface. When incidents go unreported, the consequences ripple outward:
Prevents sector-wide learning: If no one shares what went wrong, others can’t prepare for similar threats.
Conceals patterns and vulnerabilities: Attackers reuse the same methods. Without visibility, defenders can’t spot recurring behaviors.
Distorts executive and regulatory risk assessments: If incident counts look low, boards and regulators may falsely assume current protections are working—leading to complacency or underinvestment.
Real-World Example: Microsoft Azure Australia East Data Center Outage
In August 2023, the Azure data center in Australia East experienced a significant outage. A voltage dip caused all five cooling chillers to shut down, leading to overheating of servers and disruption of cloud services.
The event was classified as an engineering failure. There was no official indication of cybersecurity involvement, and no breach was reported. However, the incident raised concerns within the OT security community because the failure pattern—five independent chiller systems failing simultaneously—had an extremely low probability of occurring by chance during an unmitigated voltage sag.
The scenario highlights a deeper issue: if such an event had been the result of a targeted cyberattack on sensor-level infrastructure, it likely would have gone undetected. Current OT systems often lack the authentication and visibility needed to distinguish between technical faults and malicious interference. This underscores a critical gap in how OT incidents are reported and investigated.
Reputational risk: Publicizing an OT breach may lead to investor panic, media scrutiny, or legal exposure, driving some companies to opt for silence.
Regulatory inconsistency: Different sectors have different rules. Many OT incidents don’t meet the formal threshold for reporting—or fall through jurisdictional cracks.
Detection blind spots: In OT, logs rarely go deep enough. If sensor data is spoofed or process behavior is manipulated, traditional cybersecurity tools simply won’t see it.
The Connection to Level 0 Cybersecurity
Most attacks don’t go unreported just because of policy. They go unreported because they’re invisible until something breaks.
That’s not just a disclosure problem. That’s a detection problem.
Level 0 cybersecurity addresses this by monitoring the raw physics of the system itself—flow rates, vibration, voltage, pressure—at the sensor and actuator level. It doesn’t depend on software logs, network alerts, or packet captures. It watches how the physical system behaves in real time.
Had Level 0 monitoring been in place at Microsoft’s Australia East data center—or those unreported water utility breaches—abnormal process behavior could have been detected and verified early, regardless of whether anyone ever disclosed it.
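To make the detection idea concrete, here is an added toy example (not Siga’s product code and not tied to any real site): each chiller reports a status word over the control network, while a Level 0 tap reads the raw motor current. The two checks flag a status that contradicts the physics (a possible spoofed sensor or controller value) and a near-simultaneous loss of load across several independent units, the pattern the Australia East incident raised questions about. All sample readings, names and the 20 A threshold are constructed assumptions.

```python
from dataclasses import dataclass

RUNNING_MIN_AMPS = 20.0   # assumed: below this the chiller motor is physically off

@dataclass
class Sample:
    t: float           # seconds since start of the capture
    chiller: str       # unit name (constructed)
    reported_on: bool  # status word as seen in SCADA / controller logs
    amps: float        # raw motor current read at the sensor level (Level 0)

def find_spoofed(samples):
    """(t, chiller) pairs where the reported status contradicts the measured load."""
    out = []
    for s in samples:
        physically_on = s.amps >= RUNNING_MIN_AMPS
        if s.reported_on != physically_on:
            out.append((s.t, s.chiller))
    return out

def find_common_mode_trip(samples, window=2.0, min_units=3):
    """Times when at least min_units independent chillers lost load within
    `window` seconds of each other; one event per window, a pattern that is
    unlikely by chance and worth investigating regardless of what logs say."""
    last_on, trips, events = {}, [], []
    for s in sorted(samples, key=lambda x: x.t):
        on = s.amps >= RUNNING_MIN_AMPS
        if last_on.get(s.chiller) and not on:      # running -> stopped
            trips.append((s.t, s.chiller))
        last_on[s.chiller] = on
    for t, _ in trips:
        if events and t <= events[-1][0] + window:
            continue                                # already inside a reported window
        group = sorted({c for tt, c in trips if t <= tt <= t + window})
        if len(group) >= min_units:
            events.append((t, group))
    return events

def constructed_samples():
    """Constructed capture: five chillers running, all tripping within ~1 s,
    then one unit whose reported status claims 'on' while drawing no current."""
    s = [Sample(0.0, f"CH{i}", True, 42.0 + i) for i in range(1, 6)]
    for i, dt in enumerate([0.0, 0.3, 0.4, 0.9, 1.1], start=1):
        s.append(Sample(10.0 + dt, f"CH{i}", False, 0.0))
    s.append(Sample(20.0, "CH2", True, 0.4))        # spoofed / stale status word
    return s

if __name__ == "__main__":
    print("status contradicts physics:", find_spoofed(constructed_samples()))
    print("common-mode trips:", find_common_mode_trip(constructed_samples()))
```

Real deployments would compare more than one physical quantity (current, pressure, flow, vibration) against each other, but the principle is the same: the physics is the ground truth, and the network-reported state is checked against it.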
The underreporting of OT threats makes it harder to defend critical infrastructure.
But the real problem isn’t lack of transparency – it’s lack of visibility.
CISOs need to look below the network layer. Because what’s happening in the pipes, pumps, valves, relays, and chillers can’t be spun or buried.
It’s either working, or it’s not.
And if it’s not, you need to know why, before it’s too late.