Group Purchasing
Group Purchasing

From Dwell Time to Dollars: Quantifying the Financial Value of Faster OT Incident Recovery

From Dwell Time to Dollars: Quantifying the Financial Value of Faster OT Incident Recovery (PDF, 1.28MB)Last updated: 09 Jun, 2026
Presented by:
Donovan Tindill
Donovan Tindill

Over the last several years, the SANS State of ICS/OT Security surveys show a consistent pattern: detection and containment timelines are improving, but remediation/recovery remains the long pole—sometimes stretching into weeks or longer. In the 2025 survey, 22% of organizations reported an ICS/OT incident; half of incidents originated from unauthorized external access, and a meaningful portion required extended remediation, including cases exceeding a month and even a year in extreme outliers. Earlier SANS data similarly highlights that organizations can detect quickly, yet operational integrity restoration and remediation can be protracted. This session turns those year-over-year operational metrics into an executive-grade business case. Using cyber risk quantification (CRQ) techniques (e.g., FAIR-aligned thinking), we translate improvements in time-to-detect, time-to-contain, and especially time-to-remediate into expected loss reduction—grounded in industrial consequences such as downtime, equipment damage, regulatory penalties, etc. We will (1) normalize and compare YoY survey distributions from SANS (2021–2025) and triangulate with external benchmarks such as the CS2AI ICS/OT survey (results expected in 25Q2), (2) map the most “value-dense” security improvements (e.g., improved monitoring, incident response exercising, backup resilience) to measurable shifts in financial loss reduction. Audience will see trends in data to infer what the future holds, as well as the financial ROI (in terms of reduced loss) for different mitigation projects that align with these changing trends.

SANS ICS Security Summit 2026