When you think about the biggest threats to uptime and safety in industrial environments, you might picture an equipment failure or a supply chain delay. But as the recent cyberattack on Nucor proves, the real risk could be sitting quietly in your network — unpatched, under-protected, and underestimated.
Nucor, the largest steel producer in the US, undoubtedly has resiliency plans in place. But in May 2025, even this manufacturing giant was forced to temporarily halt production across multiple facilities due to a cyberattack.
According to recently published filings, the attackers gained access to Nucor’s IT environment and then exfiltrated data. Recovery took time. Systems were pulled offline. And operations across the US, Canada, and Mexico were impacted.
To their credit, Nucor contained the breach. They reported that the incident had no material impact on their quarterly financials.
But here's the uncomfortable truth: the attack still worked. It caused downtime. It appears to have exposed data. It triggered trading drops. And it proved, yet again, that even the most robust, well-established industrial enterprises are vulnerable.
Why? Because inaction is a risk strategy. And too many organizations still settle for it.
When organizations delay security modernization, they rarely see it as an active decision. It feels more like maintaining the status quo. But in cyber-physical environments, “the way it’s always been” is a threat surface. Especially when:
- IT and OT systems are increasingly interconnected
- Third-party vendors connect remotely without granular controls around access, connectivity, and supervision
- Legacy systems can’t support modern security best practices like strong authentication
And the risk of data breaches is far from the only threat facing today's industrial organizations.
Failure to modernize access procedures can lead to misconfigurations, unauthorized changes, and human errors that quietly undermine operational integrity and may eventually result in downtime, safety hazards, or compliance gaps – even with no attacker in sight.
And the ultimate irony? The companies most at risk are likely those most resistant to making changes, fearing disruption, complexity, or cost. But while the cost of doing nothing may be invisible, it certainly isn’t zero.
Downtime hurts, even when it’s brief.
Every minute a critical plant or process is down chips away at customer trust, productivity, and revenue. Even the “limited disruption” at Nucor impacted operations across multiple sites and countries.
Recovery takes time – and expertise.
Cyber incidents aren’t just momentary events. They require containment, forensics, system revalidation, compliance checks, and in many cases, external consultants.
Reputation is currency.
You can’t always measure reputational damage – but there’s no question it’s real. Partners, suppliers, and customers don’t forget security failures, even minor ones. Following the Nucor breach, their trading volume dropped significantly, proving that markets react to even limited incidents.
Regulatory pressure is growing.
Cybersecurity regulations for critical infrastructure are catching up fast. From NIS2 in Europe to SEC disclosure rules in the US, post-breach transparency is no longer optional.
The good news? Security doesn’t have to come at the expense of uptime. The right strategies, designed purposefully for OT environments, can harden access security without disrupting operations or forcing massive infrastructure changes.
It starts with taking control of your access. Can you check all the following boxes?
- Separate IT and OT environments clearly
- Control and monitor third-party access
- Apply least-privilege, identity-based access policies
- Continuously audit and revoke stale credentials
- Avoid exposing system credentials by storing them securely and limiting who can access them
- Use Just-in-Time (JIT) access to eliminate standing privileges
- Implement Zero Trust principles to prevent lateral movement
- Supervise access with session recording and real-time monitoring
- Reduce the overall attack surface by minimizing data exposure — even to your secure access vendor(s)
No one wants to be the next cautionary tale. But the simple reality is that every organization that allows uncontrolled access or maintains outdated security policies is already in the blast radius of both potentially crippling cyberthreats and operational mistakes.
You don’t need to overhaul your entire infrastructure. But you do need to start moving. Start by securing instances of privileged access. Start by adding visibility. Start by ensuring control.
Because when it comes to securing critical operations, doing nothing is no longer an option.