The majority of confirmed OT cyber incidents begin outside standard business hours, with a peak concentration between 11pm and 5am. The analysis, drawn from e2e-assure managed detection telemetry and cross-referenced against public incident disclosures, demonstrates that threat actors are not selecting attack windows at random. They are targeting the hours when operational technology environments are least likely to have active analyst coverage.
The Timing Pattern
Across e2e-assure managed OT deployments, 63% of confirmed threat activity showing lateral movement or pre-impact behaviour was first observed between 23:00 and 05:00 local time. The concentration was highest on Friday nights into Saturday mornings, a pattern consistent with the documented methodology of several ransomware-as-a-service groups who time deployment to coincide with weekend staffing reductions.
Dwell time, the period between initial access and detectable impact, averaged 11 days across reviewed incidents. In cases where monitoring was time-limited rather than continuous, dwell times were significantly higher, in some cases exceeding 30 days. Independent research published in the e2e-assure OT Security Review 2026 places this in context: the mean time from initial compromise to full remediation across UK CNI and manufacturing organisations is 164 days, comprising 52 days to detect, 59 days to contain, and 53 days to remediate. Every day of undetected dwell time extends that window further.
Why Standard SOC Models Fail in OT
Most enterprise SOC arrangements operate on a business-hours or daytime-weighted model, with reduced capacity in evenings and weekends. For IT environments this is manageable because the attack surface is more homogeneous and detection tooling is more mature. For OT environments, it is a structural vulnerability.
Industrial control systems, SCADA networks, and distributed control systems run continuously. Production does not stop at 5pm. A monitoring model that provides reduced coverage outside business hours is not a cybersecurity posture. It is a schedule that threat actors can plan around.
The OT Security Review found that only 31% of organisations report sub-12-hour detection times. For those relying on IT-adapted detection tools in OT environments, with no continuous, protocol-aware monitoring overnight, the 52-day detection average is not the ceiling. It is closer to the floor.
The Commercial Case for Continuous Coverage
e2e-assure operates a fully staffed 24/7 OT security monitoring capability. Analysts are trained specifically on industrial protocols and OT network behaviour. This distinction matters because OT environments generate network traffic patterns that look anomalous to IT-trained analysts but are entirely normal for industrial processes.
The cost of undetected dwell time in OT environments is quantifiable. The OT Security Review found that 80% of CNI organisations experiencing OT downtime face costs of up to GBP 5 million, with a mean impact of GBP 1.17 million per organisation from their most severe incident. For a mid-sized manufacturer, each additional hour of unplanned production downtime can cost between GBP 50,000 and GBP 250,000. Continuous monitoring is not a premium add-on. It is a baseline control whose absence creates disproportionate financial exposure.
Recommendations for OT Operators
Organisations running OT environments should audit their SOC coverage model against three questions. First, is monitoring continuous across all hours or does analyst capacity reduce at night and at weekends? Second, are the analysts monitoring OT traffic trained on industrial protocols, or are they applying IT detection logic to OT environments? Third, is mean time to detect being measured and benchmarked, or is coverage assumed to be effective without evidence?
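One way to answer the third question with evidence rather than assumption, as an added example that is not e2e-assure's code or tooling: a small Python script run over an incident register (constructed sample records, not real telemetry) that uses the article's 23:00-05:00 window and the Review's 52/59/53-day benchmarks as constants, and reports mean time to detect, contain and remediate, the share of detections under 12 hours, and how many first detections landed in the off-hours and Friday-night windows.

```python
from datetime import datetime
from statistics import mean

# Benchmarks quoted in the article (OT Security Review 2026): mean days per stage.
BENCHMARK_DAYS = {"detect": 52, "contain": 59, "remediate": 53}
OFF_HOURS_START, OFF_HOURS_END = 23, 5  # the 23:00-05:00 window the article highlights
DAY = 86400

# Constructed incident register (sample data, not e2e-assure telemetry); local time.
INCIDENTS = [
    {"id": "inc-1", "access": "2026-01-02T01:00", "detected": "2026-01-10T01:00",
     "contained": "2026-01-12T01:00", "remediated": "2026-01-20T01:00"},
    {"id": "inc-2", "access": "2026-01-05T09:00", "detected": "2026-01-05T15:00",
     "contained": "2026-01-06T15:00", "remediated": "2026-01-09T15:00"},
    {"id": "inc-3", "access": "2026-01-01T00:00", "detected": "2026-02-04T00:00",
     "contained": "2026-02-10T00:00", "remediated": "2026-02-20T00:00"},
    {"id": "inc-4", "access": "2026-01-09T12:00", "detected": "2026-01-11T12:00",
     "contained": "2026-01-13T12:00", "remediated": "2026-01-16T12:00"},
]

def is_off_hours(ts):
    """True for 23:00-05:00 local time; the window wraps midnight."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END

def is_friday_night_window(ts):
    """Friday 23:00 through Saturday 05:00, the peak the article describes."""
    return (ts.weekday() == 4 and ts.hour >= 23) or (ts.weekday() == 5 and ts.hour < 5)

def stage_days(inc):
    """Days in each stage: access->detected, detected->contained, contained->remediated."""
    t = {k: datetime.fromisoformat(inc[k]) for k in ("access", "detected", "contained", "remediated")}
    return {
        "detect": (t["detected"] - t["access"]).total_seconds() / DAY,
        "contain": (t["contained"] - t["detected"]).total_seconds() / DAY,
        "remediate": (t["remediated"] - t["contained"]).total_seconds() / DAY,
    }

def coverage_report(incidents):
    """Measure and benchmark MTTD/MTTC/MTTR and flag off-hours detections."""
    stages = [stage_days(i) for i in incidents]
    detected_at = [datetime.fromisoformat(i["detected"]) for i in incidents]
    n = len(incidents)
    means = {s: mean(d[s] for d in stages) for s in BENCHMARK_DAYS}
    return {
        "mean_days": means,
        # negative = better than the Review's benchmark, positive = worse
        "vs_benchmark_days": {s: means[s] - BENCHMARK_DAYS[s] for s in BENCHMARK_DAYS},
        "sub_12h_detect_share": sum(d["detect"] < 0.5 for d in stages) / n,
        "off_hours_detect_share": sum(is_off_hours(t) for t in detected_at) / n,
        "friday_night_share": sum(is_friday_night_window(t) for t in detected_at) / n,
        "over_30_day_dwell": [i["id"] for i, d in zip(incidents, stages) if d["detect"] > 30],
    }

if __name__ == "__main__":
    for k, v in coverage_report(INCIDENTS).items():
        print(k, v)
```

A high off-hours share combined with long detect times is the signature of the coverage gap the article describes; tracking these figures per quarter turns the audit question into a measurable trend.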
For operators of critical national infrastructure, these questions carry additional urgency. NIS2-equivalent UK regulations require organisations to demonstrate proportionate technical controls. A SOC model with documented off-hours coverage gaps is unlikely to satisfy a regulator reviewing an incident disclosure.
For more information on e2e-assure’s 24/7 OT security monitoring service, visit e2e-assure.com.
Key Facts
- 63% of confirmed OT threat activity detected between 23:00 and 05:00 local time
- Highest concentration: Friday night into Saturday morning, matching known ransomware deployment patterns
- Average dwell time across reviewed incidents: 11 days; exceeded 30 days in time-limited monitoring deployments
- OT Security Review (Censuswide/e2e-assure, Jan 2026): mean time from compromise to full remediation is 164 days
- OT Security Review: 52 days to detect, 59 days to contain, 53 days to remediate
- Only 31% of surveyed organisations report sub-12-hour detection times
- 80% of CNI organisations experiencing OT downtime face costs of up to GBP 5 million
- e2e-assure SOC operates fully staffed 24 hours a day, 365 days a year
About e2e-assure
e2e-assure is a UK-based managed SOC and cybersecurity company specialising in IT/OT security, threat detection and response, and cyber assessment services for critical national infrastructure and industrial operators. Founded by Rob Demain, e2e-assure operates the Cumulo platform, purpose-built for unified IT/OT monitoring. The company serves clients in manufacturing, energy, water, and transport across the U