In partnership with The SANS Research Program

2025 State of ICS/OT Security

Insights from ICS/OT professionals on today’s evolving industrial cyber threats.

  • 22% of organizations experienced an ICS/OT cyber incident in the last year.
  • 40% of those incidents disrupted operations; nearly 1 in 5 took over a month to fully remediate.
  • Half of all incidents began with remote access, yet advanced controls are still rare.

In partnership with SANS Research, this report is based on responses from 330 ICS/OT practitioners across energy, government, technology, and more.

Why ICS/OT Security Leaders Need This Report Now

ICS and OT environments are under more pressure than ever—from ransomware and supply-chain compromise to expanding regulatory mandates. This report distills what's really happening across industrial networks: where incidents are originating, how quickly they're being contained, and which controls are actually moving the needle.

Incidents are rising and increasingly disruptive

40% of incidents caused operational disruption, and safety, reliability, and financial impacts are still common.

Detection is improving—but recovery lags

Many organizations detect and contain incidents within 48 hours. Full remediation often still stretches into days or weeks.

Remote access remains the weakest link

Half of reported incidents begin with unauthorized external access. Advanced OT-aware remote access controls are implemented in only a small minority of organizations.

Regulation and threat intel drive maturity

Sites under mandatory compliance see fewer financial and safety impacts. Organizations using ICS-specific threat intelligence are more likely to tune detection, segmentation, and monitoring.

Inside the 2025 State of ICS/OT Security Survey

The report analyzes where industrial cybersecurity stands today, and where it's going next, across three dimensions: past trends, current practices, and future plans.

Threats & Incidents

  • Real-world ICS/OT incident rates and root causes
  • Compromise-to-detection, detection-to-containment, and containment-to-remediation timelines
  • How ransomware, supply-chain attacks, and nation-state-aligned actors are shaping risk

Detection & Visibility

  • Adoption of ICS-aware detection tools across the Purdue Model
  • IT/OT visibility integration patterns (SOC models, SIEM, log aggregation)
  • Gaps in kill-chain visibility at Levels 2, 1, and remote/field sites

Remote Access, Cloud & Architecture

  • Cloud-connected OT data platforms and monitoring coverage
  • Secure remote access controls in use today (MFA, segmentation, brokering, session recording)
  • The real blockers: resources, legacy compatibility, and organizational ownership

Preparedness, Resilience & Culture

  • Incident response planning and exercise patterns (tabletops, drills, red/purple teaming)
  • How organizations integrate ICS/OT into BC/DR and cyber resilience
  • What "fully prepared" organizations do differently—from engaging field technicians to contributing to information sharing

Ready to Dive Deeper?

Get the full 2025 State of ICS/OT Security report and arm yourself with the data-driven insights your industrial security program needs.