Organizations in critical infrastructure sectors face unprecedented threats against their operational technology (OT) leading into 2025. As threat actors invest significant time and resources into the exploitation of weaknesses in OT devices and systems, the time is now for security leaders to act. Chief information security officers (CISOs) and others responsible for OT and the protection of cyber-physical systems (CPS) must understand not only how devices are vulnerable to exploitation, but also how these critical devices are connected to the internet and prioritize defending them based on their exposures.
In Team82’s analysis of almost one million OT devices for our “State of CPS Security 2025: OT Exposures” report, we found that 111,000 of them, across manufacturing, logistics and transportation, and natural resources organizations, contain Known Exploited Vulnerabilities (KEVs), with more than two-thirds (68%) of those KEVs linked to ransomware groups.
In this report, Team82 examines the challenges industrial organizations face when confronted with an overwhelming number of KEVs. It also analyzes how to best prioritize remediation and mitigation efforts by combining KEV status with other factors, such as links to ransomware and whether a device is insecurely connected to the internet. This gives decision makers a clearer picture of their risk and a smaller set of vulnerable devices to tackle first.
We recommend that organizations follow an exposure management approach that prioritizes remediation not simply by whether a device contains a known exploited vulnerability, but by whether a device containing a KEV is also insecurely exposed to the internet and at risk of ransomware.
Of the close to one million OT devices analyzed, Team82 found that 12% contain KEVs, and 40% of the organizations analyzed have a subset of these assets insecurely connected to the internet.
The riskiest behavior for organizations is directly connecting an OT device to the internet; such devices hold publicly routable IP addresses and can be found and mapped by internet-scanning services such as Shodan.
7% of the devices contain KEVs that have been linked to known ransomware samples and actors, and 31% of the organizations analyzed have these assets insecurely connected to the internet.
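The prioritization described above, as an added example that is not Claroty's or Team82's code: an asset inventory is cross-referenced with a KEV catalog in the shape of CISA's JSON feed (the real feed's `cveID` and `knownRansomwareCampaignUse` field names; the rows, CVE numbers, hostnames and addresses below are constructed placeholders), each device is checked for a publicly routable address as a stand-in for "directly connected to the internet", and devices are ranked so that KEV + exposed + ransomware-linked comes first. The tier ordering and the routability rule are assumptions made for this example, and it generalizes the report's three factors to any inventory rather than restating its figures.

```python
"""Exposure-driven KEV triage for an OT asset inventory (added example).
Ranks devices by three factors: carries a CISA KEV, that KEV is tied to
ransomware, and the device is directly reachable from the internet.
All catalog rows and inventory entries below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# Constructed excerpt shaped like the CISA KEV catalog JSON feed. Field names
# are the real feed's; the rows and CVE numbers are placeholders, not real
# catalog entries.
KEV_CATALOG_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "knownRansomwareCampaignUse": "Known"}
]}
"""

# Ranges that cannot be reached from the public internet (RFC 1918, loopback,
# link-local, CGNAT). Anything else is treated as directly connected, the
# post's "riskiest behaviour". 203.0.113.0/24 is the RFC 5737 documentation
# range, used so no real host is named; here it counts as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    cves: tuple[str, ...]


@dataclass(frozen=True)
class Finding:
    asset: Asset
    kevs: tuple[str, ...]             # CVEs on the device found in the KEV catalog
    ransomware_kevs: tuple[str, ...]  # subset flagged for ransomware campaign use
    exposed: bool                     # directly reachable from the internet
    tier: int                         # 1 = fix first ... 5 = no KEV present


def load_kev(catalog_json: str) -> dict[str, bool]:
    """Return {cveID: True if CISA flags it as used in ransomware campaigns}."""
    data = json.loads(catalog_json)
    return {row["cveID"]: row.get("knownRansomwareCampaignUse") == "Known"
            for row in data["vulnerabilities"]}


def is_internet_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def triage(asset: Asset, kev: dict[str, bool]) -> Finding:
    """Assign a remediation tier. Ordering is an assumption of this example:
    KEV+exposed+ransomware, then KEV+exposed, then KEV+ransomware, then any
    other KEV, then devices with no KEV at all."""
    kevs = tuple(c for c in asset.cves if c in kev)
    ransomware = tuple(c for c in kevs if kev[c])
    exposed = is_internet_routable(asset.ip)
    if not kevs:
        tier = 5
    elif exposed and ransomware:
        tier = 1
    elif exposed:
        tier = 2
    elif ransomware:
        tier = 3
    else:
        tier = 4
    return Finding(asset, kevs, ransomware, exposed, tier)


def prioritize(inventory: list[Asset], catalog_json: str = KEV_CATALOG_JSON) -> list[Finding]:
    kev = load_kev(catalog_json)
    return sorted((triage(a, kev) for a in inventory), key=lambda f: (f.tier, f.asset.name))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Headline counts in the shape of the report's figures."""
    return {
        "devices": len(findings),
        "with_kev": sum(1 for f in findings if f.kevs),
        "kev_and_exposed": sum(1 for f in findings if f.kevs and f.exposed),
        "kev_and_ransomware": sum(1 for f in findings if f.ransomware_kevs),
        "fix_first": sum(1 for f in findings if f.tier == 1),
    }


# Constructed inventory: names, addresses and CVE lists are illustrative only.
SAMPLE_INVENTORY = [
    Asset("plc-line-1", "203.0.113.10", ("CVE-0000-0001",)),
    Asset("hmi-packaging", "203.0.113.22", ("CVE-0000-0002",)),
    Asset("rtu-pumphouse", "10.20.0.7", ("CVE-0000-0003", "CVE-0000-0099")),
    Asset("historian", "192.168.5.40", ("CVE-0000-0002",)),
    Asset("ews-maint", "10.20.0.9", ()),
]

if __name__ == "__main__":
    results = prioritize(SAMPLE_INVENTORY)
    for f in results:
        print(f"tier {f.tier}  {f.asset.name:14} {f.asset.ip:14} exposed={f.exposed!s:5} "
              f"kevs={list(f.kevs)} ransomware={list(f.ransomware_kevs)}")
    print(summarize(results))
```

In a real deployment the catalog would be the live CISA feed and the exposure signal would come from an external scan or the organization's own perimeter view rather than from address ranges alone; a device behind NAT with a forwarded port is just as exposed as one holding a public address, which is why the routability check is labelled a simplification.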
Adversaries are targeting OT with greater frequency in the hopes of impacting national security among Western nations, as well as economic stability in those areas, and in some cases, public safety.
12% of organizations in critical sectors such as manufacturing, logistics and transportation, and natural resources have OT assets communicating with malicious domains, including some in China, Russia, and Iran.
Manufacturing is consistently a top sector targeted by ransomware actors, likely because of a perceived willingness to meet ransom demands in order to resume production and minimize downtime.
The manufacturing industry had the highest number of devices with confirmed KEVs (over 96,000), with more than two-thirds (68%) of them linked to ransomware groups.
With offensive activity from state-sponsored threat actors on the rise, organizations must put in place the strategies and solutions needed to defend against all manner of threats. Although many OT security projects start with an asset inventory, a catalog of assets does not by itself drive down cyber risk. Based on the collective insights of asset owners and operators, we have established three core processes that are commonly used to reduce the risk of a cyber attack against industrial control systems: exposure management, secure access, and network protection.
To uncover more of the findings in our State of CPS Security 2025: OT Exposures report and to get detailed recommendations based on our three core processes, access the report now.