
Claroty’s State of CPS Security 2025: OT Exposures


Organizations in critical infrastructure sectors face unprecedented threats against their operational technology (OT) leading into 2025. As threat actors invest significant time and resources into the exploitation of weaknesses in OT devices and systems, the time is now for security leaders to act. Chief information security officers (CISOs) and others responsible for OT and the protection of cyber-physical systems (CPS) must understand not only how devices are vulnerable to exploitation, but also how these critical devices are connected to the internet, and must prioritize defending them based on their exposures.

In Team82’s analysis of almost one million OT devices for our “State of CPS Security 2025: OT Exposures” report, we discovered that 111,000 OT devices across manufacturing, logistics and transportation, and natural resources organizations contain Known Exploitable Vulnerabilities (KEVs), with more than two-thirds (68%) of the KEVs linked to ransomware groups.

In this report, Team82 examines the challenges industrial organizations experience when faced with an overwhelming number of KEVs. It also analyzes how to best prioritize remediation and mitigation efforts by combining KEVs with other factors such as links to ransomware and whether devices are securely connected to the internet. This provides decision makers with a better understanding of their risk and a smaller number of vulnerable devices to tackle first.  

Here are some key findings from the report:

OT exposures cannot be measured in critical common vulnerabilities & exposures (CVEs) alone

We recommend that organizations follow an exposure management approach that prioritizes remediation not by known exploited vulnerabilities alone, but by focusing first on devices containing KEVs that are also insecurely exposed to the internet and at risk of ransomware.

  • Of the close to one million OT devices analyzed, Team82 found that 12% contain KEVs, and 40% of the organizations analyzed have a subset of these assets insecurely connected to the internet. 
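
The prioritization described above can be sketched in code. The following Python is an added example, not code from Claroty or the report; it assumes KEV data shaped like the CISA KEV catalog JSON (`cveID`, `knownRansomwareCampaignUse`), and the inventory fields, tier numbering, CVE ids and asset names are constructed for illustration.

```python
import json

# Constructed excerpt shaped like the CISA KEV catalog JSON (placeholder CVE ids).
KEV_CATALOG = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed asset inventory; the field names are hypothetical.
ASSETS = [
    {"id": "plc-01", "cves": ["CVE-0000-0001"], "insecure_internet": True},
    {"id": "hmi-02", "cves": ["CVE-0000-0001", "CVE-0000-0009"], "insecure_internet": False},
    {"id": "rtu-03", "cves": ["CVE-0000-0002"], "insecure_internet": True},
    {"id": "eng-04", "cves": ["CVE-0000-0009"], "insecure_internet": True},
    {"id": "plc-05", "cves": [], "insecure_internet": False},
    {"id": "drv-06", "cves": ["CVE-0000-0002"], "insecure_internet": False},
]

def index_kev(catalog):
    """Map each KEV CVE id to True when the entry is tied to ransomware use."""
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in catalog["vulnerabilities"]}

def tier(asset, kev):
    """1 = KEV + ransomware + exposed, 2 = KEV + one factor, 3 = KEV only, None = no KEV."""
    hits = [c for c in asset["cves"] if c in kev]
    if not hits:
        return None  # a non-KEV CVE does not enter the funnel, even on an exposed device
    ransomware = any(kev[c] for c in hits)
    exposed = asset["insecure_internet"]
    if ransomware and exposed:
        return 1
    return 2 if (ransomware or exposed) else 3

def prioritize(assets, catalog):
    """Return (tier, asset id) pairs for KEV-affected assets, most urgent first."""
    kev = index_kev(catalog)
    ranked = [(tier(a, kev), a["id"]) for a in assets]
    return sorted((t, i) for t, i in ranked if t is not None)

if __name__ == "__main__":
    for t, asset_id in prioritize(ASSETS, KEV_CATALOG):
        print(f"tier {t}: {asset_id}")
```
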

Confirmed KEVs linked to ransomware

The riskiest behavior for organizations is directly connecting an OT device to the internet; such devices are assigned IP addresses and can be mapped by internet-scanning services such as Shodan.

  • 7% of the devices are exposed with KEVs that have been linked to known ransomware samples and actors, with 31% of the organizations analyzed having these assets insecurely connected to the internet.

Threat actors are strategically targeting OT 

Adversaries are targeting OT with greater frequency in the hopes of impacting national security among Western nations, as well as economic stability in those areas, and in some cases, public safety.

  • 12% of critical sectors such as manufacturing, logistics and transportation, and natural resources have OT assets that are communicating with malicious domains, including some in China, Russia, and Iran.

Manufacturing organizations face the highest impact 

Manufacturing is consistently a top sector targeted by ransomware actors, likely because of a perceived willingness to meet ransom demands in order to resume production and minimize downtime.

  • The manufacturing industry was found to have the highest number of devices with confirmed KEVs (over 96,000) with over two-thirds (68%) of them being linked to ransomware groups.

With offensive activity rising from state-sponsored threat actors, organizations must implement the proper strategies and solutions to combat all manner of threats. Although many OT security projects start in the asset inventory phase, a catalog of assets in and of itself doesn't drive down cyber risk. Based on the collective insights from asset owners and operators, we’ve established three core processes that are commonly leveraged to reduce the risk of a cyber attack against industrial control systems: exposure management, secure access, and network protection.

To uncover more of the findings in our State of CPS Security 2025: OT Exposures report and to get detailed recommendations based on our three core processes, access the report now.
