Ransomware drives nearly 38% of incidents; over 40% lead to operational downtime, exposing critical gaps in industrial security.
A new report from the SANS Institute, sponsored by OPSWAT, paints a sobering picture of industrial cybersecurity. According to The State of ICS/OT Cybersecurity 2025, 21.5% of organizations experienced a cyber incident affecting their industrial control systems (ICS) or operational technology (OT) in the past year.
The findings reveal ransomware as the leading culprit, responsible for 37.9% of reported incidents, while 40.3% of incidents resulted in operational downtime, a stark reminder of the real-world impact of cyberattacks on critical infrastructure.
“Progress is being made, but visibility and segmentation remain urgent priorities.” — Jason Christopher, SANS Institute
Based on responses from over 330 professionals across vital sectors, the survey highlights systemic vulnerabilities:
- Half of ICS/OT incidents began with unauthorized external access, often via third-party remote maintenance.
- Fewer than 15% of organizations have advanced remote access controls.
- Only 12.6% report full ICS Kill Chain visibility, leaving detection gaps at Purdue Levels 2–3.
- Just 14% feel fully prepared for emerging threats.
“This year’s findings show that while progress is being made, the industry still faces significant challenges in securing converged environments,” said Jason Christopher, author of the report. “Organizations must prioritize visibility and segmentation to mitigate these risks effectively.”
Matt Wiseman, Director of Product Marketing at OPSWAT, added: “Increased spending alone is not enough. The priority now is smarter investment in segmentation, secure remote access, and scanning inbound files and devices before they reach the operational environment.”
The report underscores the need for an integrated approach to OT security, combining proactive controls with robust incident response strategies to safeguard uptime and safety.
