Look, if you’re involved in industrial operations, manufacturing, or critical infrastructure, you know that the cybersecurity landscape for operational technology (OT) has shifted dramatically. It wasn’t always the front-page story it is today, but now? Your OT environment is firmly in the crosshairs of a diverse and rapidly evolving group of adversaries. We’re seeing nation-states looking for strategic advantage, cybercriminals chasing profit, and even hacktivists driven by geopolitical causes. The threats targeting critical infrastructure aren’t just increasing; they’re accelerating. Understanding the nuances and the sheer pace of this OT threat landscape isn’t something you can put off anymore; it’s absolutely critical for safeguarding essential services, public safety, and even national security.
I’ve spent over two decades in this industry, watching these threats evolve, and the picture painted by the latest intelligence is stark. The Dragos Year in Review (YIR) for 2025, for instance, reveals adversaries operating with unprecedented speed and sophistication. They’re leveraging automation, readily available tools, and even artificial intelligence (AI) in ways that frankly erode the traditional defenses many organizations have relied upon. And this isn’t confined to digital disruption; attackers are increasingly aiming to directly impact physical processes by targeting the core of industrial operations, a trend that underscores the growing severity of OT threats.
Insights from other key reports, like the Fortinet 2025 Global Threat Landscape Report and the Palo Alto Networks & Siemens OT Security Insights 2024, alongside crucial documents from the North American Electric Reliability Corporation (NERC) on OT security and compliance, all reinforce this alarming trend. Collectively, they highlight the increasing complexity of the OT threat landscape and the urgent need to address it head-on.
So, what exactly are these reports telling us about how adversaries are gaining an advantage, and what does it mean for you?
The Adversary’s New Edge: Speed and Scale
The Dragos YIR really emphasizes this point: adversaries are moving faster and scaling their operations far more effectively than ever before. This acceleration in the OT threat landscape is driven by a few key factors we’re seeing across the board:
Automation at Scale: Automated scanning tools are deployed globally at unprecedented speed. Fortinet’s data shows a 16.7% surge in active scanning, with billions of attempts monthly (36,000/sec). They target protocols like SIP, RDP, and Modbus TCP to map exposed services and identify vulnerable systems before they are patched. Fortinet notes that tools like SIPVicious are weaponized for mass scanning, a shift toward “left-of-boom” techniques that front-load reconnaissance ahead of any exploitation.
Cybercrime-as-a-Service (CaaS): The industrialization of cybercrime lowers the entry barrier. Fortinet saw a 42% increase in darknet credential sales in 2024, fueled by a 500% surge in infostealer logs (Redline, Vidar). These stolen credentials (VPN, RDP, admin) are sold by Initial Access Brokers (IABs). Dragos and Fortinet report CaaS groups specialize, increasing efficiency and scale.
AI’s Supercharging Role: Adversaries leverage AI to enhance operations. Fortinet highlights AI tools for crafting compelling phishing, generating deepfakes, automating malware creation, and developing social engineering. Tools like FraudGPT and BlackmailerV3 automate malicious content generation, making attacks more scalable, believable, and effective, accelerating the entire attack lifecycle.
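The scanning behaviour described above is also what a defender can look for on their own perimeter. The following is an added example, not code from the original post or from Fortinet or Dragos: it runs over a constructed set of flow records and flags any source that touches many distinct host/port pairs inside a short window, reporting which of the touched ports map to the services the post names (SIP, RDP, Modbus TCP). The sample addresses, the 60-second window, the five-target threshold, and the port-to-service map are assumptions chosen for illustration.

```python
"""Flag mass-scanning sources in flow records (added example, constructed data).

A scanner stands out not by volume alone but by breadth: many distinct
destination host/port pairs from one source in a short time. A polling
workstation that hits the same PLC repeatedly has high volume but breadth 1.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports the post says scanners target, mapped to service names (assumed mapping).
WATCHED_PORTS = {5060: "SIP", 3389: "RDP", 502: "Modbus TCP"}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    # 203.0.113.7: six distinct host/port pairs inside ten seconds -> scanner
    ("2025-03-01T10:00:00", "203.0.113.7", "192.0.2.10", 502),
    ("2025-03-01T10:00:01", "203.0.113.7", "192.0.2.11", 502),
    ("2025-03-01T10:00:02", "203.0.113.7", "192.0.2.12", 502),
    ("2025-03-01T10:00:04", "203.0.113.7", "192.0.2.10", 3389),
    ("2025-03-01T10:00:06", "203.0.113.7", "192.0.2.13", 5060),
    ("2025-03-01T10:00:09", "203.0.113.7", "192.0.2.14", 22),
    # 198.51.100.5: an engineering workstation polling one PLC repeatedly (breadth 2)
    ("2025-03-01T10:00:00", "198.51.100.5", "192.0.2.10", 502),
    ("2025-03-01T10:00:05", "198.51.100.5", "192.0.2.10", 502),
    ("2025-03-01T10:00:10", "198.51.100.5", "192.0.2.10", 502),
    ("2025-03-01T10:00:12", "198.51.100.5", "192.0.2.20", 443),
    # 203.0.113.9: five targets spread over ten minutes -> never five inside one window
    ("2025-03-01T10:00:00", "203.0.113.9", "192.0.2.10", 502),
    ("2025-03-01T10:02:30", "203.0.113.9", "192.0.2.11", 502),
    ("2025-03-01T10:05:00", "203.0.113.9", "192.0.2.12", 502),
    ("2025-03-01T10:07:30", "203.0.113.9", "192.0.2.13", 502),
    ("2025-03-01T10:10:00", "203.0.113.9", "192.0.2.14", 502),
]


def parse_flow(record):
    """Normalise one raw record into (datetime, src, dst, int port)."""
    ts, src, dst, port = record
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_scanners(flows, window=timedelta(seconds=60), min_targets=5):
    """Return {src_ip: {"targets": n, "services": [...]}} for every source whose
    peak number of distinct (dst, port) pairs inside any `window` is >= min_targets."""
    by_src = defaultdict(list)
    for rec in flows:
        ts, src, dst, port = parse_flow(rec)
        by_src[src].append((ts, dst, port))

    findings = {}
    for src, events in by_src.items():
        events.sort()                      # sliding window needs time order
        in_window = Counter()              # (dst, port) -> hits currently in window
        start, peak, peak_ports = 0, 0, set()
        for ts, dst, port in events:
            in_window[(dst, port)] += 1
            # Evict events that fell out of the window relative to the newest one.
            while ts - events[start][0] > window:
                old = (events[start][1], events[start][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > peak:
                peak = len(in_window)
                peak_ports = {p for _, p in in_window}
        if peak >= min_targets:
            findings[src] = {
                "targets": peak,
                "services": sorted({WATCHED_PORTS[p] for p in peak_ports if p in WATCHED_PORTS}),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} distinct targets in window; "
              f"watched services: {', '.join(info['services'])}")
```

The slow source in the sample is deliberately left unflagged: a 60-second window catches fast automated sweeps, while low-and-slow probing needs a longer window or a per-day breadth count, so in practice you would run the same function at two or three window sizes.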
Probing Your Perimeter: The Surge in Reconnaissance and Initial Access
The increase in automated scanning activities confirms a pronounced emphasis on reconnaissance within the OT threat landscape. Attackers systematically probe internet-exposed devices. Palo Alto Networks/Siemens reported over 46 million observations of internet-exposed OT devices in early 2025 (1.25M+ IPs), including SCADA, building controls, routers, cameras, and firewalls – devices targeted for botnet C2, lateral movement, and persistence. NERC documents also warn about internet-exposed systems, including supply chain risks.
Aging vulnerabilities are another critical entry point. For example, Palo Alto Networks/Siemens found nearly 62% of exploit triggers in OT networks were for vulnerabilities aged 6–10 years! Meanwhile, rapid exploitation of new vulnerabilities occurs (Fortinet notes an Ivanti vulnerability exploited within six days), but older CVEs (some dating back to 1999 and 2000) persist (Palo Alto Networks/Siemens), showing how legacy systems and operational constraints hamper patching. Consequently, these long-standing weaknesses remain low-hanging fruit for adversaries targeting OT, and outdated infrastructure amplifies the risk. Furthermore, many organizations lack the visibility or resources to address these OT threats comprehensively, leaving critical industrial environments exposed.
Darknet marketplaces fuel initial access. Beyond stolen credentials, exploit kits are traded (Fortinet). Dragos notes internet-exposed VNC servers (often HMIs) were targets for hacktivists using simple brute-force via default credentials in 2024. This reinforces that basic cyber hygiene is still failing.
Blending In: Stealthier Post-Exploitation Tactics
Once inside, adversaries prioritize stealth and persistence using “living off the land” (LOTL) techniques, that is, abusing legitimate system tools and protocols rather than dropping custom malware (Dragos YIR). This makes detection harder for traditional signature-based security. Examples include Active Directory manipulation (DCShadow, DCSync), RDP-based lateral movement, and encrypted C2 via DNS and SSL (Dragos, Palo Alto Networks/Siemens).
Dragos highlights active post-exploitation malware: RATs like Xeno RAT and SparkRAT for screen capture, data exfiltration, and backdoors. ICS-focused malware like Fuxnet and FrostyGoop are particularly concerning (Dragos). Fuxnet targeted Modbus TCP for disruption (traffic flood, memory manipulation). FrostyGoop (Modbus TCP) modified instrument measurements causing physical disruption (heating outages), explicitly linked to geopolitical conflicts. Downgrading controller firmware (FrostyGoop) is another subtle manipulation tactic.
Expanding the Playing Field: The Cloud Battlefield and Supply Chain Risks
Integrating cloud services into OT expands the attack surface. Fortinet and Palo Alto Networks/Siemens observe attackers targeting cloud by exploiting persistent weaknesses: misconfigured storage, over-permissioned identities, and insecure APIs. Attacks combine initial access (credential theft, phishing) with cloud tactics (identity abuse, cloud asset recon, API exploitation) in multi-stage campaigns (Fortinet, Palo Alto Networks/Siemens). Fortinet highlights identity monitoring’s critical role, noting 70% of cloud incidents involved unfamiliar geo logins. This underscores the importance of robust Application and DevOps Security to reduce risk across cloud-integrated OT environments.
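Fortinet’s point that most cloud incidents involved logins from unfamiliar locations translates directly into a detection. The following is an added example, not code from the original post or from Fortinet or Palo Alto Networks: it builds a per-identity baseline of countries seen in successful logins before a cutoff date, then flags later successful logins from countries outside that baseline. The identities, country codes, timestamps, and the cutoff are constructed; in a real deployment the baseline would come from the identity provider’s sign-in logs.

```python
"""Flag cloud sign-ins from locations an identity has never used (added example).

Only successful sign-ins feed the baseline, so a failed attempt from a new
country does not "teach" the detector that country. An identity with no
baseline at all (a newly created account) is reported with an empty known
list, which is worth a look on its own.
"""
from collections import defaultdict
from datetime import datetime

CUTOFF = datetime.fromisoformat("2025-02-01T00:00:00")   # end of the learning period (assumed)

# Constructed sign-in events: (timestamp, identity, country, result).
SAMPLE_EVENTS = [
    ("2025-01-05T08:00:00", "ot-engineer@example.com", "US", "success"),
    ("2025-01-12T09:15:00", "ot-engineer@example.com", "CA", "success"),
    ("2025-01-20T07:45:00", "vendor-svc@example.com", "DE", "success"),
    ("2025-01-25T07:45:00", "vendor-svc@example.com", "DE", "success"),
    # after the cutoff
    ("2025-02-03T08:02:00", "ot-engineer@example.com", "US", "success"),   # familiar
    ("2025-02-03T23:40:00", "ot-engineer@example.com", "BR", "success"),   # unfamiliar
    ("2025-02-04T01:10:00", "vendor-svc@example.com", "BR", "failure"),    # failed, not scored
    ("2025-02-04T07:45:00", "vendor-svc@example.com", "DE", "success"),    # familiar
    ("2025-02-05T03:00:00", "new-svc@example.com", "NL", "success"),       # no baseline at all
]


def build_baseline(events, cutoff):
    """Map identity -> set of countries seen in successful sign-ins before `cutoff`."""
    baseline = defaultdict(set)
    for ts, ident, country, result in events:
        if datetime.fromisoformat(ts) < cutoff and result == "success":
            baseline[ident].add(country)
    return baseline


def flag_unfamiliar_logins(events, cutoff):
    """Return alerts for successful sign-ins at/after `cutoff` whose country is
    not in the identity's baseline. Alerts keep the known countries for triage."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for ts, ident, country, result in events:
        if datetime.fromisoformat(ts) < cutoff or result != "success":
            continue
        known = baseline.get(ident, set())
        if country not in known:
            alerts.append({
                "time": ts,
                "identity": ident,
                "country": country,
                "known": sorted(known),
                "note": "no prior sign-in history" if not known else "new location",
            })
    return alerts


if __name__ == "__main__":
    for a in flag_unfamiliar_logins(SAMPLE_EVENTS, CUTOFF):
        print(f"{a['time']} {a['identity']} from {a['country']} "
              f"(known: {a['known'] or 'none'}; {a['note']})")
```

A country-level baseline is deliberately coarse; the same structure works with ASN or a coarse city grid, and adding a second signal (device identifier, time of day) cuts the false positives that travelling staff generate.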
Supply chain risks, amplified by geopolitical tensions, are a significant concern across critical infrastructure (NERC RISC, NERC PSCG). The EPRI report details vendor/subcontractor complexity, which creates opportunities for malicious code, hardware backdoors, or vulnerabilities to enter the environment. NERC documents (Supply Chain Provenance, Secure Equipment Delivery) emphasize vendor vetting, provenance tracking (SBOMs – EPRI, NERC PSCP Guide), securing delivery (tamper-evident packaging, chain of custody – EPRI, NERC Secure Equipment Delivery Guide), and vendor IR plans (NERC SCRM Vendor IR Guide). Scrutinize Protected Cyber Assets (PCAs) and Electronic Access Control or Monitoring Systems (EACMSs) in particular (NERC PSCP Guide, NERC EACMS/PACS Report). This growing OT threat vector demands a more rigorous approach to third-party risk, especially as Dragos analysis of BAUXITE (suspected Iranian ties) highlights targeting of specific OT/ICS devices and OEMs, potentially leveraging supply chains for malware like IOControl.
Practical Defenses: What You Can Do Against the Evolving OT Threat Landscape
Navigating this demands a shift from reactive defense to proactive risk management, built on visibility, control, and resilience. Here are key, actionable recommendations from these reports:
Understand Your Exposure: Identify all internet-exposed devices, legacy systems, and misconfigurations (OT/cloud). Use tools (Shodan/Censys) to see your attack surface (Dragos). Comprehensive asset inventory is vital (NERC). Actionable Step: Get OT-tailored asset discovery and exposure analysis.
Strengthen Core Controls: Implement secure configurations, patch management, robust remote access, network segmentation, and defensive architecture (SANS ICS 5). Adopt Zero Trust principles (NERC ZT docs), verifying every request based on identity/context.
Prioritize Vulnerabilities OT-Style: Use an OT-centric approach like Dragos’ “Now, Next, Never,” prioritizing based on operational impact and active exploitation (Fortinet darknet intel). Traditional CVSS is insufficient (Dragos, Palo Alto Networks/Siemens). Actionable Step: Use OT-focused vulnerability assessment services applying frameworks like “Now, Next, Never.”
Enhance Visibility: Deploy OT-aware monitoring (Dragos NDR, Palo Alto App-ID) understanding OT protocols (Modbus, S7comm, OPC/UA, FINS – Fortinet, Dragos). Look for subtle movements, config changes, encrypted C2. Behavioral analytics is crucial for LOTL (Dragos IR shows monitoring cuts investigation time). Actionable Step: Enhance OT network visibility with behavioral analysis.
Address Supply Chain Risks: Build a robust SCRM program (NERC SCRM docs, EPRI). Vet vendors, track provenance (SBOMs – EPRI, NERC PSCP Guide), secure delivery (EPRI, NERC Secure Equipment Delivery Guide, tamper-evident, chain of custody), plan vendor IR (NERC SCRM Vendor IR Guide). Scrutinize PCAs/EACMSs (NERC PSCP Guide, NERC EACMS/PACS Report). Dragos notes groups targeting supply chains. Actionable Step: Get SCRM assessment and program development help.
Prepare for Incidents: Develop/test OT-specific IR plans (Dragos, NERC SCRM Vendor IR Guide) for ransomware, ICS malware, etc. Use tabletops/adversary emulation (LockBit, APT29 – Fortinet) to find gaps. Fast response minimizes impact.
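The “Enhance Visibility” recommendation above, and the FrostyGoop and Fuxnet behaviour described earlier (Modbus TCP writes that change instrument values), both come down to the same monitoring question: who is writing to which controller? The following is an added example, not code from the original post, Dragos, Fortinet, or Palo Alto Networks: it decodes Modbus/TCP frames (MBAP header plus PDU, per the public Modbus specification) from constructed captures and raises a finding whenever a write function code comes from a host that is not on an allowlist of hosts permitted to write, with lower-severity findings for malformed frames and uncommon function codes. The addresses, the allowlist, and the frame bytes are constructed for illustration.

```python
"""Modbus/TCP write-detection over captured frames (added example, constructed data).

MBAP header: transaction id (2), protocol id (2, always 0), length (2, bytes
that follow the length field), unit id (1). The PDU starts with the function
code. Function codes with bit 0x80 set are exception responses from a server.
"""
import struct

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Hosts permitted to issue writes (assumed: only the engineering workstation).
WRITE_ALLOWLIST = {"192.0.2.50"}

# Constructed captures: (src_ip, dst_ip, raw_frame). dst 192.0.2.10 is a PLC.
SAMPLE_CAPTURES = [
    # HMI reads 10 holding registers from address 0: normal polling
    ("192.0.2.40", "192.0.2.10", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Engineering workstation (allowlisted) writes one register: expected
    ("192.0.2.50", "192.0.2.10", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x01\xf4"),
    # Unknown host writes two registers at address 16: the FrostyGoop-style case
    ("198.51.100.77", "192.0.2.10",
     b"\x00\x03\x00\x00\x00\x0b\x01\x10\x00\x10\x00\x02\x04\x00\x00\x00\x00"),
    # Truncated frame: MBAP length says 6 bytes follow but only 2 do
    ("203.0.113.7", "192.0.2.10", b"\x00\x04\x00\x00\x00\x06\x01\x03"),
    # Diagnostics (FC 8) from an unknown host: uncommon on this network
    ("203.0.113.7", "192.0.2.10", b"\x00\x05\x00\x00\x00\x06\x01\x08\x00\x00\x00\x00"),
]


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode MBAP header and PDU; raise ValueError on structurally bad input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} bytes present")
    func, data = frame[7], frame[8:]
    rec = {"tid": tid, "unit": unit, "function": func & 0x7F,
           "exception": bool(func & 0x80), "data": data}
    # Write requests (and reads) carry a 16-bit start address followed by a
    # 16-bit value (FC 5/6) or count (FC 15/16, and the read codes).
    if not rec["exception"] and rec["function"] in (1, 2, 3, 4, 5, 6, 15, 16) and len(data) >= 4:
        rec["address"], rec["count_or_value"] = struct.unpack(">HH", data[:4])
    return rec


def assess_frames(captures):
    """Return a list of findings; each has src, dst, severity and a reason string."""
    findings = []
    for src, dst, frame in captures:
        try:
            rec = parse_modbus_tcp(frame)
        except ValueError as exc:
            findings.append({"src": src, "dst": dst, "severity": "medium",
                             "reason": f"malformed frame: {exc}"})
            continue
        func = rec["function"]
        if rec["exception"]:
            findings.append({"src": src, "dst": dst, "severity": "low",
                             "reason": f"exception response to FC{func}"})
        elif func in WRITE_FUNCTIONS and src not in WRITE_ALLOWLIST:
            findings.append({"src": src, "dst": dst, "severity": "high",
                             "reason": (f"{WRITE_FUNCTIONS[func]} (FC{func}) from non-allowlisted host "
                                        f"to unit {rec['unit']} at address {rec.get('address')}")})
        elif func not in WRITE_FUNCTIONS and func not in READ_FUNCTIONS:
            findings.append({"src": src, "dst": dst, "severity": "low",
                             "reason": f"uncommon function code FC{func}"})
    return findings


if __name__ == "__main__":
    for f in assess_frames(SAMPLE_CAPTURES):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}: {f['reason']}")
```

The allowlist is the key design choice: Modbus has no authentication, so the only reliable signal that a write is legitimate is that it came from a host that is supposed to write. Pairing this with a per-unit list of registers an engineering workstation is expected to touch turns the high-severity finding into a very low-noise alert.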
Conclusion: Building Resilience is the Only Option
The 2025 reports from Dragos, Fortinet, and Palo Alto Networks/Siemens, with NERC guidance, paint a clear, urgent picture: the OT threat landscape is more dynamic, automated, and interconnected. Adversaries leverage sophisticated techniques, readily available tools, and market forces, eroding defenses and increasing potential physical impacts. Complacency is not an option.
Organizations must adopt a proactive, adaptive security posture. By focusing on understanding/reducing exposure, strengthening core controls (including Zero Trust), prioritizing vulnerabilities with an OT-specific lens, enhancing visibility via OT-aware monitoring/behavioral analytics, addressing complex supply chain risks, and preparing for robust incident response, CISOs and security teams can build resilience against the next wave of threats.
Compliance Labs specializes in helping organizations navigate OT security and compliance. We provide expert analysis and practical solutions aligned with best practices/regulations. Our services help assess attack surface, prioritize vulnerabilities, build SCRM programs, implement monitoring, and strengthen posture. Our goal is to educate, inform, and empower readers to improve understanding and take proactive steps.