Industrial cybersecurity is experiencing a “two-speed” reality. This is one of the main findings of the 2025 State of ICS/OT Security Report, the new report from the SANS Institute analyzing the current security landscape in industrial control systems (ICS) and operational technology (OT) across critical sectors such as energy, manufacturing, chemical, transportation, and essential infrastructure.
According to the study, based on responses from over 330 ICS/OT security professionals worldwide, organizations are now quicker at detecting incidents than in previous years, but still take too long to recover. The gap between detection and recovery is becoming one of the most concerning weaknesses for industrial plants, electrical grids, and transportation systems.
Detection in hours, recovery in weeks
The data paints a mixed picture. More than one in five industrial organizations report experiencing at least one cybersecurity incident in the past year, and in 40% of cases, some form of operational disruption occurred: plant shutdowns, service degradation, or impacts to critical processes.
The positive aspect is in the detection phase. Nearly half of the incidents were identified in less than 24 hours, and around 60% were contained within the first 48 hours. In terms of monitoring, early warning, and initial response, the sector shows real progress compared to previous years.
However, the situation shifts when looking at recovery. Nearly 19% of the analyzed incidents took over a month to fully resolve—from the initial attack to the secure restoration of operations. In environments where any downtime results in financial losses, physical safety risks, or impacts on essential services (energy, water, transport), these delays are critical.
Jason D. Christopher, a certified instructor at SANS and author of the report, summarizes the situation: organizations have improved at “hearing the alarm,” but still struggle to “put out the fire” quickly and without increasing risk. Restoring an industrial environment is far more complex than rebooting an office system; it involves validating access routes, verifying that controllers and PLCs haven’t been altered, and coordinating engineering, operations, and cybersecurity teams.
Remote access: the main entry point
The study clearly highlights an uncomfortable factor: remote access. Half of the reported incidents originate from unauthorized external access, whether via VPN tunnels, poorly configured remote maintenance solutions, or jumps from IT networks into OT networks.
Despite this, only about 13% of organizations report having implemented advanced, “ICS-aware” remote access controls: session logging, real-time approval for sensitive actions, strict user and device identity verification, or dedicated OT gateways. In many cases, the historical priority has been operational continuity and ease of access for providers and technicians, rather than designing a robust, auditable remote access model.
Recent OT-related research confirms this trend: a significant portion of industrial systems remain accessible from the Internet or through legacy architectures designed for a world where OT was never expected to connect externally. Academic estimates indicate tens of thousands of OT devices exposed globally, many running outdated firmware with known vulnerabilities left unpatched for years.
Visibility that diminishes near the process
The report also highlights a classic industrial security challenge: lack of visibility in the levels closest to the physical process. Only 12.6% of participants claim to have full visibility across the entire “ICS Cyber Kill Chain,” from higher supervision layers down to controllers and field devices.
As security teams approach PLCs, RTUs, or process instruments, monitoring data becomes scarcer or nonexistent. This hampers early detection of dangerous changes in control parameters, lateral movement within the OT network, and forensic reconstruction after an incident.
In practice, many organizations can detect “the noise” when an attack originates in the IT network or supervisory layers, but lose track right where a setpoint change, malicious command, or deactivation of a safety feature could cause real damage to the plant or service.
Regulation and threat intelligence: measurable impact
Another key finding from the report is the impact of regulation and specific ICS threat intelligence. Facilities subject to strict regulatory frameworks—such as certain critical infrastructures—do not report fewer incidents but do experience approximately 50% less financial and security impact.
In other words, breaches still happen, but the resulting damages are typically lower. Regulatory compliance requires deploying controls, audit processes, response plans, and simulation exercises that, once ingrained, help contain the effects of an attack.
Similarly, organizations that turn ICS-specific threat intelligence into concrete actions—adjusting detection rules, expanding monitoring, segmenting networks, or reviewing access policies—demonstrate significantly better defensive outcomes than those that passively consume reports.
What are the most advanced teams doing?
Beyond the data, the SANS report and sector analyses outline a clear roadmap to bridge the detection and recovery gap in industrial environments:
- Treat remote access as a process control function, not just an IT service. This involves channeling all connections through dedicated OT gateways or jump hosts, applying Zero Trust principles (strong identity, least privilege, explicit approval for critical actions), and exhaustively logging sessions for audit purposes.
- Design and maintain a defensive network architecture, with clear segmentation between IT, OT, and Internet zones, minimizing exposure points, and controlling traffic flows between zones and levels.
- Invest in native OT visibility, including updated asset inventories, industrial protocol monitoring, and anomaly detection at control and field levels—not just within the corporate network.
- Practice response and recovery in real industrial scenarios, through drills involving plant engineers, operators, and business leaders—not only cybersecurity teams. The organizations that rehearse these scenarios show markedly higher preparedness, according to the study.
Meanwhile, threats like targeted ransomware attacks on OT environments and activity from advanced groups probing critical infrastructure for espionage or sabotage continue to grow. This underscores the importance of security measures that are integrated into the industrial operation itself rather than layered on superficially.
Next steps: from data to decisions
To complement the report release, SANS has scheduled a dedicated webcast on November 19, aimed at technicians, engineers, response teams, and OT security leaders, where Jason D. Christopher will discuss the findings and their implications for the field. A second session on December 9 will target CISOs and industrial executives planning their strategies for 2026.
The core message is clear: detection alone no longer signifies maturity. True industrial resilience will be measured by an organization’s ability to recover operations safely, swiftly, and without increasing risks to personnel, equipment, or society’s essential services.
Frequently Asked Questions about the SANS 2025 ICS/OT Security Report
What exactly is ICS/OT security in critical infrastructures?
ICS/OT security focuses on protecting systems that control physical processes in industries like energy, water, transportation, manufacturing, and chemicals. This includes systems like SCADA, HMI, PLCs, and sensors that directly operate valves, motors, or production lines. The goal is to prevent operational disruptions, equipment damage, or safety risks caused by cyber attacks.
Why can recovery from an industrial cyberattack take over a month?
Many industrial environments require more than restoring backups. They need to verify controllers haven’t been tampered with, validate process configurations, check remote access routes, and coordinate safe system startups. Without established procedures, documented protocols, and clear decision channels, recovery steps slow down, extending total recovery time to weeks.
What “ICS-aware” remote access controls are most critical for risk reduction?
Key measures include centralizing remote access via dedicated OT gateways, enabling strong user and device authentication, session logging, real-time approval for high-impact actions (like PLC logic changes or safety parameter adjustments), and limiting privileges only to necessary functions. These practices significantly reduce unauthorized external access and facilitate incident investigations.
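As an added illustration of the layered controls listed above and in the roadmap's first point (this is example code, not code from the report or from SANS), the following Python sketch models the decision an OT gateway makes for each requested action: identity checks first, then least privilege by role, then real-time approval for high-impact actions, with every decision written to the session's audit record. The roles, action names, the device "PLC-07" and the session events are constructed assumptions.

```python
"""Toy ICS-aware remote-access policy check (added example, constructed data)."""
from dataclasses import dataclass, field

# High-impact actions alter process behaviour or safety functions and require
# explicit real-time approval on top of the role permission (assumed set).
HIGH_IMPACT = {"plc_logic_download", "safety_param_write", "interlock_disable"}

# Least privilege: each role gets only the actions its job needs (assumed roles).
ROLE_PERMISSIONS = {
    "vendor_maintenance": {"tag_read", "diag_read"},
    "control_engineer": {"tag_read", "diag_read", "setpoint_write", "plc_logic_download"},
    "safety_engineer": {"tag_read", "safety_param_write", "interlock_disable"},
}

@dataclass
class Session:
    user: str
    role: str
    device_attested: bool          # device identity verified at the OT gateway
    mfa_passed: bool               # strong user authentication completed
    approvals: set = field(default_factory=set)   # actions approved during the session
    audit: list = field(default_factory=list)     # per-session log of every decision

def evaluate(session: Session, action: str, target: str) -> str:
    """Return 'allow' or a denial reason; every decision is appended to the audit log."""
    if not (session.mfa_passed and session.device_attested):
        decision = "deny:identity"               # unverified user or device
    elif action not in ROLE_PERMISSIONS.get(session.role, set()):
        decision = "deny:least_privilege"        # role never allowed this action
    elif action in HIGH_IMPACT and action not in session.approvals:
        decision = "deny:approval_required"      # needs a live approver first
    else:
        decision = "allow"
    session.audit.append({"user": session.user, "role": session.role,
                          "action": action, "target": target, "decision": decision})
    return decision

def run_constructed_session():
    """Walk two constructed sessions through the gateway and return decisions + audit."""
    vendor = Session(user="vendor01", role="vendor_maintenance",
                     device_attested=True, mfa_passed=True)
    results = [evaluate(vendor, "tag_read", "PLC-07"),        # allowed read
               evaluate(vendor, "setpoint_write", "PLC-07")]  # outside vendor role
    eng = Session(user="eng02", role="control_engineer",
                  device_attested=True, mfa_passed=True)
    results.append(evaluate(eng, "plc_logic_download", "PLC-07"))  # no approval yet
    eng.approvals.add("plc_logic_download")   # supervisor approves in real time
    results.append(evaluate(eng, "plc_logic_download", "PLC-07"))  # now allowed
    return results, vendor.audit + eng.audit
```

The audit list is what an investigator would pull after an incident; in a real gateway it would be shipped off-box, not kept in memory.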
How can organizations leverage ICS-specific threat intelligence?
The focus should be on translating intelligence into concrete actions: refining detection rules, strengthening network segmentation where new attack techniques emerge, updating critical asset inventories based on activity from known threat groups, and conducting scenario-based response exercises. Organizations integrating threat intelligence into daily operations tend to experience lower financial and security impacts.
For more information and the full report, visit sans.org.

