The 2025 SANS State of ICS/OT Cybersecurity Survey reveals an industry at an inflection point. Based on responses from over 330 industrial cybersecurity professionals worldwide, the data shows clear progress in some areas of ICS cybersecurity—and persistent gaps in others that adversaries are actively exploiting. For organizations securing critical infrastructure, the message is straightforward: the fundamentals matter more than ever, and purpose-built capabilities make the difference between containment and catastrophe.
Industrial organizations are getting faster at spotting threats. Nearly 50% of incidents in 2025 were detected within 24 hours, and 60% were contained within 48 hours of detection. That’s a meaningful improvement from previous years and reflects growing investment in OT-specific monitoring capabilities.
Organizations leveraging ICS-specific threat intelligence showed even stronger performance. They were 52% more likely to improve network segmentation and monitoring based on threat data, and they adjusted defensive priorities in real time as adversary tactics evolved.
What is driving this improvement? Two forces are converging: regulatory pressure and real-world threat intelligence. Sites subject to mandatory compliance—whether NERC CIP, TSA Security Directives, or emerging APAC frameworks—experienced roughly the same incident rates as their peers but saw approximately 50% fewer financial losses and safety impacts when incidents occurred.
The reason is clear: regulation forces organizations to deploy foundational capabilities (asset visibility, logging, change detection) that also happen to be the building blocks of effective threat detection and response.
Here’s where the data reveals the industry’s most critical gap.
While 49% of organizations report having OT-specific detection capabilities, visibility drops dramatically as you move deeper into industrial environments. Only 1 in 8 organizations (12.6%) report full visibility across the ICS Cyber Kill Chain, from initial IT compromise all the way to potential impacts on PLCs, SCADA systems, and physical processes.
Breaking this down by Purdue Model levels tells an even starker story:
- Level 3 (Operations Systems): 19.7% report full visibility
- Level 2 (Supervisory Control - SCADA/HMI): Just 10% report full visibility
- Level 1 (Basic Control - PLCs/RTUs): Coverage is even thinner
- Remote Sites: 17.5% report coverage across distributed operations
This matters because adversaries don’t stop at the IT/OT boundary. Modern industrial cyber threats, from ransomware groups to nation-state actors conducting reconnaissance on critical infrastructure, specifically target supervisory and control layers where they can disrupt operations, manipulate setpoints, or disable safety systems.
The implication: Many organizations can see threats approaching but lose visibility exactly where consequences become most severe.
Despite the proven value of threat intelligence, only 21% of organizations deployed intelligence integration capabilities in 2025. That’s a missed opportunity.
The survey data shows organizations using ICS-specific threat intelligence were significantly more likely to:
- Improve asset monitoring and network segmentation
- Update threat detection rules based on adversary TTPs
- Adjust incident response procedures ahead of emerging threats
- Achieve faster detection and containment during actual incidents
This isn’t about consuming generic threat feeds. It’s about operationalizing intelligence that’s tailored to industrial control systems—understanding which threat actors target your sector, what their capabilities are, and how their techniques translate to your specific OT environment.
Organizations that integrate threat intelligence don’t just react faster. They position defenses before threats arrive.
While detection and containment timelines have improved, remediation remains a stubborn challenge.
- 22% of incidents took 2-7 days to fully remediate
- 19% took over a month
- 3% took over a year
That’s not just a cybersecurity problem. It’s an operational availability and financial risk problem. Extended recovery times translate directly to lost production, emergency contractor costs, regulatory scrutiny, and potential safety implications.
The organizations that recovered fastest shared common characteristics: they had OT-specific incident response plans (57% of all respondents), tested those plans at least quarterly (25%), and involved field technicians, not just security teams, in preparedness exercises.
The data is unambiguous: organizations that practice realistic OT incident response are 1.7x more likely to report strong preparedness for emerging threats.
Asset inventory and visibility was the #1 technology investment area in 2025 (50% of respondents) and remains the top priority for 2026-2027 (54%). There’s a simple reason: you can’t protect what you can’t see.
But traditional IT discovery tools fall short in OT environments. They often require active scanning that can disrupt industrial processes, lack the protocol-specific knowledge to identify ICS devices accurately, and don’t provide the depth needed to understand PLC configurations, firmware versions, or backplane-level details that matter for vulnerability management.
The survey data shows organizations with comprehensive asset visibility are:
- 3.7x more likely to achieve full visibility across the ICS Cyber Kill Chain
- Better positioned to implement risk-based vulnerability management
- More successful at network segmentation and architecture improvements
- Faster at incident response because they know exactly what’s at risk
This is why OT-native platforms matter. Passive discovery, protocol-aware identification, and continuous asset intelligence provide the foundation for every other security capability, from threat detection to compliance reporting.
Only 14% of respondents felt fully prepared for emerging OT cyber threats. But those organizations share distinct characteristics that others can learn from:
- They push visibility deeper. Rather than stopping at enterprise IT or Level 3, they extend monitoring into supervisory control, basic control, and remote sites—where adversaries increasingly aim to operate.
- They involve the right people. Fully prepared organizations were 66% more likely to include field technicians in preparedness exercises and 56.7% more likely to actively contribute to information sharing and analysis centers (ISACs).
- They embed security into operations. These organizations don’t treat cybersecurity as a separate function. They integrate it into daily OT decision-making, engineering change processes, and business continuity planning.
- They leverage OT-native platforms. Whether for asset discovery, threat detection, or vulnerability management, the most prepared organizations deploy purpose-built tools designed for industrial environments—not adapted IT security products.
The 2025 survey data points to a clear strategic path forward:
- Invest in Foundational Visibility. Asset inventory isn’t glamorous, but it’s non-negotiable. Prioritize OT-native discovery that provides depth—not just device counts, but firmware versions, configurations, and risk context.
- Extend Detection Across All Purdue Levels. If your visibility stops at Level 3, you’re blind where it matters most. Purpose-built OT threat detection should cover supervisory control, PLCs, and remote sites—passively, without operational risk.
- Operationalize Threat Intelligence. Generic threat feeds don’t move the needle. ICS-specific intelligence that maps adversary TTPs to your environment enables proactive defense adjustments and faster response when incidents occur.
- Practice Realistic Incident Response. Tabletop exercises are valuable, but organizations that involve field technicians in hands-on recovery drills—testing backup restoration, logic validation, and safe restart procedures—build the muscle memory that matters during real incidents.
- Treat Compliance as a Starting Point, Not a Ceiling. The data shows regulated organizations experience better outcomes—not because compliance prevents incidents, but because it forces deployment of capabilities that improve detection, containment, and resilience. Use regulatory requirements as a foundation and build from there.
The survey data paints a picture of an industry making progress—but not fast enough.
Threat actors continue to target industrial environments with increasing sophistication. Nation-state groups are pre-positioning in critical infrastructure. Ransomware operators have learned that OT disruption maximizes leverage and ransom payments. Supply chain compromises are exposing vulnerabilities across entire sectors.
At the same time, regulatory frameworks are expanding globally, from NERC CIP updates in North America to Australia’s SOCI Act, Singapore’s Cybersecurity Code of Practice, and Saudi Arabia’s OTCC-1:2022. Organizations that wait for mandates will find themselves perpetually behind.
The path forward requires closing visibility gaps at lower Purdue levels, operationalizing threat intelligence, accelerating remediation through practiced response, and building programs on OT-native capabilities designed for industrial environments.
The data shows what works. The question is whether organizations will act on it before adversaries exploit the gaps that remain. Want to see how your OT security program compares to industry benchmarks?
Download the full SANS State of ICS/OT Cybersecurity 2025 report.