Reassessing the OT Threat Landscape

Breaking down the riskiest OT exposures and the threat actors targeting critical infrastructure and industrial control systems (ICS).

Feb 20, 2025
Industrial Cyber

Claroty recently published its State of CPS Security 2025: OT Exposures report. The report analyzes nearly one million OT devices, most of them in the manufacturing, logistics and transportation, and natural resources sectors. The data shows that many organizations struggle to decide which vulnerabilities to remediate first because of the sheer number of KEVs (vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog) present across OT devices.

Key findings include:

  • 12 percent of OT devices analyzed contain KEVs, and 40 percent of organizations have a subset of these devices insecurely connected to the internet.
  • Seven percent of OT devices are exposed with KEVs linked to known ransomware samples, and 31 percent of organizations have these assets insecurely connected to the internet.
  • 12 percent of industrial organizations had OT assets communicating with malicious domains, underscoring active threats.
  • The manufacturing industry had the highest number of devices with confirmed KEVs, of devices with confirmed KEVs linked to ransomware, and of devices with confirmed KEVs linked to ransomware that are also insecurely connected to the internet.
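The findings above suggest a triage order: a KEV that is tied to ransomware on an internet-reachable device is fixed first, then ransomware-linked or exposed KEVs, then remaining KEVs, and only then the long tail of CVEs nobody is known to exploit. The following is an added example of that triage, not code from the Claroty report; the CISA KEV feed fragment and the asset inventory are constructed (vendors, products and CVE IDs are fictitious placeholders), and the `internet_exposed` flag is assumed to come from whatever discovery tool populated the inventory.

```python
import json

# Constructed fragment in the shape of CISA's KEV feed
# (known_exploited_vulnerabilities.json). Vendors, products and CVE IDs are
# fictitious placeholders, not real catalog entries.
KEV_FEED = """{
  "title": "constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExamplePLC", "product": "Vision-X",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleHMI", "product": "Panel-7",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0003", "vendorProject": "ExampleRTU", "product": "Sub-RTU",
     "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed asset inventory, as an OT discovery tool might export it.
# "internet_exposed" is assumed to be that tool's verdict that the asset is
# reachable from the internet (the report's "insecurely connected").
INVENTORY = [
    {"asset": "plc-line1", "cves": ["CVE-2099-0001"], "internet_exposed": False},
    {"asset": "hmi-line1", "cves": ["CVE-2099-0002", "CVE-2099-9999"], "internet_exposed": True},
    {"asset": "rtu-sub4", "cves": ["CVE-2099-0003"], "internet_exposed": False},
    {"asset": "hist-01", "cves": ["CVE-2099-9999"], "internet_exposed": True},
]


def load_kev(feed_text):
    """Map cveID -> True if CISA flags the entry as used in ransomware campaigns."""
    doc = json.loads(feed_text)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in doc["vulnerabilities"]}


def score_asset(asset, kev):
    """Return a triage tier for one asset.

    3: KEV linked to ransomware AND internet exposed (fix first)
    2: KEV linked to ransomware, or any KEV on an internet-exposed asset
    1: KEV present but neither ransomware-linked nor exposed
    0: no KEVs (remaining CVEs still need patching, but not ahead of the above)
    """
    kevs = [c for c in asset["cves"] if c in kev]
    if not kevs:
        return 0
    ransomware = any(kev[c] for c in kevs)
    return 1 + int(ransomware) + int(asset["internet_exposed"])


def triage(inventory, kev):
    """Rank assets, highest tier first, with the KEVs that drive the rank."""
    ranked = []
    for a in inventory:
        ranked.append({
            "asset": a["asset"],
            "tier": score_asset(a, kev),
            "kevs": sorted(c for c in a["cves"] if c in kev),
            "ransomware_kevs": sorted(c for c in a["cves"] if kev.get(c)),
            "internet_exposed": a["internet_exposed"],
        })
    ranked.sort(key=lambda r: (-r["tier"], -len(r["ransomware_kevs"]), r["asset"]))
    return ranked


def summarize(inventory, kev):
    """Counts in the same shape as the report's headline findings."""
    rows = triage(inventory, kev)
    return {
        "devices": len(rows),
        "with_kev": sum(1 for r in rows if r["kevs"]),
        "with_ransomware_kev": sum(1 for r in rows if r["ransomware_kevs"]),
        "ransomware_kev_and_exposed": sum(1 for r in rows if r["tier"] == 3),
    }


if __name__ == "__main__":
    kev = load_kev(KEV_FEED)
    for row in triage(INVENTORY, kev):
        print(f"tier {row['tier']}  {row['asset']:10} kevs={row['kevs']} "
              f"ransomware={row['ransomware_kevs']} exposed={row['internet_exposed']}")
    print(summarize(INVENTORY, kev))
```

With a real feed, `load_kev` is pointed at the downloaded CISA JSON and the inventory at an export from the asset-discovery tool; the tiering deliberately ignores CVSS, because the report's point is that exploitation evidence and exposure, not severity scores, should decide what gets fixed first.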

The report also offered perspective on some active threat actors:

  • China-based Volt Typhoon and Salt Typhoon: Volt Typhoon relies on living-off-the-land techniques, using native, legitimate tools, and on weak or default passwords to gain access. Salt Typhoon has been linked to breaches of U.S. internet service providers and their lawful-intercept (wiretap) systems, allegedly exfiltrating data useful for intelligence operations.
  • Russia-based Sandworm: The group is allegedly responsible for several attacks against Ukraine's power grid, as well as for the NotPetya malware. It also deployed Industroyer and Industroyer2, purpose-built malware that issues commands to industrial equipment over the IEC-104 (IEC 60870-5-104) protocol. In Ukraine, the targets were power system automation applications used in high-voltage electrical substations.
  • CyberAv3ngers: Operating under the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), this group has vowed to target any OT and enterprise technology developed in Israel. In late 2023 it compromised Unitronics integrated HMI/PLC devices at U.S. water facilities, and in December 2024 attacks against civilian infrastructure were disclosed that used IOCONTROL, a Linux-based backdoor whose modular configuration lets it be deployed against OT assets including PLCs and HMIs.
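The Sandworm entry above is the one with a concrete protocol attached: Industroyer and Industroyer2 work by speaking IEC-104 to the substation equipment and sending the same single and double commands (ASDU types 45 and 46) that a legitimate SCADA master uses to operate breakers. Because the commands are valid protocol traffic, the practical detection is not a malware signature but a whitelist of who is allowed to issue them. The following is an added example of that check, not code from the report or any vendor: it parses IEC 60870-5-104 I-format frames, decodes the control-command objects, and alerts on any activation that does not come from an authorized master. The frames and IP addresses are constructed, and the set of authorized masters is assumed to be known from the site's engineering documentation.

```python
import struct

START_BYTE = 0x68

# ASDU type identifiers (IEC 60870-5-101 table) for the control commands an
# attacker would send to operate breakers and switches; 45/46 are the ones
# Industroyer2 is documented to use.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
}
COT_ACTIVATION = 6   # cause of transmission "activation": the master asks for the action


def parse_apdu(raw):
    """Parse one IEC-104 APDU.

    Returns None for S- and U-format frames (no ASDU) and a dict for I-format
    frames. Only the 1-byte command objects of types 45-47 are decoded; other
    ASDU types are returned with an empty object list.
    """
    if len(raw) < 6 or raw[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    if raw[1] + 2 != len(raw):
        raise ValueError("APDU length field does not match frame size")
    if raw[2] & 0x01:          # bit 0 set: S-format (01) or U-format (11)
        return None
    send_seq = struct.unpack_from("<H", raw, 2)[0] >> 1
    recv_seq = struct.unpack_from("<H", raw, 4)[0] >> 1
    asdu = raw[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    num_objects = asdu[1] & 0x7F          # VSQ: bit 7 = SQ, bits 0-6 = object count
    cot = asdu[2] & 0x3F                  # bits 6/7 are the P/N and test flags
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    objects = []
    if type_id in CONTROL_TYPES:
        pos = 6
        for _ in range(num_objects):
            if pos + 4 > len(asdu):
                raise ValueError("command object truncated")
            ioa = int.from_bytes(asdu[pos:pos + 3], "little")   # 3-byte information object address
            qualifier = asdu[pos + 3]
            # SCO: bit 0 = SCS; DCO/RCO: bits 0-1 = DCS/RCS; bit 7 = select(1)/execute(0)
            value = qualifier & 0x01 if type_id == 45 else qualifier & 0x03
            objects.append({"ioa": ioa, "value": value, "select": bool(qualifier & 0x80)})
            pos += 4
    return {"type_id": type_id, "cot": cot, "common_addr": common_addr,
            "send_seq": send_seq, "recv_seq": recv_seq, "objects": objects}


def audit(frames, allowed_masters):
    """Return an alert for every control-command activation sent by a host
    that is not an authorized SCADA master."""
    alerts = []
    for src, raw in frames:
        frame = parse_apdu(raw)
        if frame is None or frame["type_id"] not in CONTROL_TYPES:
            continue
        if frame["cot"] == COT_ACTIVATION and src not in allowed_masters:
            for obj in frame["objects"]:
                alerts.append({"src": src,
                               "command": CONTROL_TYPES[frame["type_id"]],
                               "common_addr": frame["common_addr"],
                               "ioa": obj["ioa"], "value": obj["value"],
                               "select": obj["select"]})
    return alerts


# Constructed frames (source IP, APDU bytes); not captured traffic.
FRAMES = [
    # authorized master: single command, IOA 1, SCS=1 (ON), execute
    ("10.1.1.10", bytes.fromhex("68 0e 00 00 00 00  2d 01 06 00 01 00  01 00 00 01")),
    # S-format acknowledgement from the outstation: no ASDU
    ("10.1.1.20", bytes.fromhex("68 04 01 00 00 00")),
    # authorized master: station interrogation (type 100), not a control command
    ("10.1.1.10", bytes.fromhex("68 0e 02 00 02 00  64 01 06 00 01 00  00 00 00 14")),
    # unknown host: double command, IOA 5, DCS=1 (OFF), execute
    ("10.1.1.77", bytes.fromhex("68 0e 00 00 00 00  2e 01 06 00 01 00  05 00 00 01")),
]
AUTHORIZED_MASTERS = {"10.1.1.10"}

if __name__ == "__main__":
    for alert in audit(FRAMES, AUTHORIZED_MASTERS):
        print(alert)
```

In practice the frames come from a span port or a passive monitoring sensor on the substation network, and the allowed-master set is the one place the logic can be wrong: a compromised engineering workstation that is on the list will pass this check, which is why the report's advice on removing internet exposure and default credentials comes before detection.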
