State of CPS Security 2025: OT Exposures” Reveals the OT Device Exposures Most Coveted for Exploitation by Adversaries

SYDNEY, Australia, 5 February 2025 – Claroty, the cyber-physical systems (CPS) protection company, today released a new report revealing the exposures that are most coveted for exploitation by adversaries in operational technology (OT) devices. Based on analysis of almost one million OT devices, the “State of CPS Security 2025: OT Exposures” report found over 111,000 Known Exploitable Vulnerabilities (KEVs) in OT devices across manufacturing, logistics and transportation, and natural resources organisations, with more than two-thirds (68%) of the KEVs being linked to ransomware groups. Based on analysis of almost one million OT devices, the report uncovers the riskiest exposures for enterprises amid rising threats to critical sectors.

In the report, Claroty’s award-winning research group Team82 examines the challenges industrial organisations face when identifying which KEVs in OT devices to prioritise for remediation. It highlights how understanding the intersection of these vulnerabilities with popular threat vectors, such as ransomware and insecure connectivity, can help security teams proactively and efficiently minimise risk at scale. With offensive activity rising from state-sponsored threat actors, the report details the risk critical sectors face from OT assets communicating with malicious domains, including those from China, Russia, and Iran.

“The inherent nature of operational technology creates obstacles to securing these mission critical technologies,” said Grant Geyer, Chief Strategy Officer at Claroty. “From embedding offensive capabilities in networks to targeting vulnerabilities in outdated systems, threat actors can take advantage of these exposures to create risks to availability and safety in the real world. As digital transformation continues to drive connectivity to OT assets, these challenges will only proliferate. There is a clear imperative for security and engineering leaders to shift from a traditional vulnerability management program to an exposure management philosophy to ensure they can make remediation efforts as impactful as possible.”

Key Findings:

• Of the close to one million OT devices analysed, Team82 found that 12% contain KEVs, and 40% of the organisations analysed have a subset of these assets insecurely connected to the internet.
• 7% of the devices are exposed with KEVs that have been linked to known ransomware samples and actors, with 31% of the organisations analysed having these assets insecurely connected to the internet.
• 12% of organisations in the research had OT assets communicating with malicious domains, demonstrating that the threat risk to these assets is not theoretical.
• The manufacturing industry was found to have the highest number of devices with confirmed KEVs (over 96,000) with over two-thirds (68%) of them being linked to ransomware groups.

To access Team82’s complete set of findings, in-depth analysis, and recommended security measures in response to vulnerability trends, download the “State of CPS Security 2025: OT Exposures” report.

Methodology

The “State of CPS Security 2025: OT Exposures” report is a snapshot of the vulnerability and exposure trends to OT devices across the manufacturing, logistics and transportation, and natural resources sectors observed and analysed by Team82, Claroty’s threat research team, and our data scientists.