SANS Institute 2025 survey finds OT cybersecurity incidents rising as ransomware and remote access risks grow - Industrial Cyber

Industrial Cyber · Archived Mar 27, 2026

November 20, 2025

New research from the SANS ICS/OT Cybersecurity Report shows how ransomware, remote access, and real-world disruptions are transforming industrial cybersecurity. The SANS Institute 2025 survey explores how defenders are responding to these growing threats, covering everything from securing remote connections to enhancing network segmentation and recovery processes, and highlighting the key priorities for protecting OT (operational technology) today.

Presented by Jason D. Christopher, a SANS certified instructor and the survey’s author, the report found that incidents remain both frequent and disruptive. Over one in five organizations (22%) reported a cybersecurity incident in the past year, with 40% causing operational disruption and nearly 20% taking more than a month to remediate. Detection is improving, but recovery often lags: nearly half of the incidents were detected within 24 hours and 60% were contained within 48 hours, yet remediation can stretch into days, weeks, or even more than a year.

Remote access continues to be a major risk. Unauthorized external access accounted for half of all incidents, but only 13% of organizations have fully implemented advanced controls such as session recording or ICS/OT-aware access. Preparedness varies widely: just 14% of respondents felt fully prepared for emerging threats, though organizations that involved frontline technicians in exercises were nearly 1.7 times more likely to report strong readiness.

Investment momentum is clear: asset visibility, threat detection, and secure remote access lead both current deployments and planned investments for 2026–2027, highlighting where organizations see the greatest value.

“This year’s findings show that while progress is being made, the industry still faces significant challenges in securing converged environments,” Christopher said in a Wednesday media statement. “Organizations must prioritize visibility and segmentation to mitigate these risks effectively.”

Sponsored by OPSWAT, the SANS Institute 2025 survey highlights two trends that continue from previous years. First, industry continues to improve detection times for ICS/OT incidents, with nearly 50% of incidents detected within the first 24 hours. Second, containment is improving in step, with over 65% of detection-to-containment gaps closed within the following 24 hours. That means, on average, ICS/OT incidents are detected and contained within 48 hours. That, however, is where the good news ends.

Remediation, which includes eradicating the threat and recovering operational integrity, still takes days on average, with 22% of incidents taking two to seven days to recover. The risks here are real: 19% of incidents in 2025 took over a month to remediate, and a striking 3% took over a year.

Preparation is still key to responding and recovering quickly during an industrial cyber incident. 57% of respondents have a dedicated ICS/OT incident response plan, a minor increase from previous years that reflects further maturity across the industry. Among organizations that both have threat intelligence capabilities and are regulated, coverage of ICS/OT-specific incident response plans jumps to 70%.

“Our earlier research with the SANS Institute showed that most organizations dedicate less than 25% of their security budgets to OT,” Matt Wiseman, director of product marketing at OPSWAT, said. “The new findings make it clear that increased spending alone is not enough. The priority now is smarter investment in the controls that matter most for safety and uptime: segmentation, secure remote access, and scanning inbound files and devices before they reach the operational environment. OT security requires an integrated approach that closes the gaps attackers continue to exploit.”

Most organizations (39%) test their incident response plan annually. While this figure decreased from previous years, the decrease is explained by a sharp rise in the number of organizations that now test their incident response plan quarterly (25%). Interestingly, those that test more regularly also test in more varied ways: they are far more likely to run operational drills, red and purple team exercises, and executive-level tabletops, giving responders both training and practical experience.

The SANS Institute 2025 survey found that nearly 80% of respondents with incident response plans updated them in 2025. Beyond changes in the organization or in the technology used for incident response, there were two major drivers for these updates: threat intelligence (41%) and regulatory changes or audit feedback (40%), highlighting how industrial cybersecurity is shaped by both of these external forces.

Starting with threat intelligence, 67% of respondents use threat intelligence in some capacity, with an additional 16% planning to adopt it over the next year. The majority (79%) of threat intelligence programs for ICS/OT environments are built on vendor-provided intelligence feeds, with government and public reporting sources a close second (77%), followed by peers or industry information sharing and analysis centers (ISACs) (72%).

The SANS Institute 2025 survey noted the increase in ICS/OT cybersecurity-specific regulations over the past few years. “It therefore came as no surprise that 58% of respondents reported having at least one facility subject to mandatory cybersecurity compliance requirements. Of that group, 26% reported having a possible violation from an audit or self-report. Smaller compliance programs (fewer than 10 facilities in scope) were mostly impacted, accounting for nearly 40% of those possible violations, indicating a possible need for additional resources in those environments.”

Secure remote access continues to be a challenge for ICS/OT environments. Although industry has improved its use of multifactor authentication (MFA), there are still plenty of coverage gaps and capabilities missing from standard practice, such as remote access segmentation, MFA, and vendor-managed/third-party access restrictions.

The SANS Institute 2025 survey notes that these capabilities tend to be stronger at regulated sites, where mandatory secure remote access requirements drive higher maturity. Even so, many industrial environments still have room to grow. ICS-specific protocol or device awareness, session recording and replay, and real-time session approvals were each reported as fully implemented by only 13% or fewer respondents. Given how many real-world incidents stem from remote access, the report recognized that these capabilities may benefit many industrial organizations as they plan for increased cyber defenses.

“When asked what is preventing organizations from achieving full implementation of secure remote access controls across ICS/OT environments, the top blocker was lack of internal resources (60%), followed by legacy system compatibility limitations (46%).”

“Combined with the fact that roughly one-third (31%) of respondents have no formal centralized inventory—or no inventory at all—of active ICS/OT remote access points, there is an obvious divide between the ‘haves’ and the ‘have-nots’ in the world of secure remote access for industrial environments,” the report added.
“As threats evolve and real-world incidents continue to target these assets, many organizations should prioritize these capabilities and provide adequate resources for teams requiring remote access.”

Dean Parsons, SANS Principal Instructor, said the findings reinforce what ICS/OT defenders and engineering teams already understand about protecting critical infrastructure: engineering-informed cyber preparedness cannot operate in a silo. It has to reach across the entire plant floor and every part of engineering operations.

“Involving field technicians, engineers, and operators in ICS/OT tabletop exercises and industrial incident response planning nearly doubles the likelihood that an organization with ICS/OT is ready to face emerging threats that can directly impact safety,” according to Parsons. “That’s no coincidence. Those closest to the control loops, HMIs, and PLCs understand better than anyone how cyber incidents ripple into safety, reliability, and process integrity.”

He added that by embedding engineering staff and having them lead the way in ICS/OT cybersecurity exercises, ICS/OT organizations and critical infrastructure operations transform preparedness from a compliance checkbox into a true resilience capability. “One that protects the operational environment as well as continuity and human safety. After all, in an organization that has ICS/OT, the ICS/OT is the business.”

The SANS Institute 2025 survey examined the maturity of several capabilities across the Purdue Model, including ICS/OT-specific detection, risk-based vulnerability management, ICS/OT threat hunting, and safety-minded penetration testing through red and purple team exercises. The share of respondents reporting each capability as fully covered by their ICS/OT program, and the share reporting it as largely covered, was as follows (full / largely covered):

| Purdue level | Detection | Vulnerability management | Threat hunting | Penetration testing |
|---|---|---|---|---|
| Level 4 | 28% / 37% | 18% / 55% | 11% / 62% | 9% / 62% |
| Level 3.5 | 23% / 39% | 14% / 54% | 7% / 63% | 8% / 62% |
| Level 3 | 20% / 38% | 12% / 55% | 6% / 62% | 8% / 63% |
| Level 2 | 10% / 39% | 8% / 56% | 4% / 64% | 7% / 65% |
| Level 0/1 | 6% / 48% | 7% / 61% | 4% / 69% | 3% / 66% |
| Field and remote sites | 8% / 41% | 9% / 57% | 7% / 66% | 3% / 66% |

Over the last year, industrial organizations invested in a variety of new technologies. The top areas, asset inventory and visibility (50%) and secure remote access with MFA (45%), align with the threats and real-world incidents that were reported, along with increased segmentation (32%).
Other categories, such as ICS-specific tabletop exercises (17%) and threat intelligence integration (21%), were low, which correlates with the earlier findings and highlights a need for increased investment in these areas, as each has a demonstrable impact on incident detection, containment, and remediation timelines. ICS/OT-specific security orchestration, automation, and response (SOAR) was the lowest area of technology investment (12%). This held true regardless of preparedness, regulation, or whether the organization had a SOC, where SOAR might otherwise provide tangible benefits.

Heading into 2026–2027, the SANS Institute 2025 survey forecast that organizations will continue to invest heavily in asset inventory and visibility (54%) and secure remote access (40%), as they did over the past 12 months. However, threat detection (43%) and vulnerability management (41%) also round out the top investments, at a higher rate than 2025 deployments.

“There are several factors that influence what technologies industrial organizations invest in. For example (and unsurprisingly), regulated facilities track higher in every category for both past and future technology deployments,” the survey added. “As a matter of fact, both regulatory requirements and threat landscape were listed as the top drivers for technology deployments (both at 61%).”

However, the most significant determining factor, and the most distinctive investment profile, came from industrial organizations whose SOCs include ICS/OT in some fashion. Those organizations are more likely to have invested (and to continue investing) in asset visibility (63% in both 2025 and 2026–2027), threat detection (47% in 2025, compared to 32% for organizations without a SOC), and log collection/centralization (43% in 2025, compared to 32% for their non-SOC peers).

Organizations that previously identified themselves as fully prepared for future cyber threats also invested in technology differently from their peers, likely because they already had strong capabilities in threat detection and secure remote access. In 2025, these organizations invested more in threat intel integration (43%), log centralization (40%), and vulnerability management (40%). For the next 12–24 months, these prepared organizations plan to continue investing heavily in asset visibility (66%) and threat detection (55%), while adding configuration management (55%) to the top three categories.

The SANS Institute 2025 survey paints a mixed picture. On one hand, detection timelines are shrinking, incident response planning is more common, and regulatory pressure is driving long-term maturity. On the other hand, remediation remains slow, advanced practices such as threat hunting and red/purple team exercises are limited, and remote access continues to expose organizations to disproportionate risk.

Looking ahead, the path forward for the industry is clear and actionable. Organizations need to improve coverage of ICS and OT security, since a risk-based and threat-informed approach to security controls has already been shown to speed up incident response and reduce reliability, safety, and financial impacts. They also need to shift their focus from detection to resilience, because shorter containment times are not enough: faster, safer recovery depends on stronger backups, better failover strategies, and cyber-informed engineering. Preparedness must also broaden beyond security teams, with field technicians, engineers, and executives all taking active roles in threat-aware exercises. Finally, regulation should serve as a springboard, with compliance requirements treated not as a ceiling but as the starting point for stronger detection, response, and culture-wide integration.
The SANS Institute 2025 survey mentioned that the industry has made tangible progress since this survey began in 2017. “Yet as the appendix data shows, gaps persist at the very layers of the Purdue Model where consequences are most severe. The challenge for 2026 and beyond is clear: Close those gaps before adversaries exploit them and transform today’s incremental improvements into tomorrow’s resilience,” it added.

In March, research from OPSWAT and the SANS Institute disclosed that ICS/OT cybersecurity budgets lag as attacks surge, exposing critical infrastructure to risk. The financial shortfall is particularly alarming given that over 50 percent of organizations have reported experiencing at least one security incident within their ICS/OT environments.

Anna Ribeiro, Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.