Factory Tech News

Systemic Cyber Risk from Exposed ICS/OT Devices

A sharp rise in exposed ICS/OT devices across critical infrastructure sectors is intensifying systemic cyber risk, fueled by legacy flaws and poor segmentation.

A sharp increase in exposed industrial control system (ICS) and operational technology (OT) devices is intensifying systemic cyber risk across critical infrastructure sectors, including manufacturing, energy, and transportation. A study by Bitsight reported that the number of internet-accessible ICS devices grew from approximately 160,000 at the start of 2024 to over 180,000 by year-end, with projections exceeding 200,000 before the close of 2025. Many of these devices speak protocols with no built-in authentication or encryption and are deployed without adequate access controls, leaving fuel infrastructure, water treatment, and building automation systems reachable by anyone who scans for them.

Background

ICS and OT systems, including Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs), run industrial automation across sectors such as energy, transportation, and manufacturing. Analysts note that these systems were frequently designed with a focus on availability and functionality, often at the expense of security. As a result, many deployments remain exposed long after their vulnerabilities have been publicly disclosed and fixes published, because the devices are rarely patched or taken offline.

Recent threat intelligence reports underscore the rise of OT-focused cyber threats. Dragos' 2025 OT/ICS Cybersecurity Report documented an 87% year-over-year increase in ransomware targeting OT environments, highlighted the appearance of new malware families such as FrostyGoop and Fuxnet, and tracked the activities of threat groups including BAUXITE and GRAPHITE. These groups leveraged exposed devices across energy, water, chemical manufacturing, and logistics sectors.

Details

Bitsight's data shows that a substantial number of newly connected ICS devices lack robust network segmentation or authentication. Automatic Tank Gauging (ATG) systems at fuel stations were often deployed without password protection or relied on insecure login methods, making them vulnerable to remote interference with fuel deliveries or safety-critical functions.

Claroty's "State of CPS Security 2025: OT Exposures" report, based on an analysis of nearly one million OT devices, found that 12% carried vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and 40% of organizations maintained direct internet connections to at least some of these at-risk devices. Additionally, 7% of OT devices harbored KEVs tied to ransomware, with 31% of organizations exposing such assets online.
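The two Claroty metrics above (share of devices carrying a KEV, share of organizations with such a device directly reachable from the internet) are straightforward to compute over an asset inventory, and the same data yields a remediation order. The following is an added example, not code from the article, Claroty, or Bitsight; the inventory, the CVE identifiers and the small KEV subset are constructed for illustration and do not correspond to real catalog entries.

```python
"""Exposure triage over an OT asset inventory (added example, constructed data)."""
from dataclasses import dataclass

# Constructed stand-in for the CISA KEV catalog. The flag mirrors the catalog's
# annotation of entries known to be used in ransomware campaigns.
KEV_CATALOG = {
    "CVE-2000-0001": {"ransomware": True},
    "CVE-2000-0002": {"ransomware": False},
    "CVE-2000-0003": {"ransomware": True},
}


@dataclass
class Asset:
    org: str
    name: str
    kind: str               # e.g. "PLC", "HMI", "ATG"
    cves: list              # CVE ids reported by the asset's firmware version
    internet_exposed: bool  # directly reachable from the internet
    auth: str               # "none", "default", "password" or "mfa"


# Constructed inventory: four organizations, eight devices.
INVENTORY = [
    Asset("org-a", "plc-01", "PLC", ["CVE-2000-0001"], True, "none"),
    Asset("org-a", "hmi-01", "HMI", [], False, "password"),
    Asset("org-b", "atg-01", "ATG", [], True, "none"),
    Asset("org-b", "plc-02", "PLC", ["CVE-2000-0002"], False, "password"),
    Asset("org-c", "rtu-01", "RTU", ["CVE-2000-0003", "CVE-2000-0099"], True, "default"),
    Asset("org-c", "hmi-02", "HMI", ["CVE-2000-0099"], False, "mfa"),
    Asset("org-d", "plc-03", "PLC", ["CVE-2000-0002"], True, "password"),
    Asset("org-d", "hist-01", "Historian", [], False, "mfa"),
]


def kev_hits(asset):
    """CVEs on the asset that appear in the KEV catalog."""
    return [c for c in asset.cves if c in KEV_CATALOG]


def ransomware_kev_hits(asset):
    return [c for c in kev_hits(asset) if KEV_CATALOG[c]["ransomware"]]


def triage(inventory):
    """Per-device and per-organization exposure statistics."""
    orgs = {a.org for a in inventory}
    with_kev = [a for a in inventory if kev_hits(a)]
    with_rw_kev = [a for a in inventory if ransomware_kev_hits(a)]
    orgs_exposing_kev = {a.org for a in with_kev if a.internet_exposed}
    orgs_exposing_rw = {a.org for a in with_rw_kev if a.internet_exposed}
    # Devices reachable from the internet with no or default credentials,
    # the ATG situation described in the article.
    unauth_exposed = [a for a in inventory
                      if a.internet_exposed and a.auth in ("none", "default")]
    return {
        "devices": len(inventory),
        "kev_device_share": len(with_kev) / len(inventory),
        "ransomware_kev_device_share": len(with_rw_kev) / len(inventory),
        "orgs": len(orgs),
        "orgs_exposing_kev_share": len(orgs_exposing_kev) / len(orgs),
        "orgs_exposing_ransomware_kev_share": len(orgs_exposing_rw) / len(orgs),
        "unauthenticated_exposed": [f"{a.org}/{a.name}" for a in unauth_exposed],
    }


def priority(asset):
    """Remediation score: internet exposure dominates, then ransomware KEV,
    then any KEV, then weak authentication. Scoring weights are assumed."""
    score = 4 if asset.internet_exposed else 0
    if ransomware_kev_hits(asset):
        score += 3
    elif kev_hits(asset):
        score += 2
    if asset.auth in ("none", "default"):
        score += 1
    return score


def remediation_order(inventory):
    """Assets as (score, 'org/name'), highest priority first."""
    ranked = sorted(inventory, key=lambda a: (-priority(a), a.org, a.name))
    return [(priority(a), f"{a.org}/{a.name}") for a in ranked]


if __name__ == "__main__":
    for k, v in triage(INVENTORY).items():
        print(f"{k}: {v}")
    for score, name in remediation_order(INVENTORY):
        print(score, name)
```

The ordering puts an internet-exposed PLC with a ransomware-linked KEV and no password ahead of an isolated PLC with the same flaw, which is the point of pairing exposure data with the KEV list rather than patching by CVSS alone.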

Zscaler reported a 387% surge in IoT and OT cyberattacks targeting the energy sector, while manufacturing and transportation accounted for nearly 20% of global IoT-related attacks. This trend highlights the increasing risk in industrial environments with flat network structures, which enable lateral movement following a breach.

Cyble Intelligence Labs observed that ICS vulnerability disclosures rose by roughly 45% in 2025, from 1,690 in 2024 to 2,451, spanning 152 vendors. Manufacturing was the most affected sector, with about 600 entities targeted, followed by 477 in healthcare. Hacktivist groups such as Z-Pentest and Dark Engine intensified operations against exposed Human-Machine Interfaces (HMIs) and other industrial technologies.

Outlook

Security experts advise infrastructure operators, manufacturers, and vendors to prioritize network segmentation, remote access controls, and comprehensive threat visibility across IT and OT environments. Recommended practices include enforcing zero-trust principles with strong identity management and multifactor authentication, placing an industrial demilitarized zone (DMZ) between enterprise and control networks so that no remote session terminates directly on a controller, and patching on a schedule compatible with operational constraints, with compensating controls such as network isolation and protocol-aware monitoring where immediate patching is impractical. Adoption of frameworks such as the National Institute of Standards and Technology (NIST) SP 800-82 guidance on OT security and the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Performance Goals 2.0 is expected to support long-term cyber resilience, though widespread implementation is projected to extend through 2026 and beyond.
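The segmentation advice above is easiest to act on once it is written down as an explicit zone-and-conduit policy that firewall flow records can be checked against. The following is an added example, not code from the article or any vendor: it encodes a constructed address plan (enterprise, industrial DMZ, OT control, OT field), a whitelist of permitted conduits, and evaluates constructed flow log lines against it, flagging exactly the flat-network paths the article warns about (direct internet-to-OT access and IT-to-PLC access that bypasses the DMZ jump host). The log format, addresses, ports and zone names are all assumptions.

```python
"""Zone-and-conduit policy audit over firewall flow records (added example)."""
import ipaddress
import re

# Constructed address plan. Anything outside it is treated as untrusted
# ("internet"), which is the conservative default for an OT boundary.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "idmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("10.30.0.0/24"),
    "ot_field": ipaddress.ip_network("10.31.0.0/24"),
}

# Permitted conduits as (src_zone, dst_zone, dst_port); everything else is a
# violation. Remote access terminates on the IDMZ jump host; only the IDMZ may
# open sessions into OT, and OT may only push data outward to the IDMZ.
ALLOWED = {
    ("internet", "idmz", 443),
    ("enterprise", "idmz", 443),
    ("enterprise", "idmz", 3389),
    ("idmz", "ot_control", 3389),
    ("ot_control", "ot_field", 502),   # Modbus/TCP, control to field only
    ("ot_control", "idmz", 4000),      # historian replication outward
}

# Assumed firewall log layout; real exports differ and need their own regex.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)

# Constructed flow records; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for arbitrary internet hosts.
SAMPLE_LOG = [
    "2025-06-01T10:00:01Z src=203.0.113.7:51000 dst=10.30.0.15:502 proto=tcp action=allow",
    "2025-06-01T10:00:02Z src=10.10.5.23:61000 dst=10.31.0.9:502 proto=tcp action=allow",
    "2025-06-01T10:00:03Z src=10.10.5.23:61001 dst=10.20.0.5:3389 proto=tcp action=allow",
    "2025-06-01T10:00:04Z src=10.20.0.5:55000 dst=10.30.0.15:3389 proto=tcp action=allow",
    "2025-06-01T10:00:05Z src=10.30.0.15:4400 dst=10.31.0.9:502 proto=tcp action=allow",
    "2025-06-01T10:00:06Z src=198.51.100.4:40000 dst=10.20.0.5:443 proto=tcp action=allow",
    "2025-06-01T10:00:07Z src=10.30.0.15:4401 dst=10.30.0.16:44818 proto=tcp action=allow",
    "2025-06-01T10:00:08Z src=10.31.0.9:1000 dst=203.0.113.50:443 proto=tcp action=allow",
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line):
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def evaluate(flow):
    """Classify one flow against the conduit policy."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    result = {"src_zone": src_zone, "dst_zone": dst_zone}
    if src_zone == dst_zone:
        result.update(verdict="permitted", reason="intra-zone")
    elif (src_zone, dst_zone, flow["dport"]) in ALLOWED:
        result.update(verdict="permitted", reason="conduit")
    elif src_zone == "internet" and dst_zone.startswith("ot_"):
        result.update(verdict="violation", reason="direct internet-to-OT access")
    elif src_zone == "enterprise" and dst_zone.startswith("ot_"):
        result.update(verdict="violation", reason="IT-to-OT path bypassing the IDMZ")
    else:
        result.update(verdict="violation", reason="no conduit defined")
    return result


def audit(lines):
    """Return one finding per flow the policy does not permit."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict = evaluate(flow)
        if verdict["verdict"] == "violation":
            findings.append({
                "src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
                "path": f"{verdict['src_zone']}->{verdict['dst_zone']}",
                "reason": verdict["reason"], "firewall_action": flow["action"],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

Every finding in the sample carries `firewall_action=allow`, which is the useful signal: the firewall is configured flatter than the written policy. The last record, a field device opening an outbound HTTPS session to the internet, is flagged even though no rule names it, because a whitelist of conduits denies by default; an allowlist is what makes "no direct OT-to-internet connectivity" enforceable rather than aspirational.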