New SANS Institute research finds that 50% of global organizations were hit by an OT security incident in the past year
# Incident Report: Pervasive OT Security Incidents Due to IT/OT Convergence
## Executive Summary
Half (50%) of global organizations experienced a serious Operational Technology (OT) security incident within the last year, according to a survey by the SANS Institute and OPSWAT. The most common attack vector was an IT compromise that bridged into traditionally siloed OT environments, with consequences including data loss and operational disruption. Security budgets are increasing, but too few dedicated OT resources and spending that remains focused on traditional IT systems leave critical ICS/OT infrastructure dangerously exposed.
## Incident Details
- **Discovery Date:** Findings are based on survey data covering the 12 months leading up to the March 2025 report date.
- **Incident Date:** Ongoing occurrences spanning the last 12 months.
- **Affected Organization:** Global organizations surveyed across Energy, IT, Government, and other critical infrastructure sectors (over 180 professionals polled).
- **Sector:** Critical Infrastructure (Energy, Government, Industrial Control Systems/OT).
- **Geography:** Global.
## Timeline of Events
*Note: This report summarizes aggregate findings across multiple incidents over a year, not a single event.*
### Initial Access
- **Date/Time:** Ongoing (within the last 12 months).
- **Vector:** "IT compromise" (cited by 58% of respondents as the primary OT attack vector), meaning the initial breach occurred within the Information Technology network.
- **Details:** Attackers leveraged the convergence between IT and OT environments to turn an IT foothold into OT access.
### Lateral Movement
- **Details:** Because IT compromise is the leading vector, successful lateral movement from the standard IT network into the Operational Technology (OT) or Industrial Control System (ICS) networks is strongly implied, bypassing whatever segmentation controls were in place.
### Data Exfiltration/Impact
- **Impact:** Incidents resulted in data loss, unauthorized access, or operational disruption.
### Detection & Response
- **Detection:** The data is based on retrospective reporting by security professionals.
- **Response Actions:** Organizations are prioritizing investment in defensible network architecture, ICS-specific incident response capabilities, and real-time visibility tools.
## Attack Methodology
*Note: Specific TTPs are not detailed, but the primary means of entry and focus are evident from the context.*
- **Initial Access:** IT network compromise (most common vector).
- **Persistence:** (Not explicitly detailed, but implied necessary post-compromise).
- **Privilege Escalation:** (Not explicitly detailed).
- **Defense Evasion:** (Not explicitly detailed).
- **Credential Access:** (Likely involved to move from IT to OT).
- **Discovery:** (Likely involved network reconnaissance).
- **Lateral Movement:** Movement from IT infrastructure into ICS/OT networks.
- **Collection:** Staging of the data later reported as lost, or preparation for operational impact (inferred).
- **Exfiltration:** Data loss reported in some incidents.
- **Impact:** Operational disruption, unauthorized access, and data loss.
## Impact Assessment
- **Financial:** Budgets are growing (55% over two years), showing that the financial risk is recognized, but the investment is misaligned with where OT exposure actually lies.
- **Data Breach:** Data loss was reported as an outcome of the security incidents.
- **Operational:** Operational disruption was cited as a key impact, threatening core business functions ("in an ICS organization, the ICS is the business").
- **Reputational:** Not explicitly detailed, but disruption to critical infrastructure inherently carries high reputational risk.
## Indicators of Compromise
*No specific IoCs were provided in the summary as it discusses industry trends, not a specific case.*
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Network flows originating in IT and terminating in OT that are not on an explicit, engineering-approved allow list. Where segmentation is weak or absent, this IT-to-OT crossing is the critical behavioral indicator to monitor.
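As an added example, not taken from the SANS/OPSWAT report or the underlying survey, the following Python script implements that behavioral indicator over flow records: it flags any flow entering the OT zone from IT, the OT DMZ, or an unknown address that is not covered by an explicit allow list. The zone CIDRs, the allow list (a DMZ jump host over RDP and a historian replication path) and the sample flows are constructed assumptions for illustration.

```python
"""Flag IT-to-OT network flows that are not on an explicit allow list.

Illustrative detector only. The zone layout, allow list and flow records
below are constructed for this example and are not from the SANS/OPSWAT
report.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) zone layout: corporate IT, an OT DMZ holding a jump
# host and a historian relay, and the OT/ICS process network.
IT_ZONES = [ip_network("10.10.0.0/16")]
DMZ_ZONES = [ip_network("10.20.0.0/24")]
OT_ZONES = [ip_network("192.168.100.0/24")]

# Permitted paths into OT as (source CIDR, destination CIDR, dst port).
# Only the DMZ jump host may reach OT over RDP, and only the historian relay
# may reach the OT historian on its replication port. Anything else that
# crosses into OT is reported.
ALLOW_LIST = [
    (ip_network("10.20.0.10/32"), ip_network("192.168.100.0/24"), 3389),
    (ip_network("10.20.0.20/32"), ip_network("192.168.100.50/32"), 5432),
]


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (e.g. from NetFlow or a firewall log)."""
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone; addresses outside every zone are UNKNOWN."""
    a = ip_address(addr)
    if any(a in net for net in OT_ZONES):
        return "OT"
    if any(a in net for net in DMZ_ZONES):
        return "DMZ"
    if any(a in net for net in IT_ZONES):
        return "IT"
    return "UNKNOWN"


def is_allowed(flow: Flow) -> bool:
    """True if the flow matches an allow-list entry on source, destination and port."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    return any(s in src and d in dst and flow.dport == port
               for src, dst, port in ALLOW_LIST)


def find_crossings(flows):
    """Return flows that enter OT from outside OT and are not allow-listed.

    Only the inbound direction is inspected: OT-to-IT return traffic and
    OT-internal flows are out of scope for this indicator, so they are
    skipped rather than reported.
    """
    return [f for f in flows
            if zone_of(f.dst) == "OT" and zone_of(f.src) != "OT"
            and not is_allowed(f)]


def hits_by_source(hits):
    """Count flagged flows per source address to prioritise investigation."""
    counts = {}
    for f in hits:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample flows covering the cases the detector must distinguish.
SAMPLE_FLOWS = [
    Flow("10.20.0.10", "192.168.100.21", 3389, "tcp"),   # jump host RDP: allowed
    Flow("10.10.5.33", "192.168.100.21", 3389, "tcp"),   # IT workstation direct to OT: flag
    Flow("10.10.5.33", "192.168.100.21", 445, "tcp"),    # SMB from IT into OT: flag
    Flow("10.20.0.20", "192.168.100.50", 5432, "tcp"),   # historian replication: allowed
    Flow("10.20.0.20", "192.168.100.51", 5432, "tcp"),   # relay to a non-approved OT host: flag
    Flow("192.168.100.21", "10.10.5.33", 49152, "tcp"),  # OT -> IT: not inspected
    Flow("192.168.100.21", "192.168.100.22", 502, "tcp"),  # OT internal Modbus: not inspected
    Flow("172.16.9.9", "192.168.100.21", 22, "tcp"),     # unknown source into OT: flag
]

if __name__ == "__main__":
    hits = find_crossings(SAMPLE_FLOWS)
    for f in hits:
        print(f"ALERT {zone_of(f.src)}->OT {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print("by source:", hits_by_source(hits))
```

Feeding real flow data in requires only building `Flow` records from the collector's export; the decision logic stays the same. Treating unknown sources as reportable, rather than silently ignoring them, matters because dual-homed or unmanaged hosts often sit outside the documented zone CIDRs.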
## Response Actions
The response focus is primarily on future investment strategies identified as priorities:
- **Containment (Future Focus):** Implementing an ICS/OT defensible network architecture that enforces robust segmentation, so that an IT breach is contained before it reaches OT.
- **Eradication (Future Focus):** Developing ICS-specific incident response plans covering standard ICS and specialized engineering devices.
- **Recovery (Future Focus):** Architectures supporting real-time network visibility and situational awareness.
## Lessons Learned
- The convergence of IT and OT has become the primary attack vector, confirming that traditionally siloed environments are now linked and vulnerable to cross-domain compromise.
- Cybersecurity budget increases are not translating into adequate protection for OT environments, as investment remains heavily focused on traditional IT support systems.
- A significant resource shortfall exists, with only 9% of professionals dedicated solely to OT security, despite OT being central to the business operations of critical infrastructure.
## Recommendations
- Re-evaluate security threats specifically targeting ICS/OT environments, as these are increasingly sophisticated.
- Prioritize investment in network segmentation to create defensible boundaries between IT and OT.
- Ensure security budgeting reflects the criticality of ICS/OT systems, recognizing that protecting these assets is essential for operational resilience.
- Increase dedicated staffing and expertise focused solely on OT security operations and incident response.
- Implement robust security controls for removable media and transient devices used by engineering and maintenance personnel.