An inside look at the operational realities shaping industrial cybersecurity in 2025.

Now in its eighth year, the SANS State of ICS/OT Security 2025 Report continues to serve as a mirror for the industrial cybersecurity community, capturing how asset owners, operators, and defenders are adapting to the realities of an increasingly connected ICS landscape. Each edition reveals not only how far our community has come, but also how the nature of risk continues to evolve amid the rise of digital transformation in industrial environments.
The 2025 report highlights that evolution in sharp context. Detection and containment are faster than ever before, a testament to years of investment in visibility, monitoring, and coordinated incident response. Yet full post-breach restoration remains slow, with many organizations still struggling to recover operations safely after an event. That divide defines a “two-speed reality” uncovered in the report’s analysis. Defenders are moving faster, but the systems they protect still demand precision, patience, and deeper integration of cyber, safety, and operational disciplines.
I'm proud to have authored this year’s report, which draws on the experiences of more than 330 ICS security professionals across energy, manufacturing, water, transportation, and other essential industries. The data shows that while our community has made undeniable progress, resilience remains uneven. More work must be done to sustain secure and reliable operations for the systems that make, move, and power our world. The following takeaways outline the 2025 report’s key findings, showing where ICS security is advancing, where it’s stalled, and where the next breakthroughs in resilience must occur.
More than one in five organizations (21.5%) reported experiencing a cybersecurity incident over the past year, and four in 10 of those events caused operational disruption. That statistic alone underscored that, for most critical infrastructure operators, ICS attacks are no longer theoretical. They are operational events that demand the same safety, reliability, and continuity processes as mechanical or environmental disruptions.
Above all, the report showcased clear progress in detection and containment. Nearly half (49%) of all incidents were detected within 24 hours, and 55% were contained within 48 hours, clear evidence that investments in detection engineering, log correlation, anomaly analysis, and real-time visibility over the past five years are paying off. However, the data also revealed a significant recovery gap. While many organizations detect and respond quickly, the path to full restoration is far longer. Nearly one in five incidents required more than a month to remediate.
The containment-to-restoration gap is largely due to the physical nature of ICS environments. Industrial control systems govern physical processes that can’t be simply reimaged or restarted. Bringing plants, substations, or production lines back online safely requires device state validation, process checks, and coordination with safety and reliability. Operators must ensure that every change is verified before reintroducing processes that affect power flow, pressure, or even chemical reactions. Speed can never come at the expense of safety. This reality underscores the importance of integrating cybersecurity into business continuity and disaster recovery planning, rehearsing validated restoration steps, and measuring time-to-safe-operating-state cycles.
Compliance continues to prove its value as a catalyst for resilience. Regulated sites experience roughly the same number of incidents as their peers but suffer about 50% fewer financial and safety impacts. That distinction comes down to structure and accountability. Regulations such as NERC CIP, TSA pipeline directives, and EU NIS2 require asset owners to define their critical systems, document access control, logging, and evidence processes, and subject those systems to regular internal and external audits. In other words, compliance forces organizations to operationalize discipline.
The result is what can be described as cyber safety: a fusion of safety culture, compliance culture, and cybersecurity execution. Regulations, when properly implemented, serve as the “double-check” mechanism that ensures security programs function as designed. They require teams to test, validate, and demonstrate that safeguards are working, not just assumed to be. Compliance by itself does not eliminate incidents, but it can consistently reduce incident impact when controls are implemented as designed and evidenced.
This year’s data validates a direct relationship between ICS-specific threat intelligence programs and improved operational outcomes. Organizations that leveraged threat intelligence were more likely to adjust defensive priorities, improve detection logic, and accelerate segmentation projects.
What sets these organizations apart is how they use intelligence. Too many programs collect threat data but stop short of acting on it. Mature programs operationalize threat intelligence as a continuous feedback loop that correlates multiple sources, validates indicators through hunts, updates detection rules, and measures how quickly those updates propagate to the production environment. Another important insight is the need for multi-source visibility. Relying solely on an ISAC or vendor feed limits perspective to what threats other organizations have already seen. A balanced program blends external feeds with internal telemetry, creating a more adaptive, evidence-based understanding of attacker behavior. Programs that use intelligence to drive hunts and detection activities report higher readiness and faster containment, which allows them to stay ahead of emerging threats.
Half of all reported incidents this year began with unauthorized external access. Even as multi-factor authentication becomes commonplace, fewer than 15% of organizations have implemented advanced ICS-aware controls including session recording, device-specific access, or real-time approvals. Much of this exposure stems from changes made during the pandemic. Remote access expanded rapidly in 2020 to maintain operations, and many of those ad-hoc measures never reverted to structured, safety-driven models. Five years later, industrial networks are still dependent on connectivity that was never designed to be permanent.
Remote access has become part of the fabric of industrial operations. It is here to stay, but it must evolve. That starts with treating it as a process control function in its own right. True ICS-aware remote access design means controlling every connection through a brokered gateway or jump host, verifying both device and user identity, recording sessions for auditability, and requiring explicit approvals for privileged actions. Without that, organizations risk turning operational convenience into systemic vulnerability.
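The brokered-gateway model described above can be made concrete as a policy check that every inbound session must pass before it is forwarded. The following is an added example, not code from the report or from SANS: it assumes a hypothetical gateway that holds an inventory of enrolled devices, a per-user target scope, and a list of change tickets approving privileged work. Device identity is checked first, then MFA-backed user identity, then target scope, and finally an explicit approval for any session that will issue writes or configuration changes; every decision, allow or deny, yields an audit record and flags the session for recording.

```python
"""Added example: policy evaluation for a brokered ICS remote-access gateway.

All inventory values below are constructed for illustration; the gateway,
device names, users and ticket ids are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed inventory the hypothetical gateway would hold.
ENROLLED_DEVICES = {"eng-laptop-17", "vendor-kiosk-03"}          # device identities enrolled with the broker
ALLOWED_TARGETS = {"alice": {"plc-01", "hmi-02"}, "vendor-bob": {"plc-01"}}  # per-user reachable assets
APPROVED_TICKETS = {"CHG-1042": ("alice", "plc-01")}             # ticket -> (user, target) approved for privileged work


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool           # user identity already confirmed with a second factor
    device_id: str               # identity presented by the connecting endpoint
    target: str                  # asset the session wants to reach
    privileged: bool             # True if the session will issue writes / config changes
    approval_ticket: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


def evaluate(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    """Apply the checks in a fixed order and always return an audit record.

    Order matters: an unenrolled device is refused before any user credential is
    considered, and scope is enforced before the approval check so a valid ticket
    for one asset cannot be reused against another.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    audit = {
        "ts": ts,
        "user": req.user,
        "device": req.device_id,
        "target": req.target,
        "privileged": req.privileged,
        "record_session": True,     # every brokered session is recorded for auditability
    }
    if req.device_id not in ENROLLED_DEVICES:
        return Decision(False, "device not enrolled with gateway", audit)
    if not req.mfa_verified:
        return Decision(False, "user identity not MFA-verified", audit)
    if req.target not in ALLOWED_TARGETS.get(req.user, set()):
        return Decision(False, "target outside user's approved scope", audit)
    if req.privileged and APPROVED_TICKETS.get(req.approval_ticket) != (req.user, req.target):
        return Decision(False, "privileged action lacks explicit approval", audit)
    return Decision(True, "allowed", audit)


def check(user: str, mfa: bool, device: str, target: str,
          privileged: bool = False, ticket: Optional[str] = None) -> Decision:
    """Convenience wrapper so callers do not need to build an AccessRequest by hand."""
    return evaluate(AccessRequest(user, mfa, device, target, privileged, ticket))


if __name__ == "__main__":
    # Constructed sample requests a gateway might see during one shift.
    samples = [
        check("alice", True, "eng-laptop-17", "hmi-02"),                      # read-only, in scope -> allowed
        check("alice", True, "eng-laptop-17", "plc-01", privileged=True),     # write without ticket -> denied
        check("alice", True, "eng-laptop-17", "plc-01", True, "CHG-1042"),    # write with approval -> allowed
        check("vendor-bob", True, "vendor-kiosk-03", "hmi-02"),               # out of vendor scope -> denied
        check("alice", True, "unknown-pc", "plc-01"),                         # unenrolled device -> denied
    ]
    for d in samples:
        print(("ALLOW " if d.allowed else "DENY  ") + d.reason, d.audit)
```

The audit dictionary is what would be shipped to the OT SIEM or historian alongside the session recording; keeping it on the deny path as well as the allow path is what makes refused connections visible, which is where repeated attempts from unenrolled devices or out-of-scope targets would show up.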
Only 14% of respondents reported feeling fully prepared for emerging threats, a statistic that reflects both a capability and a culture gap. But within that number lies one of the most actionable insights in the report: organizations that include field technicians and operators in cybersecurity tabletop exercises report readiness levels 1.7 times higher than those that don’t. That difference shows that preparedness in ICS environments cannot be achieved solely from the boardroom or security operations center. The people who operate, maintain, and repair systems every day understand safe states, control limits, and real-world recovery constraints better than anyone. Their insight is essential to effective incident response and remediation.
Too often, exercises and tabletop scenarios exclude the very people who will have to execute recovery procedures under pressure. When operators, engineers, and maintenance staff are included, the lessons become tangible. Teams build muscle memory that improves both communication and confidence during real events. Preparedness is a measure of cross-functional coordination. The organizations that eliminate silos between IT, OT, and engineering will continue to outperform peers when it matters most.
The 2025–2027 investment priorities cited by survey respondents reveal that the industry is learning from experience. Asset visibility, detection, secure remote access, and vulnerability management top the list, all capabilities that directly address the causes of most industrial incidents.
It was also notable to see how these investments mirror real-world threat activity. Concerns about long-dwell espionage campaigns like Volt Typhoon have accelerated adoption of segmentation and telemetry at the lower Purdue levels. Ransomware incidents have driven new interest in validated restoration planning and offline backup integrity. In other words, the industry is aligning its spending with its most urgent scenarios, a sign of growing maturity.
Still, investment must also expand its reach. Larger organizations with regulatory mandates and mature security programs are progressing quickly, while smaller or less-regulated operators remain behind. The next wave of maturity will depend on spreading those best practices and technologies to every layer of the ecosystem, from the enterprise network to the smallest remote site. The sector’s long-term health will depend on how well the community raises the baseline, not just how far the leaders advance.
The SANS State of ICS/OT Security 2025 Report shows a sector in transition. Detection is faster, intelligence is more actionable, and investment momentum is strong. Yet resilience remains uneven, and the consequences of that imbalance are real.
A critical throughline in this year’s findings is the renewed focus on segmentation as the connective tissue between visibility and resilience. Effective segmentation does more than divide networks; it defines how organizations contain disruption, preserve safety, and accelerate recovery. It’s the architectural expression of operational discipline, the difference between knowing where risk lives and proving you can isolate it when it matters. The task ahead is to level the field, ensuring that every organization, regardless of size or maturity, can detect fast, restore safely, and sustain operations with confidence.
Read the full SANS State of ICS/OT Security 2025 Report to explore how ICS defenders can turn these findings into action – and how SANS’s ICS curriculum equips teams to do it.
If you missed our Webcast, check out the recording here.


Jason D. Christopher, Energy Impact Partners SVP, teaches ICS456 and co-authors ICS418, turning regulation into safe, reliable OT-supporting programs and metrics to align practitioners and leaders on clear, defensible action.