Jason D. Christopher

The 2024 State of ICS/OT Cybersecurity: Our Past and Our Future

The 2024 State of ICS/OT report shows our industry’s growth since 2019 and offers insight into how we may improve going into 2029.

October 16, 2024

Next year will mark the 20th anniversary of the SANS ICS Security Summit—our community’s largest asset owner/operator-driven educational event. In the two decades since its launch, our industry has grown considerably. In the pre-Stuxnet age, we were influenced by increased communications and data flowing across the IT-OT boundary (if such a boundary even existed).

Today, those communications and data flows have increased in both quantity and sophistication—and so have the threats.

Since 2017, the annual SANS State of ICS/OT Cybersecurity survey has provided industry with a wealth of information to help calibrate and further refine our industrial cyber risk programs. By highlighting trends across critical infrastructure sectors, asset owners and operators can effectively benchmark aspects of their ICS/OT security capabilities. Since our first publication, the document has become a vital tool for CISOs, security leaders, and ICS/OT practitioners.

I am proud to have authored this year’s report, which continues the SANS tradition of providing actionable information for asset owners/operators of critical infrastructure—with a slight twist. New to the 2024 State of ICS/OT Cybersecurity report are observations on how the trends and data have changed over the past five years of previous reports. By expanding beyond the “snapshot in time” we traditionally provide, readers will be able to observe our industry’s growth since 2019—and infer how we may improve going into 2029.

Hot Takes on the SANS Five ICS Cybersecurity Critical Controls

This year’s report is organized based on the SANS Five ICS Cybersecurity Critical Controls, with questions, data, and trend analysis offered to guide an organization on how to apply the controls, which were originally published in October 2022 by Rob Lee and Tim Conway. Don’t want to read about secure remote access? Skip it! Interested in non-ransomware cyber incidents that impacted ICS/OT networks? Jump to that section! With over 30 figures, tables, and graphs—and an underlying dataset of several thousand data points—you can nerd out on just about anything.

But if you’re short on time, here are the “hot takes” and soundbites to use at your next security meeting (organized within the Five Critical Controls):

1. OT Incident Response

  • Thanks to the increase in ICS/OT-specific detection, we have gotten faster at detecting cyber incidents in our industrial environments—moving from an average of “days” in 2019 to “hours” in 2024.
  • Unfortunately, after detection, our industry is still lacking on ICS/OT-specific incident response, with only 56% of respondents having one.

2. Defensible Architecture

  • Our number one priority in creating a defensible architecture is still network protections, including boundary security measures—which makes sense, considering the number one attack vector into our ICS/OT networks is still pivoting from the enterprise IT network. Neither of these facts has changed drastically since 2019.
  • The most-used technology categories for ICS/OT cybersecurity architecture are access controls, endpoint detection and response (EDR), and segmentation, among others. Interestingly, both access controls and EDR saw massive growth across installations in industrial environments since 2019.

3. ICS Network Monitoring

  • While our industry has done a lot of recent work understanding ICS/OT networks and gaining visibility, we still have a long way to go. Only 12% of respondents had “extensive” ICS/OT network monitoring capabilities. This was the number one indicator for how quickly an ICS/OT cyber incident was detected.
  • Beyond ICS network monitoring, 70% of respondents use some sort of detection in their industrial facilities—even if visibility is limited.
  • Only a small portion of respondents, however, have a Security Operations Center (SOC) with ICS/OT capabilities (31%).

4. Secure Remote Access

  • Thankfully, multifactor authentication (MFA) has become the norm for remote access into ICS/OT networks, with 75% of respondents leveraging the technology.
  • That said, basic capabilities like logging and access verification are still absent for many practitioners.

5. Risk-Based Vulnerability Management

  • Like the use of MFA, performing annual ICS/OT-specific cybersecurity assessments can now be considered “table stakes” for industrial facilities. Historically, 70-75% of respondents have performed such annual assessments since 2019.
  • Unfortunately, most of these assessments are paper-based and very few provide the more technical findings from active vulnerability assessments or ICS/OT-specific penetration tests.

But wait, there’s more… on workforce and governance

Beyond the Five Critical Controls, this year’s report also dives deep into workforce management and governance, with some equally surprising hot takes:

  • The majority (52.6%) of the ICS/OT cybersecurity workforce has worked in the field for five years or less.
  • Most of the workforce also lacks job-relevant certifications, with only 49% holding (or having held) an ICS/OT-specific credential.

Completely understanding the reaction this next statement may invoke, the data is also clear:

CISOs officially “own” ICS/OT cybersecurity.

For years, and still today, there has been a debate on the owner of ICS/OT cybersecurity programs and the associated risks. The argument against CISOs owning ICS/OT programs is that individual facilities may know their systems better and that the CISO has historically been an IT-centric position with little influence on the culture in OT and operations. In teaching ICS418 with co-author Dean Parsons, the historic SANS response to this debate would be “it depends,” as we’ve all seen successes and failures when ICS/OT reports to either CISOs, CTOs, or VPs of Engineering.

Well, the data does not lie, and we can provide some more definitive insights.

First, per the chart below, it is apparent that since 2019, CISOs are highly favored to be the “leader” for ICS/OT cybersecurity:

[Figure: chart of who leads ICS/OT cybersecurity, by role, since 2019]

All the other categories, as not-so-subtly outlined above, are “noise” to the signal—CISOs are the primary owner time and again.

Meanwhile, this has an overwhelmingly positive influence on ICS/OT cybersecurity programs. The data routinely shows that a CISO-led ICS/OT cybersecurity program has a shared IT-OT budget, which tends to be larger than any specific industrial facility/site can manage on their own.

CISOs also bring order to the chaos. When a CISO is in charge of ICS/OT cybersecurity, 82% of their programs are mapped to standards, compared to 42% if no corporate-wide policies exist (a nearly two-fold difference).

Interestingly, this correlation has larger ramifications. Organizations that both map to security standards and use ICS/OT-specific threat intelligence to inform their programs tend to be quicker at detecting (and responding to) cybersecurity incidents. These organizations are 53% more likely to have documented all external connections to their industrial environments.

At the end of the day, the data is on the side of evolving the “Industrial CISO” to truly own and understand the implications of ICS/OT cybersecurity.

Does this mean every industrial CISO will be successful? Certainly not, and there will still be educational and cultural barriers to operating and sustaining these programs.

What does the future bring?

Like previous years, the 2024 State of ICS/OT Cybersecurity report analyzes the data behind ~40 technology categories used to manage industrial cyber risk. We included the full list in the appendix but dove deep on where the most growth will likely happen to 1) help asset owners/operators in their 3-5 year budget plans, and 2) attempt to forecast trends based on the 2019-2024 growth.

Suffice it to say, the future looks cloudy. Technologically, that is, as 26% of respondents are now utilizing cloud technologies for ICS/OT applications—marking a significant (+15%) increase from previous years.

Meanwhile, artificial intelligence (AI) is a hot topic for IT systems but still has a long way to go (rightfully so) until the technology will be leveraged in ICS/OT networks—though plans are already in the works across several organizations that participated in the survey.

Actionable next steps

After completing a look back from 2019-2024, the logical question should be “how do we prepare for the next five years?” Regardless of the starting point, where should organizations focus their time and effort?

Based on the data, the following three objectives have the highest correlations and indicators of a mature and robust ICS/OT cybersecurity program:

  1. Adopt a standards-based program with centralized governance and ICS-specific threat intelligence, which will obviously take time if not already underway. This is also not relegated to just mid-sized or large organizations—when threat intelligence is centralized across IT and OT into a single team or senior leader, small organizations also saw rapid maturity and improvements compared to their peers.
  2. Prioritize workforce development, especially when considering the relative “newness” for ICS/OT security practitioners compared to their IT peers who may have spent more years in their field. As mentioned in the beginning—at our first SANS ICS Security Summit we did not even have ICS-specific courses. That was 20 years ago. A lot has changed, and the workforce protecting critical infrastructure needs to keep pace with the changing technologies and risks within our industrial environments.
  3. Evaluate technology adoption to understand what trends have succeeded over the past five years and which technologies will be deployed over the next five years. If there’s a clear majority of organizations using a technology (MFA for remote access, EDR where possible, segmentation, etc.) and your organization still has not deployed it—now is the time to use these benchmarks to enact change and better secure your industrial facilities.

I encourage each of you to read the report in full—especially with the new historic trend information.

If you missed the webcast where we deep-dive into more specifics, be sure to check out the recording here.

Lastly, stay up-to-date and be sure to join us for the 20th anniversary of the SANS ICS Summit in June!
