
New Team82 Claroty research highlights urgent ransomware threats and insecure connectivity in mission-critical OT assets

Claroty, a leader in cyber-physical systems (CPS) protection, has released a new report revealing the exposures in operational technology (OT) devices that adversaries most covet for exploitation. Based on the analysis of nearly one million OT devices, the report “State of CPS Security 2025: OT Exposures” found more than 111,000 Known Exploitable Vulnerabilities (KEVs) in OT devices across manufacturing, logistics and transportation, and natural resources organizations, with over two-thirds (68%) of KEVs linked to ransomware groups. The report reveals the riskiest exposures for companies amid growing threats to critical sectors.

In the report, Claroty’s renowned research group Team82 examines the challenges industrial organizations face in identifying which Known Exploitable Vulnerabilities (KEVs) to prioritize for remediation on OT devices. The report highlights how understanding the intersection of these vulnerabilities with popular threat vectors, such as ransomware and insecure connectivity, can help security teams minimize risk at scale, proactively and efficiently. With offensive activity from threat actors increasing, the report details the risk critical sectors face from OT assets communicating with malicious domains, including those from China, Russia, and Iran.

“The inherent nature of operational technology creates obstacles to protecting these mission-critical technologies,” says Grant Geyer, Chief Strategy Officer at Claroty. “From incorporating offensive capabilities into networks to targeting vulnerabilities in outdated systems, threat actors can exploit these exposures to create real-world risks to availability and safety. As digital transformation continues to drive connectivity for OT assets, these challenges will only proliferate. There is a clear imperative for security and engineering leaders to shift from a traditional vulnerability management program to an exposure management philosophy, ensuring they can make the most impactful and feasible remediation efforts.”

Key findings:

  • Of the nearly one million OT devices analyzed, Claroty’s Team82 found that 12% contain Known Exploitable Vulnerabilities (KEVs), and 40% of the organizations analyzed have a subset of these assets insecurely connected to the Internet.
  • 7% of devices are exposed with KEVs that have been linked to known ransomware samples and actors, with 31% of the analyzed organizations having these assets insecurely connected to the Internet.
  • In the research, 12% of organizations had OT assets communicating with malicious domains, demonstrating that the threat risk to these assets is not theoretical.
  • The manufacturing industry was found to have the highest number of devices with confirmed Known Exploitable Vulnerabilities (over 96,000), with more than two-thirds (68%) of them linked to ransomware groups.

To access all findings, in-depth analysis, and security measures recommended by Claroty’s Team82 in response to vulnerability trends, download the report: State of CPS Security 2025: OT Exposures

Methodology

The report “State of CPS Security 2025: OT Exposures” provides an overview of vulnerability trends and OT device exposures in the manufacturing, logistics and transportation, and natural resources sectors observed and analyzed by Team82, Claroty’s threat research team, and our data scientists.
