Claroty, a leading company in the protection of cyber-physical systems (CPS), has released a new report revealing the most coveted exposures for adversary exploitation in operational technology (OT) devices. Based on the analysis of nearly one million OT devices, the report "State of CPS Security 2025: OT Exposures" found more than 111,000 Known Exploitable Vulnerabilities (KEVs) in OT devices across manufacturing, logistics, transportation, and natural resources organizations, with over two-thirds (68%) of KEVs linked to ransomware groups. The report reveals the riskiest exposures for companies amid growing threats to critical sectors.
In the report, Claroty's renowned research group Team82 examines the challenges that industrial organizations face in identifying which Known Exploitable Vulnerabilities (KEVs) in OT devices to prioritize for remediation. The survey highlights how understanding the intersection of these vulnerabilities with popular threat vectors, such as ransomware and insecure connectivity, can help security teams proactively and efficiently minimize risks at scale. With offensive activity by threat actors increasing, the report details the risk that critical sectors face from OT assets communicating with malicious domains, including those from China, Russia, and Iran.
"The inherent nature of operational technology creates obstacles to protecting these mission-critical technologies," says Grant Geyer, Director of Strategies at Claroty. From the incorporation of offensive capabilities into networks to targeting vulnerabilities in outdated systems, threat actors can exploit these exposures to create risks to availability and security in the real world. As digital transformation continues to drive connectivity for OT assets, these challenges will only proliferate. There is a clear imperative for security and engineering leaders to shift from a traditional vulnerability management program to an exposure management philosophy, in order to ensure they can make the most impactful and feasible remediation efforts.
Main findings:
- Of the nearly one million OT devices analyzed, Claroty’s Team82 found that 12% contain Known Exploitable Vulnerabilities (KEVs), and 40% of organizations analyzed have a subset of these assets insecurely connected to the internet.
- 7% of devices are exposed with KEVs that have been linked to known ransomware samples and actors, and 31% of organizations analyzed have these assets insecurely connected to the internet.
- In the survey, 12% of organizations had OT assets communicating with malicious domains, demonstrating that the risk of threats to these assets is not theoretical.
- The manufacturing industry was found to have the highest number of devices with confirmed Known Exploitable Vulnerabilities (over 96,000), with over two-thirds (68%) of these linked to ransomware groups.
To access all of Claroty’s Team82 findings, in-depth analysis, and recommended security measures in response to vulnerability trends, download the report: “State of CPS Security 2025: OT Exposures”
Methodology
The report “State of CPS Security 2025: OT Exposures” provides an overview of trends in OT device vulnerabilities and exposures in the manufacturing, logistics and transportation, and natural resources sectors observed and analyzed by Team82, Claroty’s threat research team, and our data scientists.