SANS Institute 2025 Survey Reveals Surge in OT Cybersecurity Incidents Amid Rising Ransomware and Remote Access Threats
New research from the SANS Institute’s ICS/OT Cybersecurity Report reveals pressing developments in the realm of industrial cybersecurity, highlighting how ransomware, remote access issues, and real-world disruptions are reshaping the landscape for organizations reliant on operational technology (OT). Presented by Jason D. Christopher, a certified instructor at SANS, the 2025 survey provides invaluable insights into how defenders are currently responding to these escalating threats.
The survey paints a vivid picture of the ongoing challenges within industrial cybersecurity. Alarmingly, over one in five organizations—22%—reported experiencing a cybersecurity incident over the past year. Of these incidents, a substantial 40% resulted in operational disruptions, with nearly 20% dragging on for more than a month before a resolution was reached. While detection capabilities have seen improvement, the recovery process often falls behind. Nearly half of the incidents were detected within the first 24 hours and 60% were contained within 48 hours, yet remediation could extend for days, weeks, or even longer.
Remote access remains a significant vulnerability in industrial environments, with unauthorized external access implicated in half of all reported incidents. Despite the risks, only 13% of organizations have fully integrated advanced controls such as session recording or ICS/OT-aware access. This disconnect underscores a broader issue: preparedness across the sector varies immensely. While just 14% of respondents felt fully equipped to handle emerging threats, those who engaged frontline technicians in exercises showed a noteworthy increase in readiness—almost 1.7 times more likely to feel prepared.
Investment patterns reveal where organizations see the most significant value. Areas such as asset visibility, threat detection, and secure remote access lead the list for both current deployments and planned investments for 2026–2027. However, as Christopher points out, the journey toward effective cybersecurity is fraught with obstacles. He emphasizes the crucial need for enhanced visibility and network segmentation to effectively mitigate risks.
A noteworthy trend since last year is the improvement in detection and containment times for ICS/OT incidents. The survey indicates that nearly 50% of incidents are detected in under 24 hours, and containment follows closely behind. Nevertheless, the promising statistics stop short when it comes to remediation times, which still average days, and in some cases, stretch to over a year.
Preparedness continues to be a pivotal factor in the efficacy of response efforts. The report indicates that 57% of respondents possess a dedicated ICS/OT incident response plan, a slight increase from previous years—a sign of maturing strategies across the industry. In regulated environments, this figure jumps to 70% when paired with threat intelligence capabilities.
Matt Wiseman, director of product marketing at OPSWAT, highlights that merely increasing spending isn’t the answer. Instead, organizations should focus on smarter investments in essential controls like segmentation, secure remote access, and thorough scanning processes to improve overall safety and uptime.
Interestingly, while 39% of organizations test their incident response plans annually—down from previous years—there’s a notable increase in those conducting tests quarterly (25%). More frequent testing is correlated with varied methodologies, including operational drills and red and purple team exercises, contributing to a more robust incident response framework.
The report also underscores the necessity of adapting to the evolving threat landscape. About 67% of respondents leverage threat intelligence to some degree, with government sources and industry information-sharing centers playing a vital role. Moreover, almost 80% of those with an incident response plan updated it in 2025, driven primarily by the integration of threat intelligence and compliance with regulatory changes.
Despite improvements, secure remote access continues to be a challenge. Enhanced multifactor authentication (MFA) capabilities have been incorporated, yet standard practices still exhibit significant gaps. Only 13% of organizations have fully implemented crucial features such as remote access segmentation and vendor-managed access restrictions. The report identifies lack of resources and legacy system compatibility as major barriers to implementing secure remote access protocols across ICS/OT environments.
The findings reiterate that cybersecurity must not function in isolation. Engaging field technicians, engineers, and operators in cybersecurity exercises enhances organizations’ readiness and resilience. Dean Parsons, a Principal Instructor at SANS, notes that those closest to critical systems best understand how cyber incidents can disrupt safety and reliability.
The survey reflects varying maturity levels across capabilities according to the Purdue Model. Detection capabilities show the most progress, with 28% reporting full ICS/OT program coverage for detection, but vulnerability management and threat hunting remain significantly lagging.
Looking ahead, interviews indicate that industrial organizations will stay the course with investments in asset visibility, secure remote access, and threat detection. Regulated facilities are leading the pack, enjoying a higher level of maturity in security technologies.
The SANS Institute 2025 survey encapsulates a critical juncture for industrial cybersecurity. While advancements are clear, challenges such as slow remediation times, gaps in advanced practices like threat hunting, and significant remote access risks remain areas for improvement. Organizations must embrace a more integrated approach, moving beyond basic compliance toward a culture of resilience that engages all facets of the organization in cybersecurity preparedness.