The Colonial Pipeline blackout of May 2021 remains a cautionary touchstone: ransomware that began in corporate IT cascaded into physical shortages and public alarm, a stark demonstration that operational technology (OT) insecurity costs more than data — it can disrupt energy, water, food and transportation networks at scale. That dynamic is reappearing across 2024–2025: survey data, insurer-backed modelling and multiple high-severity vulnerability disclosures now paint a picture of rising OT threats, rapidly expanding attack surfaces, and real-dollar exposure that demands urgent, pragmatic action from security teams and executives alike.
This feature unpacks the latest intelligence: what the numbers say about frequency and economic exposure, which technical flaws are currently being weaponized against OT stacks, why OT defense still lags IT in important ways, and — crucially — what actionable controls and governance shifts materially reduce risk for critical infrastructure operators.

Background: OT is no longer "air‑gapped"

Operational technology historically prioritized availability and determinism over modern security primitives. Over the past decade that narrow design focus collided with three trends that created systemic risk:
  • Convergence: IT and OT networks increasingly share the same corporate backbone, remote access tooling, and cloud telemetry pipelines.
  • Legacy lifecycles: Industrial devices and control systems commonly remain in place for 10–20+ years, long after their vendor-supplied components stop receiving regular security updates.
  • Externalization and third‑party integration: Remote engineering, managed service providers and device ecosystems introduce complex supply‑chain dependencies.
Those factors make OT a prime target for ransomware, espionage and disruptive attacks. Recent industry research and incident analyses reinforce that these are not hypothetical threats but active, escalating realities. (fortinet.com)

The financial math: hundreds of billions at risk

A major new study from Dragos in partnership with Marsh McLennan’s Cyber Risk Intelligence Center places the tail risk for OT cyber incidents into cold, financial terms: an extreme, low‑probability scenario (modeled at roughly a 0.4% annual likelihood) could expose up to approximately $329.5 billion in combined direct and indirect losses in a single year, with business interruption (BI) representing about $172 billion of that figure. In more typical years, Dragos’ modelling shows an average annual global OT cyber risk nearer to $12.7 billion, and a 12‑month aggregated risk around $31 billion. Those numbers are insurer‑grade and are built from a decade of claims and incident data, not guesswork. (dragos.com, helpnetsecurity.com)
Why does the loss figure balloon so quickly in a tail event? Two factors dominate:
  • Indirect costs such as halting production lines, rerouting logistics, emergency remediation and multi‑party liability frequently dwarf direct remediation or forensic costs.
  • Interconnected supply chains and shared OT dependencies multiply downstream business interruption across sectors.
The report’s practical finding is blunt: incident response planning and OT‑specific recovery playbooks are among the most effective risk reducers. Dragos / Marsh quantify this — incident response preparedness can reduce modeled risk materially (their published case shows meaningful percentage reductions when core controls are in place). That conclusion aligns with decades of insurance modelling: preparedness trumps insurance when the event impacts physical operations. (dragos.com, helpnetsecurity.com)

Survey reality check: how many organizations are being hit?

Security vendor surveys vary in methodology and sampling, but recent surveys agree on one unambiguous trend: intrusions that affect OT are increasing. Fortinet’s 2025 State of Operational Technology and Cybersecurity report — a global survey of OT professionals — documents a year‑over‑year rise in OT‑impacting intrusions. Fortinet reports that a large share of respondents experienced intrusions affecting OT in recent periods, and that incidents involving ransomware and phishing against OT rose sharply compared with 2023 figures. Fortinet’s public materials show an uptick from about 49% in 2023 to roughly three‑quarters (cited as 73% in several Fortinet summaries) in the most recent survey period. That same vendor narrative emphasizes the correlation between OT maturity (segmentation, monitoring, executive ownership) and lower incident impact. (fortinet.com, investor.fortinet.com)
A note of caution: different vendors and outlets sometimes quote different headline percentages (e.g., “75%,” “73%,” or other nearby values) depending on survey wording and sample composition. One widely circulated brief suggested 82% of organizations saw intrusions affecting OT this year; multiple primary Fortinet sources publicly released by the vendor themselves center on ~73%–75% as the comparable figure. Where you see a single percent‑point divergence between reporting outlets, check the original vendor report and the survey methodology before forwarding the headline. Treat small percentage differences as material to accuracy but not as altering the core narrative: intrusions impacting OT are rising and are now the norm, not the exception. (fortinet.com, incyber.org)

Which flaws are being actively exploited right now

In 2025 several technical findings rose to the top of operational concern because they enable unauthenticated or near‑trivial access into systems that are often embedded in OT stacks.

1) Erlang/OTP SSH unauthenticated RCE — CVE‑2025‑32433

A critical RCE in the SSH implementation of Erlang/OTP (CVE‑2025‑32433) allows an unauthenticated client to send SSH protocol messages that the server improperly processes prior to authentication, enabling command execution. Industry telemetry (Palo Alto Networks’ Unit 42 and other vendors) observed thousands of exploitation attempts in concentrated bursts; their analysis showed a disproportionate targeting of OT networks and industrial ports. The vulnerability is rated at the maximum severity level and fixed in patched OTP releases; mitigations include upgrading to the patched Erlang/OTP versions, disabling embedded SSH where feasible, and firewalling affected hosts. (unit42.paloaltonetworks.com, nvd.nist.gov)
Why this matters for OT: Erlang/OTP is widely embedded in telecommunications stacks, satellite and grid equipment, and certain industrial controllers and gateways. Where device vendors have built products that include the vulnerable OTP SSH component, their devices inherit the exposure — even if the device’s vendor hasn’t yet issued a downstream patch. The exploitation pattern shows asset owners must identify which of their systems bundle vulnerable OTP libraries and accelerate vendor coordination for fixes. (arcticwolf.com, tenable.com)

2) Citrix NetScaler / NetScaler Gateway critical flaws (CitrixBleed 2 and related CVEs)

Multiple critical NetScaler ADC/Gateway vulnerabilities (including high‑severity CVEs released in June–July 2025) have been weaponized in the wild. One exploit class — dubbed “CitrixBleed 2” in analyst coverage — allows unauthenticated memory disclosure and session token theft from NetScaler devices acting as VPN/ICA/AAA gateways. Several nation‑level and criminal campaigns have leveraged these flaws to plant web shells and pivot into downstream networks; Dutch authorities publicly reported intrusions against critical organizations linked to NetScaler exploitation, and security scanning groups have identified thousands of Internet‑exposed NetScaler instances that remain unpatched. Cloud Software Group (Citrix) and third‑party researchers issued urgent patches and remediation guidance. (netscaler.com, bleepingcomputer.com, thehackernews.com)
Operational impact: NetScaler appliances commonly terminate remote sessions for OT and corporate users (RDP, ICA, VPN). A successful exploit can provide persistent remote access, session hijack capability and a high‑confidence lateral pivot vector into control networks. Where NetScaler appliances sit as front doors to remote engineering tools, the exposure compounds rapidly.

3) OPC UA implementation weaknesses and encryption/authentication bypasses

OPC UA is the de facto secure industrial protocol intended to replace older, insecure OT channels. But multiple vendor‑level and stack‑level flaws — including authentication bypasses and weaknesses when legacy security policies (e.g., Basic128Rsa15) are enabled — have been disclosed and assigned CVEs. These issues include authentication bypasses in certain .NET stacks and vendor products, and several CVEs were credited to independent researchers (with responsible disclosures coordinated through vendor and national CERT processes). While OPC UA as a protocol contains robust crypto options, implementation choices, default configurations and legacy policy support have opened exploitable gaps in real deployments. Vendors and the OPC Foundation have published guidance and patches; operators must verify their products’ SDK versions and disable outdated security policies. (nvd.nist.gov, app.opencve.io)

Why OT exposures are especially dangerous — three structural defects

1) Long device lifecycles and fragile patch windows
Industrial controllers, HMIs and building automation controllers often cannot be patched on the same cadence as servers; updates may require factory revalidation and scheduled downtime. That creates persistent exposure windows.
2) Interdependency and lack of telemetry
Many OT environments lack centralized, continuous logging and SOC integration. When a vulnerability is exploited, detection and remediation can be slow, and forensic evidence may be erased by sophisticated intruders.
3) Misaligned incentives and budgeting
IT security budgets outstrip OT spending; OT teams prioritize reliability and uptime, not cascade‑style security testing. This produces a mismatch between controls the business needs to reduce catastrophic risk and where money is allocated — a gap that insurers and regulators are starting to penalize.

What actually reduces OT risk — focused, prioritized, defensible measures

The good news is that risk moderators are not abstract. Dragos / Marsh and industry best‑practice analyses converge on a set of prioritized, evidence‑driven controls that demonstrably cut financial exposure and incident impact.
  • Incident response and recovery planning — Pre‑drilled, OT‑specific runbooks with pre‑positioned forensic collection reduce recovery time and limit BI exposure. The Dragos/Marsh modelling quantifies incident response as one of the most impactful single controls for reducing financial risk. (dragos.com)
  • Defensible architecture — Enforce strict segmentation (zones and conduits), brokered jump hosts, and hardened bastion access for engineering tools. Microsegmentation of control zones limits lateral movement and reduces the blast radius of any initial compromise.
  • Continuous monitoring and protocol‑aware detection — Deploy OT‑capable IDS/IPS, flow analytics and endpoint behavioral sensors that understand industrial protocols (EtherNet/IP, Modbus, OPC UA) so that anomalous command sequences are flagged before physical impact.
  • Patch / vendor management mapped to asset inventories — Many attacks succeed because organizations don’t know which devices embed vulnerable components (Erlang/OTP, OPC SDKs, etc.). Maintain a centralized asset registry that maps firmware versions, SDK components and update paths to vendor advisories.
  • Secure remote access controls — Replace broad VPN access with identity‑centric, short‑lived session brokering (bastion hosts with MFA, session recording, and strict authorization policies). Given NetScaler exploitation patterns, remove single‑point remote access surfaces where possible or harden them immediately. (netscaler.com, unit42.paloaltonetworks.com)
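As an added illustration of the protocol‑aware detection described above (example code written for this discussion, not from any vendor or product named in the article), the following Python detector runs over constructed Modbus/TCP flow‑log lines in an assumed key=value format: it flags state‑changing function codes issued by hosts outside an engineering allowlist and flags bursts of writes from any host, which is the kind of anomalous command sequence an OT sensor should surface before physical impact.

```python
"""Allowlist and burst detection for Modbus/TCP write commands.

Added example; the key=value log format, hosts and thresholds are assumptions.
"""
from collections import deque
from datetime import datetime, timedelta

# Modbus function codes that change controller state (coils/registers).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Hypothetical engineering workstations allowed to issue writes.
WRITE_ALLOWLIST = {"10.10.5.21"}
BURST_COUNT = 3                        # this many writes from one host ...
BURST_WINDOW = timedelta(seconds=10)   # ... inside this window is flagged


def parse_line(line):
    """Parse 'ts=... src=... dst=... fc=...' into a dict with typed ts and fc."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["fc"] = int(fields["fc"])
    return fields


def detect(lines):
    """Return (timestamp, source, reason) alerts for the given log lines."""
    alerts = []
    recent = {}  # source host -> deque of its write timestamps in the window
    for line in lines:
        ev = parse_line(line)
        name = WRITE_FUNCTION_CODES.get(ev["fc"])
        if name is None:
            continue  # reads and diagnostics are not state-changing
        if ev["src"] not in WRITE_ALLOWLIST:
            alerts.append((ev["ts"], ev["src"], f"unauthorised {name} to {ev['dst']}"))
        window = recent.setdefault(ev["src"], deque())
        window.append(ev["ts"])
        while ev["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) == BURST_COUNT:  # fires once as the threshold is crossed
            alerts.append((ev["ts"], ev["src"],
                           f"{BURST_COUNT} writes within {BURST_WINDOW.seconds}s"))
    return alerts


# Constructed flow-log lines (not real traffic).
SAMPLE_LOG = [
    "ts=2025-06-03T10:15:00Z src=10.10.5.21 dst=10.20.1.7 fc=3 addr=0 count=10",
    "ts=2025-06-03T10:15:01Z src=10.10.5.21 dst=10.20.1.7 fc=6 addr=40001 value=1",
    "ts=2025-06-03T10:15:04Z src=10.10.9.77 dst=10.20.1.7 fc=16 addr=40010 count=4",
    "ts=2025-06-03T10:15:05Z src=10.10.9.77 dst=10.20.1.7 fc=5 addr=1 value=0xFF00",
    "ts=2025-06-03T10:15:06Z src=10.10.9.77 dst=10.20.1.7 fc=5 addr=2 value=0xFF00",
    "ts=2025-06-03T10:15:30Z src=10.10.5.21 dst=10.20.1.8 fc=4 addr=0 count=2",
]

if __name__ == "__main__":
    for ts, src, reason in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src}: {reason}")
```

The sample produces three unauthorised‑write alerts and one burst alert, all for the non‑allowlisted host; the authorised workstation's single write is silent.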
A practical remediation checklist for OT operators:
  • Inventory every device and cross‑reference for vulnerable components (Erlang/OTP SSH usage, OPC UA SDK versions, NetScaler appliances).
  • Prioritize emergency patching for internet‑exposed gateways and devices with published, actively exploited CVEs.
  • Apply compensating controls when immediate patching is infeasible: firewall rules, IP allowlists, disabling unused services, and temporary isolation.
  • Execute OT tabletop exercises simulating BI scenarios to validate recovery playbooks and communication protocols.
  • Elevate OT risk to the C‑suite with measurable KPIs and allocate budget for SOC‑OT integration and vendor lifecycle management. (dragos.com, fortinet.com)

Governance and insurance: the business case for doing it right

Insurers and national regulators increasingly treat OT exposure as insurable only when demonstrable controls are in place. Dragos / Marsh’s financial framing is binding because it maps to carrier loss histories; organizations that cannot demonstrate adequate incident response and segmentation face higher premiums or limited coverage for BI claims. Boards must therefore view OT security as an enterprise risk-management problem with measurable financial consequences — not as a plant‑level engineering issue. (dragos.com)

Counterarguments and limits of current research — where to be cautious

  • Survey bias and methodology variance: vendor surveys (by security vendors) differ in sample size, industry mix and question phrasing. As noted earlier, headline percentages (e.g., 73% vs. 82%) sometimes diverge based on how questions are written and which respondents are included. Always refer to the primary report’s methodology before treating a headline number as definitive. (fortinet.com, msp-channel.com)
  • Rapidly changing exploit telemetry: threat feeds and scanning counts can shift dramatically in days. Unit 42 and other telemetry providers reported concentrated bursts for the Erlang/OTP RCE early in May 2025; that pattern is plausible and consistent with public PoC releases, but exploit volume and the exact industries targeted will evolve week‑to‑week. Treat vulnerability triage as time‑sensitive: once an exploit becomes public, the attack surface expands fast. (unit42.paloaltonetworks.com, tenable.com)
  • Vendor vs. independent measurements: vendors with product portfolios in OT security can emphasize metrics showing the efficacy of their platforms. Cross‑reference vendor claims with neutral sources and incident timelines to avoid over‑reliance on any single vendor’s performance metrics.

Technical deep dive: mitigation priorities for highlighted CVEs

  • CVE‑2025‑32433 (Erlang/OTP SSH RCE) — Patch strategy:
    • Identify any product or appliance that bundles Erlang/OTP SSH.
    • Apply official Erlang/OTP patches (OTP‑27.3.3, OTP‑26.2.5.11, OTP‑25.3.2.20 or newer).
    • If immediate patching is infeasible, block SSH access at the network perimeter, and disable the Erlang SSH server where it is not needed. Vendor coordination is mandatory because end‑products may require vendor‑issued firmware updates. (nvd.nist.gov, unit42.paloaltonetworks.com)
  • NetScaler critical vulnerabilities (e.g., CVE‑2025‑5777 / CitrixBleed 2 and other related CVEs) — Patch strategy:
    • Apply vendor‑released builds and immediately terminate persistent sessions after upgrades.
    • Audit for signs of web shell installation and unusual admin or configuration changes.
    • Where NetScaler devices serve as remote access aggregation points for OT, consider temporary replacement with simpler, well‑hardened bastion hosts until full assurance testing of patched appliances is complete. (netscaler.com, bleepingcomputer.com)
  • OPC UA implementation CVEs (e.g., CVE‑2024‑42512 / CVE‑2024‑42513 and others) — Patch strategy:
    • Update OPC UA stacks and SDKs to patched versions, and explicitly disable deprecated security policies such as Basic128Rsa15.
    • Where vendor patches are delayed, restrict OPC UA endpoints to internal networks only and apply IP allowlisting and strong mutual TLS configurations. Validate certificate lifecycles and ensure private keys are not hardcoded in device images. (nvd.nist.gov, app.opencve.io)
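To make the asset‑registry cross‑reference called for earlier concrete, here is an added Python audit (not code from Dragos, the OPC Foundation or any vendor) covering the Erlang/OTP and OPC UA patch strategies above: it checks a constructed inventory against the patched OTP releases the article lists and flags OPC UA endpoints that still offer deprecated security policies. The record format, field names and asset names are assumptions.

```python
"""Cross-reference an asset registry against the fixes discussed above.

Added example; the inventory records and their field names are assumptions.
"""

# Minimum patched Erlang/OTP release per branch for CVE-2025-32433,
# taken from the patch strategy above; tuples compare lexicographically.
OTP_FIXED = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}

# Basic128Rsa15 is the policy named in the article. Basic256 (also SHA-1
# based) and the null policy None are added here on the assumption that your
# SDK's profile list marks them deprecated/insecure as well; verify that.
OPCUA_WEAK_POLICIES = {"Basic128Rsa15", "Basic256", "None"}


def parse_otp(version):
    """'OTP-26.2.5.10' -> (26, 2, 5, 10)."""
    digits = version[4:] if version.startswith("OTP-") else version
    return tuple(int(part) for part in digits.split("."))


def otp_finding(version):
    """Finding string if the OTP release is below the patched one, else None."""
    parsed = parse_otp(version)
    fixed = OTP_FIXED.get(parsed[0])
    if fixed is None:
        # A branch with no listed fix needs vendor confirmation, not silence.
        return f"OTP branch {parsed[0]} has no fix listed for CVE-2025-32433; confirm with vendor"
    if parsed < fixed:
        return f"{version} is below patched OTP-{'.'.join(map(str, fixed))} (CVE-2025-32433)"
    return None


def opcua_findings(policies):
    """One finding per deprecated or null security policy still enabled."""
    return [f"deprecated OPC UA security policy {p} enabled"
            for p in policies if p in OPCUA_WEAK_POLICIES]


def audit(assets):
    """Return (asset_id, finding) pairs for every asset that needs action."""
    findings = []
    for asset in assets:
        if "otp" in asset:
            finding = otp_finding(asset["otp"])
            if finding:
                findings.append((asset["id"], finding))
        for finding in opcua_findings(asset.get("opcua_policies", [])):
            findings.append((asset["id"], finding))
    return findings


# Constructed inventory records for demonstration.
ASSETS = [
    {"id": "gw-01", "otp": "OTP-26.2.5.10"},     # one release short of the fix
    {"id": "gw-02", "otp": "OTP-27.3.3"},        # exactly the patched release
    {"id": "plc-gw-03", "otp": "OTP-24.3.4"},    # branch with no listed fix
    {"id": "opcua-srv-01", "opcua_policies": ["Basic128Rsa15", "Basic256Sha256"]},
    {"id": "opcua-srv-02", "opcua_policies": ["Aes256_Sha256_RsaPss"]},
]

if __name__ == "__main__":
    for asset_id, finding in audit(ASSETS):
        print(f"{asset_id}: {finding}")
```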

Operational playbook: 90‑day tactical roadmap for OT leaders

  • Week 0–2: Emergency triage
    • Run targeted discovery for Internet‑exposed assets and known vulnerable fingerprints (Erlang/OTP SSH, NetScaler, legacy OPC UA policies).
    • Apply immediate firewalling and IP allowlists for externally facing OT interfaces.
  • Week 2–6: Patch and vendor coordination
    • Implement vendor firmware and stack updates for high‑severity CVEs.
    • Validate vendor patches in staged environments and roll out with rollback plans.
  • Week 6–12: Detection and recovery hardening
    • Integrate OT telemetry into the SOC; deploy protocol‑aware network sensors.
    • Run OT tabletop exercises with engineering, legal, and executive stakeholders to rehearse BI scenarios.
  • Ongoing: Governance and investment
    • Consolidate OT security under a clear executive owner (CISO/CRO) with budgetary authority.
    • Adopt a risk‑based roadmap that maps Dragos/Marsh loss modeling to concrete control investments (IR, segmentation, monitoring). (dragos.com, fortinet.com)

Strengths and risks in the current ecosystem

Strengths:
  • Growing executive awareness and stronger vendor coordination with disclosure and patching processes are visible across industry advisories. That shift drives faster remediation cycles when organizations prioritize OT. (fortinet.com)
  • Richer threat telemetry from vendors and independent scanning groups provides early warning and prioritized indicators for defenders.
Risks:
  • Legacy device ecosystems and the operational friction of patching remain the sector’s most persistent weaknesses. Many devices were never designed for rapid patching or remote attestation.
  • The expanding attack surface created by consolidated remote access tooling (VPN gateways, remote engineering portals) elevates the impact of a single exploited gateway. The NetScaler incidents are a proof point for this systemic fragility. (netscaler.com, bleepingcomputer.com)

Conclusion: action, not alarm

The evidence is clear: OT threats are rising in frequency and financial consequence, with a small number of high‑severity technical failures capable of causing outsized business interruption. But the pathway out of this exposure is also clear and practical: inventory, patching paired with compensating controls, OT‑aware monitoring, and regular incident response rehearsals materially reduce the modeled loss and the real‑world pain of recovery.
The final, non‑technical step matters most: treat OT risk as enterprise risk. Elevate ownership, fund recovery readiness, demand secure‑by‑design from vendors, and prioritize controls that demonstrably reduce business interruption. The window for decisive action is now — delays compound risk, and the cost of doing nothing is measured not just in dollars but in disrupted services and public harm.

Source: TechTarget news brief, "Rising OT threats put critical infrastructure at risk"