Bethesda, MD, Nov. 19, 2025 (GLOBE NEWSWIRE) -- SANS Institute today released the 2025 State of ICS/OT Security Report, a global study detailing how industrial organizations detect, contain, and safely recover from cyber incidents across energy, manufacturing, chemicals, transportation, and other critical sectors.

The report reveals a trend that will concern industrial leaders. Detection is faster than ever, yet recovery remains slow, inconsistent, and high risk. Nearly half of all incidents were identified within the first 24 hours, but almost one in five took more than a month to fully remediate. The findings highlight a resilience gap that continues to affect safety, uptime, and operational continuity inside industrial environments.

Drawing on insights from more than 330 ICS and OT security professionals worldwide, the report exposes the conditions that contribute to long recovery cycles. Remote access remains the leading pathway for adversaries, yet only 13 percent of organizations have implemented advanced ICS-aware controls such as session recording or real-time approvals. Visibility also thins sharply as security teams move closer to controllers and process equipment, limiting their ability to detect dangerous changes early.

“These numbers highlight the pressure facing industrial teams,” said Jason D. Christopher, SANS Certified Instructor, report author and host of the November 19 webcast on the report. “Organizations are catching issues fast, which is a win. The challenge is what happens after the alarm sounds. Safe restoration in an industrial environment is complex and highly dependent on rehearsed procedures, verified access paths, and coordinated decision making. Without that preparation, recovery lingers and risk grows.”

The report also shows the value of regulatory alignment and operationalized threat intelligence. While regulated sites did not report fewer cyber incidents, they did see about 50 percent fewer financial losses and safety impacts. Organizations that converted ICS-specific threat intelligence into tuned detections, monitoring improvements, and segmentation changes reported significantly stronger defensive outcomes.

“Industrial operations cannot rely on detection alone,” said Christopher. “This report highlights where teams are gaining ground and where gaps remain. The organizations that move past checklists and convert intelligence, compliance, and exercises into routine practice are the ones that reduce downtime and protect their people and equipment.”

Key Findings

• More than one in five organizations reported a cyber incident in the past year and 40 percent resulted in operational disruption.

• Almost half of incidents were detected within 24 hours and 60 percent were contained within 48 hours, yet 19 percent took more than a month to remediate.

• Unauthorized external access accounted for half of all cyber incidents, while only 13 percent of organizations have fully implemented advanced ICS-aware controls.

• Only 12.6 percent reported full ICS Cyber Kill Chain visibility, with the largest gaps near controllers and process-level equipment.

• ICS-specific threat intelligence correlated strongly with improved detections, expanded monitoring, and accelerated segmentation.

• Regulated sites saw similar incident rates but almost 50 percent fewer financial and safety impacts.

Christopher will walk through these findings and their implications during the November 19 webcast, which is designed for practitioners, engineers, responders, and OT security leaders. A follow-up session on December 9, led by SANS Principal Instructor Dean Parsons, will also explore strategic guidance for CISOs and industrial executives planning for 2026.

“Our goal is to provide clarity and direction,” Christopher said. “The report gives leaders the data. The webcast will help them turn that data into decisions that improve resilience across plants, grids, and industrial sites worldwide.”

Register for the SANS 2025 ICS/OT Survey Webcast & Forum and download the associated report here.