
Behind the Running Machines: The Cyber Threats Lurking in Your Industrial Systems

820,000 IoT devices are attacked every single day. And that figure doesn't even account for the attacks targeting industrial control systems, SCADA environments, and the operational technology networks keeping power grids humming, water flowing, and factory lines moving. ITSEC Asia, Indonesia's leading cybersecurity company, offers comprehensive OT/IoT security services built for the realities of modern critical infrastructure.

Ajeng Hade | Jun 05, 2026

Introduction

For years, the cybersecurity conversation has revolved almost entirely around the IT world: corporate email, enterprise software, cloud storage. But the threat landscape has shifted. Quietly, and aggressively.

Attackers have figured out something that many security teams are only beginning to reckon with: Operational Technology (OT) and Internet of Things (IoT) environments are high-value targets, and by the standards the IT world now takes for granted, they are largely undefended.

The numbers don't leave much room for optimism. Ransomware attacks in the industrial sector spiked 87% year-over-year in 2024, making manufacturing the top ransomware target for four consecutive years. In the same period, the number of ransomware groups specifically targeting OT and ICS environments grew by 60%, not because these systems suddenly became more valuable overnight, but because attackers realized how exposed they already were.

One in every four penetration tests conducted on industrial environments still finds default credentials in active use. Sixty-five percent of OT environments have insecure remote access conditions. These aren't edge cases. They are the norm.

The question, then, is no longer whether your operational environment is a target. It already is. The real question is whether your organization is prepared when an attack arrives.

Sources: IoT Hacking Statistics 2025 · DeepStrike · OT Security Trends 2025 · Zero Networks · Fortinet 2025 State of OT Cybersecurity Report

Why OT and IoT Are Not Just "IT with Different Cables"

There's a tempting assumption that OT/IoT security is simply a matter of taking standard IT security practices and applying them to a different set of devices. That assumption is exactly the kind of thinking that gets organizations into serious trouble.

OT systems (the industrial control systems, programmable logic controllers, and SCADA networks that run physical processes) were designed in a different era with a different set of priorities. Availability and reliability were everything. Confidentiality and patch cycles were secondary concerns, sometimes not concerns at all. Many of these systems were built to run for decades. And they have.

The problem is they were never designed to be connected to broader networks, let alone the internet. But connectivity happened anyway, driven by efficiency demands and the rise of Industry 4.0, and the security architecture never caught up.

When a corporate IT network and a factory floor OT environment share connectivity, even indirectly, an attacker who breaches one has a potential pathway to the other. And lateral movement in these environments can be devastatingly fast. IBM's research shows the average lateral movement time has dropped to just 29 minutes. That means an attacker who enters through a vulnerable IoT sensor can reach mission-critical operational systems in less time than it takes to finish a cup of coffee.

IoT compounds the problem further. Connected devices, from smart meters and environmental sensors to surveillance cameras and building management systems, often run stripped-down operating systems with minimal security controls, infrequent firmware updates, and no monitoring visibility. Approximately 35% of global DDoS attacks today originate from IoT botnets, and hijacked devices routinely serve as entry points for deeper intrusions into IT and OT networks.

The 2021 Oldsmar, Florida water treatment attack, in which an attacker used insecure remote-access software to attempt to alter chemical levels in a public water supply, remains one of the clearest illustrations of what's at stake when OT and IoT security fails.

Sources: Forescout 2025 Threat Report · Industrial Cyber · IBM Cost of a Data Breach Report 2024 · The Reality of IoT Security in 2025 · Growth Acceleration Partners

What Is Actually Happening in the Wild Right Now

Understanding the current threat landscape isn't an exercise in paranoia. It's a prerequisite for making good security decisions.

Nation-state actors have increasingly targeted critical infrastructure for geopolitical disruption, a trend that accelerated sharply in 2024. China's Volt Typhoon campaign, which maintained persistent access to US critical infrastructure by exploiting vulnerabilities in routers and remote-access solutions, showed just how patient and methodical state-sponsored attackers can be.

The FrostyGoop malware went even further: it exploited a zero-day vulnerability in MikroTik routers, was used to misoperate a district heating utility in Lviv, and left 600 homes without heat in the middle of winter. These are not theoretical scenarios. They happened.

Throughout 2024, CISA issued 241 new advisories affecting 70 vendors, resulting in 619 ICS CERT vulnerability disclosures. More troubling: 71% of the vulnerabilities being exploited were not in CISA's Known Exploited Vulnerabilities catalog, meaning attackers are actively going after weaknesses that many organizations aren't even tracking.

Patch management in OT environments is genuinely difficult. Downtime windows are narrow, legacy systems may not support modern updates, and operational continuity often takes precedence over security hygiene. But the cost of that trade-off is becoming increasingly visible.

Sources: Waterfall Security OT Attack Analysis 2024 · Shieldworkz 2025 OT/ICS Threat Landscape Report · Forescout 2025 Threat Report · Fortinet 2025 State of OT Cybersecurity Report

Building a Security Posture That Actually Fits OT/IoT Realities

Securing OT and IoT environments requires a fundamentally different methodology than traditional IT security, and it starts with acknowledging the constraints rather than fighting them.

OT systems often can't be patched on a standard schedule. Many can't tolerate the kind of active scanning that IT environments handle without issue. Some run on protocols that predate modern security by decades: Modbus, DNP3, and similar standards were designed for reliability and determinism, not authentication or encryption.

Effective OT/IoT security begins with visibility. You can't protect what you can't see. A comprehensive asset inventory (knowing every device on the network, its function, its communication patterns, and its vulnerability profile) is the foundation everything else builds on. Passive monitoring approaches that observe network traffic without disrupting operations are particularly well-suited to OT environments precisely because they provide visibility without operational risk.

From there, network segmentation becomes the most critical defensive layer. Many industrial organizations still operate with insufficient segmentation between IT and OT environments, leaving mission-critical assets exposed to threats that enter through the enterprise network. Proper segmentation, enforced by industrial firewalls and implemented alongside strict remote access controls, dramatically reduces an attacker's ability to move laterally from an IT compromise into operational systems.

The baseline goal is straightforward but not trivial: a breach in the corporate environment should never automatically translate into access to the factory floor.
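The three points above (Modbus carries no authentication, visibility comes from passively observing traffic, and segmentation policy should stop a corporate host from ever writing to a controller) can be shown in one small monitor. The following is an added example, written for this article and not code from ITSEC Asia or any product: it decodes Modbus/TCP requests taken from a span port, builds a passive asset inventory of masters, slaves and function codes, and raises an alert whenever a write function code comes from outside the OT zone or from an OT host that is not on the engineering allow-list. The zone `10.20.0.0/16`, the engineering workstation `10.20.1.10` and the sample frames are all constructed for the example.

```python
import ipaddress
import struct
from collections import defaultdict

# Modbus function codes that change process state (coil and register writes);
# everything else is treated as read-only for the purpose of this example.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
MODBUS_TCP_PORT = 502

# Hypothetical site layout (assumption for this example, not from the article):
# the OT zone and the only engineering workstation allowed to write to PLCs.
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
ENGINEERING_HOSTS = {"10.20.1.10"}


def parse_modbus_tcp(payload: bytes):
    """Decode a Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1);
    'length' counts the unit id plus the PDU. Returns None for malformed frames
    rather than guessing, since a passive monitor must never mis-attribute traffic.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}


def build_inventory(frames):
    """Passive asset inventory: who talks Modbus to whom, with which function codes.

    'frames' is an iterable of (src_ip, dst_ip, dst_port, payload) tuples, as a
    span-port collector would hand them over. Nothing is ever sent to a device.
    """
    assets = defaultdict(lambda: {"roles": set(), "peers": set(), "units": set(), "fcs": set()})
    for src, dst, dport, payload in frames:
        if dport != MODBUS_TCP_PORT:
            continue
        req = parse_modbus_tcp(payload)
        if req is None:
            continue
        assets[src]["roles"].add("master")   # the requester polls or writes
        assets[src]["peers"].add(dst)
        assets[src]["fcs"].add(req["fc"])
        assets[dst]["roles"].add("slave")    # the responder is a PLC/RTU
        assets[dst]["peers"].add(src)
        assets[dst]["units"].add(req["unit"])
    return dict(assets)


def check_write_policy(frames):
    """Flag write requests that the segmentation policy should never allow:
    writes from outside the OT zone, and writes from OT hosts that are not
    on the engineering allow-list. Returns (src, dst, function_code, reason)."""
    alerts = []
    for src, dst, dport, payload in frames:
        if dport != MODBUS_TCP_PORT:
            continue
        req = parse_modbus_tcp(payload)
        if req is None or req["fc"] not in WRITE_FUNCTION_CODES:
            continue
        if ipaddress.ip_address(src) not in OT_ZONE:
            alerts.append((src, dst, req["fc"], "cross-zone-write"))
        elif src not in ENGINEERING_HOSTS:
            alerts.append((src, dst, req["fc"], "unauthorised-ot-writer"))
    return alerts


# Constructed sample capture (not real traffic): four Modbus/TCP requests and
# one truncated frame. Byte layout follows the MBAP/PDU format described above.
SAMPLE_FRAMES = [
    # engineering workstation reads 10 holding registers from PLC 10.20.5.2 (FC 3)
    ("10.20.1.10", "10.20.5.2", 502, struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    # same workstation writes one register (FC 6): allowed by policy
    ("10.20.1.10", "10.20.5.2", 502, struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 40, 1234)),
    # corporate IT host writes a coil (FC 5): crosses the IT/OT boundary
    ("192.168.50.7", "10.20.5.2", 502, struct.pack(">HHHBBHH", 3, 0, 6, 1, 5, 1, 0xFF00)),
    # HMI inside the OT zone writes a register block (FC 16) but is not an engineering host
    ("10.20.7.30", "10.20.5.3", 502, struct.pack(">HHHBBHHBH", 4, 0, 9, 1, 16, 100, 1, 2, 500)),
    # truncated frame: the parser rejects it instead of guessing
    ("10.20.7.30", "10.20.5.3", 502, b"\x00\x05\x00\x00"),
]

if __name__ == "__main__":
    for ip, info in sorted(build_inventory(SAMPLE_FRAMES).items()):
        print(ip, sorted(info["roles"]), "fcs", sorted(info["fcs"]), "units", sorted(info["units"]))
    for alert in check_write_policy(SAMPLE_FRAMES):
        print("ALERT", alert)
```

Because Modbus itself cannot tell an authorised engineering write from any other, the decision has to be made from network position and an allow-list, which is exactly what an industrial firewall between zones enforces; the same logic running on a span port gives the visibility to confirm that the firewall rules match what actually happens on the wire.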

One broader shift reflects this growing awareness. In 2025, 52% of organizations placed OT security under the CISO, up from just 16% in 2022. OT security is no longer a niche operational concern. It's a core enterprise risk issue.

Sources: Shieldworkz 2025 OT/ICS Threat Landscape Report · Fortinet 2025 State of OT Cybersecurity Report · Zero Networks OT Security Trends 2025

Making the Right Call Before an Incident Forces Your Hand

There are two versions of this conversation. One happens proactively. The other happens in the aftermath of a breach. Organizations that wait for the second version consistently face worse outcomes, not just operationally, but financially and reputationally as well.

The average time to identify a breach across all environments reached 194 days in 2024. In an OT environment, nearly seven months of undetected attacker presence is an extraordinarily long time for damage to accumulate invisibly.

Digital forensics taught us something worth carrying into OT: organizations that rush to restore without properly investigating what happened rebuild on the same broken foundation. Wiping a compromised industrial controller without first understanding how the attacker got in, how far they moved, and what they changed leaves the door open for an identical, or worse, incident weeks later.

ITSEC Asia has spent over a decade building cybersecurity capability across financial services, telecommunications, energy, transportation, manufacturing, and other critical sectors throughout Indonesia, Singapore, Australia, and the UAE. Our OT/IoT security practice covers the full spectrum of what organizations in these environments actually need: security testing to identify and remediate vulnerabilities, cyber asset management, vulnerability management tailored to operational constraints, managed detection and response, a dedicated OT Security Operations Center, tabletop exercises that test real incident response readiness, and digital forensics and incident response capability purpose-built for OT-specific incidents.

If your organization operates industrial systems, critical infrastructure, or connected operational environments, and hasn't yet conducted a structured assessment of its OT/IoT security posture, the data from the past 18 months makes a compelling case for starting that conversation now, before an incident forces the issue.

👉 Consult with our security specialists https://itsec.asia/contact
