Can We Fix OT Security? Why 2025’s Surge in Attacks Demands a Proactive Response
Key Highlights
- OT is now a frontline target. Once isolated, OT systems are increasingly connected, and nation-state groups like Volt Typhoon and MISSION2025 are exploiting that exposure.
- Legacy defenses are breaking down. Structural weaknesses—unpatched devices, IT/OT convergence, and outdated assumptions about isolation—leave critical infrastructure at risk.
- A new model is needed. Secure-by-Design practices, automation, SBOMs, and shared responsibility across asset owners, manufacturers, and regulators are key to long-term resilience.
Across critical infrastructure, a steady escalation has been taking place. Operational technology (OT) systems, once isolated, purpose-built, and relatively immune to the security issues of traditional IT, are now exposed, interconnected, and increasingly targeted by nation-state actors. 2025 has already made this fact unmistakably clear. In the face of surging attacks, the operational assumptions underpinning OT security are no longer viable.
Recent public warnings from agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) reflect a consensus. OT systems are now strategic targets for advanced persistent threat (APT) groups, many of which are linked to state-sponsored activity. Security researchers have documented a rise in persistent access operations, including campaigns by Salt Typhoon and Volt Typhoon, with adversaries moving laterally through environments that bridge traditional IT and OT domains.
In June of this year, analysts reported the emergence of MISSION2025, a long-term espionage and disruption campaign attributed to Chinese state actors. Its targets span aerospace manufacturing, national defense suppliers, energy providers, and healthcare networks. The objectives range from intellectual property theft to prepositioning access for future operations. Each new move by threat actors represents a deliberate strategy to compromise infrastructure that remains difficult to defend with traditional tools and practices.
Ransomware has followed a similar trajectory. According to research by Honeywell, ransomware attacks against OT environments increased by 46 percent in the first quarter of 2025. The surge of attacks on OT is just the start, and we’ll continue to see disruptions that carry operational and economic consequences, not to mention implications for public safety and national resilience.
The Weak Spots in OT Security
The drivers behind this growing risk are structural. OT networks, once air-gapped or minimally connected, now integrate with IT systems to support efficiency, remote management, and business analytics. The convergence delivers operational benefits but also brings new vulnerabilities.
A report from Palo Alto found that 7 out of 10 industrial OT attacks originate in Information Technology (IT) environments. Asset owners are learning that legacy assumptions about segmentation, isolation, and the improbability of certain types of access no longer hold in an interconnected world.
At the technical level, long-standing vulnerabilities persist. Many OT systems still lack basic protection such as multi-factor authentication, proper segmentation, and timely patching procedures. The devices themselves often operate on proprietary or unsupported operating systems. Updating them requires not only technical expertise but also coordination with operational schedules, vendor contracts, and safety protocols. As a result, patch latency is significant. In many cases, vulnerabilities remain unaddressed for months, if not years.
Vulnerabilities in device software are also a major risk. Memory safety issues—such as buffer overflows and use-after-free errors—remain among the most common and most exploitable classes of software defects in embedded systems. These flaws are especially concerning because they can be leveraged for arbitrary code execution, persistence, and lateral movement. They are also difficult to detect with conventional scanning tools, making them widespread across devices used in critical infrastructure environments.
In short, the security posture of many critical infrastructure systems is undermined by a combination of legacy architecture, operational constraints, and vulnerabilities in device software.
Limitations of the Patch-and-Pray Model
Given these realities, the longstanding strategy of vulnerability discovery followed by patch development, testing, and deployment has reached its practical limits. In highly dynamic IT environments, this model was already struggling to keep pace. In the OT domain, it is even less sustainable. Identifying vulnerabilities, developing patches, testing, and then pushing them out, hoping everybody applies the updates in a timely fashion, is a losing model over time. You can never keep up.
First, there are logistical barriers. Unlike desktops or cloud servers, OT systems often cannot be updated automatically or on demand. Maintenance windows are infrequent. The risk of unplanned downtime may be unacceptable. Device manufacturers may no longer support the hardware in question, or the source code may be unavailable for modification. These constraints make rapid patching unrealistic, even when vulnerabilities are publicly known.
Second, the sheer number of components involved in modern OT ecosystems makes complete coverage a daunting task. Many systems include third-party software, open-source libraries, and legacy firmware, often with unclear provenance. Without comprehensive inventory and dependency tracking, it is nearly impossible to assess where known vulnerabilities exist within a system.
Third, attackers are no longer waiting for high-profile vulnerabilities to appear. They are investing in bespoke exploits, custom tooling, and stealthy access strategies. In this environment, reacting after a vulnerability is published provides little assurance of protection.
To address these limitations, a strategic shift is necessary.
Secure by Design: A Path Toward Resilience
A more viable model is to prevent vulnerabilities from being introduced in the first place. This approach, commonly referred to as Secure by Design, focuses on integrating security practices throughout the software and system development lifecycle.
For example, modern development toolchains can apply hardening techniques at compile time to reduce or eliminate entire classes of memory-related vulnerabilities. These techniques include runtime protections, like Load-time Function Randomization (LFR), among others. When applied systematically, they can dramatically reduce the exploitability of deployed software, even in the presence of other flaws. If you can eliminate entire classes of vulnerabilities before software hits the field, you don’t need to play whack-a-mole with patches.
Complementing this, software transparency mechanisms like a Software Bill of Materials (SBOM) provide critical visibility into component-level dependencies. By maintaining accurate and up-to-date SBOMs, organizations can identify inherited vulnerabilities and respond accordingly. In complex systems, where software is built from dozens or hundreds of sources, this visibility is indispensable.
Automation is essential for scaling these practices. Manual auditing cannot keep pace with modern development cycles, and static processes often break down under pressure. Automated tools for vulnerability scanning, configuration validation, and supply chain inspection can reduce the burden on security teams and improve consistency.
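One way to put an SBOM to work as the two paragraphs above describe: automatically cross-referencing a supplier's component list against an advisory feed so that inherited vulnerabilities surface without manual auditing. This is an added example, not code from the article or from RunSafe; the CycloneDX-style SBOM, the advisory feed and its placeholder ids are constructed for illustration, and versions are compared as simple dotted numeric tuples.

```python
"""Cross-reference a CycloneDX-style SBOM against an advisory feed.

Added example, not code from the article or RunSafe. The SBOM and advisory
feed below are constructed; advisory ids are placeholders, not real CVEs.
Versions are compared as dotted numeric tuples (a simplifying assumption).
"""
import json

# Constructed SBOM in CycloneDX JSON layout, as a supplier might ship with
# a controller firmware image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libmodbus-example", "version": "3.1.4"},
        {"type": "library", "name": "tls-stack-example", "version": "1.0.2"},
        {"type": "firmware", "name": "rtos-kernel-example", "version": "9.2.0"},
    ],
})

# Constructed advisories: placeholder ids, affected component, and the
# half-open version range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "tls-stack-example",
     "introduced": "1.0.0", "fixed": "1.0.5", "class": "buffer overflow"},
    {"id": "ADV-PLACEHOLDER-002", "name": "libmodbus-example",
     "introduced": "3.0.0", "fixed": "3.1.0", "class": "use-after-free"},
]


def parse_version(text):
    """Turn '1.0.2' into (1, 0, 2) so ranges compare numerically."""
    return tuple(int(part) for part in text.split("."))


def affected(component, advisory):
    """True when the component's version lies in [introduced, fixed)."""
    if component["name"] != advisory["name"]:
        return False
    v = parse_version(component["version"])
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def inherited_vulnerabilities(sbom_json, advisories):
    """Return (name, version, advisory id, class) for every affected component."""
    sbom = json.loads(sbom_json)
    return [(c["name"], c["version"], a["id"], a["class"])
            for c in sbom.get("components", [])
            for a in advisories if affected(c, a)]
```

Run against a real SBOM and feed, the same loop becomes the inventory check that tells an asset owner which deployed devices carry a newly published flaw, before any patch exists.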
Ultimately, automation and good processes will raise all boats. In the context of critical infrastructure, where failures can have cascading consequences, this level of foresight is essential.
Prioritizing Shared Responsibility
Fixing OT security cannot be achieved in isolation. The ecosystem includes asset owners, device manufacturers, integrators, regulators, and even end users. Each plays a role in either advancing or impeding security progress.
Asset owners must elevate their procurement standards. If suppliers are not required to disclose SBOMs, demonstrate secure development practices, or support automated updates, there is little incentive for improvement. Owners should also examine their environments for segmentation gaps, identity management deficiencies, and detection blind spots.
Manufacturers must prioritize secure development practices. This means not only applying technical safeguards, but also institutionalizing security testing, threat modeling, runtime protections, and updating mechanisms into their processes.
Regulators play a pivotal role in setting minimum expectations. International frameworks such as the EU Cyber Resilience Act are already pushing suppliers to provide greater transparency and demonstrate due diligence in security. In the United States, policy efforts are underway, but uneven in adoption. Alignment across sectors will be critical for long-term resilience.
Finally, security professionals must continue to advocate for systemic change. Technical innovation will be necessary, but so too will collaboration, education, and leadership.
A Measured Path Forward
The risks facing OT systems are real, growing, and increasingly difficult to manage using traditional methods. Yet the situation is not without hope. With sustained effort, technical discipline, and cooperation across the ecosystem, measurable improvements are possible.
Preventing vulnerabilities before deployment, embracing transparency, investing in automation, and adopting Secure by Design principles are all steps that can and should be taken now. They do not require technological breakthroughs so much as institutional commitment.
It is no longer a question of whether we have the tools to secure our infrastructure. It is a question of whether we will apply them at the necessary scale and whether we can align stakeholders around a shared vision of resilience.
We can fix OT security. But only if we act with urgency, coordination, and clarity of purpose.
About the Author

Joseph M. Saunders
founder and CEO of RunSafe Security
Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics.
He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.