Cyber Insights 2025: OT Security


SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gather their opinions. Here we discuss what to expect with operational technology (OT) cybersecurity.

OT risk is more extreme than IT risk. It could lead to social chaos, harm to individuals, damage to the national economy, and threats to national security. Welcome to OT security.

By operational technology, we mean the hardware and software used to operate physical devices, typically in industrial settings. This includes the full range of ICS and SCADA systems and their components; the IoT devices that collect data from, and deliver instructions to, the factory floor; programmable logic controllers (PLCs); and the human-machine interface (HMI) devices that allow human operators to monitor and control the rest of the OT systems.

The nature of these systems means they are heavily concentrated within the critical infrastructure sectors. And just as OT technology differs from IT technology, so the threats, likely adversaries, and potential harm also differ. This is what we mean by OT security.

All cybersecurity is a constant battle between adversaries and defenders. All battles ebb and flow. It will be the same for OT in 2025: there will be wins for the defenders and wins for the adversaries. David Redekop, founder and CEO at ADAMnetworks, describes 2025 as a ‘mixed bag’ for OT. 

“As older equipment reaches end-of-life and is replaced, the new defaults will eliminate the criminals’ low-hanging fruit of easy-to-compromise credentials,” he explains. “On the flipside, attacker tools will continue to advance; so, the moment an attacker succeeds with a network implant, the discovery of exploitable hosts and services is more efficient than ever, leading to shorter dwell times and faster attacks.”

John Gallagher, VP at Viakoo, fears that OT is still viewed as the poor relative of IT. “OT often lacks the protections of traditional IT systems and is often configured and managed by non-IT people (making it more likely to be exploitable). That’s why IoT devices often use default passwords, are not on segmented networks, and are behind on firmware patches.”

He is particularly concerned that already compromised systems – especially IoT devices – will be leveraged in 2025. “OT systems are often used for launching DDoS attacks, and these devices have botnet armies already in position and waiting to be activated. In 2025 these botnets will likely be capable of more sophisticated attacks, and will be harder to detect because of methods like polymorphic encoding.”


Joe Saunders, founder & CEO at RunSafe Security, is clear on his view of the threats. “We can be certain that nation-states, adversaries, and APTs will target OT devices, the software supply chain, and critical infrastructure itself to potentially disrupt it,” he warns.

“These attacks will grow increasingly more destructive, from nation-states prepositioning assets for future disruption of basic services to bad actors seeking financial gain through ransomware attacks. In 2025,” he continues, “it would not be a surprise to see a top-20 US city lose one of its critical services, whether telecommunications or water utilities, to a ransomware attack.”

Nevertheless, he adds, “I remain optimistic that the US will make great forward progress in protecting critical infrastructure.”

But don’t forget that the AI effect is a new threat to OT. “In 2025,” says Vivek Ponnada, SVP Growth & Strategy at Frenos, “it is likely more sophisticated attacks will leverage AI for increased accuracy – rather than using the technology to create malicious code – with the aim of making attacks harder to detect and defend against.”

John Terrill, CSO at Phosphorus Cybersecurity, worries about new OT-focused malware. “Over the next year, I’m anticipating we will see more sophisticated OT malware.” Such malware has been evolving over the last ten years, with growing support for devices and protocols that until recently were thought to be obscure and difficult to manipulate. 

“This includes libraries of exploits and techniques, such as the ability to brute force passwords. As attackers adapt to the OT world that was once poorly understood, it’s becoming clear that the next generation of OT malware is supporting multiple protocols, multiple devices, and is much more outcome oriented than the brittle technical tools of the past.”

The danger is that better and more accessible malware will bring OT attacks more into the purview of financially motivated criminals (think ransomware) rather than just elite nation state actors.

Where there are threats, so there are regulations. OT is automatically subject to most IT regulations, but there are additional regulations for specific critical industries, and some for specific OT devices. 

“As the threat landscape for OT systems expands, regulatory bodies around the world are introducing stricter compliance requirements for OT cybersecurity,” says Carlos Buenano, CTO for OT at Armis. He cites the continuing evolution of NERC CIP in the US and the NIS2 and CER directives in the EU as examples. 

The latest CIP-003 version 9 has an effective date of April 1, 2026. NIS2 (Network and Information Systems) expands its remit to include OT-heavy critical industry sectors such as energy, transport, healthcare, manufacturing and water; member states were required to transpose it into national law by October 17, 2024, but because it is a Directive rather than a Regulation, the detail and timing of actual implementation vary between EU member nations. CER (the Critical Entities Resilience Directive), closely linked to NIS2, applied from October 18, 2024.

“In 2025, organizations must not only implement these protections but also demonstrate compliance through audits and continuous risk assessments,” adds Buenano.

Secure-by-design is an implicit rather than explicit requirement for both hardware and software. “It will be a huge focus for manufacturers of OT products in 2025,” says Trevor Dearing, director of critical infrastructure at Illumio. “Manufacturers will be expected to address vulnerabilities, provide auto-updates, and contain potential threats, while ensuring that these practices don’t negatively impact the performance of such devices.”

While ‘secure-by-design’ is not specifically required by law (difficult when there are no measurable objective metrics that can be applied), it is nevertheless urged and encouraged. CISA, for example, published a Secure by Design Pledge on May 8, 2024, “a voluntary pledge focused on enterprise software products and services…” It states, “Physical products such as IoT devices and consumer products are not scoped in the pledge, though companies who wish to demonstrate progress in those areas are welcome to do so.”

There are signs of regulatory progress, but doubts continue over whether regulation can force more secure OT hardware. “Although there has been some good progress on the manufacturing side of things – with the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act and the US proposed Cyber Trust Mark for IoT devices – they are only a first small step and almost entirely focused on smart consumer IoT products and not on mission-critical OT cyber-physical systems like PLCs, HMIs, RTUs, and SCADA systems,” says John Vecchi, security strategist at Phosphorus Cybersecurity.

“Laws like the UK’s forcing organizations not to ship with default passwords are a start,” adds Gallagher, “but there is a very long way to go. Even if manufacturers improve the inherent device security, users are often not IT people and are not natives when it comes to staying on top of password changes, firmware updates, and using certificates.”

This will be a problem for both suppliers and users of OT in 2025. Regulations implicitly require security but offer little advice on how to achieve it.
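The hygiene gaps Gallagher lists (default passwords, unsegmented networks, stale firmware) are at least measurable by the user organization, whatever the regulations leave unsaid. The script below is an added example, not code from the article or from any vendor it names: it audits a constructed device inventory against a hypothetical default-credential list, an assumed OT zone (10.20.0.0/16) and an assumed per-vendor firmware baseline. Every device name, vendor, credential and network in it is invented for illustration; in practice the credential check would be driven by an authenticated login attempt rather than a stored password.

```python
"""Baseline hygiene audit for an OT/IIoT inventory: default credentials, zone membership, firmware age.

Added example for illustration. Vendors, models, credentials, networks and baselines are all
constructed assumptions, not real vendor defaults or a real site's policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: OT/IIoT devices are only supposed to live in this zone (Purdue level 0-3 networks).
OT_ZONES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed factory-default credentials per (vendor, model); "*" matches any model of that vendor.
DEFAULT_CREDENTIALS = {
    ("AcmePLC", "*"): {("admin", "admin"), ("admin", "1234")},
    ("CamCo", "IPCam-200"): {("root", "root"), ("admin", "")},
}
# Vendor-independent weak pairs that should never survive commissioning.
GENERIC_WEAK = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}

# Assumed minimum acceptable firmware per vendor (stands in for the site's patch baseline).
FIRMWARE_BASELINE = {"AcmePLC": "4.2.0", "CamCo": "2.0.5"}


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    ip: str
    username: str
    password: str
    firmware: str


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '4.10.2' into (4, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def uses_default_credentials(dev: Device) -> bool:
    cred = (dev.username, dev.password)
    if cred in GENERIC_WEAK:
        return True
    for (vendor, model), creds in DEFAULT_CREDENTIALS.items():
        if vendor == dev.vendor and model in ("*", dev.model) and cred in creds:
            return True
    return False


def outside_ot_zone(ip: str) -> bool:
    """True when the device sits on a network other than the designated OT zone(s)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in OT_ZONES)


def firmware_behind(dev: Device) -> bool:
    baseline = FIRMWARE_BASELINE.get(dev.vendor)
    return baseline is not None and version_tuple(dev.firmware) < version_tuple(baseline)


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each non-compliant device name to the list of hygiene checks it fails."""
    findings: Dict[str, List[str]] = {}
    for dev in devices:
        issues = []
        if uses_default_credentials(dev):
            issues.append("default-credentials")
        if outside_ot_zone(dev.ip):
            issues.append("not-in-ot-zone")
        if firmware_behind(dev):
            issues.append("firmware-behind-baseline")
        if issues:
            findings[dev.name] = issues
    return findings


# Constructed inventory (not real devices).
INVENTORY = [
    Device("plc-01", "AcmePLC", "M100", "10.20.5.7", "admin", "Zq9!wLr2", "4.2.1"),   # compliant
    Device("plc-02", "AcmePLC", "M100", "10.20.5.8", "admin", "admin", "4.1.0"),      # default creds, old firmware
    Device("cam-lobby", "CamCo", "IPCam-200", "10.0.3.44", "root", "root", "2.0.5"),  # default creds, on the office LAN
    Device("hmi-line1", "ViewCo", "HMI-7", "10.20.6.2", "operator", "Op3r-9xK", "1.9"),  # no baseline known: compliant
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(f"{name}: {', '.join(issues)}")
```

The zone check is deliberately about where the device is, not what it talks to; a device on the office LAN fails it even if a firewall happens to sit in front of it, because that is the condition Gallagher describes.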

IoT devices (often referred to as IIoT, the Industrial Internet of Things, in industrial settings) play an important role in business transformation and the elevation of OT, but they bring inherent issues: lost and forgotten yet still connected, insecure, and frequently running default passwords. They will be a particular pain point for OT in 2025. “The explosion of IoT devices will expand the attack surface significantly,” warns Ihab Shraim, CTO at CSC. 

“Securing interconnected systems, particularly in critical infrastructure, will be a top priority for the private and public sectors.” He offers smart cities as an example: “Cybercriminals will exploit weaknesses in municipal IoT infrastructure, targeting traffic systems, public utilities, and surveillance networks.” 

The principle will apply across all OT domains, from factory floors to critical services – IoT is widely considered the low-hanging fruit of OT.

Paul Savill, global network and edge computing practice leader at Kyndryl, quantifies the growth of IoT. “The global deployment of IoT devices is forecast to climb to more than 25.4 billion in 2030, almost triple from 8.74 billion devices in 2020.”

But he adds the concomitant rise of private 5G networks, used for communication with and from IoT devices, to the problem. “The proliferation of private 5G networks will create a double-edged sword,” he says. “While they offer untapped potential to accelerate digital transformation, the automation enabled by private 5G networks also allows hackers to run autonomous searches for exposed networks.”

Furthermore, “As organizations continue to leverage private 5G networks in an effort to build more reliable connections compared to legacy network technology, its vulnerabilities can have a ripple effect across the entire connected infrastructure. A single software or equipment hack can take down all mission-critical assets across an organization.”

We cannot ignore the effect of geopolitics on security in general, and on OT in particular. “The current geopolitical landscape is having a serious impact on the security of industrial organizations. This will continue in 2025,” warns David Neeson, senior SOC analyst at Barrier Networks.

“A big threat in relation to this comes down to the work Russia is currently conducting to harm countries that ally with Ukraine. We can expect to see Russian state sponsored actors increase their sights on NATO member targets, with the aim of taking out critical supplies, such as water, gas and electricity,” he continues.

He believes that attacks will likely target the traditional IT networks and then pivot to OT through the routes opened by business transformation. “These attacks will be dangerous and, if industrial organizations are not prepared, they could seriously harm the target country and its citizens.”

But it’s not just Russia that should concern us. “Whether it is war between Ukraine and Russia, Chinese efforts to have backdoors and compromised devices around the world under their control, North Korean activities, Israeli offensive cyber capabilities, and others, it is clear that the battlefield has been growing into cyberspace,” warns Gallagher.

“The cost and effort to root out already compromised ICS/OT/IoT devices is extraordinary; therefore, the issue is in who controls them (and for what intent), and whether there are effective mitigations in place (if not remediations).”

He expects to see a growth in OT focused, geopolitically motivated nation state activity in 2025. “The trend seen from the Russia / Ukraine conflict can be a good learning example,” he suggests. “Initially, cyberattacks were data focused, then moved to using OT devices to gather intelligence, and are now becoming more physical – as demonstrated by the ‘skyscraper-high’ plume of sewage sprayed over Moscow (assumed to be from a Ukrainian cyberattack, as reported by The Register).”

Russia has also been active, both within and around Ukraine. “During 2024, Russia-affiliated threat actors executed a campaign of physical sabotage throughout the European Union (EU) targeting critical infrastructure, the defense industry, and other elements of EU society,” notes John Sheehy, SVP Research & Strategy at IOActive.

“I assess it is likely that Russian-affiliated threat actors will conduct intensified reconnaissance, establishment of persistence, and the launch of exploratory cyberattacks on liquid natural gas (LNG) export and import facilities serving EU member states consistent with the Russian strategy of weaponizing natural gas export flows to those nations, and its recent operational activity in the EU,” he adds.

“In a nutshell,” says Vecchi, “if the past year is any indication, threats to OT and ICS cyber-physical systems will only continue to rise in frequency, sophistication, and scope. From recent attacks and malware like FrostyGoop and Fuxnet, to botnets like Volt Typhoon’s KV-Botnet, nation-states, hacktivists, and ransomware gangs are not only increasing their focus on OT endpoints but are incorporating deeper knowledge of these systems to make their malware more effective and targeted.”

He points to a lack of fundamental security hygiene on these OT devices. “We’ll likely see threat actors pivot to attacks that rely less on sophisticated ICS malware and more on simply exploiting the built-in functions native to network-connected OT devices to cause cyber-physical disruptions. This tactic will be coupled with ICS malware that is more generic and device-agnostic in nature, allowing attackers to target entire categories of devices like PLCs and HMIs, as opposed to targeting only a specific device and manufacturer.”
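The “built-in functions native to network-connected OT devices” that Vecchi refers to need no malware at all. On Modbus/TCP, for example, the standard write function codes (5, 6, 15, 16) change coil and register state on a PLC with a single unauthenticated frame, so detection has to key on who is issuing writes rather than on any malicious payload. The script below is an added example, not code from the article or from any vendor it names: it parses constructed Modbus/TCP request frames and flags writes from hosts outside an assumed allowlist of engineering and SCADA hosts. The IP addresses, allowlist and frames are invented for illustration; the Modbus framing itself (MBAP header followed by function code and data) is the public specification.

```python
"""Flag Modbus/TCP write requests issued by hosts that are not allowed to change process state.

Added example for illustration. Hosts, allowlist and sample frames are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Public Modbus function codes that alter process state: the 'native functions' an attacker can use as-is.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Assumption: only the engineering workstation and the SCADA server may write to PLCs.
WRITE_ALLOWLIST = {"10.20.1.10", "10.20.1.11"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse one request: MBAP header (txid, protocol id, length, unit id) then PDU (function code, data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    txid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts the unit id, function code and data that follow it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, txid, unit, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode the write target so the alert says what would change on the PLC."""
    fc, d = req.function, req.data
    if fc == 5 and len(d) >= 4:
        addr, value = struct.unpack(">HH", d[:4])
        state = "ON" if value == 0xFF00 else "OFF" if value == 0 else f"invalid 0x{value:04x}"
        return f"coil {addr} -> {state}"
    if fc == 6 and len(d) >= 4:
        addr, value = struct.unpack(">HH", d[:4])
        return f"register {addr} <- {value}"
    if fc in (15, 16) and len(d) >= 4:
        start, qty = struct.unpack(">HH", d[:4])
        return f"{qty} {'coils' if fc == 15 else 'registers'} from {start}"
    return "undecoded write"


def evaluate(requests: List[Tuple[str, str, bytes]]) -> List[Dict]:
    """Return one finding per write request whose source is outside WRITE_ALLOWLIST."""
    findings = []
    for src, dst, frame in requests:
        req = parse_modbus_tcp(src, dst, frame)
        if req.function not in WRITE_FUNCTIONS or req.src in WRITE_ALLOWLIST:
            continue
        findings.append({
            "src": req.src, "dst": req.dst, "unit": req.unit_id,
            "function": req.function, "name": WRITE_FUNCTIONS[req.function],
            "detail": describe_write(req),
        })
    return findings


# Constructed sample traffic: (source, destination, raw Modbus/TCP request frame).
SAMPLE_TRAFFIC = [
    # SCADA server polling 10 holding registers (FC 3): read-only, never flagged.
    ("10.20.1.11", "10.20.5.7", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Engineering workstation energising coil 16 (FC 5): allowed source.
    ("10.20.1.10", "10.20.5.7", bytes.fromhex("0002 0000 0006 01 05 0010 FF00")),
    # Unknown internal host energising the same coil: flagged.
    ("10.20.1.99", "10.20.5.7", bytes.fromhex("0003 0000 0006 01 05 0010 FF00")),
    # Internet-routable host zeroing two holding registers (FC 16): flagged.
    ("192.0.2.50", "10.20.5.7", bytes.fromhex("0004 0000 000B 01 10 0000 0002 04 00000000")),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_TRAFFIC):
        print(f"ALERT {f['src']} -> {f['dst']} unit {f['unit']}: {f['name']} ({f['detail']})")
```

Because Modbus carries no authentication, a source allowlist combined with decoding of the write target is about the only network-level control short of a protocol-aware firewall; the same structure (parse the header, classify the function, check the source against the conduits you intended) carries over to other unauthenticated ICS protocols.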

Kai Roer, CEO and founder at Praxis Security Labs, introduces an additional concept that needs to be considered. “One of the biggest shifts in technology today is the shift from globalization to protectionism… As we move into protectionism and isolationism, we must all recalibrate our sensors,” he suggests.

He no longer believes that securing OT can be limited to technical controls. “The security team must seek to understand the geopolitical and geofinancial trends and directions, and analyze their likely impact on them, their industry as well as their nation and allies.”

Will we see more attacks? “I think that is an easy yes.” Will they become more sophisticated? “For sure,” he says.

But he continues, “The scary part, in my opinion, is if that enemy of yours buys or has bought the core tech you use, and he now controls it, how will you protect yourself? That is a real scenario that must be brought into discussions by the board of directors, executives and security teams.” The manufacturer you bought from during friendly globalization may no longer be a friend in the geopolitically inspired age of protectionism and isolationism and the shifting spheres of political influence.

Tom Marsland, VP of technology at Cloud Range, also introduces the potential for wider shifts in international relations. “The United States military and leadership describe the tension with China and the ‘great power competition’. Even now, the US military discusses changes to ‘maintain superiority amid Great Power Competition’.”

As a result, he adds “I would expect an increase in nation state activity directed at OT as so much of our OT is critical infrastructure that supports our military and intelligence communities. We have already seen the beginnings of this with threat actors from China (Volt Typhoon, Salt Typhoon, Flax Typhoon), and I would expect even more aggressive behavior, especially if trade and tariff competitions that strain those economies begin to unfold.”

Redekop adds, “Given the cost of traditional war in real terms, the OT attacker has a low cost and low collateral damage – it simply requires advanced red teams with adversarial cyber tools.” Geopolitics makes the world a scary place, and geopolitics + OT makes it a dangerous one.

Since OT involves cyber-physical devices, the potential for destructive cyber damage to become destructive physical damage is obvious – and in times of both hot and cold international warfare, the potential of nation state aggression for nation state purposes is equally obvious. But the potential for criminal activity against OT is also high.

Before business transformation, OT was separated, often air-gapped, from the rest of IT and used arcane technology, so attacking it was the preserve of elite attackers. This no longer applies. “As OT systems and IT systems become more converged, attackers have stumbled on ways to cause disruption without having to rely on the sophisticated attack-craft,” says Oakley Cox, director of product at Darktrace.

“That’s why some of the most disruptive attacks of the last year have come from hacktivist and financially-motivated criminal gangs – such as the hijacking of internet-exposed PLCs by anti-Israel hacking groups and ransomware attacks resulting in the cancellation of hospital operations.”

Easier access to OT combined with the increasing capabilities of the major cybercriminal families will lead to an increase in financially motivated extortion attacks (see also Cyber Insights 2025: Malware Directions). We already see this in the proliferation of healthcare ransomware attacks. That physical threat, for extortion purposes, is easily transferable to other critical infrastructure sectors.

The geopolitical danger here is that politically aligned cybercriminals may be less concerned about avoiding physical damage and personal harm in certain targets during this period of high tension.

“In 2025,” says Cox, “we expect to see an increase in cyber-physical disruption caused by threat groups motivated by political ideology or financial gain, bringing the OT threat landscape closer in complexity and scale to that of the IT landscape. The sectors most at risk are those with a strong reliance on IoT sensors, including the healthcare, transportation, and manufacturing sectors.”

Threats against OT in 2025 will increase, and the potential harm from successful OT attacks will worsen. Will OT security improve enough to counter these threats? In parts, maybe – but sufficiently? Probably not. It is probably safe to say that OT threats will increase during 2025 at a faster rate than improvements in OT security. 

“We won’t see the needle move much on the manufacturer side of the security equation for OT devices in the year ahead,” says Vecchi. “For device manufacturers, the reality is that security is still at best an afterthought in their development lifecycle and manufacturing process – which is far more focused on delivering working, feature-rich products as opposed to devices that are secure-by-design.” 

Small steps in the right direction are not yet sufficient, he warns. “Although there has been some good progress on the manufacturing side of things, they are only a first small step and almost entirely focused on smart consumer IoT products and not on mission-critical OT cyber-physical devices like industrial IoT, PLCs, HMIs, RTUs, and SCADA systems,” he says.

The traditional need for operational technology to remain operational (to avoid a complete manufacturing shutdown) remains paramount, and with it comes a reluctance to change and a distrust of it. “The nature of OT means that change is slow,” notes Jose Seara, CEO and founder at DeNexus. “Upgrades or replacements offered by vendors often require downtime, which must be planned carefully. Such changes are also tied to resource availability at remote facilities and must account for safety.”

Even where the will to improve security exists, the possibility may not. “The issue faced by most organizations is that the majority of their operations are conducted with legacy products that do not have an option to better secure the IoT devices themselves,” says Justin Flynn, senior director of cybersecurity professional services at Stratascale.

“So, in the sense of delivering more secure products in legacy environments, the answer is no. However, there should be an increase in establishing mitigating controls such as segmentation and reactive controls like incident response to handle these scenarios.”

Savill believes that secure 5G implementations could help. “While private 5G networks pose new threats, they also allow companies to have full control over their network infrastructure, providing better security, data privacy outcomes, and flexibility when implemented right.”

But he believes this must include a zero trust integrated approach. “A zero trust integration, supported by the creation of multiple visibility points and automated detection and response, ensures the protection of critical applications, data, and systems, and can reduce the attack surface.”

In short, threats against OT are likely to increase faster in 2025 than our ability to defend against them. Until OT-specific weaknesses are properly tackled, primarily by the manufacturers, the primary defense against the likelihood and blast radius of OT attacks may be the lessons already learned in defending IT.
