Claroty’s 2025 State of CPS Security: OT Exposures report analyzed nearly 1 million OT devices across critical sectors such as manufacturing, logistics, and natural resources. The findings reveal a rapidly worsening threat landscape, underscoring the urgent need to rethink OT cybersecurity strategies.

Nation-state cyberattacks are escalating. Operational Technology (OT) systems have become prime targets for adversaries seeking to disrupt physical operations through digital means. Are you prepared for what’s next?

OT Device Exposure: Risk by The Numbers

Manufacturing faced the highest risk as a sector, with over 96,000 devices containing confirmed Known Exploited Vulnerabilities (KEVs), including more than 65,000 linked to known ransomware. To put this into perspective, the next most targeted sector, Natural Resources, had just 3,921 devices with confirmed ransomware-linked KEVs.  

Key Findings from Claroty:

• 40% of organizations have insecure internet-facing assets.
• 12% of OT devices contain KEVs.
• 12% of OT environments had assets communicating with malicious domains.
• 7% of devices had KEVs linked to ransomware campaigns.

These statistics reveal systemic weaknesses in protecting industrial systems against sophisticated adversaries.

Nation-Sponsored Threat Actors Targeting Critical OT 

Russia, Iran, and China successfully launched a multitude of state-sponsored attacks directly targeting critical infrastructure, with the shared goal of disrupting operations and escalating conflict through cyber-enabled sabotage.

A breakdown of each nation-sponsored threat:

• Volt Typhoon (China): Threat actors linked to the People’s Republic of China compromised critical infrastructure and OT networks by leveraging living-off-the-land (LOTL) techniques to evade detection. The attackers managed to obtain privileged access credentials found in exploited system vulnerabilities to move laterally within networks and disrupt critical services. It was reported that Volt Typhoon threat actors had maintained undetected access to some U.S. networks for up to five years.
• Sandworm (Russia): Russia-sponsored military threat intelligence actors were responsible for the 2015 power grid attack during the Ukrainian conflict. The attackers successfully compromised SCADA systems by exploiting the MicroSCADA application binary, which acted as a supervisory control interface. This allowed them to send unauthorized command messages to remote substations and gain access to critical OT systems.
• CyberAv3ngers (Iran): Iranian threat group CyberAv3ngers targeted Israeli-developed technology and infrastructure. The state-sponsored “hacktivist” group, linked to the Islamic Revolutionary Guard Corps (IRGC), has recently expanded its operations into the industrial sector, targeting U.S.-based water facilities using vulnerable Unitronics HMI/PLC devices. The group had previously disabled over 4,000 Iranian gas stations in 2021 as part of internal retaliation. 

In 2024, a threat group from North Korea, also known as Anadariel, was involved in a global espionage campaign that targeted the UK, US, and South Korea. The motive was reported to be military gain. Still, the techniques mirrored those used in OT attacks described in the report, leveraging living-off-the-land (LOTL) methods and remote access Trojans (RATs) to exfiltrate data, manipulate systems, and compromise critical national infrastructure (CNI).

The nation-sponsored attacks have highlighted significant security gaps in PLCs, network segmentation, and poor visibility across operational technology environments. Device exposures were attributed to various factors, including outdated firmware, unsupported end-of-life systems and devices, and weak configurations. Each presents a risk.

Beyond CVEs: Why Exposure Management Matters

OT assets like Programmable Logic Controllers (PLCs), SCADA systems, and Human-Machine Interfaces (HMIs) are essential to industrial operations. Still, they also represent some of the most attractive entry points for attackers. Traditional vulnerability scoring systems, such as CVSS, fall short in these environments because they fail to account for critical systems’ operational context, business impact, and exploitability.

Security teams managing thousands of devices often face an overwhelming challenge: how to prioritize what to fix first. Without context, even valid mitigation can become misdirected – or worse, introduce disruption. Vulnerabilities aren’t just about severity ratings; they must be understood in how they expose the business to real risk.

Threat exposure management addresses this by mapping vulnerabilities to their place in the attack path, revealing how misconfigured firewalls, legacy devices, or unused open ports could provide attackers with lateral access across the network. These exposures aren’t isolated; they form sequences that adversaries exploit to escalate access, disable safety systems, and halt operations.

Through attack path validation and linear traceability, security teams gain visibility into the full chain of events an attacker could trigger, from reconnaissance to payload execution. Instead of reacting to isolated alerts, exposure management enables proactive, risk-informed decisions that prevent attackers from ever reaching their target.

Preventing OT Risks with C2A Security’s Product Security Platform

C2A Security’s EVSec Platform delivers context-aware vulnerability management, helping manufacturers and asset owners identify what vulnerabilities matter most and why.

Aligned with the OT threat landscape identified in the Claroty report, EVSec enables security teams to close critical visibility gaps, prioritize the riskiest exposures, and automate remediation across OT and embedded environments. Whether outdated firmware, poorly segmented networks, or internet-facing assets, EVSec delivers the tools to detect, contextualize, and eliminate systemic weaknesses that nation-state actors routinely exploit.

EVSec provides:

• Real-time risk-based vulnerability management, continuously prioritizing and mitigating exposures that pose the most significant business or safety impact.
• Policy-driven compliance automation, aligning with standards like ISO 21434, RED, the EU Cyber Resilience Act and more, ensuring cybersecurity is embedded from development through deployment.
• Contextual threat triage, integrating sources like Auto-ISAC, and correlating threat intelligence with system architecture and product functions.
• Attack path mapping and lifecycle tracking, linking exposures to threat models (e.g., TARA) for traceability across SDLC stages and deployment environments.
• Unlike traditional tools, EVSec connects the dots between vulnerabilities, misconfigurations, and product-specific risks to provide precise and actionable insights.

Schedule a demo to learn how C2A Security can prevent the exposure of critical OT assets and infrastructure.