" " indicates required fields
Claroty’s 2025 State of CPS Security: OT Exposures report analyzed nearly 1 million OT devices across critical sectors such as manufacturing, logistics, and natural resources. The findings reveal a rapidly worsening threat landscape, underscoring the urgent need to rethink OT cybersecurity strategies.
Nation-state cyberattacks are escalating. Operational Technology (OT) systems have become prime targets for adversaries seeking to disrupt physical operations through digital means. Are you prepared for what’s next?
Manufacturing faced the highest risk as a sector, with over 96,000 devices containing confirmed Known Exploited Vulnerabilities (KEVs), including more than 65,000 linked to known ransomware. To put this into perspective, the next most targeted sector, Natural Resources, had just 3,921 devices with confirmed ransomware-linked KEVs.
Key Findings from Claroty:
These statistics reveal systemic weaknesses in protecting industrial systems against sophisticated adversaries.
Russia, Iran, and China successfully launched a multitude of state-sponsored attacks directly targeting critical infrastructure, with the shared goal of disrupting operations and escalating conflict through cyber-enabled sabotage.
A breakdown of each nation-sponsored threat:
In 2024, a threat group from North Korea, also known as Anadariel, was involved in a global espionage campaign that targeted the UK, US, and South Korea. The motive was reported to be military gain. Still, the techniques mirrored those used in OT attacks described in the report, leveraging living-off-the-land (LOTL) methods and remote access Trojans (RATs) to exfiltrate data, manipulate systems, and compromise critical national infrastructure (CNI).
The nation-sponsored attacks have highlighted significant security gaps in PLCs, network segmentation, and poor visibility across operational technology environments. Device exposures were attributed to various factors, including outdated firmware, unsupported end-of-life systems and devices, and weak configurations. Each presents a risk.
OT assets like Programmable Logic Controllers (PLCs), SCADA systems, and Human-Machine Interfaces (HMIs) are essential to industrial operations. Still, they also represent some of the most attractive entry points for attackers. Traditional vulnerability scoring systems, such as CVSS, fall short in these environments because they fail to account for critical systems’ operational context, business impact, and exploitability.
Security teams managing thousands of devices often face an overwhelming challenge: how to prioritize what to fix first. Without context, even valid mitigation can become misdirected – or worse, introduce disruption. Vulnerabilities aren’t just about severity ratings; they must be understood in how they expose the business to real risk.
Threat exposure management addresses this by mapping vulnerabilities to their place in the attack path, revealing how misconfigured firewalls, legacy devices, or unused open ports could provide attackers with lateral access across the network. These exposures aren’t isolated; they form sequences that adversaries exploit to escalate access, disable safety systems, and halt operations.
Through attack path validation and linear traceability, security teams gain visibility into the full chain of events an attacker could trigger, from reconnaissance to payload execution. Instead of reacting to isolated alerts, exposure management enables proactive, risk-informed decisions that prevent attackers from ever reaching their target.
C2A Security’s EVSec Platform delivers context-aware vulnerability management, helping manufacturers and asset owners identify what vulnerabilities matter most and why.
Aligned with the OT threat landscape identified in the Claroty report, EVSec enables security teams to close critical visibility gaps, prioritize the riskiest exposures, and automate remediation across OT and embedded environments. Whether outdated firmware, poorly segmented networks, or internet-facing assets, EVSec delivers the tools to detect, contextualize, and eliminate systemic weaknesses that nation-state actors routinely exploit.
EVSec provides:
Schedule a demo to learn how C2A Security can prevent the exposure of critical OT assets and infrastructure.
CRO
C2A Security
VP and GM, Medical Technology
C2A Security
Ken Zalevsky brings over 20 years of medical device cybersecurity experience to his role at C2A Security, where he serves as VP and GM, Medical Technology, following the acquisition of Vigilant Ops in October 2025. A former Bayer executive, Ken founded Vigilant Ops in 2019 after witnessing the consequences of inadequate technical preparation in the healthcare industry. He is an active contributor to CISA’s SBOM working groups and a frequent speaker on software supply chain security. Ken’s mission: transform SBOM from a compliance checkbox into operational intelligence that keeps patients safe while streamlining regulatory processes.