ICS/OT Vulnerabilities Hit Record in 2025: 2,155 Flaws Across PLCs, SCADA & Industrial Systems
The Dragos OT Cybersecurity Report reveals 508 advisories covering 2,155 vulnerabilities in industrial control systems — the highest ever recorded. Three new threat groups now target critical infrastructure globally.
Industrial Control Systems Under Siege
The numbers are staggering: 508 advisories covering 2,155 vulnerabilities in industrial control systems — the highest volume since tracking began. That's the headline finding from Dragos's 2025 OT Cybersecurity Year in Review, and it paints a picture of critical infrastructure under escalating threat.
Three new threat groups targeting critical infrastructure were identified, and adversaries are progressing from reconnaissance to operational disruption — meaning they're not just looking at industrial systems anymore, they're actively trying to break them.
Related: Zero Trust for OT/Industrial Networks — how to protect industrial networks with zero-trust architecture.
Key Findings
Vulnerability Explosion
| Year | Advisories | Vulnerabilities | Trend |
|------|-----------|----------------|-------|
| 2022 | 365 | 1,342 | Baseline |
| 2023 | 408 | 1,667 | +24% |
| 2024 | 451 | 1,890 | +13% |
| 2025 | 508 | 2,155 | +14% |
The growth isn't slowing down. More devices are being connected to networks, more researchers are looking for flaws, and vendors are being forced to disclose.
Where the Flaws Are
The most affected systems:
- Field controllers and PLCs — The devices that directly control physical processes (valves, motors, switches)
- SCADA systems — Supervisory control and data acquisition servers
- HMI panels — Human-machine interfaces used by operators
- Engineering workstations — Where configurations are developed and deployed
- Network infrastructure — Industrial switches, routers, and gateways
High-Severity Flaws Dominate
The report highlights a sharp rise in high-severity vulnerabilities affecting core assets. These aren't theoretical — many are remotely exploitable with low complexity, meaning an attacker doesn't need physical access or advanced skills.
Three New Threat Groups
Dragos identified three new threat groups targeting industrial infrastructure globally. While specific names are tracked under Dragos's threat intelligence framework, the key patterns are:
1. Coordinated Ecosystem Operations
Threat groups are no longer operating in isolation. They work as coordinated ecosystems — one group handles initial access, another performs reconnaissance, and a third executes the operational disruption.
2. From Device to Control Loop
Adversaries have progressed from targeting individual devices to mapping entire industrial control loops. This means they understand:
- How sensors feed data to controllers
- How controllers drive actuators
- What happens when you manipulate values at specific points in the process
This level of understanding enables targeted disruption with maximum physical impact.
3. IT-to-OT Pivot
Most OT compromises still start from the IT network. Attackers gain access through:
- Phishing emails to corporate users
- VPN vulnerabilities
- Exposed remote access tools (RDP, TeamViewer)
- Compromised vendor/integrator credentials
They then pivot across the IT/OT boundary, often through a poorly segmented firewall or a shared jump server.
Impact by Industry
| Sector | Risk Level | Key Concern |
|--------|-----------|-------------|
| Energy & Utilities | Critical | Grid disruption, power generation manipulation |
| Water & Wastewater | Critical | Treatment process tampering, chemical dosing |
| Railway & Transportation | High | Signalling system compromise, safety system bypass |
| Manufacturing | High | Production line sabotage, quality manipulation |
| Oil & Gas | Critical | Pipeline SCADA manipulation, safety system override |
| Pharmaceuticals | High | Batch process tampering, recipe modification |
What This Means for Network Administrators
If you manage networks that connect to or support OT/ICS environments, here's your action plan:
1. Network Segmentation Is Non-Negotiable
Implement the Purdue Model with proper segmentation:
```text
Level 5: Enterprise Network (Internet, email, ERP)
──── Firewall (strict rules) ────
Level 4: IT/Business Network (corporate apps)
──── DMZ (data diode or firewall) ────
Level 3: Operations (OT servers, historian, SCADA)
──── Firewall (OT-specific rules) ────
Level 2: Control (HMI, engineering workstations)
──── Network switch (VLAN isolation) ────
Level 1: Field Controllers (PLCs, RTUs, DCS)
──── Physical isolation where possible ────
Level 0: Physical Process (sensors, actuators)
```
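One way to check a boundary firewall's allow-rules against the levels above, as an added example that is not from the article or the Dragos report; the rule format (Purdue level of each side, TCP destination port, `None` for any port) and the sample rules are assumptions made for this illustration:

```python
# Constructed rule format: one dict per allow-rule on a boundary firewall, with the
# Purdue level of each side (5 = enterprise ... 0 = process) and the TCP dest port
# (None = any port). Level numbers and field names are assumptions for this example.
ICS_PORTS = {502: "Modbus TCP", 44818: "EtherNet/IP", 20000: "DNP3",
             4840: "OPC UA", 102: "S7comm"}

def audit_rule(rule):
    """Return the list of policy violations for one allow-rule (empty = clean)."""
    src, dst, port = rule["src"], rule["dst"], rule["dport"]
    findings = []
    # Inbound from the IT side (Level 4/5) must terminate in the DMZ, never reach
    # Level 3 or below directly.
    if src >= 4 and dst <= 3:
        findings.append(f"inbound IT->OT flow (L{src}->L{dst}) bypasses the DMZ")
    # Industrial protocols belong at Level 3 and below; neither end may be IT.
    if port in ICS_PORTS and (src >= 4 or dst >= 4):
        findings.append(f"{ICS_PORTS[port]} (tcp/{port}) reachable from the IT zone")
    # The control zone (Level 2 and below) should only see explicitly listed ports.
    if port is None and dst <= 2:
        findings.append(f"allow-any rule into control zone (L{dst})")
    return findings

def audit_ruleset(rules):
    """Map each offending rule's name to its findings; clean rules are omitted."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}

# Constructed sample ruleset for a boundary firewall.
SAMPLE_RULES = [
    {"name": "erp-to-historian",    "src": 4, "dst": 3, "dport": 1433},
    {"name": "it-to-plc-modbus",    "src": 4, "dst": 1, "dport": 502},
    {"name": "hmi-to-plc",          "src": 2, "dst": 1, "dport": 44818},
    {"name": "ews-to-plc-any",      "src": 2, "dst": 1, "dport": None},
    {"name": "historian-push-to-l4", "src": 3, "dst": 4, "dport": 443},
]
```

Run `audit_ruleset(SAMPLE_RULES)` to see the three offending rules; extend the checks with your own zone policy before pointing it at an exported rulebase.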
2. Monitor OT Networks with SNMP and Passive Tools
Industrial devices often support SNMP for basic health monitoring. The commands below walk interface statistics on a PLC gateway and port status on an industrial switch, then start a trap receiver for OT network events.
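The switch walk below returns one `ifOperStatus` line per port. As an added example that is not from the article, here is a checker that parses that output (both MIB-resolved and numeric styles) and diffs it against a documented port baseline, so a dropped link, a supposedly unused port that is now live, or a port missing from the walk becomes a finding. The sample walk and baseline are constructed.

```python
import re

# Matches both MIB-resolved and numeric snmpwalk lines for ifOperStatus
# (1.3.6.1.2.1.2.2.1.8.<ifIndex>), e.g.
#   IF-MIB::ifOperStatus.3 = INTEGER: down(2)
#   iso.3.6.1.2.1.2.2.1.8.3 = INTEGER: 2
LINE_RE = re.compile(r"(?:ifOperStatus|2\.2\.1\.8)\.(\d+)\s*=\s*INTEGER:\s*(?:[A-Za-z]+\()?(\d+)")
STATUS = {1: "up", 2: "down", 3: "testing", 4: "unknown", 5: "dormant",
          6: "notPresent", 7: "lowerLayerDown"}

def parse_oper_status(walk_output):
    """Return {ifIndex: ifOperStatus code} from snmpwalk text; other lines are ignored."""
    found = {}
    for line in walk_output.splitlines():
        m = LINE_RE.search(line)
        if m:
            found[int(m.group(1))] = int(m.group(2))
    return found

def diff_against_baseline(baseline, current):
    """Compare a walk against the documented baseline {ifIndex: expected code}.
    Flags links that dropped, ports that should be unused but came up (a possible
    unauthorized device on an OT switch port), and interfaces missing from the walk."""
    findings = []
    for idx, expected in sorted(baseline.items()):
        seen = current.get(idx)
        if seen is None:
            findings.append((idx, "missing from walk"))
        elif expected == 1 and seen != 1:
            findings.append((idx, f"was up, now {STATUS.get(seen, seen)}"))
        elif expected == 2 and seen == 1:
            findings.append((idx, "documented-unused port is now up: verify the device"))
    return findings

# Constructed sample walk of an industrial switch, mixing both output styles.
SAMPLE_WALK = """\
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: down(2)
IF-MIB::ifOperStatus.3 = INTEGER: up(1)
iso.3.6.1.2.1.2.2.1.8.4 = INTEGER: 1
"""
# Constructed baseline: ports 1, 2, 4 and 5 carry known devices; port 3 is unused.
BASELINE = {1: 1, 2: 1, 3: 2, 4: 1, 5: 1}
```

Feed it the output of the `ifOperStatus` walk (for example via `subprocess` or a saved file) on a schedule and alert on any non-empty result.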
```bash
# Monitor PLC/RTU health via SNMP (SNMPv3, authenticated and encrypted)
# Note: SHA256/AES256 need a net-snmp build and device firmware that support them
# (net-snmp 5.8+); fall back to SHA/AES where they are not available.
# Passphrases given with -A/-X land in shell history and process listings; for
# scheduled polling put them in snmp.conf (defAuthPassphrase/defPrivPassphrase) instead.
snmpwalk -v3 -u ot_monitor -l authPriv \
  -a SHA256 -A "OT_AuthPass!" \
  -x AES256 -X "OT_PrivPass!" \
  <plc_gateway_ip> 1.3.6.1.2.1.2.2          # ifTable: interface statistics

# Monitor industrial switch port status
snmpwalk -v3 -u ot_monitor -l authPriv \
  -a SHA256 -A "OT_AuthPass!" \
  -x AES256 -X "OT_PrivPass!" \
  <switch_ip> 1.3.6.1.2.1.2.2.1.8           # ifOperStatus, one entry per port

# Set up trap receiver for OT network events
# Critical: keep the trap receiver in the OT DMZ, not on the IT network
snmptrapd -c /etc/snmp/snmptrapd-ot.conf \
  -Lf /var/log/ot-network-traps.log
```
3. Patch What You Can, Compensate What You Can't
Many OT systems can't be patched easily (vendor restrictions, uptime requirements, safety concerns). Use compensating controls:
- Virtual patching with IDS/IPS rules for known CVEs
- Application whitelisting on engineering workstations and HMIs
- USB device control — block unauthorized removable media
- Network access control — only authorized devices on OT VLANs
4. Asset Inventory
You can't protect what you don't know about:
```bash
# Passive discovery of OT assets (don't actively scan OT networks!)
# Capture from a SPAN/mirror port or TAP; eth0 is the monitoring interface
tcpdump -i eth0 -n -e -c 10000 -w /tmp/ot-discovery.pcap

# Analyze captured traffic for device identification
# Industrial protocols to look for:
# - Modbus TCP (port 502)
# - EtherNet/IP (port 44818)
# - DNP3 (port 20000)
# - OPC UA (port 4840)
# - S7comm (port 102)
```
Never run active scans (Nmap, vulnerability scanners) directly against OT devices — they can crash PLCs and cause safety incidents.
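The analysis step above is left to the reader; as an added example that is not from the article, the following block builds an asset list from a capture like the one `tcpdump -w` produces. It parses the classic pcap format directly (no scapy needed) and tags each IP by the industrial protocols it serves or speaks, using the port list above. The capture, addresses and frames are constructed inside the block.

```python
import struct
from collections import defaultdict

ICS_PORTS = {502: "Modbus TCP", 44818: "EtherNet/IP", 20000: "DNP3",
             4840: "OPC UA", 102: "S7comm"}  # server ports named on this page

def inventory_from_pcap(data):
    """Return {ip: {"<proto> server"/"<proto> client", ...}} from a classic little-endian
    pcap (as tcpdump -w writes on such hosts); only IPv4/TCP on ICS ports is counted."""
    assets, off = defaultdict(set), 24        # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        pkt = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 38 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                           # not IPv4/TCP, or truncated
        ihl = (pkt[14] & 0x0F) * 4
        if len(pkt) < 14 + ihl + 4:
            continue                           # TCP ports not captured
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        # Whichever side uses the well-known port is the server (PLC, RTU, OPC host).
        for server, client, port in ((dst, src, dport), (src, dst, sport)):
            if port in ICS_PORTS:
                assets[server].add(f"{ICS_PORTS[port]} server")
                assets[client].add(f"{ICS_PORTS[port]} client")
                break
    return dict(assets)

def tcp_frame(src_ip, dst_ip, sport, dport):
    """Constructed header-only Ethernet/IPv4/TCP frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return b"\x02" * 12 + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Constructed pcap file: 24-byte global header plus a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: a Modbus poll and its reply, an S7comm session, a DNP3 poll, HTTP to ignore.
SAMPLE_PCAP = pcap_bytes([
    tcp_frame("10.20.2.5", "10.20.1.10", 50100, 502),
    tcp_frame("10.20.1.10", "10.20.2.5", 502, 50100),
    tcp_frame("10.20.2.6", "10.20.1.11", 50101, 102),
    tcp_frame("10.20.3.20", "10.20.1.12", 50102, 20000),
    tcp_frame("10.20.2.5", "10.20.1.10", 50103, 80),
])
```

On a real capture call `inventory_from_pcap(open("/tmp/ot-discovery.pcap", "rb").read())`; anything tagged as a server that is not in your asset register is the first thing to investigate.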
Building an OT Security Program
Quick Wins (This Week)
- Verify IT/OT network segmentation — check firewall rules
- Disable unnecessary services on industrial switches and routers
- Change default credentials on all OT network devices
- Enable logging on IT/OT boundary firewalls
- Review remote access tools — disable anything not actively used
Medium Term (This Quarter)
- Deploy passive network monitoring in OT environment
- Implement network access control for OT VLANs
- Create OT-specific incident response playbook
- Establish vulnerability management process for OT assets
- Train IT staff on OT safety considerations
Long Term (This Year)
- Implement zero-trust architecture for OT networks
- Deploy industrial-specific threat detection (Dragos, Claroty, Nozomi)
- Establish OT security operations capability
- Conduct tabletop exercises for OT incident scenarios
- Integrate OT security into enterprise risk management
FAQ
Are these vulnerabilities being actively exploited?
Yes. The three new threat groups identified by Dragos are actively targeting industrial infrastructure. While mass exploitation is less common than in IT, targeted attacks against specific facilities are increasing.
Does this affect small manufacturers or just large utilities?
All sizes are affected. Small manufacturers often have weaker security posture and are targeted as supply chain entry points to larger organizations. If you have any network-connected industrial equipment, you're in scope.
We use air-gapped OT networks. Are we safe?
True air gaps are rare. Most "air-gapped" networks have some connectivity — USB transfers, vendor VPN connections, shared historian databases, or dual-homed workstations. Audit your actual connectivity, not your assumed connectivity.
How do we monitor OT networks without risking disruption?
Use passive monitoring only. Deploy network TAPs or SPAN ports to copy traffic for analysis. Never send active probes to OT devices. Industrial-specific monitoring tools (Dragos Platform, Claroty, Nozomi Networks) are designed for safe OT visibility.