For more than a decade, industrial cybersecurity has been trying to solve the same problem with the same set of tools. Detection has improved. Asset inventories are more complete. Segmentation projects are underway across nearly every industrial sector. Yet attackers still find ways in, operations still get disrupted, and recovery still takes far too long.
The latest 2025 SANS State of ICS/OT Security Survey confirms it. Yes, the industry is making progress, but this progress has created a false sense of security. Detection is improving, but consequences aren’t shrinking. Controls are deployed, but they’re shallow. Organizations are busy, but they aren’t proactive.
The real gap isn’t technology. It’s the absence of true adversary-driven validation — the kind you only get from threat hunting, assessments, and red/purple team exercises grounded in real ICS/OT evidence.
The Data Is Clear: OT Attacks Are Getting Caught Earlier… But Not Stopped
According to the report, nearly half of ICS/OT incidents are detected within 24 hours, and over 60% are contained within 48 hours. On the surface, that looks like progress.
But then comes the part the industry doesn’t like to talk about:
22% of organizations take 2–7 days to remediate, 19% take more than a month, and some take over a year.
That’s not a detection failure — that’s a visibility and preparedness failure.
Organizations are spotting symptoms but not the root causes. They’re catching the spark, not the pathway that led to ignition. And attackers know it.
Remote Access Is Still the Front Door — and It’s Wide Open
Half of all ICS/OT incidents in the past year started with unauthorized external access. While MFA enforcement and segmentation are rising, the controls that matter most — session recording, ICS-specific protocol awareness, real-time approvals — are implemented by fewer than 15% of organizations.
That gap persists because most organizations simply don’t know what their remote access landscape truly looks like. A full 31% admit they have no centralized inventory of ICS/OT remote access points at all.
You can’t secure what you can’t see.
And you definitely can’t hunt in an environment you can’t map.
Visibility Drops Precisely Where Consequences Rise
One of the most telling visuals in the entire report is the Purdue Model coverage map. It shows:
- 20% visibility at Level 3
- 10% visibility at Level 2
- Even less at Level 1 and remote field sites
Those are the layers where attackers pivot into disruption — and the exact places where defenders are most blind.
Traditional OT monitoring tools don’t see enough. IT tools don’t understand industrial context. And SIEM correlation only works if the underlying evidence exists.
This is why proactive, evidence-driven threat hunting — on hosts, on engineering workstations, in historian logs, in protocol captures — matters so much. It surfaces what passive tools miss.
The Industry’s Biggest Weakness: We Don’t Practice Security, We Just Install It
The report reveals a stunning stat:
Only 1 in 5 organizations performs either ICS/OT threat hunting or red/purple team exercises.
And yet the organizations that classify themselves as fully prepared for future threats?
- 55% conduct threat hunts
- 48% run red/purple team exercises
- They are 7× more likely to involve field technicians in preparedness
- They have significantly better kill-chain visibility
- They remediate faster, contain sooner, and recover with fewer consequences
Preparedness isn’t a checklist. It’s a habit. Proactive organizations don’t wait for incidents to teach them where they’re vulnerable.
Threat Hunting Is the Missing Middle Layer
Threat hunting is where theory meets reality. It’s where assumptions about segmentation, access pathways, and system hygiene get pressure-tested.
Done right, threat hunting combines:
- Host-level telemetry
- Network captures
- Engineering workstation behavior
- Historian patterns
- Ladder logic snapshots
- Protocol-aware analysis
It’s not just about finding active intrusions — it’s about uncovering unsafe configurations, legacy exposures, silent misuses, and dormant access paths attackers would exploit.
Passive detection can’t do that.
Assessments alone don’t go deep enough.
Compliance only proves paperwork, not safety.
Threat hunting ties everything together and makes it real.
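To make the "missing middle layer" concrete, here is an added hunt script (not from the SANS report or from any vendor product) that does what the remote access and threat hunting sections describe: it takes the centralized inventory of sanctioned remote access paths as the map, then checks jump-host session evidence and protocol-aware sensor events against it. It flags access that works but is on nobody's map, sessions that were not recorded, sanctioned paths nobody has used in 60 days (dormant access paths), and write-class controller operations that come from a non-engineering host or fall outside the change window, tying each of those back to the remote session that was active on the originating host. The inventory, log lines, host names, the 60-day dormancy threshold and the 07:00-18:59 maintenance window are all constructed assumptions for illustration.

```python
"""Hunt for dormant, unmapped and silently misused remote access paths.

Added example, not code from the SANS report or from any vendor. The
inventory, jump-host session log, sensor events and timestamps below are
all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of sanctioned remote access paths: the "map" that
# 31% of surveyed organizations say they do not have.
INVENTORY = [
    {"account": "vendor-a",   "jump": "jump-01", "target": "ews-01",  "proto": "rdp"},
    {"account": "vendor-b",   "jump": "jump-01", "target": "hist-01", "proto": "rdp"},
    {"account": "integrator", "jump": "jump-02", "target": "ews-02",  "proto": "rdp"},
]
ENGINEERING_HOSTS = {"ews-01", "ews-02"}          # hosts allowed to program controllers
MAINTENANCE_HOURS = range(7, 19)                  # constructed 07:00-18:59 change window
WRITE_OPS = {"program_download", "write_var", "stop_cpu"}
DORMANT_AFTER = timedelta(days=60)                # constructed dormancy threshold
NOW = datetime(2025, 10, 10)                      # fixed "now" so the run is reproducible

# Constructed jump-host session log: ts account jump target proto recorded=yes|no
SESSION_LOG = """\
2025-09-02T08:14:00 vendor-a jump-01 ews-01 rdp recorded=yes
2025-09-20T22:41:00 vendor-a jump-01 ews-01 rdp recorded=no
2025-10-05T09:02:00 contractor-x jump-01 ews-01 rdp recorded=yes
"""

# Constructed protocol-aware sensor events from the Level 1/2 segment:
# ts src dst proto operation
SENSOR_LOG = """\
2025-09-20T22:43:10 ews-01 plc-07 s7comm program_download
2025-10-01T10:00:00 ews-01 plc-07 s7comm read_var
2025-10-06T03:12:44 10.20.5.77 plc-07 s7comm program_download
"""


def parse_sessions(text):
    sessions = []
    for line in text.splitlines():
        ts, account, jump, target, proto, rec = line.split()
        sessions.append({"ts": datetime.fromisoformat(ts), "account": account,
                         "jump": jump, "target": target, "proto": proto,
                         "recorded": rec == "recorded=yes"})
    return sessions


def parse_sensor(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, proto, op = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "proto": proto, "op": op})
    return events


def hunt(inventory, sessions, events, now=NOW):
    """Return findings keyed by category; each value is a list of tuples."""
    findings = defaultdict(list)
    known = {(e["account"], e["jump"], e["target"], e["proto"]) for e in inventory}
    last_seen = {}

    for s in sessions:
        key = (s["account"], s["jump"], s["target"], s["proto"])
        if key in known:
            last_seen[key] = max(last_seen.get(key, s["ts"]), s["ts"])
        else:
            # Access that works but is on nobody's map.
            findings["unmapped_access"].append(key)
        if not s["recorded"]:
            findings["unrecorded_session"].append((s["ts"].isoformat(), s["account"]))

    # Sanctioned paths nobody has used recently are candidates for removal.
    for key in sorted(known):
        seen = last_seen.get(key)
        if seen is None or now - seen > DORMANT_AFTER:
            findings["dormant_path"].append(key)

    # Write-class controller operations from a non-engineering host or outside
    # the change window; each is tied back to the most recent remote session
    # on the originating host (within 2h), if any.
    for ev in events:
        if ev["op"] not in WRITE_OPS:
            continue
        if ev["src"] in ENGINEERING_HOSTS and ev["ts"].hour in MAINTENANCE_HOURS:
            continue
        linked = [s for s in sessions if s["target"] == ev["src"]
                  and timedelta(0) <= ev["ts"] - s["ts"] <= timedelta(hours=2)]
        account = max(linked, key=lambda s: s["ts"])["account"] if linked else None
        findings["suspect_write"].append(
            (ev["ts"].isoformat(), ev["src"], ev["dst"], ev["op"], account))
    return dict(findings)


if __name__ == "__main__":
    for category, items in hunt(INVENTORY, parse_sessions(SESSION_LOG),
                                parse_sensor(SENSOR_LOG)).items():
        print(category)
        for item in items:
            print("  ", item)
```

On the constructed data the hunt surfaces the contractor-x session as unmapped access, the unrecorded vendor-a session, two dormant sanctioned paths (vendor-b and the integrator), and two out-of-window program downloads: one from ews-01 that correlates with the unrecorded vendor-a session two minutes earlier, and one from an address with no sanctioned path at all. None of these would fire in a SIEM that only sees the jump host, which is the point the section makes: the evidence has to come from the hosts, the session records and the protocol captures together.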
Red and Purple Teaming: The Only Way to Know Your Defenses Work
Red teaming simulates the pathways attackers actually use. Purple teaming turns that simulation into training and tuning.
In OT, that means safely validating:
- Jump server enforcement
- Remote access controls
- Protocol misuse detection
- Segmentation
- SOC workflows
- Engineering workstation behavior monitoring
Organizations that do this consistently are not just compliant — they’re resilient.
The Bottom Line
The SANS report tells a story the industry can’t ignore:
We’ve improved at detection. We haven’t improved at prevention, validation, or resilience.
Attackers aren’t succeeding because they’re too advanced.
They’re succeeding because organizations aren’t looking deeply enough, often enough, or proactively enough.
Threat hunting, assessments, and red/purple team exercises grounded in real OT data aren’t “nice to have.” They’re the new baseline for operational safety.