The Operational Technology Threat Landscape: Insights from IBM X-Force


Author

David McMillen

Strategic Threat Analyst, IBM X-Force

This article was developed with contributions from Jeff Kuo and Kelsey Oliver.

The world’s most sophisticated threat actors are moving faster, operating quieter, and targeting the very heartbeat of modern society: operational technology (OT) and critical infrastructure. The facts are stark: many ransomware, advanced persistent threat (APT), and cybercrime groups are going beyond data theft, aiming for physical disruption and even sabotage. The convergence of IT and OT, driven by business demands, has created a sprawling, high-stakes attack surface. Weaponized vulnerabilities (CVEs) are being exploited at breakneck speed, often within days or hours of disclosure.

This blog fuses front-line intelligence from IBM X-Force and new OT-related breach data uncovered during the 2025 Cost of a Data Breach survey.

Key findings

  • Among the organizations studied as part of this year’s Cost of a Data Breach Report, 15% experienced cybersecurity incidents that affected their OT environment. Of this group, nearly a quarter reported that the incident damaged their OT systems or equipment. These incidents cost USD 4.56 million on average—slightly higher than the global average (USD 4.44 million).
  • Data from the X-Force Vulnerability Database found that of the 670 vulnerabilities disclosed in H1 2025 that could impact OT, nearly half (49%) have a CVSS Severity Rating of “Critical” or “High”. One-fifth (21%) of “Critical” vulnerabilities have publicly available exploit code.

The cost of an OT breach

For IBM’s Cost of a Data Breach Report 2025, our research partners at Ponemon Institute studied more than 6,485 breaches. Of those organizations, 15% indicated that the incident affected their OT environment, and of that group, nearly a quarter (23%) reported that the incident resulted in damage to their OT systems or equipment.

It comes as no surprise that organizations are experiencing an impact to their OT environments as the result of a breach. There have been numerous examples in recent years of threat actors causing OT disruption across various industries:

  • Persistent power grid destabilization and coordinated substation failures:
    Attackers are successfully leveraging ICS-specific malware, protocol manipulation (e.g., protocols IEC 104 and DNP3), and remote access exploits to cause multi-site grid disruptions and blackouts, often requiring manual grid restoration and impacting millions of utility customers.
  • Sustained compromise of water treatment, energy production, and manufacturing operations:
    Threat actors disrupt core OT processes by manipulating SCADA and Programmable Logic Controller (PLC) environments, interfering with chemical dosing, flow regulation, and automated safety controls, resulting in production slowdowns, environmental incidents, or hazardous conditions for plant personnel.
  • Widespread interruptions across global supply chains and critical logistics:
    Ransomware and destructive malware campaigns have paralyzed automated warehouses, distribution centers, and transportation management systems, delaying shipments, halting just-in-time manufacturing, and exposing organizations to downstream economic and reputational loss.

The technical sophistication and persistence of modern adversaries create the potential for simultaneous, multi-vector disruption, with cascading effects on physical safety, regulatory compliance (e.g., NERC CIP, NIST CSF, IEC 62443), and eroding public trust in critical infrastructure.

The OT vulnerability landscape

Today’s adversaries are more diverse, specialized, and aggressive than ever, blending nation-state resources, cybercrime innovation, and hacktivist opportunism. Their playbooks are constantly evolving, with newer groups and alliances joining legacy players to threaten critical infrastructure worldwide.

Threat actors seeking to cause operational disruption are targeting a narrow spectrum of vulnerabilities, predominantly affecting perimeter-facing devices such as VPN concentrators, remote desktop gateways, and OT protocol converters. These CVEs, once weaponized, provide attackers with unauthenticated remote code execution, root-level device control, and often allow direct bypass of legacy authentication and access control mechanisms. The operational impact is amplified as many of these vulnerabilities remain unpatched in critical environments due to device uptime requirements, vendor patch delays, or asset visibility gaps.

Furthermore, the convergence of IT and OT, proliferation of remote management tools, and integration with third-party vendors have created new lateral pathways for attackers. Compromised supply chain partners or third-party integrators are leveraged as trusted entry points; exposed vendor remote access services and misconfigured firewalls further erode static segmentation. Adversaries exploit trusted IT/OT bridges, unsecured field devices, and even maintenance laptops to gain direct access to process control networks and safety systems. This evolving attack surface renders legacy perimeter security models insufficient, emphasizing the need for dynamic network monitoring, continuous asset discovery, and threat-informed architecture.

Data from the X-Force Vulnerability Database indicates there have been 670 vulnerabilities disclosed in H1 2025 that could impact OT environments, and of those, 11% have a CVSS Severity Rating of “Critical” (CVSS score of 9.0 to 10.0). Furthermore, one-fifth (21%) of critical vulnerabilities have publicly available exploit code.

There have been notable examples this year of the exploitation of critical OT vulnerabilities:

  • In May 2025, threat actors exploited a critical remote-code-execution vulnerability in the Erlang/OTP SSH daemon (CVE‑2025‑32433), which allows unauthenticated users to run arbitrary commands. About 70% of attack attempts were aimed at OT firewalls and environments.
  • The Dutch NCSC confirmed that attackers had been exploiting CVE‑2025‑6543, a severe flaw in Citrix NetScaler ADC and Gateway products, as a zero-day since early May 2025, prior to public disclosure. This allowed attackers to deploy web shells, establish persistent access, and potentially disrupt VPN and remote-access gateways in critical sectors.
  • In May 2025, steel manufacturer Nucor halted production at several facilities following a cybersecurity breach. The intrusion involved unauthorized access to internal IT systems, prompting shutdowns as a precaution. While classified as IT-centric, the disruption directly impacted industrial operations and underscores the tight coupling between IT and OT domains.

These examples illustrate the importance of staying informed of which vulnerabilities may be on threat actors’ radars. X-Force assessed various online forums, markets, Telegram channels, chat rooms and discussions to reveal the most mentioned CVEs in H1 2025 that could impact OT/ICS environments. These insights could assist organizations with their patch management strategies.

Of the top 10 mentioned CVEs disclosed in H1 2025 that could impact OT, 90% have been actively exploited and 70% have been actively exploited by APTs. For instance, the top-mentioned CVE, CVE-2025-0282, has reportedly been exploited by UNC5221, a “suspected China-nexus espionage actor”. This vulnerability allows unauthenticated attackers to gain an initial foothold into the internal network behind a vulnerable Connect Secure VPN appliance. Attackers could then move laterally into the network and potentially impact industrial control systems. The second most mentioned vulnerability, CVE-2025-31324, was reported to have been actively exploited by Chaya_004, “a Chinese threat actor”. This vulnerability affecting SAP NetWeaver Visual Composer could allow an attacker to execute code remotely. Many industrial organizations leverage SAP for enterprise resource planning (ERP) and supply chain management (SCM), which may interface directly with or indirectly influence OT systems.

Beyond detection: Next-gen defense against modern adversaries

2025 stands as a defining year for OT and critical infrastructure security. The convergence of motivated nation-state adversaries, rapidly evolving ransomware ecosystems, and persistent exploitation of a narrow set of high-impact vulnerabilities has exposed fundamental weaknesses in legacy OT environments. Attackers now routinely bypass traditional perimeter defenses, leveraging supply chain compromise, stolen privileged credentials, and deep lateral movement to achieve business-crippling, and even safety-critical outcomes.

This threat landscape requires organizations to fundamentally rethink how OT risk is managed. Cybersecurity must move beyond compliance and checkbox controls toward an intelligence-driven and sector-specific defense model. Survival is no longer just about preventing initial access; it demands rapid detection, effective containment, and resilient recovery, all underpinned by continuous executive engagement and board-level governance.

Operational resilience in 2026 and beyond will be determined by an organization’s ability to prioritize the right vulnerabilities, simulate real-world attack scenarios, enforce layered controls, and drive cybersecurity ownership from the control room to the boardroom. The stakes are existential: service continuity, regulatory compliance, physical safety, and public trust all hinge on a proactive, adaptive OT cyber defense strategy. We encourage organizations to review the following recommendations:

1. Hyper-prioritize patch management

  • Patch like your business depends on it, because it does. Prioritize vulnerabilities that are being actively exploited. Use CISA’s Known Exploited Vulnerabilities (KEV) Catalog, MITRE, threat intelligence feeds and vendor advisories as your 'to-do' list.
  • If patching is delayed, deploy network segmentation, application allowlisting, and step up monitoring for OT/ICS anomalies.
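The triage logic behind this recommendation, and behind the CVSS “Critical” band (9.0 to 10.0) used earlier in the article, can be made concrete. The following is an added example and is not IBM’s or X-Force’s code: it banks findings by whether they appear in a KEV-style catalog, whether public exploit code exists, and how exposed the affected asset is, so the patch queue starts with what attackers already use. It assumes a local inventory that already carries a CVSS v3.x base score per finding and a catalog in the published KEV JSON layout (a top-level `vulnerabilities` array of objects with a `cveID` field); every CVE ID, score and hostname in it is a constructed placeholder.

```python
"""Patch-prioritisation triage over a constructed vulnerability inventory.

Added example, not IBM's or X-Force's code. It assumes (a) a local
inventory that already carries a CVSS v3.x base score per finding and
(b) a KEV-style catalog in the published JSON layout: a top-level
"vulnerabilities" array of objects with a "cveID" field. Every CVE ID,
score and hostname below is a constructed placeholder."""
import json
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score onto the standard qualitative bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def kev_ids_from_catalog(catalog_json: str) -> set:
    """Extract the set of CVE IDs from a KEV-style catalog document."""
    doc = json.loads(catalog_json)
    return {entry["cveID"] for entry in doc.get("vulnerabilities", [])}


@dataclass
class Finding:
    cve: str
    cvss: float
    asset: str
    perimeter_facing: bool   # reachable from the internet (VPN, gateway, converter)
    ot_reachable: bool       # asset has a path into process control networks
    public_exploit: bool     # exploit code is publicly available


def tier(f: Finding, kev_ids: set) -> int:
    """0 = known exploited, 1 = Critical/High with public exploit, 2 = everything else."""
    if f.cve in kev_ids:
        return 0
    if f.public_exploit and cvss_severity(f.cvss) in ("Critical", "High"):
        return 1
    return 2


def prioritize(findings, kev_ids):
    """Order findings so the patch queue starts with what attackers already use.

    Within a tier, OT-reachable assets come first, then perimeter-facing
    ones, then higher CVSS."""
    return sorted(
        findings,
        key=lambda f: (tier(f, kev_ids), not f.ot_reachable,
                       not f.perimeter_facing, -f.cvss),
    )


# Constructed KEV-style excerpt (placeholder IDs, not real catalog entries).
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "placeholder VPN appliance"},
    {"cveID": "CVE-0000-0005", "product": "placeholder historian"},
]})

# Constructed inventory (placeholder CVE IDs, scores and hosts).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "vpn-gw-01",    True,  True,  True),
    Finding("CVE-0000-0002", 9.1, "hmi-03",       False, True,  True),
    Finding("CVE-0000-0003", 7.5, "eng-ws-02",    False, True,  False),
    Finding("CVE-0000-0004", 9.4, "corp-web-07",  True,  False, False),
    Finding("CVE-0000-0005", 5.3, "historian-01", False, True,  False),
]


def patch_queue(findings=SAMPLE_FINDINGS, catalog_json=SAMPLE_KEV):
    """Return (cve, tier, severity, asset) rows in the order they should be worked."""
    kev = kev_ids_from_catalog(catalog_json)
    return [(f.cve, tier(f, kev), cvss_severity(f.cvss), f.asset)
            for f in prioritize(findings, kev)]


if __name__ == "__main__":
    for cve, t, sev, asset in patch_queue():
        print(f"tier {t}  {sev:<8} {cve}  {asset}")
```

Note that the medium-severity finding on the historian outranks a critical one on a corporate web server here: the catalog entry (evidence of active exploitation) and the path into the control network weigh more than the raw score, which is the point the recommendation makes. Anything that cannot be patched on schedule still keeps its tier so the compensating controls (segmentation, allowlisting, extra monitoring) are applied in the same order.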

2. Map threats to your sector

  • Consider obtaining a strategic threat assessment of your organization to understand the threats most likely to impact your environment based on your industry and where you operate geographically.
  • Use the MITRE ATT&CK Matrix for ICS and sector ISAC alerts (e.g., E-ISAC, MFG-ISAC, Water-ISAC) to map the TTPs relevant to your business.

3. Red team like they do

4. Layered defense, not “checkbox security”

  • Segregate IT and OT, use firewalls, DMZs, unidirectional gateways.
  • Enforce MFA, rotate credentials, and ban shared logins on engineering workstations.
  • Invest in anomaly detection and passive deep packet inspection (DPI) for OT and establish clear incident response playbooks.
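The segmentation and anomaly-detection controls in this list, together with the “continuous asset discovery” and “dynamic network monitoring” called for earlier, can be illustrated with a small passive monitor. The following is an added example and is not IBM’s or X-Force’s code: it learns which hosts talk to which during a quiet window, then flags three kinds of deviation (an IT host reaching the control zone directly instead of through the DMZ, a device never seen before, and a known host opening a new path into the control zone). It assumes flow records are already exported as comma-separated lines (timestamp, source, destination, destination port, protocol) from a passive sensor or switch SPAN feed; the zone CIDRs, hosts, ports and records are constructed for the example and describe no real network.

```python
"""Passive baseline and anomaly flagging over constructed OT flow records.

Added example, not IBM's or X-Force's code. It assumes flow records are
already exported as comma-separated lines (timestamp, src, dst, dst_port,
proto) from a passive sensor or switch SPAN feed. The zone CIDRs, hosts,
ports and records below are constructed for the example and describe no
real network."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")
Alert = namedtuple("Alert", "kind flow")

# Constructed zone model: corporate IT, an IT/OT DMZ, and the control network.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/24"),
}


def zone_of(addr: str) -> str:
    """Name the zone an address belongs to, or UNKNOWN if it is outside the model."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def parse_flows(text: str):
    """Parse the constructed CSV-like export; anything after '#' is a comment."""
    flows = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport, proto = [field.strip() for field in line.split(",")]
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


class PassiveBaseline:
    """Learn who talks to whom during a quiet window, then flag deviations."""

    def __init__(self):
        self.hosts = set()
        self.conversations = set()  # (src, dst, dport, proto)

    def learn(self, flows):
        for f in flows:
            self.hosts.update((f.src, f.dst))
            self.conversations.add((f.src, f.dst, f.dport, f.proto))

    def evaluate(self, flows):
        alerts = []
        for f in flows:
            key = (f.src, f.dst, f.dport, f.proto)
            src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
            if src_zone == "IT" and dst_zone == "OT":
                # Segmentation rule: IT may only reach OT through the DMZ.
                alerts.append(Alert("SEGMENTATION_VIOLATION", f))
            elif not {f.src, f.dst} <= self.hosts:
                # Asset discovery: a host never seen in the learning window.
                alerts.append(Alert("NEW_ASSET", f))
            elif key not in self.conversations and dst_zone == "OT":
                # Known hosts, but a new conversation into the control zone.
                alerts.append(Alert("NEW_OT_CONVERSATION", f))
        return alerts


# Constructed learning window: DMZ jump host -> PLCs on 502, HMI -> historian.
BASELINE_RECORDS = """
2025-06-01T08:00:00Z, 10.20.0.5, 10.30.0.11, 502, tcp
2025-06-01T08:00:05Z, 10.20.0.5, 10.30.0.12, 502, tcp
2025-06-01T08:01:00Z, 10.30.0.20, 10.20.0.9, 4840, tcp
2025-06-01T08:02:00Z, 10.10.5.23, 10.20.0.9, 443, tcp
"""

# Constructed detection window with three deviations from the baseline.
LIVE_RECORDS = """
2025-06-02T09:00:00Z, 10.20.0.5, 10.30.0.11, 502, tcp      # normal
2025-06-02T09:00:10Z, 10.10.5.23, 10.30.0.11, 502, tcp     # IT host straight to a PLC
2025-06-02T09:01:00Z, 10.30.0.99, 10.30.0.12, 502, tcp     # unknown device appears
2025-06-02T09:02:00Z, 10.20.0.9, 10.30.0.12, 44818, tcp    # known host, new path into OT
"""


def run_demo():
    """Learn from the baseline window and return the alerts raised on the live window."""
    baseline = PassiveBaseline()
    baseline.learn(parse_flows(BASELINE_RECORDS))
    return baseline.evaluate(parse_flows(LIVE_RECORDS))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert.kind:<23} {alert.flow.src} -> {alert.flow.dst}:{alert.flow.dport}")
```

The rules are evaluated in priority order, so a flow that breaks segmentation is reported once as such rather than also as a “new conversation”. In practice the learning window must be long enough to cover periodic traffic (backups, batch reporting) or the monitor will keep raising NEW_OT_CONVERSATION on legitimate activity; the baseline should be reviewed and re-learned after sanctioned engineering changes.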

5. Board-level buy-in and real-world testing

  • Treat OT security as a C-level imperative: OT risk isn’t just IT’s problem—it’s a core business and safety issue. Board-level engagement and executive sponsorship in this area are non-negotiable in 2025. Test your cyber crisis management operations in a highly immersive experience based on real adversary scenarios.
