
The importance of cyber resilience is very real and growing due to an accelerating threat landscape for manufacturers that shows no signs of slowing down. The SANS Institute’s 2025 State of ICS/OT Cybersecurity Survey reveals troubling trends that should reshape how manufacturers think about operational security.
Ransomware and external access dominate incidents
The SANS survey found that half of incidents originated from unauthorized external access, with ransomware accounting for 37.9% of all incidents. These aren't just statistics. They represent halted production lines, compromised safety systems and millions of dollars lost.
Secure remote access remains the weakest link in most operational technology (OT) environments. Despite half of all incidents beginning with external access, fewer than 15% of organizations have implemented advanced remote access controls such as session recording, real-time session approvals and ICS- or OT-aware access management. Only 13% reported having fully implemented these critical safeguards.
AI-powered attacks are amplifying the challenge
While the survey data focused primarily on traditional threat vectors, manufacturers face a reality that's filled with new and emerging threats as well. Cybercriminals are using generative AI tools to ramp up both the scale and effectiveness of attacks against OT environments.
AI-enhanced attack capabilities enable threat actors to:
- Automatically identify vulnerabilities in industrial control systems.
- Adapt attack vectors in real time to evade detection.
- Optimize ransomware encryption for maximum operational impact.
- Eliminate the need for manual control once a beachhead is established.
Sophisticated ransomware attacks that once required skilled operators can now run autonomously, without human intervention, once an attacker gains initial access. As criminals increasingly tap into AI tools, manufacturers face an ever more asymmetric battle in which attackers armed with advanced automation can overwhelm traditional defense-in-depth cybersecurity strategies.
Nation-state activity and supply chain risks are rising
Survey respondents reported observing increases in:
- Ransomware targeting OT environments (63.9%).
- Nation-state-aligned threats (56.7%).
- Supply chain compromises (52.2%).
These aren't theoretical or distant possibilities. They're real today, and they should reshape how manufacturers think about operational security.
How manufacturers can achieve true cyber resilience
There is good news in the survey numbers: Manufacturers who prioritize resilience reported experiencing better outcomes than those who don't. Regulated sites with mandatory compliance obligations for secure remote access suffered roughly 50% fewer financial losses and safety impacts compared to unregulated peers.
It wasn’t that they experienced fewer incidents. The difference was that they set themselves up better to contain and recover from attacks. For manufacturers, resilience and cybersecurity have to go together.
Building a complete resilience chain
How can manufacturers get there? They need to develop business continuity and disaster recovery plans for ICS and OT that encompass the full chain of resilience:
- Know what matters: Integrate OT into enterprise business-impact analysis (currently done by only 52.5% of organizations).
- Define recovery objectives: Establish recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical OT systems (51.8% currently do this).
- Practice recovery safely: Regularly test and simulate OT-specific recovery scenarios (only 32.1% test annually).
- Maintain site-level playbooks: Document specific procedures for cyber events at each facility (31.2% currently have these).
- Integrate safety assessments: Align OT cyber risks with safety frameworks like HAZOP and PHA (23.4% currently do this).
Bridging IT and OT for unified visibility
The SANS survey revealed that only 12.6% of organizations have full visibility across the ICS Cyber Kill Chain. Many (42.3%) report partial visibility with major gaps. A lack of integration prevents organizations from understanding how threats move from initial access in IT to OT.
The most prepared organizations achieve visibility by coordinating IT and OT teams with shared log aggregation and correlation tools. A majority (56.5%) either operate a single IT-OT security operations center (SOC) or maintain parallel IT and OT SOCs with integrated monitoring.
Addressing cloud and remote access risks
With 83.3% of organizations using cloud services that connect to ICS, OT or IT networks, cloud monitoring is essential. But only 12.9% report fully integrated visibility for cloud environments, leaving significant blind spots that attackers can exploit.
Organizations also need to prioritize secure remote access improvements. The top blockers preventing full implementation are lack of internal resources (cited most frequently) and legacy system compatibility limitations. Solving this requires both investment and approaches that protect aging infrastructure without requiring disruptive replacements.
The 2025 State of ICS/OT Cybersecurity Survey makes one thing clear: The gap between threat sophistication and organizational resilience is widening. For manufacturers, the stakes couldn't be higher. With AI-powered attacks amplifying threat capabilities, nation-state actors increasingly targeting industrial environments and ransomware operators focusing on OT systems, the likelihood of successful attacks is growing.
Acronis Cyber Protect Local enables manufacturers to establish resilience
The critical question for manufacturers isn't whether an incident will occur but how rapidly they can restore production when it does. Acronis Cyber Protect Local solves this challenge by delivering the recovery speed that OT environments demand.
The solution empowers on-site personnel to restore systems independently, without waiting for specialized IT support. Recovery that traditionally requires days or even weeks happens in minutes through a simplified restoration process.
Unlike fragmented security tools that create operational complexity, Acronis Cyber Protect Local unifies protection, backup and recovery capabilities within an integrated platform. This comprehensive approach enables manufacturers to safeguard what matters most: uninterrupted operations, workforce protection and sustained business performance in an increasingly dangerous threat landscape.

About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.



