The Colonial Pipeline ransomware attack in 2021 marked a seismic shift in how we view operational technology (OT) security. Once thought safely air-gapped from the internet, OT networks controlling energy, water, and manufacturing were suddenly shown to be vulnerable to cascading disruptions that could empty gas stations and freeze supply chains. Fast forward to 2025, and new data paints an even grimmer picture: ransomware and targeted exploits are now a mainstream threat to critical infrastructure, with financial exposure measured in the hundreds of billions. A groundbreaking report from Dragos and Marsh McLennan quantifies the potential fallout, while fresh survey results and a wave of actively exploited vulnerabilities underscore why the time for action is now.
The Financial Math: OT Risk in Dollars and Cents
The 2025 OT Security Financial Risk Report, a partnership between Dragos and Marsh McLennan’s Cyber Risk Intelligence Center, delivers insurer-grade analysis based on a decade of claims and incident data. Its headline figure is startling: an extreme, low-probability scenario (modeled at roughly 0.4% annual likelihood) could expose global economies to up to $329.5 billion in combined direct and indirect losses in a single year. Business interruption alone accounts for about $172 billion of that total.
More typical years, however, also carry a heavy burden. The report estimates average annual OT cyber risk at $12.7 billion, with a 12-month aggregated risk around $31 billion. The numbers are not hypothetical; they are built from real-world incidents and underwriter loss histories.
What drives such astronomical figures? Two factors dominate. First, indirect costs—halting production lines, rerouting logistics, emergency remediation, and multi-party liability—frequently dwarf direct forensic expenses. Second, interconnected supply chains and shared OT dependencies multiply downstream business interruption across sectors. A single compromised vendor can ripple into dozens of downstream clients.
The report’s practical insight is blunt: incident response preparedness is one of the most effective risk reducers. Organizations with OT-specific recovery playbooks and pre-positioned forensic tools can materially slash potential losses. Dragos/Marsh quantify meaningful percentage reductions when core controls are in place—a finding that aligns with decades of insurance modeling showing that readiness trumps insurance when physical operations hang in the balance.
Reality Check: How Many Organizations Are Being Hit?
While financial models project worst-case scenarios, survey data confirms that intrusions are already rampant. Fortinet’s 2025 State of Operational Technology and Cybersecurity Report—a global survey of OT professionals—shows a sharp year-over-year rise in incidents affecting OT environments. In the most recent survey period, roughly 73% to 75% of respondents reported an intrusion that impacted OT systems, up from about 49% in 2023. Incidents involving ransomware and phishing against OT networks rose sharply.
A note of caution: different vendors and outlets sometimes quote slightly different headline percentages (e.g., “75%,” “73%,” or “82%”) depending on survey wording and sample composition. Primary Fortinet sources released by the vendor center on ~73%–75%. Treat small divergences as relevant to precision, not as altering the core narrative: intrusions impacting OT are now the norm, not the exception.
The Fortinet report also highlights a strong correlation between OT security maturity—segmentation, continuous monitoring, executive ownership—and lower incident impact. Organizations that invested in OT-aware defenses weathered attacks better, while laggards faced longer outages and higher recovery costs.
Which Technical Flaws Are Being Weaponized Right Now?
In 2025, several high-severity vulnerabilities rose to the top of operational concern because they enable unauthenticated or near-trivial access into systems commonly embedded in OT stacks.
1. Erlang/OTP SSH Unauthenticated Remote Code Execution – CVE-2025-32433
A critical flaw in the SSH implementation of Erlang/OTP (CVE-2025-32433) allows an unauthenticated attacker to send specially crafted SSH protocol messages that the server processes prior to authentication, leading to command execution. Industry telemetry from Palo Alto Networks’ Unit 42 and others observed thousands of exploitation attempts in concentrated bursts, with a disproportionate targeting of OT networks and industrial ports.
Erlang/OTP is embedded in telecommunications stacks, satellite and grid equipment, and certain industrial controllers and gateways. Where device vendors have built products that include the vulnerable SSH component, those devices inherit the exposure—even if the device vendor hasn’t yet issued a downstream patch. Mitigation requires upgrading to patched Erlang/OTP releases, disabling the SSH server where possible, and firewalling affected hosts.
2. Citrix NetScaler / NetScaler Gateway Critical Flaws (CitrixBleed 2 and Related CVEs)
Multiple critical NetScaler ADC and Gateway vulnerabilities disclosed in mid-2025 have been weaponized in the wild. One class of exploit—dubbed “CitrixBleed 2”—allows unauthenticated memory disclosure and session token theft from devices acting as VPN, ICA, or AAA gateways. Nation-state and criminal campaigns have used these flaws to plant web shells and pivot into downstream networks. Dutch authorities publicly reported intrusions against critical organizations linked to NetScaler exploitation, and security scanners have identified thousands of internet-exposed, unpatched instances.
The operational impact is severe: NetScaler appliances commonly terminate remote sessions for OT and corporate users. A successful exploit can provide persistent remote access and a lateral pivot vector into control networks. Immediate patching and a review of remote access architecture are mandatory.
3. OPC UA Implementation Weaknesses and Authentication Bypasses
OPC UA is the de facto secure industrial protocol, but multiple stack-level and vendor-specific flaws—including authentication bypasses and weaknesses when legacy security policies like Basic128Rsa15 are enabled—have been disclosed. These issues highlight that, while OPC UA’s cryptographic design is strong, real-world implementations often leave exploitable gaps due to default configurations or outdated SDK versions. Operators must verify their products’ SDK versions, disable deprecated security policies, and restrict endpoints to internal networks.
Why OT Exposures Are Especially Dangerous
Three structural defects make OT environments especially susceptible to these threats:
- Long device lifecycles and fragile patch windows: Industrial controllers and building automation systems can remain in place for decades, often without the ability to receive frequent patches without factory revalidation. This creates persistent exposure windows.
- Interdependency and lack of telemetry: Many OT environments lack centralized logging and SOC integration. Detection can be slow, and forensic evidence may be erased by sophisticated intruders before defenders can respond.
- Misaligned incentives: IT security budgets typically outstrip OT spending. OT teams prioritize uptime over security testing, leading to a mismatch between the controls needed to reduce catastrophic risk and where money is actually allocated. Insurers and regulators are beginning to penalize this gap.
What Actually Reduces OT Risk: Evidence-Driven Measures
The good news is that the most effective risk moderators are concrete and achievable. The Dragos/Marsh modeling, Fortinet survey insights, and industry best practices converge on a prioritized set of controls:
- Incident response and recovery planning: Pre-drilled, OT-specific runbooks with pre-positioned forensic tools reduce recovery time and limit business interruption exposure.
- Defensible architecture: Enforce strict segmentation (zones and conduits), deploy brokered jump hosts, and harden bastion access for engineering tools. Microsegmentation limits lateral movement.
- Continuous monitoring and protocol-aware detection: Deploy OT-capable IDS/IPS and behavioral sensors that understand industrial protocols (EtherNet/IP, Modbus, OPC UA) to flag anomalous command sequences.
- Patch and vendor management mapped to asset inventories: Many attacks succeed because organizations don’t know which devices embed vulnerable components (Erlang/OTP, OPC SDKs, etc.). Maintain a centralized asset registry.
- Secure remote access controls: Replace broad VPN access with identity-centric, short-lived session brokering using bastion hosts with MFA, session recording, and strict authorization.
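As an added illustration of the protocol-aware detection item above (example code, not from the article or any vendor product), the following is a minimal Modbus/TCP command-sequence detector of the kind an OT-capable sensor runs: it allowlists which stations may issue write function codes to each PLC and flags a host that scans several PLCs before writing. The log format, IP addresses and allowlist are constructed.

```python
# Added example: protocol-aware Modbus anomaly detection over constructed logs.
import re
from collections import defaultdict

# Modbus function codes that change process state (real code values).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed baseline: only the engineering workstation may write to each PLC.
WRITE_ALLOWLIST = {("10.10.1.50", "10.10.2.10"), ("10.10.1.50", "10.10.2.11")}

# Constructed sensor log format: "<ts> src=<ip> dst=<ip> unit=<id> fc=<code>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) unit=(\d+) fc=(\d+)$")

SAMPLE_LOG = """\
2025-07-01T10:00:01Z src=10.10.1.50 dst=10.10.2.10 unit=1 fc=3
2025-07-01T10:00:02Z src=10.10.1.50 dst=10.10.2.10 unit=1 fc=16
2025-07-01T10:00:05Z src=10.10.3.99 dst=10.10.2.10 unit=1 fc=3
2025-07-01T10:00:06Z src=10.10.3.99 dst=10.10.2.11 unit=1 fc=3
2025-07-01T10:00:07Z src=10.10.3.99 dst=10.10.2.11 unit=1 fc=6
"""

def detect(log_text, allowlist=WRITE_ALLOWLIST, scan_threshold=2):
    """Return (ts, src, dst, reason) alerts for two anomaly types:
    writes from a (src, dst) pair outside the allowlist, and a host that
    has read from scan_threshold or more PLCs before issuing a write."""
    alerts = []
    plcs_read = defaultdict(set)  # src -> PLCs it has read from so far
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the sensor format
        ts, src, dst, unit, fc = m.groups()
        fc = int(fc)
        if fc not in WRITE_FUNCTIONS:
            plcs_read[src].add(dst)  # reads build the per-host baseline
            continue
        if (src, dst) not in allowlist:
            alerts.append((ts, src, dst,
                           f"unauthorised write ({WRITE_FUNCTIONS[fc]})"))
        if len(plcs_read[src]) >= scan_threshold:
            alerts.append((ts, src, dst, "scan-then-write sequence"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

In the constructed log, the engineering station's write is accepted while the unknown host 10.10.3.99 triggers both alert types on its final write.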
A Practical Remediation Checklist for OT Operators
- Inventory every device and cross-reference for vulnerable components.
- Prioritize emergency patching for internet-exposed gateways.
- Apply compensating controls when immediate patching is infeasible: firewall rules, IP allowlists, disabling unused services.
- Execute OT tabletop exercises simulating business-interruption (BI) scenarios to validate recovery playbooks.
- Elevate OT risk to the C-suite with measurable KPIs and allocate budget for SOC–OT integration.
Governance and Insurance: The Business Case
Insurers and national regulators increasingly treat OT exposure as insurable only when demonstrable controls are in place. The Dragos/Marsh report provides a financial framework that directly maps to carrier loss histories. Organizations unable to demonstrate adequate incident response and segmentation face higher premiums or limited coverage for business interruption claims. Boards must therefore view OT security as an enterprise risk-management problem with measurable financial consequences—not merely a plant-level engineering issue.
Counterarguments and Limits of Current Research
- Survey bias and methodology variance: Vendor surveys differ in sample size, industry mix, and question phrasing. Always refer to the primary report’s methodology before treating a headline number as definitive.
- Rapidly shifting exploit telemetry: Exploit volumes can change dramatically day-to-day. Once a proof-of-concept becomes public, the attack surface expands fast, making vulnerability triage time-sensitive.
- Vendor vs. independent measurements: Vendors with product portfolios in OT security may emphasize metrics that showcase their platforms’ efficacy. Cross-reference with neutral sources and incident timelines.
Technical Deep Dive: Mitigation Priorities for Highlighted CVEs
CVE-2025-32433 (Erlang/OTP SSH RCE)
- Identify any product or appliance that bundles Erlang/OTP SSH.
- Apply official Erlang/OTP patches (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20 or newer).
- If immediate patching is infeasible, block SSH access at the network perimeter and disable the SSH server where not needed.
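The inventory cross-reference called for in the checklist and the three steps above can be automated; the following is an added example (not from the article or the Erlang/OTP project) that gates each asset's Erlang/OTP release against the patched versions listed above and assigns the compensating control. The inventory rows and device names are constructed, and the rule that branches older than OTP 25 never received the fix is an assumption.

```python
# Added example: triage an asset inventory for CVE-2025-32433 exposure.
import re

# Minimum patched release per major branch (from the mitigation list above).
PATCHED_MIN = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}

def parse_otp_version(text):
    """Turn 'OTP-26.2.5.9' or '26.2.5.9' into a tuple of ints."""
    m = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(version):
    """True when the release carries the CVE-2025-32433 fix."""
    v = parse_otp_version(version)
    if v[0] in PATCHED_MIN:
        return v >= PATCHED_MIN[v[0]]  # tuple compare: 26.2.5 < 26.2.5.11
    # "or newer" covers later major branches. Assumption: branches older
    # than OTP 25 never received the fix and count as vulnerable.
    return v[0] > max(PATCHED_MIN)

def triage(inventory):
    """One (name, version, action) finding per still-vulnerable device."""
    findings = []
    for dev in inventory:
        if is_patched(dev["otp_version"]):
            continue
        # Compensating controls from the article while a patch is unavailable.
        if dev["vendor_patch_available"]:
            action = "apply vendor patch"
        else:
            action = "disable SSH server or block it at the perimeter, then patch"
        if dev["ssh_exposed_externally"]:
            action = "URGENT: " + action
        findings.append((dev["name"], dev["otp_version"], action))
    return findings

# Constructed inventory with hypothetical device names.
INVENTORY = [
    {"name": "grid-gw-01", "otp_version": "OTP-26.2.5.9",
     "vendor_patch_available": False, "ssh_exposed_externally": True},
    {"name": "sat-modem-07", "otp_version": "27.3.3",
     "vendor_patch_available": True, "ssh_exposed_externally": False},
    {"name": "plc-gw-14", "otp_version": "OTP-25.3.2.20",
     "vendor_patch_available": True, "ssh_exposed_externally": False},
    {"name": "legacy-rtu-03", "otp_version": "OTP-24.3.4",
     "vendor_patch_available": False, "ssh_exposed_externally": False},
]
```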
NetScaler Critical Vulnerabilities (CVE-2025-5777 & related)
- Apply vendor-released builds and terminate persistent sessions after upgrades.
- Audit for signs of web shell installation and unusual configuration changes.
- Consider temporary replacement with hardened bastion hosts for OT remote access until full assurance testing is complete.
OPC UA Implementation CVEs
- Update OPC UA stacks and SDKs to patched versions; disable Basic128Rsa15 and other deprecated policies.
- Restrict OPC UA endpoints to internal networks, apply IP allowlisting, and enforce mutual TLS.
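To turn the two OPC UA hardening steps above into a check, here is an added example (not from the article or any OPC UA SDK) that audits the endpoint descriptions a server advertises, the same fields a GetEndpoints response carries, for deprecated policies, missing encryption, anonymous logon and non-internal bind addresses. The endpoint records are constructed; the security policy URIs and message security mode names are the real OPC Foundation values, and treating the RFC 1918 ranges as "internal" is an assumption.

```python
# Added example: audit advertised OPC UA endpoints against the hardening list.
import ipaddress
from urllib.parse import urlparse

POLICY = "http://opcfoundation.org/UA/SecurityPolicy#"
DEPRECATED = {POLICY + "Basic128Rsa15", POLICY + "Basic256"}
# Assumption: "internal network" means the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_endpoint(ep):
    """Return a list of findings for one endpoint description."""
    findings = []
    policy = ep["security_policy_uri"].rsplit("#", 1)[-1]
    if policy == "None" or ep["security_mode"] == "None":
        findings.append("no message security: require SignAndEncrypt")
    elif ep["security_policy_uri"] in DEPRECATED:
        findings.append(f"deprecated policy {policy}: disable it")
    elif ep["security_mode"] == "Sign":
        findings.append("Sign only, no confidentiality: use SignAndEncrypt")
    if "Anonymous" in ep["user_token_types"]:
        findings.append("anonymous logon accepted: require certificate or user tokens")
    host = urlparse(ep["endpoint_url"]).hostname
    try:
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in INTERNAL_NETS):
            findings.append("bound to a non-internal address: restrict and allowlist")
    except ValueError:
        pass  # DNS name rather than a literal IP: check exposure separately
    return findings

def audit(endpoints):
    """Return (url, policy name, findings) for every advertised endpoint."""
    return [(ep["endpoint_url"], ep["security_policy_uri"].rsplit("#", 1)[-1],
             audit_endpoint(ep)) for ep in endpoints]

# Constructed endpoint descriptions; a server may advertise several per URL.
ENDPOINTS = [
    {"endpoint_url": "opc.tcp://10.20.30.40:4840/UA/Server",
     "security_policy_uri": POLICY + "Basic128Rsa15",
     "security_mode": "SignAndEncrypt", "user_token_types": ["UserName"]},
    {"endpoint_url": "opc.tcp://203.0.113.10:4840/UA/Server",
     "security_policy_uri": POLICY + "None",
     "security_mode": "None", "user_token_types": ["Anonymous"]},
    {"endpoint_url": "opc.tcp://10.20.30.40:4840/UA/Server",
     "security_policy_uri": POLICY + "Aes256_Sha256_RsaPss",
     "security_mode": "SignAndEncrypt", "user_token_types": ["Certificate"]},
]
```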
Operational Playbook: 90-Day Tactical Roadmap
Weeks 0–2: Emergency Triage
- Run targeted discovery for internet-exposed assets and known vulnerable fingerprints.
- Apply immediate firewalling and IP allowlists for externally facing OT interfaces.
Weeks 2–6: Patch and Vendor Coordination
- Implement vendor firmware and stack updates for high-severity CVEs.
- Validate patches in staged environments with rollback plans.
Weeks 6–12: Detection and Recovery Hardening
- Integrate OT telemetry into the SOC; deploy protocol-aware network sensors.
- Run OT tabletop exercises with engineering, legal, and executive stakeholders.
Ongoing: Governance and Investment
- Consolidate OT security under a clear executive owner (CISO/CRO) with budgetary authority.
- Adopt a risk-based roadmap that maps Dragos/Marsh loss modeling to concrete control investments.
Strengths and Risks in the Current Ecosystem
Strengths:
- Growing executive awareness and stronger vendor coordination are accelerating remediation cycles when organizations prioritize OT security.
- Richer threat telemetry provides early warning and prioritized indicators for defenders.
Risks:
- Legacy device ecosystems and operational friction of patching remain the sector’s most persistent weaknesses.
- Expanding attack surface from consolidated remote access tooling (VPN gateways, remote engineering portals) elevates the impact of a single exploited gateway, as the NetScaler incidents prove.
Action, Not Alarm
The evidence is clear: OT threats are rising in frequency and financial consequence, with a small number of high-severity technical failures capable of causing outsized business interruption. But the pathway out of this exposure is also practical and well-documented. Inventory, patching paired with compensating controls, OT-aware monitoring, and regular incident response rehearsals materially reduce modeled loss and real-world recovery pain. The final, non-technical step matters most: treat OT risk as enterprise risk. Elevate ownership, fund recovery readiness, demand secure-by-design from vendors, and prioritize controls that demonstrably reduce business interruption. The window for decisive action is now—delays compound risk, and the cost of doing nothing is measured not just in dollars but in disrupted services and public harm.