SANS Institute, a leading provider of cybersecurity training and research, recently unveiled their 2025 ICS/OT Cybersecurity Budget Report, revealing significant gaps in cybersecurity budgets and a surge in ICS/OT-focused attacks. The report highlights how insufficient funding, misaligned priorities, and fragmented defenses are leaving critical infrastructure exposed to increasingly sophisticated threats.
While 55 percent of organizations reported increased ICS/OT cybersecurity budgets over the past two years, much of that investment remains heavily skewed toward technology, with limited focus on operational resilience. This imbalance, combined with the convergence of IT and OT environments, creates new vulnerabilities that adversaries are exploiting. Some key findings include:
- Critical Infrastructure Under Attack: Over the past year, more than 50 percent of organizations experienced at least one security incident involving ICS/OT systems. Among the top vulnerabilities exploited were internet-accessible devices (33 percent) and transient devices (27 percent), often used to bypass traditional defenses.
- Budget Gaps Leave ICS/OT at Risk: Despite growing recognition of OT cybersecurity as a priority, only 27 percent of organizations place budgetary control under CISOs or CSOs. Without dedicated leadership, budget allocation often overlooks critical ICS/OT-specific needs, exposing infrastructure to evolving threats.
- Silos persist. While cybersecurity budgets have increased, much of the investment remains focused only on traditional business support systems such as IT, leaving ICS/OT environments under-protected.
- IT as a Primary Attack Vector: The report identifies IT compromises as the most common entry point, responsible for 58 percent of ICS/OT incidents. This highlights the urgent need for integrated security strategies that address cross-domain vulnerabilities.
- Insufficient Budgets for ICS/OT Security: Many organizations continue to underfund ICS/OT-specific protections. Less than half allocate only 25 percent of their cybersecurity budgets to safeguarding critical infrastructure, leaving systems exposed to attacks.
Dean Parsons, Principal Instructor and CEO and Principal Consultant of ICS Defense Force stated, “The evolving threat landscape in ICS/OT demands more than just deploying the five ICS Cybersecurity critical controls. Effective critical infrastructure defense requires a strategic investment in ICS/OT-specific security training, ensuring that those responsible for monitoring ICS controls have a deep understanding of control system networks.
“Organizations that fail to reevaluate their threats to their ICS environments leave critical infrastructure vulnerable to increasingly sophisticated attacks. Protecting these engineering systems isn’t optional—it’s essential for operational resilience and national security.” The full report can be downloaded by clicking here.