OT Cybersecurity on a Budget

Significant gaps in cybersecurity budgets and a jump in ICS/OT-focused attacks show how insufficient funding, misaligned priorities, and fragmented defenses are leaving critical infrastructure exposed to threats, a new report found.

While 55 percent of organizations reported increased ICS/OT cybersecurity budgets over the past two years, much of that investment remains heavily skewed toward technology, with limited focus on operational resilience, according to the SANS Institute and OPSWAT 2025 ICS/OT Cybersecurity Budget Report.

This imbalance, combined with converging IT and OT environments, means there is a plethora of new vulnerabilities adversaries can leverage.

However, following some key ICS/OT controls can boost return on investment for critical infrastructure protection. One case in point is an ICS/OT defensible network architecture, which is crucial for robust segmentation: according to survey respondents, 58 percent of attacks stem from IT compromises that cross over into ICS/OT networks.

Engineering-Driven Recovery

Additionally, ICS-specific incident response emphasizes engineering-driven recovery within the ICS network, ensuring response plans cover standard ICS assets and specialized engineering devices.

Moreover, architectures that support visibility reflect the priority placed on preparing for real-time network visibility and monitoring, that is, situational awareness deep inside operational technology networks.

Furthermore, transient device security protects the engineering laptops and portable tools used for ICS maintenance, and with them ICS network operations. This is crucial, as the survey revealed that 27 percent of attacks emanate from this vector.

Survey data revealed other insights into ICS/OT cybersecurity:

Initial attack vectors: 58 percent of respondents identified IT compromises as a leading initial attack vector for ICS/OT incidents, reflecting the interconnected and risky nature of IT and OT environments. Additionally, 33 percent pointed to Internet-accessible devices as an attack vector, and 27 percent identified transient devices as another attack vector of concern.

Incident frequency: 27 percent of organizations reported experiencing one or more security incidents involving ICS/OT systems in the past year.

Prioritization challenges: While 65 percent of respondents view OT cybersecurity as a primary responsibility, only 27 percent of budget decisions are led by CISOs or CSOs.

Budget control and responsibility: 37 percent of respondents reported a shared budget between IT and OT. In contrast, 31 percent indicated IT controls the budget, while 26 percent said ICS/OT is responsible.

Critical Infrastructure Under Attack

In the end, the report found critical infrastructure remains under attack. Over the past year, over 50 percent of organizations experienced at least one security incident involving ICS/OT systems. Among the top vulnerabilities exploited were Internet-accessible devices (33 percent) and transient devices (27 percent), often used to bypass traditional defenses.

As industry experts have pointed out in the past, IT is a primary attack vector. The report identifies IT compromises as the most common entry point, responsible for 58 percent of ICS/OT incidents. This highlights the urgent need for integrated security strategies that address cross-domain vulnerabilities.