[Idaho National Laboratory & Palo Alto Networks & Siemens]: 2026 Intelligence-Driven Active Defense Report: Securing Operational Technology Environments - 发现报告


Report cover

Securing Operational

Table of Contents

OT Threat Landscape
OT Devices Exposed to the Internet
Findings
Foundations of the OT Cyber Analysis Approach
Findings
Precursor Technique Families
Mapping OT Detection Signatures to MITRE ATT&CK TTPs
Threat Detection Event and Signature Mapping
Lower-Volume Techniques
TTP Mapping, Predictive Analysis with Attack Chain Estimator Revised Transition
Description of Predictive Attack Chains
Bridge to the OT-SOC Framework
Key Highlights
Coherent and Resilient Operational Security Delivery
Roadmap
Exposed Device to the Internet
Signature-Based Telemetries
Analytical Constraints
Analysis Biases

Voices from the Partnership

Adam Robbie, Head of OT Threat Research, Palo Alto Networks
“Leading this partnership as the primary author has been a rewarding journey in collaborative research. At Palo Alto Networks, we recognize that the complexity of the OT threat landscape cannot be solved in isolation. This whitepaper brings together the brightest minds from our partner organizations to provide a compre-

Priyanjan Sharma, Senior Key Expert, Technology Orchestration for Security Services, Siemens
“Grounded in collaboration, serving as a lead author in this effort has been a meaningful experience in advancing OT security research. At Siemens, we understand that effective OT security demands an understanding of both adversary behavior and the operational realities of industrial systems, where availability, safety, and integrity are paramount. This whitepaper reflects the value of organizations

Scott Bowman, Technical Lead, Cyber-Physical Systems, Idaho National Laboratory
“Contributing to this whitepaper as Technical Lead for Cyber-Physical Systems at Idaho National Laboratory and lead analyst for the DOE CESER–sponsored CyOTE Program has been a meaningful opportunity to translate national laboratory research into practical value for industry. As the product owner and creator of the Attack Chain Estimator, my role focused on bridging rigorous, publicly funded OT research with the operational realities faced by asset owners and operators

Meet the Authors

Palo Alto Networks Team, Siemens Team, INL Team

Scott Bowman, James Cerkovnik, Sam Farnan, Alycia Honas; Priyanjan Sharma, Tilo Pinkert, Gaurav Srivastava; Adam Robbie, Yiheng An, Matthew Tennis; Martin Otto, Enrico Lovat

Executive Summary

Bring the fight to the edge. In an OT environment, defense is about time, and the edge is where you

Joint research by Palo Alto Networks, Siemens, and the Idaho National Laboratory (INL) analyzed global telemetry from over 61,000 firewalls deployed in OT environments, alongside 20 years of historical incident data. The analysis shows that industrial threats emerge and persist well before

Based on the Idaho National Laboratory Cybersecurity for the Operational Technology Environment (CyOTE™) reports, our research indicates that 82.8% of adversary activity occurs during an extended precursor phase, long before operational impact is realized, with an average dwell time of 185 days

At the same time, the traditional assumption of an air-gapped industrial environment is no longer valid. Our research identified a 332% increase in unique internet-exposed OT devices and services, with nearly 20 million OT-related devices now observable on the public internet. Previous studies further

Taken together, these findings show that early adversary activity becomes visible upstream of OT

• Use edge-focused threat intelligence to understand where adversary activity becomes relevant to OT risk. Threat intelligence provides visibility into exposed services, early-stage techniques, and access paths that surface before adversaries interact with operational systems,

Observed behavior follows statistically repeatable paths, with hundreds of observable precursor actions per incident, enabling organizations to forecast likely next steps and focus attention

• Enable an edge-driven OT-SOC function to operationalize active defense. By combining threat intelligence and predictive insight at network edges—where enterprise compromise transitions into industrial risk—OT-SOCs can intervene during the precursor phase and disrupt attacks

Introduction

In a recent collaboration, Palo Alto Networks OT Threat Research Lab, Siemens Cybersecurity Research Lab, and Idaho National Laboratory met to examine threats and defense strategies across industrial environments. Each entity brings unique expertise in operational technology (OT) security,

• Palo Alto Networks firewall and product telemetry provide large-scale insights into observed attack surfaces and security-relevant activity
• Idaho National Laboratory’s predictive analysis methodologies and historical threat landscape research through CyOTE analysis identify long-term adversary behaviors and trends
• Siemens contributes their knowledge and skills in OT-SOC managed services and best practices

Detection within the OT environment represents a later stage in the attack lifecycle, after adversary acce