
2025 State of ICS/OT Security Survey Report

Information Technology 2025-11-19 SANS Institute 惊雷

State of ICS/OT Security 2025

Written by Jason D. Christopher
November 2025

Foreword

For nearly a decade, these surveys have tracked the industry’s progress toward cybersecurity maturity and identified the key drivers behind actions, both taken and not taken, within each sector. In collaboration with industry experts, the SANS team

Over the years, the world has evolved: organizations have deepened their capabilities, adversaries have adapted, and expectations for corporate cybersecurity performance continue to

In this year’s survey, Jason Christopher delivers a true masterclass for the industry, capturing historical trends, identifying the current state of the field, and forecasting where it’s heading. His work provides the ICS/OT community with valuable context on where peers stand today, why, and

This report is essential reading for anyone in a leadership role across critical

I am excited to see how leaders across the industry put these insights into action, and I look forward to watching this

Tim Conway
SANS Fellow

SANS 2025 STATE OF ICS/OT SECURITY SURVEY
Key Findings

Incidents remain high and disruptive. More than one in five organizations (22%) reported a cybersecurity incident in the past year, with 40% causing operational disruption and

Detection is improving, but recovery lags. Nearly half of incidents were detected within 24 hours and 60% contained within 48 hours, yet remediation often stretches into days or weeks (and

Regulation drives maturity. Sites under mandatory compliance had similar incident rates as peers but experienced ~50% fewer financial losses and safety impacts.

Threat intelligence pays dividends. Organizations leveraging ICS-specific threat intelligence were more likely to adjust defensive priorities—improving monitoring, segmentation, and detection.

Remote access remains a top risk. Unauthorized external access accounted for half of all incidents, yet only 13% of organizations have fully implemented advanced controls such as session

Preparedness is uneven. Just 14% of respondents felt fully prepared for emerging threats, but those that included frontline technicians in exercises were nearly 1.7 times more

Investment momentum is clear. Asset visibility, threat detection, and secure remote access dominate both 2025 deployments and 2026–2027 planned investments, showing where

Over the past 20 years, Jason D. Christopher has worked across multiple industries in unique roles ranging from engineering to incident response and national security. Most notably, Jason was the federal technical lead for the NERC CIPv5 while at the Federal Energy Regulatory Commission, where he was involved in several rulemakings and policy statements. Jason was also the program lead for the US Department of Energy Cybersecurity Capability Maturity Model (C2M2). He has served as a C-level executive,

Jason Christopher
SANS Certified Instructor
CURRENTLY TEACHING
ICS418: ICS Security Essentials for Leaders
ICS456: Essentials for

Expert Corner

SANS Faculty Fellow

The 2025 SANS State of ICS/OT Security Survey rightfully highlights the increasing frequency of disruptive incidents to OT organizations despite these incidents going underreported in media and traditional sources. Practitioners in this space have long understood that when we look more we start to find more; threats have gone undetected for far too long and we’ve had more “near misses” in the community than we can afford in the future. Leveraging the SANS ICS Five Critical Controls is a great baseline for organizations to follow to enhance their security

COURSES TAUGHT
ICS310: ICS Cybersecurity Foundations

Introduction

Since 2017, the SANS State of ICS/OT Security Survey has tracked the practices, challenges, and progress of organizations securing critical infrastructure worldwide. Over nearly a decade, these annual benchmarks have documented how the industry has matured—from

This year’s survey, based on responses from 330 professionals across diverse industrial sectors, arrives at a pivotal moment. Threat activity against operational environments continues to rise, with ransomware, supply chain compromise, and nation-state alignment

The report explores the state of ICS/OT security through three lenses: past trends, current practices, and future plans—offering practitioners, executives, and policymakers a clear view of progress, gaps, and the actions needed to build sustainable, resilient operations.

2025 Trends: Increased Threats and Evolving Regulations

Historically, ICS/OT cybersecurity programs have responded to two major external factors: threats and regulations. As explored in previous years, the most mature organizations for industrial security leverage ICS-specific threat intelligence and standards. This year’s data

Similar to previous years, 22% of respondents suffered a cybersecurity incident. Of those, a majority (50%) came from unauthorized external access and/or ransomware (38%). A full

Did your organization experience any security incidents in your ICS/OT enviro