ICS/OT Cybersecurity Budgets Lag as Attacks Surge, Putting Critical Infrastructure at Risk

The SANS Institute, a global leader in cybersecurity training and research, in collaboration with OPSWAT, a renowned provider of critical infrastructure protection (CIP) solutions, has released the findings of the 2025 ICS/OT Cybersecurity Budget Report. The report sheds light on critical gaps in cybersecurity budgets and highlights the growing frequency and sophistication of cyberattacks targeting industrial control systems (ICS) and operational technology (OT).

One of the key insights from the report is that while there has been an increase in cybersecurity funding for ICS/OT, much of the investment is disproportionately focused on technology rather than operational resilience. Over the past two years, 55% of organizations reported an increase in their ICS/OT cybersecurity budgets. However, this funding has primarily been allocated to IT-driven security measures, leaving ICS/OT environments vulnerable. As IT and OT systems become more interconnected, attackers are exploiting new vulnerabilities at an alarming rate, taking advantage of security weaknesses created by this convergence.

The report reveals that more than half of the surveyed organizations experienced at least one cybersecurity incident involving ICS/OT systems within the past year. Among the primary vulnerabilities targeted by attackers, internet-accessible devices accounted for 33% of incidents, while transient devices—often used to bypass traditional security measures—were exploited in 27% of cases. These figures highlight the urgent need for stronger security controls to prevent unauthorized access to critical infrastructure.

Despite the growing recognition of OT cybersecurity as a priority, the report points to a significant challenge in leadership and decision-making when it comes to budget allocation. Only 27% of organizations have placed their ICS/OT cybersecurity budget under the direct control of Chief Information Security Officers (CISOs) or Chief Security Officers (CSOs). Without clear leadership oversight, budgetary decisions often fail to address the specific security needs of ICS/OT environments, leaving critical systems inadequately protected against evolving threats.

Another major concern identified in the report is the role of IT networks as a primary attack vector. IT security breaches were responsible for 58% of ICS/OT security incidents, reinforcing the need for an integrated approach to cybersecurity that considers both IT and OT vulnerabilities. Many organizations still underfund ICS/OT-specific security protections, with fewer than half dedicating even 25% of their total cybersecurity budgets to safeguarding critical infrastructure. This lack of financial commitment further exacerbates the risks faced by ICS/OT environments.

The findings emphasize the need for organizations to reassess their cybersecurity strategies and ensure that sufficient resources are allocated to ICS/OT security. A crucial step in addressing these challenges is the proper allocation of cybersecurity budgets to protect ICS/OT devices and endpoints from attacks. Strengthening defenses against cross-domain threats is essential, as attackers are increasingly targeting the interconnected nature of IT and OT systems. Organizations must also give cybersecurity leadership direct oversight of budgetary decisions, so that financial investments align with the actual operational risks faced by ICS/OT environments.

Dean Parsons, Principal Instructor and CEO and Principal Consultant of ICS Defence Force, underscored the critical nature of these challenges and the urgent need for a strategic approach to ICS/OT cybersecurity. He emphasized that defending critical infrastructure requires more than just implementing standard cybersecurity controls. Instead, organizations must invest in specialized ICS/OT security training, equipping professionals with a deep understanding of control system networks and the unique risks associated with industrial environments.

One of the most alarming findings in the report is that although cybersecurity budgets have increased, the majority of the investment remains concentrated on traditional IT security measures. This leaves ICS/OT environments—the core of industrial operations—dangerously underprotected. Parsons stressed that in ICS-driven organizations, the security of ICS systems is fundamental to the business itself. Organizations that do not actively reevaluate the threats facing their ICS environments risk exposing critical infrastructure to increasingly sophisticated cyber threats.

The protection of ICS/OT systems is no longer optional but an essential requirement for ensuring operational resilience and national security. As cyber threats continue to evolve, organizations must take immediate steps to bridge the ICS/OT cybersecurity budget gap. Investing in stronger security measures, enhancing leadership oversight, and building a highly skilled workforce are essential steps to securing the future of critical infrastructure. By prioritizing these efforts, organizations can develop a robust defense strategy that mitigates risks and ensures the long-term stability of their ICS/OT environments.