The future is now for management to implement OT cybersecurity strategies, including training of IT staff.
Investments in cybersecurity tools are paying off. The recent 2025 SANS State of ICS/OT Security Survey found that nearly half (49%) of all incidents in the manufacturing and industrial sectors were detected within 24 hours, and 55% were contained within 48 hours. The study suggests investments in threat detection services are working, and that visibility into OT processes, with the help of Information Technology (IT) departments, is making substantial gains.
However, the 2025 SANS report reveals that visibility into deeper operational levels of the ISA-95 (Purdue model) manufacturing standard is lacking.
Below are the results (source: SANS report):
Level 3 (Operations Systems): 19.7% report full visibility
Level 2 (Supervisory Control - SCADA/HMI): Just 10% report full visibility
Level 1 (Basic Control - PLCs/RTUs): Coverage is even thinner
Remote Sites: 17.5% report coverage across distributed operations
Recent studies show that OT cybersecurity investments are increasingly funded by IT departments. Two drivers stand behind them: legacy devices that were never meant to be connected to a network, and the need to prioritize OT asset inventory initiatives as experienced operators and plant managers retire.
With numerous industrial networking protocols in use at food plants, threat detection services deliver much-needed visibility at this level for OT and IT personnel. (Source: 2025 SANS Report)
“As IT and OT environments continue to converge, organizations must focus on foundational security practices that improve visibility and resilience without disrupting operations,” says Sean Tufts, Field CTO at Claroty, a supplier of cyber-physical systems protection and asset visibility services, enabling brands to automatically map and virtually segment networks. “This includes maintaining accurate asset inventories, securing remote and third-party access, improving network segmentation, and continuously monitoring asset behavior across geographically dispersed facilities.”
Growing OT cybersecurity investments
The 2025 SANS report ranked asset inventory/visibility as the top investment category, with 50% of respondents citing asset inventory as their main investment, and 54% responded that it will remain the top priority for 2026-27.
“The initial customer goal with threat monitoring is to create and automate OT asset inventory,” says Alexandre Peixoto, Cybersecurity Business Director at Emerson. “IT has said to OT that IP addresses are showing up in our networks, so what kind of asset inventory and protection mechanics are in place for your devices?” Emerson works with multiple reputable cybersecurity vendors to deliver native OT tools to food manufacturers.
In addition, Emerson enables plants to conduct OT asset inventory using its Guardian Digital Platform before implementing any threat monitoring solution. “The most important piece of threat monitoring is to perform threat and vulnerability management, but many companies are still in the asset inventory phase,” adds Peixoto.
“Our clients still need more data about all assets,” adds Rick Kaun, Global Director of Cybersecurity Services at Rockwell Automation. “They also need to provide context to that asset list, such as the asset criticality to operations, information about the obsolescence (support or capabilities) of the asset, vulnerabilities present, configuration, redundancy, location in the network, manufacturer type, etc.”
Rockwell Automation announced the launch of its Secure Digital Operations (SDO) organization, which brings Rockwell's manufacturing, cybersecurity and digital optimization expertise under one roof.
While asset inventory investments increase, the SANS report also shows an alarming time gap between attack and remediation. Twenty-two percent of incidents took two to seven days to fully remediate, while 19% took over a month and 3% over a year.
“Faster resolution depends on security teams having operational context, like understanding which assets are critical, how they normally behave, and what impact disruption would have on production, safety, or compliance,” says Claroty’s Tufts.
“In food and beverage environments in particular, organizations often lack full insight into how vendors connect to operational systems, which can slow containment and remediation efforts,” Tufts adds. “Lean OT teams, combined with limited cross-training between IT and OT, also make coordinated incident response more difficult, extending downtime and recovery timelines.”
C-level executives also understand the importance of OT security investments when it is framed in their own language. “It’s an operational availability and a financial risk problem,” says Phil Tonkin, Field CTO at Dragos, in a recent analysis of the SANS report. “Extended recovery times translate directly to lost production, emergency contractor costs, regulatory scrutiny and potential safety implications.”
According to Dragos, IT discovery tools often require active scanning that can disrupt industrial processes, lack the protocol-specific knowledge to identify ICS devices accurately, and don’t provide the depth needed to understand PLC configurations, firmware versions, or backplane-level details that matter for vulnerability management.
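The contrast Dragos draws, active scanning versus protocol-aware passive observation, is easiest to see in code. The following is an added example written for this article, not code from Dragos, Claroty, Emerson or any other vendor named here. It builds an asset inventory purely from flow records a monitoring sensor would already see, using a table of well-known industrial protocol ports to classify devices and place them on the Purdue model. The port table, role names, Purdue levels and flow records are all constructed for the example.

```python
"""Passive OT asset discovery from observed network flows.

Added example, not code from the article or from any vendor named in it.
Instead of actively scanning (which can disrupt industrial processes), an
OT monitoring tool infers an inventory from traffic it already sees, using
protocol knowledge to classify devices and place them on the Purdue model.
The port table, roles, Purdue levels and flow records are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Well-known industrial protocol server ports (assumption: the host that
# answers on one of these ports is the field or supervisory device).
# Real tools also parse protocol payloads to pull model, firmware and
# backplane details, which a flow record alone cannot provide.
ICS_PORTS = {
    502:   ("Modbus/TCP",  "PLC/RTU",            1),
    44818: ("EtherNet/IP", "PLC",                1),
    102:   ("S7comm",      "PLC",                1),
    20000: ("DNP3",        "RTU",                1),
    4840:  ("OPC UA",      "Supervisory server", 2),
}

@dataclass
class Asset:
    ip: str
    role: str = "unknown"
    purdue_level: Optional[int] = None
    protocols: set = field(default_factory=set)
    talks_to: set = field(default_factory=set)

def parse_flow(line):
    """Parse a 'src_ip,dst_ip,dst_port,bytes' record (constructed format)."""
    src, dst, port, nbytes = line.strip().split(",")
    return src, dst, int(port), int(nbytes)

def iter_flows(lines):
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            yield parse_flow(line)

def build_inventory(flow_lines):
    """Two passes: classify servers of ICS protocols first, then infer
    the clients that drive Level 1 devices (normally Level 2 HMI/SCADA)."""
    flows = list(iter_flows(flow_lines))
    inv = {}
    for src, dst, port, _ in flows:
        for ip in (src, dst):
            inv.setdefault(ip, Asset(ip=ip))
        inv[src].talks_to.add(dst)
        inv[dst].talks_to.add(src)
        if port in ICS_PORTS:
            proto, role, level = ICS_PORTS[port]
            inv[dst].protocols.add(proto)
            inv[dst].role, inv[dst].purdue_level = role, level
            inv[src].protocols.add(proto)
    for src, dst, port, _ in flows:
        if port in ICS_PORTS and ICS_PORTS[port][2] == 1 and inv[src].purdue_level is None:
            inv[src].role, inv[src].purdue_level = "HMI/SCADA client", 2
    return inv

def summarize(inv):
    """Sorted (ip, role, purdue_level, protocols) rows for an inventory report."""
    return [(a.ip, a.role, a.purdue_level, sorted(a.protocols))
            for a in sorted(inv.values(), key=lambda a: a.ip)]

def unclassified(inv):
    """Hosts never seen serving an ICS protocol; candidates for manual follow-up."""
    return sorted(a.ip for a in inv.values() if a.role == "unknown")

# Constructed sample: an HMI polling two PLCs, a second HMI, and an
# engineering host reading OPC UA from the first HMI and reaching an IT host.
SAMPLE_FLOWS = """
# src_ip,dst_ip,dst_port,bytes
10.20.2.10,10.20.1.5,502,1200
10.20.2.10,10.20.1.6,44818,980
10.20.2.11,10.20.1.5,502,640
10.20.3.20,10.20.2.10,4840,3000
10.20.2.10,10.20.1.5,502,1100
10.20.3.20,10.0.0.9,443,5100
""".strip().splitlines()

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for row in summarize(inventory):
        print(row)
    print("needs follow-up:", unclassified(inventory))
```

The two-pass structure matters: a host that serves OPC UA is classified as a supervisory server before any inference is made from what it polls, so a Level 2 server is never mislabelled as a generic client. Hosts that never serve an ICS protocol stay "unknown", which is exactly the list an OT team would hand to the plant staff the article says are retiring, while the institutional knowledge is still available.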
What works? A cyberattack case study
Cybersecurity maturity varies across food and beverage, and the SANS report reinforces this fact. According to the 2025 SANS survey, “half of all reported incidents this year began with unauthorized external access. Even as multifactor authentication (MFA) becomes commonplace, fewer than 15% of organizations have implemented advanced ICS-aware controls, including session recording, device-specific access, or real-time approvals.”
MFA is one of the foundations of Zero Trust security, along with air gaps between IT and OT networks. E Tech Group, a system integrator, offers IT/OT cybersecurity services and revealed details of a recent attack on a food and beverage manufacturer. The system integrator’s services include traditional automation services and the implementation of third-party threat detection technology from providers such as Nozomi Networks, Claroty, and Dragos.
This attack involved unexpected traffic between the IT domain controller and the backup system, a common ransomware target that attackers use to disable recovery and pressure victims into paying. Because of the air-gapped network design, the damage was contained, and the manufacturer was able to operate fully while mitigating the attack on the enterprise network.
The OT network firewall implemented by E Tech Group relied on enhanced access control that restricted access to sensitive areas of the building network, while delivering protocol filtering, segmentation, zoning, monitoring, and logging. Operating deep within the OT network, a threat detection engine monitored and analyzed network traffic for unusual or suspicious activity.
“Without the threat detection engine monitoring the network, the attackers could have remained unnoticed for a much longer period,” says Kevin Romer, Solutions Architect at E Tech Group. “This delay would have allowed them to gather extensive knowledge about the facility’s operations before executing a full-scale attack.”
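The case study rests on two detections: a segmentation design that only permits traffic through defined conduits, and a monitoring engine that notices when two hosts start talking in a way they never did before. The following is an added example written for this article, not code from E Tech Group or any of the threat detection vendors it deploys. It checks constructed flow records against a constructed zone plan (IEC 62443 zones and conduits, arranged in Purdue order) and against a baseline window, and raises the kind of alert that would have surfaced the domain-controller-to-backup traffic described above. All addresses, zone ranges, conduits, host names and flow records are constructed.

```python
"""Segmentation policy and baseline checks over observed flows.

Added example, not code from the article or from E Tech Group. It models
the two detections the case study relies on: traffic crossing a zone
boundary that the segmentation design does not allow (a conduit violation,
in IEC 62443 terms), and a communication pair between known IT hosts, such
as the domain controller and the backup server, that was never seen during
a baseline period. Addresses, zones, conduits and flows are constructed.
"""
import ipaddress

# Constructed zone plan, IT at the top, field devices at the bottom.
ZONES = {
    "IT":    ipaddress.ip_network("10.0.0.0/16"),
    "DMZ":   ipaddress.ip_network("10.10.0.0/24"),
    "OT-L2": ipaddress.ip_network("10.20.2.0/24"),
    "OT-L1": ipaddress.ip_network("10.20.1.0/24"),
}
# Allowed conduits as (src zone, dst zone, dst port); any other traffic that
# crosses a zone boundary is a violation worth an alert.
CONDUITS = {
    ("IT",    "DMZ",   443),    # patch relay and historian mirror
    ("OT-L2", "DMZ",   443),
    ("OT-L2", "OT-L1", 502),    # HMI polling PLCs over Modbus/TCP
    ("OT-L2", "OT-L1", 44818),  # ... and over EtherNet/IP
}
# Constructed host names so alerts read like the case study.
HOSTS = {"10.0.0.5": "domain-controller", "10.0.0.50": "backup-server",
         "10.20.2.10": "hmi-01", "10.20.1.5": "plc-line-1"}

def name(ip):
    return HOSTS.get(ip, ip)

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "unknown"

def iter_flows(lines):
    """Yield (src, dst, dst_port) from 'src_ip,dst_ip,dst_port' records."""
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            src, dst, port = line.split(",")
            yield src, dst, int(port)

def conduit_violations(flow_lines):
    """Flows that cross zones outside an allowed conduit."""
    out = []
    for src, dst, port in iter_flows(flow_lines):
        zs, zd = zone_of(src), zone_of(dst)
        if zs != zd and (zs, zd, port) not in CONDUITS:
            out.append((src, zs, dst, zd, port))
    return out

def new_pairs(baseline_lines, current_lines):
    """(src, dst, port) triples in the current window never seen in the baseline."""
    seen = set(iter_flows(baseline_lines))
    return sorted(set(iter_flows(current_lines)) - seen)

def alerts(baseline_lines, current_lines):
    """Merge both checks into (severity, message); the deeper the OT zone
    reached, the higher the severity. Pairs already flagged as conduit
    violations are not reported a second time as new pairs."""
    severity = {"OT-L1": "critical", "OT-L2": "high", "DMZ": "medium",
                "IT": "low", "unknown": "medium"}
    violations = conduit_violations(current_lines)
    out = [(severity[zd], f"conduit violation {zs}->{zd}: {name(s)} -> {name(d)}:{p}")
           for s, zs, d, zd, p in violations]
    already = {(s, d, p) for s, _, d, _, p in violations}
    for s, d, p in new_pairs(baseline_lines, current_lines):
        if (s, d, p) not in already:
            out.append(("medium", f"new pair in {zone_of(s)}: {name(s)} -> {name(d)}:{p}"))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(out, key=lambda a: order[a[0]])

# Constructed baseline: backup server authenticates to the DC, DC and HMI
# reach the DMZ over 443, HMI polls its PLC.
BASELINE = """
# src_ip,dst_ip,dst_port
10.0.0.50,10.0.0.5,389
10.0.0.5,10.10.0.2,443
10.20.2.10,10.20.1.5,502
10.20.2.10,10.10.0.2,443
""".strip().splitlines()

# Constructed current window: two flows that never appeared in the baseline.
CURRENT = """
# src_ip,dst_ip,dst_port
10.0.0.50,10.0.0.5,389
10.0.0.5,10.10.0.2,443
10.20.2.10,10.20.1.5,502
10.0.0.5,10.0.0.50,3389
10.0.0.5,10.20.1.5,502
""".strip().splitlines()

if __name__ == "__main__":
    for sev, msg in alerts(BASELINE, CURRENT):
        print(f"[{sev}] {msg}")
```

The conduit check needs no baseline at all; it is the segmentation design itself, expressed as data, which is why an air-gapped or strictly zoned plant can flag IT-to-PLC traffic the moment it appears. The baseline check is what catches the subtler case in the article: traffic between two hosts that are both allowed to exist in the IT zone but that had no business talking to each other on that port. In production the baseline would be learned over weeks rather than typed in, and the "unknown" zone should itself trigger an inventory follow-up.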
The future: IT and OT knowledge sharing
Retaining IT talent is a challenge for manufacturers, and so is training and leveling up new hires on the complexities of an OT network. “The younger generation embraces IT technology, and they’re coming to help on the OT side,” said Kevin Kumpf, an OT/ICS Strategist at Hard Hat Cybersecurity Services, during the ARC Advisory Industry Leadership Forum. “However, they don't understand safety, uptime, and all the areas of OT within critical infrastructure.”
The next couple of years should see greater knowledge sharing between IT and OT experts, especially as older plant staff retire. (Source: 2025 SANS Report)
The future is now for management to implement OT cybersecurity strategies, including training of IT staff. For this to happen, experienced plant staff need digital tools to share and document OT security controls, such as identity and access management, and network segmentation.
“From a leadership standpoint, effective OT security programs require translating cyber risk into operational and financial risk that resonates with executive stakeholders,” says Tufts. “Aligning security initiatives with business priorities helps ensure investments support productivity and operational continuity while reducing exposure.”