SANS and OPSWAT Report Exposes Gaps in ICS/OT Cybersecurity Budgets

SANS Institute, the global cybersecurity training and research institute, in partnership with OPSWAT, a global critical infrastructure protection (CIP) solutions provider, has announced the findings of the 2025 ICS/OT Cybersecurity Budget Report, highlighting critical gaps in cybersecurity budgets and a sharp rise in ICS/OT-focused cyberattacks. The report reveals that insufficient funding, misaligned priorities, and fragmented defenses are leaving critical infrastructure exposed to increasingly sophisticated cyber threats.

According to the report, while 55% of organizations have increased their ICS/OT cybersecurity budgets over the past two years, much of the investment is still heavily focused on technology, with limited attention to operational resilience. This imbalance, combined with the ongoing convergence of IT and OT environments, is creating new vulnerabilities that cyber attackers are exploiting at an alarming rate.

The report highlights that more than 50% of organizations experienced at least one cybersecurity incident involving ICS/OT systems in the past year. Key vulnerabilities exploited include internet-accessible devices (33%) and transient devices (27%), which are commonly used to bypass traditional cybersecurity defenses. Despite the growing recognition of the importance of OT cybersecurity, only 27% of organizations have placed budgetary control under CISOs or CSOs. Without clear leadership, budget allocation often overlooks critical ICS/OT-specific needs, increasing the risk to essential infrastructure.

The research also identifies IT compromises as the most common entry point for ICS/OT cyber incidents, accounting for 58% of attacks. This finding underscores the urgent need for organizations to implement integrated cybersecurity strategies that address vulnerabilities across both IT and OT environments. However, many organizations continue to underfund ICS/OT-specific protections, with less than half dedicating even 25% of their cybersecurity budgets to safeguard critical infrastructure, leaving these systems exposed to ongoing threats.

The 2025 ICS/OT Cybersecurity Budget Report emphasizes the importance of allocating appropriate budgets for ICS/OT defenses, strengthening protection against cross-domain attacks, and ensuring cybersecurity leadership is responsible for budget decisions to align spending with operational risk.

Dean Parsons, Principal Instructor at SANS Institute and CEO of ICS Defense Force, stressed the need for strategic investment in ICS/OT-specific security training and resources. He stated, “The evolving threat landscape in ICS/OT demands more than just deploying the five ICS Cybersecurity Critical Controls. Effective critical infrastructure defense requires a strategic investment in ICS/OT-specific security training, ensuring that those responsible for monitoring ICS controls have a deep understanding of control system networks. One of the most concerning findings in the report is that while cybersecurity budgets have increased, much of the investment remains focused only on traditional business support systems such as IT, leaving ICS/OT environments, the business itself, dangerously under-protected. After all, in an ICS organization, the ICS is the business. Organizations that fail to reevaluate their threats to their ICS environments leave critical infrastructure vulnerable to increasingly sophisticated attacks. Protecting these engineering systems isn’t optional—it’s essential for operational resilience and national security.”

This latest report from SANS Institute and OPSWAT reinforces the urgent need for organizations managing critical infrastructure to prioritize ICS/OT cybersecurity, align budget strategies with operational risks, and invest in specialized training to protect against the growing threat of cyberattacks targeting industrial control systems.