Comprehensive Threat Exposure Management Platform
Industrial control systems run power grids, water treatment plants, manufacturing lines, and oil refineries. These systems were never designed to be connected to the internet, yet the push toward IT-OT convergence has exposed them to the same threats that plague enterprise networks. The result: a rapidly expanding attack surface that traditional vulnerability management programs were never built to handle.
According to Bitsight’s 2025 TRACE research, roughly 180,000 ICS and OT devices are currently accessible from the public internet, a figure that grew 12% year over year. At the same time, CISA published 508 ICS advisories covering 2,155 CVEs in 2025 alone, a record year for industrial vulnerability disclosures (Forescout, 2026). Security teams responsible for these environments face a compounding problem: more exposed assets, more disclosed vulnerabilities, and fewer options for remediation than their IT counterparts.
This article explains why OT and ICS environments need a fundamentally different approach to cybersecurity, one centered on threat exposure management rather than traditional vulnerability scanning and patching cycles.
The convergence of IT and OT networks has created exposure pathways that did not exist a decade ago. Remote monitoring, cloud-connected SCADA systems, and IoT sensors feeding operational data back to enterprise dashboards all introduce new entry points for attackers.
The numbers tell a clear story. Bitsight’s research found that internet-exposed ICS/OT devices span protocols like Modbus, BACnet, and EtherNet/IP, with the trajectory pointing toward 200,000 exposed devices within the next year if current trends hold. Claroty’s Team82 analysis of nearly one million OT devices found that 40% of organizations have OT assets insecurely connected to the internet, and 12% of those assets communicate with domains linked to threat actors in China, Russia, and Iran (Claroty, State of CPS Security 2025).
New ICS-specific malware families compound the risk. FrostyGoop, which targets Modbus communications, and Fuxnet, designed to attack Meter-bus and S7 protocol devices, represent a shift from general-purpose malware toward tools purpose-built for industrial environments (Bitsight, 2025). These tools do not rely on traditional IT attack vectors; they exploit the protocols and communication patterns unique to operational technology.
Most vulnerability management programs were designed around a simple cycle: scan, identify CVEs, prioritize by CVSS score, and patch. That cycle breaks down in OT for several reasons.
Patching disrupts operations. In IT, patching a server might mean a brief maintenance window. In OT, patching a programmable logic controller (PLC) on a production line can halt manufacturing. Patching a safety instrumented system at a chemical plant introduces risk to human safety. The cost of downtime in OT environments, both financial and operational, makes the “patch everything” approach impractical.
Many devices cannot be patched at all. CISA’s own data indicates that roughly 30% of ICS vulnerabilities have no vendor-supplied patch or update available. These devices, often running legacy firmware or proprietary operating systems, may remain in production for 15 to 20 years. A risk-based vulnerability management approach that relies on patch availability leaves these assets perpetually unaddressed.
CVSS scores do not reflect OT risk context. A CVSS 9.8 vulnerability on an air-gapped PLC inside a segmented network represents a different risk than the same vulnerability on an internet-facing human-machine interface (HMI). Generic severity scores ignore asset criticality, network reachability, and whether a vulnerability is actively being exploited in the wild.
CISA advisory coverage is shrinking. Forescout’s 2026 analysis of the ICS Advisory Project revealed that only 22% of vendor-published OT/ICS vulnerabilities in 2025 had an associated CISA advisory, down from 58% in 2024. Meanwhile, 134 vendors published ICS vulnerabilities with zero CISA advisories. Organizations relying solely on CISA’s ICS-CERT as their vulnerability intelligence source are missing the majority of known threats.
Exposure management expands the lens beyond individual CVEs to assess the full picture of organizational risk. Where vulnerability management asks “What CVEs exist on our assets?”, exposure management asks “Which of our assets are reachable by attackers, exploitable with available tools, and critical enough to our operations that a compromise would cause real damage?”
Exposure equals vulnerability plus reachability plus exploitability plus business impact. A vulnerability on a device that sits behind three layers of network segmentation, has no known exploit code, and controls a non-critical process represents minimal exposure. The same vulnerability on an internet-facing device running a safety-critical function, with active exploit code circulating on dark web forums, represents severe exposure.
This distinction matters enormously in OT. Claroty’s research found that 111,000 OT devices across manufacturing, logistics, and natural resources contain Known Exploitable Vulnerabilities (KEVs). Of those, 68% are linked to ransomware groups, and 31% of organizations have devices with ransomware-linked KEVs exposed directly to the internet (Claroty Team82, 2025). Knowing you have a KEV is one thing. Knowing that the KEV sits on a device that is reachable from the internet, targeted by active ransomware campaigns, and controlling a production line worth $2 million per hour of downtime is the difference between a vulnerability and an exposure.
Gartner’s Continuous Threat Exposure Management (CTEM) framework provides a structured, five-stage approach that maps well to OT security challenges. Gartner predicts that by 2026, organizations prioritizing security investments based on CTEM programs will be three times less likely to suffer breaches. Here is how each stage applies to OT/ICS environments:
1. Scoping. Define what matters. In OT, scoping goes beyond IP addresses to include Purdue Model levels, safety zones, production cells, and business-critical processes. A power generation facility might scope its CTEM program around turbine control systems and grid interconnection points rather than by network segments alone.
2. Discovery. Find every asset and exposure. OT discovery requires passive network monitoring rather than active scanning, which can crash sensitive devices. Discovery also means mapping connections between IT and OT networks, identifying remote access pathways, and cataloging devices that may not appear in traditional asset inventories. Attack surface intelligence plays a critical role here, revealing externally visible assets and shadow OT connections that internal scans miss.
3. Prioritization. Not all exposures carry equal risk. OT prioritization must factor in asset criticality to physical processes, active exploitation status (KEV data), ransomware linkage, threat actor targeting of specific OT sectors, and whether compensating controls exist. This is where threat intelligence becomes essential, going beyond CVSS scores to answer the question: “Is someone actively exploiting this in OT environments right now?”
4. Validation. Test whether exposures are actually exploitable in your specific environment. Breach and attack simulation (BAS) tools can model attack paths through converged IT-OT networks to determine whether a vulnerability identified in discovery can actually be reached and exploited by an attacker. For OT, validation must be non-disruptive; simulations should model attacks without sending live exploit traffic to production PLCs.
5. Mobilization. Act on validated exposures. In OT, mobilization rarely means “apply the patch.” Instead, it might mean deploying virtual patches through NGFW rules, adjusting micro-segmentation policies, restricting remote access to compromised device types, or coordinating a maintenance window for critical patches during planned downtime. The goal is to reduce exposure through the fastest, safest remediation path available.
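To make the exposure definition and the prioritization stage concrete, here is an added example (not code from the article or from any vendor platform) that ranks a constructed list of OT findings by reachability, exploitability and impact rather than by CVSS alone. The weights, the Purdue-level reachability values and the three sample findings are assumptions of this illustration.

```python
# Added example: exposure-based ranking of a constructed OT finding list.
# Weights, factor values and sample findings are assumptions, not the article's.
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cvss: float
    internet_facing: bool
    purdue_level: int           # 0-2 process/control/supervisory, 3+ site/enterprise
    in_kev: bool                # in CISA's Known Exploited Vulnerabilities catalogue
    ransomware_linked: bool
    safety_critical: bool
    compensating_control: bool  # e.g. virtual patch already enforced by a firewall rule
    patch_available: bool

def exposure_score(f: Finding) -> float:
    vuln = f.cvss / 10.0                          # vulnerability severity, 0-1
    # reachability: internet-facing is fully reachable; low Purdue levels behind
    # segmentation are hard to reach (assumed values)
    reach = 1.0 if f.internet_facing else {0: 0.2, 1: 0.2, 2: 0.4}.get(f.purdue_level, 0.6)
    # exploitability: KEV = exploited now; ransomware linkage raises it further
    exploit = 0.3 + (0.4 if f.in_kev else 0.0) + (0.3 if f.ransomware_linked else 0.0)
    impact = 1.0 if f.safety_critical else 0.5    # physical / safety consequence
    # multiplicative, so any one low factor keeps exposure low (CVSS 9.8 on a
    # segmented PLC with no exploit stays near the bottom of the queue)
    score = 100 * vuln * reach * exploit * impact
    if f.compensating_control:                    # mitigated, not eliminated
        score *= 0.5
    return round(score, 1)

def recommended_action(f: Finding) -> str:
    if not f.patch_available:
        return "compensating control: virtual patch, segmentation, monitoring"
    if f.purdue_level >= 3:
        return "patch in next IT maintenance window"
    return "schedule patch during planned production downtime"

# constructed sample; by CVSS alone the order would be plc > historian > hmi
SAMPLE = [
    Finding("plc-line3", 9.8, False, 1, False, False, True, False, False),
    Finding("hmi-remote", 7.5, True, 2, True, True, False, False, True),
    Finding("historian", 8.8, True, 3, True, False, False, True, True),
]

def triage(findings=SAMPLE):
    """(asset, exposure score, action) tuples, highest exposure first."""
    ranked = sorted(findings, key=exposure_score, reverse=True)
    return [(f.asset, exposure_score(f), recommended_action(f)) for f in ranked]
```

Running `triage()` puts the internet-facing, ransomware-linked HMI first and the CVSS 9.8 segmented PLC last, which is the inversion of a CVSS-only queue that the article argues for.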
The single biggest shift OT security teams can make is moving from CVSS-based prioritization to threat intelligence-driven prioritization. Here is why this matters and how to implement it.
The average CVSS score for ICS advisories climbed to 8.07 in 2025, with 82% reaching high or critical severity (Forescout, 2026). When nearly every vulnerability is scored as critical, CVSS scores lose their ability to differentiate. Everything looks urgent, so nothing gets prioritized effectively.
Threat intelligence adds the missing context:
By layering these intelligence signals on top of vulnerability data, security teams can reduce the noise from thousands of CVEs down to the tens or hundreds of exposures that represent real, immediate risk to their OT operations.
Based on the challenges and frameworks discussed above, here are practical steps OT security teams can take to implement exposure management:
Build a unified IT-OT asset inventory. You cannot manage exposures you do not know about. Integrate OT-specific discovery (passive monitoring, protocol-aware scanning) with IT asset management to create a single source of truth that spans both environments. This inventory should include device type, firmware version, network connectivity, Purdue level, and business process dependency.
Adopt risk-based prioritization using real threat data. Replace CVSS-only triage with multi-factor scoring that includes KEV status, ransomware linkage, active APT campaigns, asset criticality, and network reachability. This approach turns a list of 2,000 CVEs into a focused queue of the 50 exposures that actually threaten your operations.
Plan for devices that cannot be patched. For the 30% of ICS vulnerabilities without patches, build a compensating controls playbook. Options include virtual patching through firewall rules, network segmentation to isolate vulnerable devices, restricting communication protocols to known-good traffic patterns, and increasing monitoring on affected network segments.
Validate exposures before acting. Use attack path analysis and breach simulation to confirm which exposures can actually be reached by an external or lateral attacker. This prevents wasting limited OT maintenance windows on vulnerabilities that are already mitigated by existing controls.
Coordinate across IT, OT, and leadership. OT exposure management is not a security-only function. Remediation requires cooperation between IT security teams (who understand the threat landscape), OT engineers (who understand operational impact), and executive leadership (who authorize maintenance windows and budget). Establish shared dashboards and reporting that translate exposure risk into business terms.
Monitor continuously, not periodically. Annual or quarterly vulnerability assessments are insufficient for OT environments where the threat landscape changes daily. Continuous monitoring ensures new exposures, such as a newly disclosed CVE affecting your specific PLC firmware or a newly discovered internet-facing connection, are identified and prioritized in real time.
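As an added example of the compensating-controls playbook above (restricting a protocol to known-good traffic patterns and monitoring the segment), the following script, which is not from the article or any product, checks constructed Modbus/TCP flow records against a per-host policy that lets only the engineering workstation issue write function codes. The subnet, host roles, policy and flow lines are all assumptions made for the illustration.

```python
# Added example: checking Modbus/TCP flow records against a known-good traffic
# policy, the kind of compensating control the mobilization stage would deploy.
# Subnet, policy, host roles and flow lines are constructed for this illustration.
import csv
import ipaddress
from io import StringIO

OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")   # assumed control-network range
READ_CODES = {1, 2, 3, 4}                          # Modbus read coils/inputs/registers
WRITE_CODES = {5, 6, 15, 16}                       # Modbus write coils/registers
# known-good policy: which source host may use which function codes against PLCs
POLICY = {
    "10.20.0.10": READ_CODES | WRITE_CODES,        # engineering workstation
    "10.20.0.11": READ_CODES,                      # HMI: reads only
}

# constructed flow export: src,dst,dport,fc (Modbus function code)
FLOWS = """src,dst,dport,fc
10.20.0.11,10.20.0.50,502,3
10.20.0.10,10.20.0.50,502,16
10.20.0.11,10.20.0.50,502,6
203.0.113.7,10.20.0.50,502,3
10.20.0.99,10.20.0.51,502,16
"""

def check_flow(row):
    """Return a reason string when a flow deviates from the known-good policy."""
    if int(row["dport"]) != 502:                    # only Modbus/TCP is in scope here
        return None
    src = ipaddress.ip_address(row["src"])
    fc = int(row["fc"])
    if src not in OT_SUBNET:
        return "modbus from outside control network"
    allowed = POLICY.get(str(src))
    if allowed is None:
        return "unknown source host on control network"
    if fc not in allowed:
        kind = "write" if fc in WRITE_CODES else "read"
        return f"{kind} function code {fc} not permitted for this host"
    return None

def audit(text=FLOWS):
    """Alerts as (src, dst, fc, reason) for every flow that violates the policy."""
    alerts = []
    for row in csv.DictReader(StringIO(text)):
        reason = check_flow(row)
        if reason:
            alerts.append((row["src"], row["dst"], int(row["fc"]), reason))
    return alerts
```

The sample produces three alerts: an HMI issuing a write, a Modbus request from outside the control network, and an unknown host on the control segment; the two reads and the workstation's write pass.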
Hive Pro’s Uni5 Xposure platform was built to operationalize the complete CTEM framework across both IT and OT environments. Rather than requiring separate tools for vulnerability scanning, threat intelligence, exposure validation, and remediation tracking, Uni5 Xposure unifies all five CTEM stages into a single platform.
For OT/ICS environments specifically, the platform addresses the challenges outlined in this article:
The result is a measurable reduction in exposure: Hive Pro customers report 70% faster remediation times (from three weeks to three days) and 80% reduction in overall threat exposure through validated prioritization.
Operational technology (OT) refers to hardware and software that monitors and controls physical processes in industrial environments, including manufacturing plants, power grids, water treatment facilities, and oil refineries. Industrial control systems (ICS) are a subset of OT that includes SCADA systems, PLCs, distributed control systems (DCS), and safety instrumented systems (SIS). In cybersecurity, OT and ICS security focuses on protecting these systems from cyberattacks that could disrupt physical operations or endanger human safety.
Vulnerability management identifies known CVEs on assets and prioritizes patching based on severity scores. Exposure management goes further by assessing whether those vulnerabilities are actually reachable by attackers, actively being exploited, and critical to business operations. In OT environments where 30% of vulnerabilities have no patch available, exposure management provides actionable alternatives like compensating controls and network segmentation rather than leaving unpatchable devices unaddressed.
Continuous Threat Exposure Management (CTEM) is a framework defined by Gartner that structures security programs into five stages: Scoping, Discovery, Prioritization, Validation, and Mobilization. For OT security, CTEM matters because it moves organizations beyond periodic vulnerability scans toward continuous assessment and response. Gartner predicts organizations using CTEM will be three times less likely to suffer breaches by 2026.
OT systems often run legacy firmware, use proprietary operating systems, and control physical processes that cannot tolerate downtime. Patching a PLC on an active production line risks halting manufacturing, and patching safety-critical systems introduces risks to human safety. Additionally, roughly 30% of ICS vulnerabilities have no vendor-supplied patch available, leaving many OT devices permanently unpatched regardless of intent.
Threat intelligence adds context that CVSS scores alone cannot provide. It reveals whether a vulnerability is being actively exploited, whether ransomware groups are targeting it, and whether APT actors are using it in campaigns against specific OT sectors. This context helps security teams focus limited remediation resources on the exposures that represent the greatest real-world risk to their operations.