Why asset visibility matters in industrial cyber security

Industrial organizations continue to face growing cyber threats from adversaries, from sophisticated state-sponsored groups to hacktivists and financially motivated criminals. These attackers don't just target data or demand ransom; they affect physical processes and critical services. The underlying risk factor in many of these incidents is still underestimated: insufficient asset visibility.

Asset visibility is a fundamental component of any operational technology (OT) security strategy. It provides essential information about what devices exist on your network, how they are configured, and how they interact. Without this, risk assessment, threat detection and even basic incident response will be severely limited.

In Dragos' experience working with industrial infrastructure – oil and gas, electrical grids, water and manufacturing – we continue to find that a significant number of organizations have blind spots. Many people assume that their systems are completely isolated or that they have no assets reachable online. But as soon as we start monitoring, the reality turns out to be quite different.

In the organizations we work with – from energy suppliers to water utilities – many believe they have no assets on the open internet. In reality they often do, and in many cases these assets are unauthenticated and vulnerable to exploitation of decades-old vulnerabilities. These environments are often designed with business continuity rather than security in mind. This is why visibility is so important.

Why OT is especially challenging

OT environments differ from IT environments in ways that make traditional security tools ineffective. Industrial control systems often run continuously, meaning downtime for scanning or updating is not an option. Equipment comes from a wide range of manufacturers, many of which use proprietary protocols that current detection systems do not support. Add to this aging infrastructure and limited monitoring, and you have a situation where defenders are often operating in the dark.

Unlike IT, where patch management and endpoint security are standard, OT networks are often left out, which reduces visibility and leaves their security posture uncertain. This creates an ideal environment for threat actors, who are becoming increasingly interested in it.

The threats are real and growing

We are no longer talking about hypothetical scenarios. State-sponsored threat groups are increasingly targeting the electricity, oil and gas sectors, while ransomware operators are focusing on manufacturing, where downtime directly results in lost revenue.

Recently there has also been a rise in ideologically motivated groups. Many of these participants are not using cutting-edge tools, but they are still making an impact. Some of the groups we monitor have caused disruptions by simply identifying and attacking Internet-exposed OT assets with well-known vulnerabilities.

One threat group we are monitoring, Bauxite, has successfully gained access to Unitronics programmable logic controllers and used them to display politically motivated messages on screen. The organizations targeted by Bauxite, which overlaps with Cyber Avengers, were not necessarily high-profile or operating in conflict zones, but they did use equipment from an Israeli supplier. That alone made them a target.

This shift is important. Attackers always target organizations not because of who they are, but because of what they use. This raises new questions for asset management and risk planning. If your organization uses certain vendors or technologies, that may be enough to put you in the crosshairs.

Why detection depends on visibility

Many organizations rely on perimeter protection or assume that an air gap is sufficient. But attackers don't always need to get past firewalls or trick users into clicking links. If the vulnerable asset is visible on the open internet, they can connect to it directly.

That's why asset visibility isn't just about compliance or inventory management—it's a vital security need. It allows defenders to establish what normal behavior looks like, identify anomalies, and detect the early stages of an attack. Without it, threats may remain undetected for a long time. In some cases, we have seen attackers inject malicious code directly into industrial devices, where it quietly waits for a trigger that may not occur for weeks, months, or longer.

You can't protect what you can't see. And in OT environments, where defenders often have less visibility than attackers, this becomes a serious risk.
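As an added illustration of the baseline-and-anomaly idea in this section (this is example code written for this page, not code from the original article or from Dragos), the following Python builds an asset inventory purely from passively observed flow records, then flags the deviations a defender wants to see: a never-before-seen host, a known host speaking a new protocol or talking to a new peer, and an internal asset exchanging traffic with an address outside the site, which is the internet-exposure case described above. The site address range, the flow records and the protocol labels are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Site address plan (constructed). OT monitoring should use the site's own
# ranges rather than RFC 1918 heuristics; this also avoids the ipaddress module
# treating documentation ranges such as 203.0.113.0/24 as "private".
INTERNAL_NETS = [ip_network("10.10.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol). The protocol
# label stands in for what a passive industrial protocol decoder would report.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "modbus"),    # HMI polling PLC A
    ("10.10.1.5", "10.10.1.21", 502, "modbus"),    # HMI polling PLC B
    ("10.10.1.6", "10.10.1.20", 44818, "enip"),    # engineering workstation to PLC A
]
OBSERVED_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "modbus"),    # unchanged from baseline
    ("10.10.1.99", "10.10.1.20", 502, "modbus"),   # host never inventoried before
    ("10.10.1.6", "10.10.1.21", 102, "s7comm"),    # known host, new protocol and peer
    ("203.0.113.7", "10.10.1.21", 502, "modbus"),  # outside address reaching a PLC
]


@dataclass
class Asset:
    ip: str
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_inventory(flows):
    """Derive the asset inventory from traffic alone, with no active probing."""
    inventory = {}
    for src, dst, _port, proto in flows:
        for ip in (src, dst):
            inventory.setdefault(ip, Asset(ip))
        inventory[src].protocols.add(proto)
        inventory[dst].protocols.add(proto)
        inventory[src].peers.add(dst)
        inventory[dst].peers.add(src)
    return inventory


def exposed_assets(inventory):
    """Internal assets that exchanged traffic with an address outside the site."""
    return {a.ip for a in inventory.values()
            if is_internal(a.ip) and any(not is_internal(p) for p in a.peers)}


def find_deviations(baseline, flows):
    """Compare new flows against the baseline inventory and report deviations."""
    findings = []

    def note(kind, ip, detail):
        item = (kind, ip, detail)
        if item not in findings:
            findings.append(item)

    for src, dst, port, proto in flows:
        for ip in (src, dst):
            if not is_internal(ip):
                continue          # outside addresses are reported via their internal peer
            if ip not in baseline:
                note("new_asset", ip, f"first seen speaking {proto}")
                continue
            peer = dst if ip == src else src
            if not is_internal(peer):
                note("external_peer", ip, f"{peer}:{port}")
                continue          # exposure outranks the finer-grained checks
            asset = baseline[ip]
            if proto not in asset.protocols:
                note("new_protocol", ip, proto)
            if peer not in asset.peers:
                note("new_peer", ip, peer)
    return findings


if __name__ == "__main__":
    baseline = build_inventory(BASELINE_FLOWS)
    for kind, ip, detail in find_deviations(baseline, OBSERVED_FLOWS):
        print(f"{kind:14} {ip:14} {detail}")
    print("internet-exposed:", sorted(exposed_assets(build_inventory(OBSERVED_FLOWS))))
```

The same structure applies to real passive captures: feed the decoder's per-flow output into build_inventory during a learning window, then run find_deviations on live flows. The explicit site ranges are the important design choice, since a controller answering an address outside the plan is exactly the "asset on the open internet" that organizations assume they don't have.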

Supply chain visibility is equally important

Even if you have good internal visibility, your organization may still be exposed to supply chain risks. Operating ecosystems supporting critical national infrastructure include managed service providers, cloud platforms, and hardware providers. Any one of them can become a point of compromise.

For example, during my time at Microsoft, we realized that just two main communication service providers served approximately 80% of Azure customers. This level of concentration creates a systemic risk, so we worked to address it. Any organization that does not take sufficient preventative measures or does not respond properly to a compromise puts at risk not only its own networks, but also the networks of its partners, customers, and its customers' customers. As a consumer in the supply chain, your organization also has a responsibility to monitor its suppliers and demand transparency from them; otherwise you may be exposed to this type of risk.

This is where legislation such as the UK Cyber Security and Resilience Bill becomes important. But for regulation to be effective, it must be accompanied by support. Smaller organizations and those further down the supply chain often lack the resources to interpret and implement complex security controls. Visibility tools, structure and guidance must be available if we are to improve resilience across the board.

Staying ahead of the threat

Too often, industrial organizations do not invest adequately in OT visibility and threat detection until after an incident has occurred. Whether it's a plant shutdown, a loss of revenue, or something worse, these events become triggers for action. But by then the damage has already been done.

This reactive attitude must change. Tools and techniques are now available that enable safe, passive monitoring of OT networks. Defenders need every advantage they can get. Asset visibility may not be the sexiest aspect of cybersecurity, but it is one of the most important.

Looking to the future, industrial organizations must recognize that protecting mission-critical operations begins with understanding them. Knowing what's connected, how it communicates, and who might want to exploit it is the transparency that underpins every other layer of security. Without it we are fighting blind.

Soroka Graham is the Technical Director of Threat Intelligence at Dragos.
