Many organizations have embraced greater connectivity across their operational technology environments, often without fully realizing the level of risk they are introducing. Systems that were once isolated are now accessible from corporate networks or the internet, expanding the potential attack surface in ways that are difficult to track and even harder to secure.
OT Security Insights, a recent report from Palo Alto Networks and Siemens, explores how increased connectivity is exposing OT systems to greater risk, what types of threats are already active inside these environments, and which steps can help reduce that risk without slowing down operations. The report concludes that as the attack surface expands, organizations must build a layered, resilient security framework that scales with the growth of risks.
This research builds on a broader technology partnership between the Palo Alto Networks OT Threat Research Lab in Santa Clara, California and Siemens Cyber Security Research Lab in Princeton, New Jersey. We deliver secure segmentation, consistent policy enforcement and real-time threat prevention by combining Palo Alto Networks VM-Series software firewalls with Siemens Ruggedcom Multi-Service Platforms. Together, these integrated technologies help industrial organizations reduce exposure, contain threats, and maintain resilient operations in even the most demanding environments.
What Greater OT Connectivity Means for Security
At a glance, many industrial environments appear well-defended, largely due to long-standing assumptions about air-gapped networks and physical isolation. But in reality, these boundaries have gradually eroded. Growing connectivity, remote access demands and IT/OT convergence have created an expanding network of connected OT systems that few organizations actively manage.
This joint research effort uncovered millions of signals from SCADA and OT devices, revealing that more than one million unique IP addresses were accessible from the public internet. These included OT application servers, many of which were never intended to operate beyond the plant floor, introducing a risk that is easy to underestimate.
OT systems power energy production, manufacturing operations, transportation and other essential services. When connected without adequate controls, they can become entry points for threats that move quickly from digital compromise to real-world disruption.
Insights from Inside the OT Environment
External exposure is only part of the challenge. The same research revealed signs of significant exploit activity within OT environments themselves. Analysis of more than 50,000 OT firewalls showed that sectors like manufacturing, energy and retail face persistent threats inside the network perimeter, often due to poor segmentation and misconfigurations that allow adversaries to move laterally.
Mapped to the MITRE ATT&CK® for ICS framework, common tactics explored in our research include Initial Access, Lateral Movement and Privilege Escalation. Exploitation of remote services was particularly prevalent, accounting for a large portion of observed incidents. Privilege escalation was also a frequent factor, seen in over 12 percent of the top 100 exploits, allowing attackers to access systems and functions that should remain protected.
Notably, over 60 percent of exploit attempts were tied to known vulnerabilities dating back six to ten years. These legacy gaps remain common in OT environments, where patching can be complex and operational disruption is a constant concern.
At the same time, threats are becoming more difficult to identify. Nearly 80 percent of the malware detected across the analyzed networks could not be classified into known categories. This rise in unknown and evolving threats underscores the need for greater visibility and adaptive defenses.
Strengthening Security Through Visibility and Control
While the risks are clear, the path forward does not require overhauling entire systems or pausing progress. The joint research conducted by Palo Alto Networks and Siemens highlights several practical approaches organizations can consider as they look to strengthen their OT security posture. These insights reflect what we see in the field, where progress often starts with visibility and builds toward layered, scalable protections that support security and operational continuity.
Start with visibility.
In our joint research with Siemens, we have found that meaningful progress starts with visibility. At Palo Alto Networks, our approach begins by helping organizations map their operational environments. That means understanding which devices are connected, which are exposed, and how traffic flows across the network. This foundational step makes it possible to identify potential vulnerabilities before attackers do.
Strengthen network boundaries.
Separating OT networks from IT and internet-facing systems, segmenting environments into automation zones, and deploying purpose-built remote access controls are all proven ways to contain risk. This includes implementing demilitarized zones (DMZs), which are controlled interfaces for secure communication between OT and enterprise environments. DMZs enable essential services like remote access and data exchange while keeping core automation systems isolated and protected.
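The zone-and-conduit model described above can be checked mechanically. The following is an added illustration, not code from the report or either vendor: it models the trust levels internet, enterprise, DMZ, supervisory and automation cell, declares the conduits a DMZ design permits, and audits a constructed firewall ruleset for rules that bypass the DMZ or expose OT zones directly (the zone names, rule fields and sample rules are assumptions for this example).

```python
"""Zone/conduit audit for OT firewall rules (constructed example, not vendor code)."""
from dataclasses import dataclass

# Trust levels, most exposed first. Zone names are assumptions for this example.
LEVELS = {"internet": 0, "enterprise": 1, "dmz": 2, "supervisory": 3, "cell": 4}

# Conduits a DMZ design permits: traffic crosses one level at a time, and the
# internet and enterprise never talk to OT zones without passing the DMZ.
ALLOWED = {
    ("enterprise", "dmz"), ("dmz", "enterprise"),
    ("dmz", "supervisory"), ("supervisory", "dmz"),
    ("supervisory", "cell"), ("cell", "supervisory"),
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str  # e.g. "tcp/443" or "any"
    action: str   # "allow" or "deny"

def check_rule(rule):
    """Return findings for one rule; an empty list means it respects the model."""
    if rule.action != "allow":
        return []
    if rule.src not in LEVELS or rule.dst not in LEVELS:
        return [f"{rule.name}: unknown zone in {rule.src}->{rule.dst}"]
    if rule.src == rule.dst:
        return []  # intra-zone traffic is outside conduit policy
    findings = []
    if (rule.src, rule.dst) not in ALLOWED:
        findings.append(f"{rule.name}: {rule.src}->{rule.dst} is not a permitted conduit")
    if rule.src in ("internet", "enterprise") and LEVELS[rule.dst] >= LEVELS["supervisory"]:
        findings.append(f"{rule.name}: bypasses the DMZ and exposes {rule.dst} to {rule.src}")
    if rule.service == "any":
        findings.append(f"{rule.name}: service 'any' on a cross-zone rule")
    return findings

def audit(rules):
    """Run check_rule over a whole ruleset and flatten the findings."""
    return [f for r in rules for f in check_rule(r)]

# Constructed sample ruleset: one exposed OT application server, one flat IT/OT rule.
SAMPLE_RULES = [
    Rule("hist-to-dmz", "supervisory", "dmz", "tcp/443", "allow"),
    Rule("ent-to-dmz", "enterprise", "dmz", "tcp/443", "allow"),
    Rule("vendor-remote", "internet", "supervisory", "tcp/3389", "allow"),
    Rule("ent-to-cell", "enterprise", "cell", "any", "allow"),
    Rule("deny-rest", "internet", "cell", "any", "deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Running the block prints five findings: two for the internet-facing OT server and three for the flat enterprise-to-cell rule.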
Secure the edge.
Our partnership with Siemens supports these goals through integrated technology solutions built for mission-critical and harsh industrial environments. By combining Palo Alto Networks VM-Series virtual firewalls with Siemens Ruggedcom Multi-Service Platforms, we help organizations enforce consistent security policies across IT, OT and ICS layers. These platforms can be deployed at the edge to provide robust perimeter protection, enable secure remote access and block lateral threat movement without compromising operational performance.
Extend beyond the network.
Technical controls are only part of a resilient OT security strategy. True risk reduction also depends on how organizations manage identity, monitor activity, maintain system integrity, and secure the physical environment.
Manage identity and trust.
One key recommendation is to decouple OT domain controllers from enterprise Active Directory. This eliminates unnecessary pathways attackers can exploit and helps isolate critical systems from broader network exposure.
Monitor proactively.
OT environments require continuous visibility, not only to detect threats in real time but also to understand where defensive investments are most needed. We help organizations implement threat detection that fits industrial operations without creating noise or operational overhead.
Prioritize patching.
Operational maturity also depends on addressing long-standing issues. Patch management in OT systems is difficult, but it can be made manageable with the right prioritization and process. We work with organizations to focus patching efforts where they matter most, reducing the most exploitable risks first. These efforts support the broader objective of improving system integrity as outlined in the Siemens framework.
Secure the physical environment.
Plant security includes physical access protection, operational processes and clear governance. These often overlooked controls are essential to a comprehensive OT security strategy, especially in distributed or remote sites.
Building Resilience with a Proven Framework
Strengthening security posture in OT environments is not about reacting to the latest threat. It is about building resilience over time, with the right controls in place, the right insights available and the right team guiding the process. The Siemens Foundation of Industrial Security Concept provides a clear and actionable structure for doing exactly that.
Grounded in IEC 62443, it brings together physical safeguards, technical controls and organizational practices across three domains: plant security, network security and system integrity.
The Palo Alto Networks and Siemens OT Security Insights Report reflects more than shared research. It represents the combined experience of two technology leaders working together to protect industrial environments. Through interoperable solutions deployed at the edge, which combine firewall intelligence with ruggedized infrastructure, we help organizations stay ahead of threats, strengthen resilience, and protect what matters most.
Putting OT Security Insights into Practice
Building on these insights, Palo Alto Networks has introduced OT security capabilities that help organizations address some of the toughest challenges highlighted in this research. This includes Industrial OT Security, a unified solution for asset discovery and risk management that combines passive and active detection methods with next-generation firewalls to deliver comprehensive visibility without the need for additional hardware. The resulting visibility helps organizations identify vulnerabilities, prioritize risk, and drive segmentation strategies that align with operational requirements.
These capabilities are part of a broader platform approach designed to protect OT environments without disrupting operations. Our Guided Virtual Patching solution is the industry's only fully integrated, risk-based approach for OT environments. It uses machine learning, deep learning and generative AI to protect unpatched legacy assets at scale.
In parallel, Privileged Remote Access delivered through Prisma Access Browser extends zero trust network access into OT environments. These OT-specific workflow capabilities provide secure, seamless access to IT, OT and cloud applications for distributed workforces, supporting compliance through features like just-in-time access, audit trails and browser-based session management.
Together, these innovations provide real-time threat prevention, access control and visibility into the environments where uptime, safety and continuity matter most.
See Industrial OT Security in Action
The challenges facing OT environments are complex, but the right tools make all the difference. Start your free trial of Industrial OT Security to see how Palo Alto Networks can help you gain visibility, reduce risk, and protect critical operations without disruption.