Industrial Sector Overconfident on Cybersecurity
A new global report finds industrial organizations are overestimating their security for remote access systems. The study, "The State of Industrial Remote Access 2026," reveals significant visibility gaps and rising vendor risk, suggesting a false sense of security could expose critical infrastructure.
The "State of Industrial Remote Access 2026" report, which surveyed 400 senior leaders, highlights a significant "confidence-to-evidence gap." While most organizations believe their visibility and compliance are good, full auditability of vendor sessions is rare, suggesting confidence often outpaces actual control. This issue is compounded by fragmented access paths using a mix of VPNs, OEM tools, and other solutions.
Vendor access is identified as the primary risk multiplier; organizations managing 21–100 external vendors face the highest levels of exposure. The report indicates that a combination of partial vendor session visibility and infrequent credential reviews creates concentrated areas of risk. This aligns with broader trends, as 12% of Operational Technology (OT) devices are expected to have known exploitable vulnerabilities.
The financial consequences of a breach in this sector are severe. Nearly one in four industrial organizations estimates that a single cyberattack could lead to damages exceeding $5 million over a two-year period. These costs include not just ransom payments but also lost revenue (19.4%), unplanned downtime (16.9%), and equipment repair (16.8%).
Recent incidents underscore the vulnerability of industrial control systems (ICS). Between November 2023 and April 2024, cyber actors affiliated with Iran and Russia successfully manipulated ICS in U.S. water and wastewater systems. These attacks often exploit basic security weaknesses like outdated software and the use of default credentials.
The number of published vulnerabilities in industrial control systems is also on the rise, with 2,155 CVEs across 508 advisories in 2025 alone. This is a dramatic increase from the 103 CVEs reported in 2011. The average severity score of these vulnerabilities has also climbed, exceeding 8.0 (out of 10) in both 2024 and 2025.
In response to these growing threats, regulatory frameworks are becoming more stringent. The European Union's NIS2 Directive, for instance, expands cybersecurity obligations to more sectors and holds senior leadership directly accountable for infringements. This directive mandates stronger risk management and stricter incident reporting for essential services like energy, transport, and manufacturing.
The global industrial cybersecurity market reflects this urgency, with its value projected to grow from $26.70 billion in 2025 to approximately $61.18 billion by 2035. This growth is driven by increased investment in security to protect interconnected IT and OT infrastructures from escalating cyber threats.