As critical infrastructure continues to digitalize, industrial organizations are facing a growing and often underestimated risk: the direct exposure of OT assets to the public internet. While connectivity enables operational efficiency, remote services and data-driven decision-making, it also introduces new pathways for cyber threats—particularly when exposure is unintended, undocumented or unmanaged.
Bitsight’s latest research shows a sharp rise in the number of internet-accessible OT and ICS devices with known vulnerabilities, reaching well over 180,000 unique IP addresses exposed globally each month, with the trend continuing to accelerate. This level of exposure significantly expands the attack surface of critical infrastructure and increases the likelihood of compromise before defenders are even aware of the risk.
Why OT internet exposure happens
In most cases, exposed OT assets are not the result of negligent behavior, but rather of system complexity. Industrial environments have evolved over decades, combining legacy systems with modern technologies, multiple vendors and layered responsibilities.
Common causes of exposure include:
- Temporary internet connectivity introduced during system commissioning or troubleshooting that becomes permanent.
- Remote access solutions deployed without proper segmentation or monitoring.
- Aging systems updated to support new use cases, without reassessing cyber risk.
- Inconsistent alignment between IT, OT, integrators and telecom providers.
These lapses often remain undetected, especially in environments with limited asset visibility. According to a recent Forrester report, close to two-thirds of OT organizations report that they lack full visibility into all connected OT assets, while more than 60% express concern about their ability to even detect compromised systems.
Exposure is a value-chain problem
Internet-facing OT devices rarely exist in isolation. They sit within a complex ecosystem of stakeholders, each influencing the cybersecurity posture of the deployed system. Reducing exposure therefore cannot be addressed by asset owners alone.
A sustainable solution requires clearly defined roles across the value chain:
- Technology providers must embed security into products, manage vulnerabilities proactively and provide clear secure deployment guidance.
- System integrators play a critical role in translating security intent into secure architecture, configurations and handover documentation.
- Telecommunication providers influence exposure through connectivity design, routing and network controls.
- Asset owners and operators are responsible for operating, monitoring and maintaining systems securely over time.
- National authorities and industry bodies help define expectations, promote information sharing and align regulatory incentives.
When roles are unclear or assumptions are made across boundaries, exposure persists.

A step-by-step collaborative approach
Addressing OT internet exposure requires a systematic, repeatable and collaborative process, integrated into normal operations rather than treated as a one-off exercise.
Key steps include:
- Discovery and visibility: Identify internet-exposed OT assets using a combination of internal inventories, network monitoring and external detection methods. Visibility must extend beyond corporate boundaries to account for upstream and downstream dependencies.
- Risk contextualization: Not all exposure represents equal risk. Vulnerability severity, asset criticality, access paths and operational impact must be assessed together to prioritize action.
- Coordinated remediation: Remediation often involves multiple parties, such as technology providers, national agencies and system integrators, working collaboratively to ensure timely detection of the exposed OT asset and identification of the asset owner at risk.
- Validation and monitoring: Exposure reduction must be verified and continuously monitored, as environments evolve and connectivity changes over time.
Across real-world experiences, organizations that succeed treat exposure management as a shared operational discipline, not a technical firefighting exercise.
Reducing future risk across the lifecycle
Beyond remediation, long-term risk reduction depends on embedding controls throughout the OT and ICS lifecycle:
- Secure configurations by default.
- Network segmentation and access management aligned with least privilege.
- Continuous monitoring and anomaly detection tailored to OT.
- Clear change management processes for connectivity.
- Regular validation that intended architectures still reflect operational reality.
Nearly three-quarters of OT leaders acknowledge that current practices leave their environment vulnerable. Addressing this gap requires moving beyond awareness toward consistent execution.
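The discovery, risk contextualization and validation steps above, together with the change-management control, can be made concrete in a short script. This is an added example, not code from the original article or from any vendor's tooling: it joins a constructed internal inventory with constructed external scan findings, ranks the exposures, and re-checks remediated addresses. The field names, the multiplicative scoring model and the access-path weights are assumptions.

```python
# Added example; every asset, address, score and weight here is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:                 # internal inventory record
    ip: str
    criticality: int         # 1..5, 5 = safety- or process-critical
    impact: int              # 1..5, operational impact if compromised
    approved: bool           # exposure is backed by a connectivity change record

@dataclass(frozen=True)
class Finding:               # internet-facing service seen by an external scan
    ip: str
    service: str
    max_cvss: float          # highest CVSS among known vulnerabilities, 0 if none
    path: str                # "direct" or "gateway" (authenticated remote access)

INVENTORY = [Asset("192.0.2.10", 5, 5, False),   # pump PLC
             Asset("192.0.2.20", 2, 1, False),   # lab HMI
             Asset("192.0.2.30", 3, 3, True)]    # historian gateway
SCAN = [Finding("192.0.2.10", "modbus-tcp", 9.8, "direct"),
        Finding("192.0.2.20", "vnc", 7.5, "direct"),
        Finding("192.0.2.30", "https", 5.3, "gateway"),
        Finding("198.51.100.7", "modbus-tcp", 0.0, "direct")]  # not in inventory
PATH_WEIGHT = {"direct": 1.0, "gateway": 0.5}   # assumed weighting

def risk_score(asset, finding):
    """Severity x criticality x impact x access path, scaled to 0..100.
    An uninventoried asset has no context, so the worst case is assumed."""
    crit, impact = (asset.criticality, asset.impact) if asset else (5, 5)
    severity = max(finding.max_cvss, 1.0) / 10   # exposure alone is never zero
    return round(100 * severity * crit / 5 * impact / 5 * PATH_WEIGHT[finding.path], 1)

def prioritize(inventory, scan):
    """Join external findings to the inventory and rank them for remediation."""
    by_ip = {a.ip: a for a in inventory}
    rows = []
    for f in scan:
        asset = by_ip.get(f.ip)
        status = ("UNINVENTORIED" if asset is None else       # visibility gap
                  "APPROVED" if asset.approved else "UNAPPROVED_EXPOSURE")
        rows.append((risk_score(asset, f), f.ip, f.service, status))
    return sorted(rows, reverse=True)

def still_exposed(remediated_ips, rescan):
    """Validation step: remediated addresses that a later scan still sees."""
    return sorted(set(remediated_ips) & {f.ip for f in rescan})

if __name__ == "__main__":
    print(*prioritize(INVENTORY, SCAN), sep="\n")
```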
The need for an industry-wide initiative
Reducing OT internet exposure at scale will ultimately require an industry-wide, programmatic approach. No single organization, technology or regulation can solve the problem alone.
By aligning responsibilities across the value chain and adopting collaborative, operational practices, the industrial community can significantly reduce unnecessary exposure and strengthen the resilience of critical infrastructure.
Cyber resilience in the OT world is achieved not through intention, but through collective action executed consistently over time.
