Palo Alto Networks, in partnership with Siemens and Idaho National Laboratory, has released a new research report examining how the industrial risk landscape is evolving. The work brings together Palo Alto Networks’ OT Security and network insights, predictive incident research informed by Idaho National Laboratory’s Cybersecurity for the Operational Technology Environment (CyOTE™) methodology, and Siemens’ operational experience supporting OT security programs and services across industrial environments.
Viewed together, these perspectives provide a data-driven view into how modern OT environments are changing. The research indicates that exposure is expanding rapidly, and in many cases adversary activity becomes visible well before operational impact occurs. Taken as a whole, the findings highlight a growing opportunity for OT security leaders to act earlier in the attack lifecycle and apply proactive risk mitigation before threats translate into operational disruption.
How the Industrial Perimeter Is Evolving
For many industrial organizations, the idea of a fixed perimeter has begun to blur. Research shows that facilities are increasingly shaped by remote access, third-party connectivity and data flows that move between OT and IT environments as part of day-to-day operations.
Engineers routinely access systems from outside the plant. Vendors connect to support maintenance and upgrades. Frontline teams increasingly rely on mobile and BYOD-enabled applications for work management, inspections and maintenance workflows. Process data is shared across enterprise systems to support analytics, optimization and resilience. Over time, these patterns have expanded the boundaries of what was once considered the industrial perimeter.
This research report illustrates how far this shift has progressed. In 2024, researchers observed a 332 percent increase in unique internet-exposed OT devices and services, with about 19.6 million unique OT-related systems visible on the public internet. Those devices and services were hosted across roughly 1.77 million IPv4 addresses. Rather than reflecting a short-term anomaly, these data point to a broader change in how industrial environments are being connected and operated.
What also stands out is the mix of systems and access paths that show up most often in public internet observations. Remote access and externally reachable services are a common thread across industrial environments, reflecting how maintenance and support workflows increasingly extend beyond plant boundaries. The dataset also shows strong representation from building management-related platforms, underscoring how systems at the intersection of facilities, IT and operations can become visible as environments modernize.
In practical terms, while levels of isolation vary across organizations, the assumption that industrial environments are broadly air-gapped is becoming harder to sustain. Exposure is increasingly a condition that security leaders must plan for, rather than an exception to be eliminated.
The Advantage of Recognizing Risk Early
Exposure is an important signal, but it is not the same as disruption. The research underscores why understanding that difference matters in industrial environments.
Analysis of historical OT incidents shows that many disruptions driven by adversaries unfold over time rather than occurring suddenly. Across the data analyzed, 82.8 percent of adversary activity takes place during an extended precursor phase, well before attempts are made to interfere with physical processes. On average, this analysis identified a 185-day gap between early adversary activity and OT impact.
At the same time, not all operational risk stems from adversaries. Misconfigurations, unintended connectivity, legacy access paths and routine operational changes can also introduce exposure or weaken defenses without malicious intent. These conditions often develop gradually and remain unnoticed until they intersect with other failures or external pressure.
What connects these risks is not intent, but visibility. Whether exposure arises from adversary behavior or operational drift, it often leaves observable signals as patterns emerge and indicators accumulate. In many environments, this creates an opportunity to identify and address risk before it escalates into disruption.
As digital transformation and IT and OT connectivity expand the OT attack surface, exposure becomes harder to eliminate and traditional air gap assumptions become harder to rely on. At the same time, many OT systems remain unmanaged and outside the reach of common endpoint controls like EDR. That is why visibility and exposure management matter. They create an advantage by helping leaders recognize risk earlier and take action before it escalates into disruption or affects safety and operational continuity.
Turning Early Signals into Informed Decisions
Early signals of risk are often present in modern industrial environments. The harder part is turning those signals into decisions that hold up under operational constraints.
OT environments are shaped by IT integration, remote access workflows, third-party connectivity and shared infrastructure. Risk can originate across these domains, and when insight is fragmented across teams or tools, response can slow and critical context can be lost.
One takeaway from this research that is hard to ignore is how often risk crosses boundaries. Early indicators might surface in IT, remote access or shared infrastructure, then progress toward systems that can affect operations. That is why full IT and OT attack path visibility is increasingly important for security operations, including OT SOCs. It helps teams see how signals relate to one another, rather than treating them as isolated events. The report reinforces the need for coordination across enterprise and industrial security functions, and our view is that this coordination becomes more durable when teams can operate from a unified picture of risk.
The research also reflects the realities observed across industrial organizations that operate and secure complex OT environments at scale. These environments demand a safety-first mindset, a strong focus on operational reliability and disciplined processes for detecting and responding to risk without disrupting operations. That perspective underscores the importance of OT-specific context and operating rigor within modern industrial security programs.
In practice, the findings suggest that early indicators can be correlated across environments, access can be adjusted based on identity and context, and response can occur before issues escalate into events that affect safety, availability or operational continuity.
Let’s Continue the Conversation at S4x26
Download the full report to explore the data and analysis behind these findings. If you’re attending S4x26 this week, we also invite you to continue the conversation in person.
The Palo Alto Networks team will be on-site throughout the event in the Prime Room, hosting OT security deep dives, practitioner conversations, and a customer panel grounded in real operational experience. Select sessions will build on this research through continued discussion.
View the Prime Room agenda here. We look forward to discussing how early visibility, operational insight and informed decision-making come together in practice.