Industrial organisations continue to face growing cyber threats from adversaries – ranging from sophisticated state-sponsored groups to hacktivists and financially motivated criminals. These actors are not just targeting data or demanding ransoms, they are affecting physical processes and critical services. A common risk across many of these incidents is one that is still underestimated: insufficient asset visibility.
Asset visibility is a foundational component of any operational technology (OT) security strategy. It provides the necessary awareness of what devices exist in your network, how they are configured, and how they communicate. Without it, risk assessments, threat detection, and even basic incident response are severely limited.
In Dragos’s experience working with industrial infrastructure – oil and gas, electric grids, water utilities, and manufacturing – we continue to find that a significant number of organisations have blind spots. Many assume they have systems that are fully air-gapped or have no internet-exposed assets. But once we begin monitoring, the reality proves very different.
Across the organisations we work with – from energy providers to water utilities – many believe they have no assets on the open internet. In truth, they do, and in many cases those assets have no authentication and carry weaknesses that have existed for decades. These environments are often built with operational continuity in mind, not security. This is what makes visibility so critical.
Why OT is particularly challenging
OT environments differ from IT in ways that make traditional security tools ineffective. Industrial control systems often run continuously, meaning downtime for scans or updates is not an option. Equipment comes from a wide range of manufacturers, many using proprietary protocols that are not supported in modern detection systems. Add to this a layer of legacy infrastructure and limited monitoring, and you have a situation where defenders are often operating in the dark.
Unlike in IT, where patch management and endpoint protection are standard, OT networks are often left out, which reduces visibility and leaves their security status uncertain. This creates ideal conditions for threat actors who are increasingly taking interest in these environments.
The threats are real and rising
We are no longer talking about hypothetical scenarios. State-sponsored threat groups increasingly target electric, oil, and gas sectors, while ransomware operators are focusing on manufacturing, where downtime translates directly into lost revenue.
More recently, there has also been a rise in ideologically motivated groups. Many of these actors are not deploying advanced tools, but they are still having impact. Some of the groups we track have caused outages simply by identifying and attacking Internet-exposed OT assets with well-known vulnerabilities.
One threat group we monitor, BAUXITE, successfully accessed Unitronics’ Programmable Logic Controllers and used them to deliver politically motivated messages on screen. The organisations targeted by BAUXITE, which has overlaps with CyberAv3ngers, were not necessarily high-profile or operating in conflict zones, but they did happen to use equipment from an Israeli vendor. That alone made them a target.
This shift is important. Adversaries are not always targeting organisations because of who they are, but because of what they use. This raises new questions for asset management and risk planning. If your organisation uses certain vendors or technologies, that could be enough to bring you into the crosshairs.
Why detection depends on visibility
Many organisations rely on perimeter defences or assume that air-gapping is sufficient. But attackers do not always need to breach firewalls or trick users into clicking links. If a vulnerable asset is visible on the open internet, they can connect to it directly.
This is why asset visibility is not just about compliance or inventory management, it is a vital security need. It allows defenders to baseline normal behaviour, identify anomalies, and detect the early stages of an attack. Without it, threats can reside undetected for extended periods. In some cases, we have seen threat actors implant malicious code directly onto industrial devices, waiting quietly for a trigger that might not arrive for weeks, months, or longer.
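The two points above – that an internet-exposed asset can simply be connected to, and that visibility lets defenders baseline normal behaviour and spot deviations – can be made concrete with a small passive-monitoring script. What follows is an added example written for this article, not Dragos's tooling or anything the author describes; it works over constructed, tab-separated flow records (timestamp, source, source port, destination, destination port, protocol, service), assumes the plant's internal address space is 10.10.0.0/16, and uses the well-known Modbus/TCP (502) and EtherNet/IP (44818) ports. It builds an asset inventory from what is observed on the wire, reports assets and conversations that were absent from an earlier baseline window, and flags any flow from outside the plant ranges to an ICS service port.

```python
"""Passive asset inventory and baseline drift over constructed flow records.

Added example, not Dragos's own tooling. Input is a simplified, constructed
tab-separated flow record with the fields:
ts, src_ip, src_port, dst_ip, dst_port, proto, service.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flows: an earlier "baseline" window and a later "current" window.
BASELINE_FLOWS = """\
1700000000\t10.10.1.5\t50123\t10.10.2.10\t502\ttcp\tmodbus
1700000001\t10.10.1.5\t50124\t10.10.2.11\t502\ttcp\tmodbus
1700000002\t10.10.1.6\t41000\t10.10.2.10\t44818\ttcp\tenip
1700000003\t10.10.1.5\t50125\t10.10.2.10\t502\ttcp\tmodbus
"""

CURRENT_FLOWS = """\
1700100000\t10.10.1.5\t50200\t10.10.2.10\t502\ttcp\tmodbus
1700100001\t10.10.1.6\t41010\t10.10.2.10\t44818\ttcp\tenip
1700100002\t10.10.1.9\t39000\t10.10.2.10\t502\ttcp\tmodbus
1700100003\t203.0.113.7\t55555\t10.10.2.11\t502\ttcp\tmodbus
"""

# Assumed address space of the plant network (an assumption for this example);
# anything outside it is treated as external. Listed explicitly rather than via
# ipaddress.is_private, because documentation ranges such as 203.0.113.0/24
# would otherwise be misclassified as internal.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Well-known ICS service ports: Modbus/TCP and EtherNet/IP.
ICS_PORTS = {502: "modbus", 44818: "enip"}


def parse_flows(text):
    """Parse tab-separated flow lines into dicts; skips blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, service = line.split("\t")
        records.append({"ts": int(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto,
                        "service": service})
    return records


def build_inventory(records):
    """Map each observed IP to the services it serves and the peers it connects to."""
    inventory = defaultdict(lambda: {"serves": set(), "connects_to": set()})
    for r in records:
        inventory[r["dst"]]["serves"].add((r["dport"], r["service"]))
        inventory[r["src"]]["connects_to"].add((r["dst"], r["dport"], r["service"]))
    return dict(inventory)


def conversations(records):
    """Set of (src, dst, dport, service) tuples: who talks to whom over what."""
    return {(r["src"], r["dst"], r["dport"], r["service"]) for r in records}


def baseline_drift(baseline_records, current_records):
    """Assets and conversations present now that were absent from the baseline."""
    new_assets = set(build_inventory(current_records)) - set(build_inventory(baseline_records))
    new_conversations = conversations(current_records) - conversations(baseline_records)
    return sorted(new_assets), sorted(new_conversations)


def is_internal(ip):
    """True if the address falls inside one of the assumed plant ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_ics_access(records):
    """Flows where an address outside the plant ranges reaches an ICS service port."""
    return sorted((r["src"], r["dst"], r["dport"], ICS_PORTS[r["dport"]])
                  for r in records
                  if r["dport"] in ICS_PORTS and not is_internal(r["src"]))


if __name__ == "__main__":
    base = parse_flows(BASELINE_FLOWS)
    cur = parse_flows(CURRENT_FLOWS)
    assets, convs = baseline_drift(base, cur)
    print("new assets:", assets)
    print("new conversations:", convs)
    print("external ICS access:", external_ics_access(cur))
```

Run against the constructed windows, the script reports two previously unseen assets (a new internal host 10.10.1.9 polling a Modbus device, and an external address 203.0.113.7 reaching a second device) and singles out the external-to-Modbus flow as a direct exposure. Nothing here needs active probing of the controllers; everything is derived from traffic that a span port or tap already carries, which is the "safe, passive monitoring" the article argues for.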
You cannot defend what you cannot see. And in OT environments, where defenders often have less visibility than attackers, that becomes a serious risk.
Supply chain visibility is equally vital
Even if you have good visibility internally, your organisation may still be at risk through the supply chain. The operational ecosystems that support critical national infrastructure (CNI) include managed service providers, cloud platforms, and equipment suppliers. Any of these can become points of compromise.
For example, during my time at Microsoft, we recognised that just two major CSPs [communication service providers] provided services to around 80% of Azure customers. That level of concentration introduces systemic risk, so we attempted to address it. Any organisation that does not take sufficient preventative measures or respond justly to a compromise risks not only their networks, but those of their partners, customers and customers of their customers. As a consumer in a supply chain, there is also responsibility bestowed upon your organisation to monitor your suppliers and demand transparency from them, or otherwise you could be open to this type of risk.
This is where legislation such as the UK’s Cyber Security and Resilience Bill becomes important. But for regulations to be effective, they need to be paired with support. Smaller organisations and those further down the supply chain often lack the resources to interpret and implement complex security controls. Visibility tools, frameworks, and guidance must be made accessible if we are to improve resilience across the board.
Getting ahead of the threat
Too often, industrial organisations don’t adequately invest in OT visibility and threat detection until after an incident has occurred. Whether it is a plant shutdown, a loss of revenue, or worse, these events become the trigger for action. But by then, the damage is already done.
This reactive posture must change. There are now tools and techniques available that allow for safe, passive monitoring of OT networks. Defenders need every advantage they can get. Asset visibility may not be the most glamorous aspect of cybersecurity, but it is one of the most essential.
Looking ahead, industrial organisations must recognise that protecting critical operations begins with understanding them. From knowing what is connected, to how it communicates, to who might want to exploit it, visibility underpins every other layer of defence. Without it, we are fighting blind.
Magpie Graham is the technical director of threat intelligence at Dragos.