SecureWorld News

Honeywell Report OT Under Siege

Written by Cam Sivesind | Fri | Jun 6, 2025 | 1:09 PM Z

The Honeywell 2025 Cyber Threat Report delivers a sobering snapshot of today's industrial cybersecurity landscape: cyberattacks targeting operational technology (OT) environments are no longer rare or speculative—they're persistent, highly targeted, and increasingly sophisticated. This year's report is a must-read for practitioners defending OT-heavy sectors like manufacturing, energy, logistics, and critical infrastructure.

Here are the key takeaways for defenders on the front lines.

Trend: high severity attacks are on the rise

Honeywell observed that 40% of analyzed threats were high or critical in severity—up from 32% the previous year. This indicates a marked increase in intentional, high-impact targeting of industrial control systems (ICS) and OT networks.

"The growing sophistication of malware and attacker objectives means OT-focused organizations must rethink how they segment, detect, and respond to threats," the report states.

Top threats: malware and remote access tools

The report highlights the alarming frequency of malware capable of disrupting OT systems. Key observations:

  • 24% of observed malware enabled remote access or control, facilitating lateral movement from IT to OT.

  • 19% enabled data exfiltration, indicating espionage or extortion intent.

  • USB-borne threats are resurging: 13% of threats were introduced via removable media—still a glaring vulnerability in many industrial settings.

USB and removable media: the forgotten threat vector

Honeywell continues to track high-risk threats delivered via USB devices. These threats often bypass traditional perimeter defenses due to:

  • Legacy systems with poor EDR/AV coverage

  • Air-gapped environments with outdated patching

  • Insider mishandling or social engineering

The report stresses implementing secure media transfer protocols and advanced scanning stations as part of basic hygiene for critical environments.

Threats are increasingly cross-domain

One of the most important practitioner insights is that malware doesn't respect IT/OT boundaries. OT defenders must plan for:

  • Hybrid threats (e.g., IT ransomware that laterally moves into OT)

  • Shared credentials and access paths between domains

  • The need for integrated IT/OT incident response plans

What practitioners should do now

Honeywell provides actionable recommendations, including:

  • Enforce strict segmentation between IT and OT networks

  • Enhance USB/media policies with control systems-grade security

  • Deploy OT-aware detection technologies to catch lateral movement early

  • Regularly test backup and recovery procedures with OT-specific constraints in mind

  • Train OT and ICS engineers in basic cybersecurity hygiene and response coordination

OT security requires OT-centric tools

The report emphasizes that traditional enterprise tools aren't enough. OT teams need specialized threat detection and anomaly monitoring solutions that understand ICS protocols (e.g., Modbus, DNP3, OPC UA).

"Conventional IT defenses are blind to the nuance and priorities of OT environments—this visibility gap is where attackers thrive," Honeywell warns.
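To make the "OT-aware detection" point concrete, here is an added example (not code from Honeywell or the report) of the kind of protocol-level check an ICS-aware monitor performs and a generic IT sensor cannot: it parses the Modbus/TCP MBAP header, then flags write function codes arriving from hosts outside a hypothetical engineering-workstation allowlist, diagnostic or device-enumeration function codes, and malformed frames. The IP ranges, unit IDs, and sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Modbus function codes that change process state; an HMI or IT host should never send these.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Diagnostic / enumeration functions that are unusual in steady-state production traffic.
RECON_FUNCTIONS = {
    8: "Diagnostics",
    17: "Report Server ID",
    43: "Encapsulated Interface Transport (device identification)",
}

# Hypothetical allowlist: only these engineering workstations may write to PLCs.
WRITE_ALLOWLIST = [ip_network("10.10.5.0/24")]


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the PDU function code."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    # The MBAP length field counts unit id + PDU; it must match the bytes that follow.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match payload ({len(payload) - 6})")
    return ModbusRequest(tid, pid, length, uid, fc, payload[8:])


def inspect(src_ip: str, dst_ip: str, payload: bytes) -> list[str]:
    """Return a list of alert strings for one Modbus/TCP request; empty means benign."""
    alerts = []
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"MALFORMED {src_ip}->{dst_ip}: {exc}"]
    if req.protocol_id != 0:
        alerts.append(f"MALFORMED {src_ip}->{dst_ip}: non-Modbus protocol id {req.protocol_id}")
    src = ip_address(src_ip)
    if req.function_code in WRITE_FUNCTIONS and not any(src in net for net in WRITE_ALLOWLIST):
        alerts.append(
            f"UNAUTHORIZED_WRITE {src_ip}->{dst_ip} unit {req.unit_id}: "
            f"{WRITE_FUNCTIONS[req.function_code]} (fc {req.function_code})"
        )
    if req.function_code in RECON_FUNCTIONS:
        alerts.append(
            f"RECON {src_ip}->{dst_ip}: {RECON_FUNCTIONS[req.function_code]} (fc {req.function_code})"
        )
    return alerts


# Constructed sample frames (not captured from any real network): (src, dst, Modbus/TCP payload).
SAMPLE_TRAFFIC = [
    # Engineering workstation writes holding register 0x0010 := 0x0001: expected.
    ("10.10.5.20", "10.20.1.7", bytes.fromhex("0001 0000 0006 01 06 0010 0001")),
    # HMI reads 10 holding registers: expected.
    ("10.20.1.50", "10.20.1.7", bytes.fromhex("0002 0000 0006 01 03 0000 000A")),
    # Write Single Coil from a corporate IT subnet: lateral movement into OT.
    ("192.168.1.99", "10.20.1.7", bytes.fromhex("0003 0000 0006 01 05 0001 FF00")),
    # Read Device Identification from the same IT host: enumeration.
    ("192.168.1.99", "10.20.1.7", bytes.fromhex("0004 0000 0005 01 2B 0E 01 00")),
    # Truncated frame.
    ("10.20.1.50", "10.20.1.7", bytes.fromhex("0005 0000")),
]


def run_detection(traffic=SAMPLE_TRAFFIC) -> list[str]:
    """Run the inspector over a traffic sample and collect all alerts in order."""
    alerts = []
    for src, dst, payload in traffic:
        alerts.extend(inspect(src, dst, payload))
    return alerts


if __name__ == "__main__":
    for line in run_detection():
        print(line)
```

The two benign frames produce nothing; the IT-subnet write, the device-identification probe, and the truncated frame each raise one alert. A real deployment would learn the allowlist and the expected function-code mix per PLC from a baseline period rather than hard-coding it, and would apply the same idea to DNP3 and OPC UA.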

Al Lindseth, Principal, CI5O Advisory Services LLC, worked in the energy sector for more than 20 years and had this take on the report and its findings:

"It's important that companies don't just think of OT as another element of their cyber programs. Developing a balanced and effective program is really a matter of rapid catch-up and dramatic transformation. Until 7-8 years ago, BlackEnergy in Ukraine, the acceptable strategy was all prevention, to segment and isolate. No visibility, therefore no means to detect. If you can't detect, you can't respond and certainly can't predict or get ahead of threats. So in terms of defense in depth, companies were operating with 1/4 capabilities expected."

Lindseth continued, "After BlackEnergy, our government and industry challenged whether that could happen here, and people in the know said absolutely it could because of the lack of visibility into OT systems. OT was where IT had been decades earlier. That lit a fire to have a more balanced cyber program."

"What does it take to catch up? Money, attention, resources, change leadership, innovation... boards and leadership teams need to understand and appreciate this," he concluded.

Looking ahead: threats are evolving faster than defenses

As cyber-physical systems become more connected and digitized, the attack surface will continue to expand. With geopolitical tensions, ransomware-as-a-service, and nation-state threat actors increasingly targeting critical infrastructure, 2025 will likely set new records for OT-targeted attacks.

The Honeywell report doesn't just raise alarms—it offers a clear mandate for industrial security teams: tighten segmentation, modernize detection, eliminate USB blind spots, and plan for cross-domain threats.

For OT defenders, the message is clear: assume you're already in the crosshairs—and act accordingly.

To learn more about defending cyber-physical networks, attend the SecureWorld Critical Infrastructure virtual conference on August 28, 2025. Register for free here.