Metal Working Insider

Open-Source Tools Expand OT Attack Surface; Regulators Push SBOM Mandates

Open-source tools drive most OT attacks on manufacturers. New CISA SBOM rules, EU CRA mandates, and managed detection services reshape industrial cybersecurity in 2025.

Freely available open-source utilities have become a primary vector in attacks against manufacturing operational technology (OT) networks, according to industrial cybersecurity firm Claroty, prompting a coordinated regulatory push for software transparency and driving plant operators toward managed-detection services.

Background

Claroty reviewed open-source intelligence covering more than 200 attacks tied to over 20 threat actors during 2025, each resulting in the successful compromise of a cyber-physical system environment across 20 critical sectors [1: 2025 OT/ICS & IoT Cybersecurity Threat Landscape Report, Shieldworkz]. The findings underscore a persistent vulnerability pattern: attackers targeting OT environments rely on unsophisticated methods and readily available tools [2: OT Cybersecurity Threats 2025: Top 10 Risks for Industry].

The threat extends beyond individual intrusions. In 2025, supply chain attacks nearly doubled, from 154 incidents in 2024 to 297, as threat actors increasingly compromised smaller vendors, managed service providers, or SaaS platforms to gain indirect access to larger industrial targets. The U.S. emerged as the top global target, accounting for 21% of incidents. Manufacturing was identified as the most attacked industry for the fourth consecutive year; ransomware comprised nearly half of manufacturing breaches, with median costs reaching $500,000.

Legacy infrastructure compounded the exposure. Legacy OT systems remain deeply embedded across industrial environments, with many PLCs, SCADA systems, and industrial IoT devices never designed for modern security controls. In Europe, 80% of manufacturers continue to operate critical OT systems with known vulnerabilities.

Details

The tools enabling these breaches are, in many cases, drawn directly from open-source repositories. Nearly all of the tools attackers used are freely available, sometimes from open-source projects, including VNC clients such as UltraVNC and TightVNC, the penetration testing framework Metasploit, and modbus-cli, designed for use with Modbus, one of the most widely used protocols in OT environments. In 82% of the 2025 verified incidents studied by Claroty, attackers gained access through VNC; two-thirds of the incidents led to compromised HMI or SCADA systems [3: Omdia Universe: Operational Technology Cybersecurity Services, 2025–26, Omdia].

The software supply chain itself has become an expanded threat surface. According to Kaspersky researchers, approximately 14,000 malicious packages were discovered in popular registries by the end of 2024, a 48% year-over-year increase. Sonatype reported an even sharper surge throughout 2025, detecting over 450,000 malicious packages. Reports from Lineaje indicate that 82% of open-source components are considered risky due to poor maintenance, outdated code, or security flaws, with many projects maintained by small teams or individual volunteers with limited resources.

Regulatory bodies responded with new transparency frameworks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released draft guidance titled "2025 Minimum Elements for a Software Bill of Materials (SBOM)" for public comment, updating earlier guidance to reflect advances in SBOM tooling and growing adoption maturity while incorporating lessons learned. The draft establishes an updated baseline for how software component information should be documented and shared, with additions including component hash, license, tool name, and generation context. In Europe, the EU Cyber Resilience Act legally requires SBOMs for digital products, while NIS2 mandates supply chain security.
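To make the "minimum elements" idea concrete, here is an added Python example (not from the article, CISA, or any SBOM standard) that checks a simplified SBOM record for the elements the draft guidance adds: component hash, license, tool name and generation context. It also recomputes the SHA-256 of the shipped artifact and compares it with the hash recorded in the SBOM, which is the check a plant operator would want before trusting an inventory. The JSON field names, the sample SBOM and the artifact bytes are all constructed assumptions for this illustration.

```python
import hashlib
import json

# Constructed example: these field names are assumptions made for this
# illustration, not the field names of the CISA draft or of any SBOM standard.
REQUIRED_COMPONENT_FIELDS = ("name", "version", "supplier", "hash", "license")
REQUIRED_METADATA_FIELDS = ("tool_name", "generation_context", "timestamp")

# Constructed stand-ins for the files a vendor actually ships.
ARTIFACTS = {
    "hmi-runtime": b"constructed hmi runtime bytes v3.2.1",
    "modbus-stack": b"constructed modbus stack bytes v1.9.0",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample SBOM. The second component is deliberately incomplete
# (no license) and carries a stale hash so the checker has something to find.
SAMPLE_SBOM = {
    "metadata": {
        "tool_name": "example-sbom-tool",
        "generation_context": "build",
        "timestamp": "2025-06-01T00:00:00Z",
    },
    "components": [
        {
            "name": "hmi-runtime",
            "version": "3.2.1",
            "supplier": "Example Vendor",
            "hash": "sha256:" + sha256_hex(ARTIFACTS["hmi-runtime"]),
            "license": "Proprietary",
        },
        {
            "name": "modbus-stack",
            "version": "1.9.0",
            "supplier": "Example OSS Project",
            "hash": "sha256:" + "0" * 64,
        },
    ],
}


def check_sbom(sbom: dict, artifacts: dict) -> list:
    """Return a list of findings; an empty list means the SBOM passes."""
    findings = []

    meta = sbom.get("metadata", {})
    for field in REQUIRED_METADATA_FIELDS:
        if not meta.get(field):
            findings.append(f"metadata missing '{field}'")

    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):
                findings.append(f"{name}: missing '{field}'")

        # Verify the recorded hash against the artifact we actually have.
        recorded = comp.get("hash", "")
        if name not in artifacts:
            findings.append(f"{name}: no artifact available to verify hash")
        elif recorded.startswith("sha256:"):
            if recorded[len("sha256:"):] != sha256_hex(artifacts[name]):
                findings.append(f"{name}: hash does not match shipped artifact")
        else:
            findings.append(f"{name}: hash is not a sha256 value")
    return findings


def check_sbom_json(text: str, artifacts: dict) -> list:
    """Same check, starting from the JSON text an SBOM tool would emit."""
    return check_sbom(json.loads(text), artifacts)


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, ARTIFACTS):
        print("FINDING:", finding)
```

Running the script prints two findings for the constructed SBOM: the modbus-stack entry lacks a license, and its recorded hash does not match the artifact. A real deployment would load the vendor's SBOM with `check_sbom_json` and compute hashes over the delivered firmware or package files rather than over embedded bytes.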

Research from OPSWAT and the SANS Institute found that ICS/OT cybersecurity budgets lag even as attacks surge, a shortfall made particularly alarming by the fact that over 50% of organizations have reported experiencing at least one security incident within their ICS/OT environments. Many manufacturers lack the internal resources, expertise, and capacity for continuous threat monitoring. Purpose-built managed detection and response (MDR) services for OT environments have emerged to deliver around-the-clock monitoring, threat detection, and incident response tailored to industrial systems.

Claroty's analysts recommend that plant operators take immediate inventory steps. Defenders should block internet-connected devices from being enumerated by IoT search tools, fix or triage devices with weak or known credentials, and migrate away from or better lock down insecure protocols such as VNC. The SANS Institute's 2025 survey found that top investment areas among industrial organizations over the past year were asset inventory and visibility (50%), secure remote access with MFA (45%), and increased segmentation (32%).
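The two findings above, that VNC was the entry point in most verified incidents and that Modbus tooling is freely available, both point at the same detection question: which hosts are opening VNC or Modbus/TCP sessions to the OT network, and are they the ones that should? The following Python script is an added example (not Claroty's tooling or the article's) that runs that check over a few constructed flow records. The subnet assignments, port ranges and log lines are assumptions built for this illustration; a real deployment would feed it firewall or NetFlow exports and maintain the engineering-network allow list from the asset inventory the survey respondents are investing in.

```python
import ipaddress
from collections import Counter

# Constructed policy for this example: an engineering/jump-host subnet that is
# allowed to reach OT assets, and the OT subnet holding PLCs, HMIs and SCADA.
ENGINEERING_NET = ipaddress.ip_network("10.10.20.0/24")
OT_NET = ipaddress.ip_network("10.10.50.0/24")
VNC_PORTS = range(5900, 5910)   # VNC display ports :0 through :9
MODBUS_PORT = 502               # Modbus/TCP

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = """\
2025-06-01T08:00:01Z 10.10.20.15 10.10.50.7 5900 tcp
2025-06-01T08:00:05Z 198.51.100.23 10.10.50.7 5900 tcp
2025-06-01T08:00:09Z 10.10.20.15 10.10.50.12 502 tcp
2025-06-01T08:00:14Z 10.10.50.30 10.10.50.12 502 tcp
2025-06-01T08:00:20Z 203.0.113.9 10.10.50.12 502 tcp
2025-06-01T08:00:31Z 10.10.20.15 10.10.50.7 443 tcp
"""


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto,
    }


def classify(flow: dict):
    """Return an alert label for a flow, or None when it is within policy."""
    if flow["dst"] not in OT_NET:
        return None
    src = flow["src"]
    if flow["port"] in VNC_PORTS:
        # Only the engineering subnet may open VNC sessions into OT.
        if src not in ENGINEERING_NET:
            return "vnc_from_unapproved_source"
    elif flow["port"] == MODBUS_PORT:
        # Modbus/TCP may come from engineering hosts or from OT peers
        # (e.g. a SCADA server polling a PLC), never from elsewhere.
        if src not in ENGINEERING_NET and src not in OT_NET:
            return "modbus_from_unapproved_source"
    return None


def scan(flow_text: str) -> list:
    """Return (timestamp, src, dst, port, label) for every flow that alerts."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            alerts.append((flow["ts"], str(flow["src"]), str(flow["dst"]), flow["port"], label))
    return alerts


def offenders(alerts: list) -> Counter:
    """Count alerts per source address so the noisiest host surfaces first."""
    return Counter(alert[1] for alert in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_FLOWS)
    for alert in found:
        print("ALERT:", *alert)
    print("per-source:", dict(offenders(found)))
```

On the constructed records the engineering host's VNC and Modbus sessions and the OT-internal Modbus poll pass, while the VNC session from 198.51.100.23 and the Modbus connection from 203.0.113.9 are flagged. The same allow-list structure is what "better lock down" VNC means in practice: the detection rule and the firewall rule share one definition of which subnet is permitted to reach the HMIs.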

Outlook

European regulatory momentum continues to accelerate. The EU Cyber Resilience Act mandates SBOMs for market access, and Germany's BSI TR-03183-2 guideline provides detailed technical requirements aimed at ensuring software transparency and supply chain security. Over the next 12-24 months, prepared organizations plan to invest heavily in asset visibility (66%) and threat detection (55%), while adding configuration management (55%) to their top three priorities. Manufacturers that fail to implement patch governance, network segmentation, and SBOM programs ahead of regulatory deadlines face both operational disruption risk and potential compliance liability under converging U.S. and EU frameworks.