67% of malicious OT activity targets perimeter devices — not PLCs. With 430,000+ exposed firewall interfaces and coordinated multi-vendor scanning campaigns, the OT perimeter is the real attack surface.
When people talk about OT security threats, they tend to jump to the dramatic stuff: ICS malware manipulating PLCs, protocol exploitation against Modbus devices, zero-day attacks on engineering workstations. Those threats are real. But the data paints a different picture of where OT compromises actually begin.
67% of malicious OT activity targets perimeter devices — routers and firewalls — not the PLCs and HMIs behind them, according to Forescout Vedere Labs research based on a network of OT honeypots including industrial routers and control devices. Attackers are not going after industrial controllers first. They are going after the network equipment that provides access to industrial controllers.
Over the past two years, critical vulnerabilities have been actively exploited in every major perimeter vendor: SonicWall, Fortinet, Ivanti, Palo Alto, Citrix, and Cisco. The attackers include ransomware operators who encrypt both IT and OT environments, nation-state groups who establish persistent access to critical infrastructure, and initial access brokers who sell that access to the highest bidder.
For most critical infrastructure organizations, the perimeter device is simultaneously the most exposed and least monitored thing in the architecture.
Every major OT compromise in recent years follows a remarkably consistent pattern: exploit an internet-facing perimeter device, harvest credentials, then walk from IT into OT. The specific CVE changes every few months. The pattern does not. The perimeter device sits at the intersection of internet accessibility and OT network access, and it keeps being the weakest link.
Since 2023, critical vulnerabilities have been actively exploited in every major perimeter vendor deployed at critical infrastructure sites:
| Vendor | CVE | CVSS | Description | Exploited By |
|---|---|---|---|---|
| SonicWall | CVE-2024-40766 | 9.3 | Improper access control in SonicOS SSLVPN | Akira, Fog |
| Fortinet | CVE-2024-47575 | 9.8 | Missing authentication in FortiManager fgfmd | UNC5820 |
| Ivanti | CVE-2024-21887 | 9.1 | Command injection in Connect Secure (chained with CVE-2023-46805) | UNC5221 |
| Ivanti | CVE-2025-22457 | 9.0 (vendor) / 9.8 (NVD) | Stack buffer overflow in Connect Secure | UNC5221 |
| Palo Alto | CVE-2024-3400 | 10.0 | OS command injection in PAN-OS GlobalProtect | UTA0218 |
| Citrix | CVE-2023-4966 | 9.4 | Session token leakage in NetScaler (Citrix Bleed) | LockBit 3.0 |
Sources: Arctic Wolf (SonicWall), Mandiant (Fortinet, Ivanti), Unit 42 (Palo Alto), CISA (Citrix). Full links in Further Reading. Note: VOLTZITE and SYLVANITE have been linked to Ivanti exploitation broadly by Dragos, though specific CVE attribution is not always confirmed.
Every score on that table is 9.0 or higher. Every one of them can be exploited without valid credentials, either directly or chained with an authentication bypass, and every one has been exploited against production infrastructure. And this is just the highlight reel: dozens of additional perimeter CVEs have been weaponized in the same timeframe.
The velocity is increasing. Dragos observed that threat groups like SYLVANITE weaponize edge device vulnerabilities within 48 hours of public disclosure.
SonicWall makes a good case study because it shows the perimeter problem at scale. Over 500,000 organizations use SonicWall products globally, per SonicWall, and the install base skews toward small and mid-sized critical infrastructure: regional utilities, water districts, manufacturing facilities, building management operations. Organizations that need a firewall but do not have the budget for Palo Alto or Fortinet enterprise deployments.
Bishop Fox conducted an internet-wide scan of SonicWall devices and found 430,363 unique SonicWall interfaces exposed to the public internet — login pages for management and SSLVPN services visible to anyone who scans for them. Of those:
These are live login portals accepting authentication attempts from the public internet, right now.
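What "visible to anyone who scans for them" means in practice is that these portals answer a handful of well-known URLs with recognisable content. The following is an added illustration of that classification step, not Bishop Fox's scanner or any vendor's code; the probe paths and marker strings are assumptions based on the products' commonly observed default portal URLs, and the HTTP responses are constructed to stand in for real scan output.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    vendor: str
    service: str
    path: str        # the portal path we requested
    markers: tuple   # lower-case substrings; any one in body or headers is a hit


# Assumed signatures: default portal paths and strings these products are commonly
# seen to expose. Not a vendor-published or exhaustive list; tune against real devices.
PROBES = (
    Probe("Palo Alto", "GlobalProtect portal", "/global-protect/login.esp", ("globalprotect",)),
    Probe("Fortinet", "FortiGate SSL-VPN", "/remote/login", ("fortinet", "sslvpn")),
    Probe("Ivanti", "Connect Secure", "/dana-na/auth/url_default/welcome.cgi",
          ("dana-na", "ivanti", "pulse secure")),
    Probe("Citrix", "NetScaler Gateway", "/vpn/index.html", ("citrix", "netscaler", "logonpoint")),
    Probe("SonicWall", "SonicOS SSLVPN / management", "/cgi-bin/welcome", ("sonicwall",)),
)


def classify(path, status, headers, body):
    """Match one HTTP response to a known perimeter-device portal.

    2xx and 3xx are both accepted: several of these portals answer the probe
    path with a redirect whose Location header is itself the fingerprint.
    A 4xx/5xx on the probe path proves nothing and is ignored.
    """
    if not 200 <= status < 400:
        return None
    haystack = (body + " " + " ".join(f"{k}: {v}" for k, v in headers.items())).lower()
    for probe in PROBES:
        if path == probe.path and any(m in haystack for m in probe.markers):
            return probe.vendor, probe.service
    return None


def exposure_summary(responses):
    """responses: iterable of (host, path, status, headers, body).
    Returns {vendor: number of distinct hosts exposing that vendor's portal}."""
    seen = set()
    counts = Counter()
    for host, path, status, headers, body in responses:
        hit = classify(path, status, headers, body)
        if hit and (host, hit[0]) not in seen:
            seen.add((host, hit[0]))
            counts[hit[0]] += 1
    return dict(counts)


# Constructed sample responses standing in for real scan output (RFC 5737 test addresses).
SAMPLE = [
    ("203.0.113.10", "/cgi-bin/welcome", 200, {"Server": "SonicWALL"},
     "<html><title>SonicWall - Virtual Office</title></html>"),
    ("203.0.113.10", "/global-protect/login.esp", 404, {}, "Not Found"),
    ("203.0.113.22", "/global-protect/login.esp", 200, {},
     "<html><title>GlobalProtect Portal</title></html>"),
    ("203.0.113.31", "/remote/login", 200, {},
     "<html><title>SSLVPN Service</title> ... Fortinet ... </html>"),
    ("203.0.113.44", "/dana-na/auth/url_default/welcome.cgi", 200, {},
     "<html><title>Ivanti Connect Secure</title><script src=\"/dana-na/x.js\"></script></html>"),
    ("203.0.113.50", "/vpn/index.html", 302,
     {"Location": "/logon/LogonPoint/tmindex.html"}, ""),
    ("203.0.113.61", "/", 200, {"Server": "nginx"}, "<html>Welcome to nginx!</html>"),
]


if __name__ == "__main__":
    for vendor, n in sorted(exposure_summary(SAMPLE).items()):
        print(f"{vendor}: {n} exposed interface(s)")
```

Run against your own public ranges, the useful output is not the count but the list of hosts that match when your asset inventory says nothing should. The redirect case matters: a scanner that only accepts 200 responses will quietly miss portals that answer the probe path with a 302.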
Arctic Wolf documented at least 30 confirmed Fog and Akira ransomware intrusions beginning in August 2024, all using SonicWall SSLVPN as the initial access vector. Their findings:
The SSLVPN functionality is specifically what makes this an OT problem. These VPN services provide remote access for OT engineers maintaining SCADA systems, vendor technicians accessing PLCs and HMIs, and plant operators monitoring processes remotely. When a threat actor compromises the SSLVPN, they get the same remote access path that OT personnel use — often with direct routes to the OT environment.
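The brute-force and credential-stuffing traffic these SSLVPN portals attract leaves a trail in the appliance's own authentication log, if anyone is reading it. As an added example (not from the page, Arctic Wolf, or any vendor), the two rules below run over constructed, vendor-neutral login events: a password spray (one source, many usernames failing in a short window) and the brute force that finally worked (a success from a source that had just been failing). Field layout, thresholds and the event data are all assumptions for the illustration; map them onto your device's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, vendor-neutral VPN authentication events. Not a real SonicWall or
# FortiGate log format. Each entry: (ISO timestamp, source IP, username, outcome).
EVENTS = [
    ("2025-03-02T02:00:05", "198.51.100.7", "admin",     "fail"),
    ("2025-03-02T02:00:41", "198.51.100.7", "jsmith",    "fail"),
    ("2025-03-02T02:01:20", "198.51.100.7", "engineer1", "fail"),
    ("2025-03-02T02:02:03", "198.51.100.7", "scada",     "fail"),
    ("2025-03-02T02:03:17", "198.51.100.7", "operator",  "fail"),
    ("2025-03-02T02:05:49", "198.51.100.7", "vendor_ot", "fail"),
    ("2025-03-02T02:09:12", "198.51.100.7", "vendor_ot", "success"),
    ("2025-03-02T08:00:10", "192.0.2.15",   "mlee",      "fail"),      # a typo, then in
    ("2025-03-02T08:00:35", "192.0.2.15",   "mlee",      "success"),
    ("2025-03-02T08:30:00", "192.0.2.15",   "mlee",      "success"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_password_sprays(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source that fails against >= min_users distinct usernames inside `window`.
    Returns {source_ip: distinct_usernames} for each spraying source."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "fail":
            by_src[src].append((parse_ts(ts), user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):          # slide the window from each failure
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts[src] = len(users)
                break
    return alerts


def find_success_after_failures(events, lookback=timedelta(minutes=30), min_fails=3):
    """Flag a successful login preceded by >= min_fails failures from the same source
    within `lookback`: the guess that landed. Returns [(source_ip, user, prior_fails)]."""
    ordered = sorted((parse_ts(ts), src, user, out) for ts, src, user, out in events)
    hits = []
    for i, (t, src, user, out) in enumerate(ordered):
        if out != "success":
            continue
        prior = sum(1 for t2, s2, _, o2 in ordered[:i]
                    if s2 == src and o2 == "fail" and t - t2 <= lookback)
        if prior >= min_fails:
            hits.append((src, user, prior))
    return hits


if __name__ == "__main__":
    print("sprays:", find_password_sprays(EVENTS))
    print("success after failures:", find_success_after_failures(EVENTS))
```

The second rule is the one that matters for OT: a spray alone is background noise on any exposed portal, but a success from the spraying source is the moment an attacker holds the same remote path your engineers use, and the clock on the dwell-time statistic starts then.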
Ransomware crews move fast and encrypt everything they can reach. Nation-state groups are quieter, more patient, and focused on persistence. What they have in common: both start at the perimeter.
Dragos identified SYLVANITE, a China-nexus initial access broker, exploiting Ivanti Connect Secure VPN vulnerabilities at U.S. electric and water utilities. SYLVANITE extracted Active Directory credentials and established persistent access, then handed off established footholds to VOLTZITE for deeper OT intrusion.
VOLTZITE — elevated to Stage 2 of the ICS Cyber Kill Chain in Dragos's 2026 assessment — was subsequently observed manipulating engineering workstation software to extract configuration files and alarm data, and investigating what conditions trigger process shutdowns. In a separate campaign, VOLTZITE compromised Sierra Wireless Airlink cellular gateways to access U.S. midstream pipeline operations and pivoted to engineering workstations.
The VPN appliance was just the door. What they were after was on the other side: the industrial process.
CISA confirmed that Volt Typhoon compromised multiple U.S. critical infrastructure organizations by exploiting public-facing network appliances. At Littleton Electric Light and Water Departments in Massachusetts, the attackers maintained persistence for over 300 days through a compromised FortiGate 300D firewall, extracting Active Directory credentials that provided access paths to operational systems, per The Record.
The utility had network segmentation. On the diagram, everything looked right. The attacker found a way through the perimeter device regardless.
When threat actor UTA0218 exploited CVE-2024-3400 in Palo Alto PAN-OS, they did not just gain access through the firewall. They got root-level code execution on the firewall itself and deployed a custom Python backdoor (UPSTYLE) directly on compromised devices, as documented by Unit 42.
Think about that: the device your organization bought to protect the OT network became the attacker's foothold inside it.
This is not about one vendor or one CVE. Threat actors are running coordinated campaigns that hit multiple perimeter platforms from shared infrastructure, at the same time.
In October 2025, GreyNoise documented a coordinated scanning campaign targeting Cisco, Palo Alto, and Fortinet devices simultaneously:
GreyNoise noted that historically, these kinds of scanning surges have preceded new vulnerability disclosures within six weeks. In other words: the scanning is preparation, not opportunism.
Analysis of leaked Black Basta internal chat logs by EclecticIQ revealed BRUTED, a PHP-based automated brute-forcing framework in use since at least 2023, targeting seven perimeter platforms simultaneously:
BRUTED extracts SSL certificate Common Names and Subject Alternative Names from target devices to generate domain-contextual password guesses, enumerates subdomains with VPN-related prefixes, and routes traffic through SOCKS5 proxies. This is what industrialized perimeter compromise looks like: automated, multi-vendor, running 24/7.
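The certificate trick is worth seeing concretely, because it is also a cheap check to run against your own password policy. The block below is an added illustration of the technique EclecticIQ describes, not BRUTED's code: it derives organisation tokens from a certificate's CN and SANs, expands them into the kind of first-pass guesses such tooling generates, and then flips it around into a defensive rule that rejects passwords containing any of those tokens. The label lists, suffix rules and the fictional certificate names are all assumptions made for the example.

```python
import re

# Labels and suffixes below are assumptions for the illustration, not BRUTED's lists.
GENERIC_LABELS = {"vpn", "sslvpn", "remote", "gateway", "gw", "portal", "access",
                  "www", "mail", "secure", "connect"}
TLDS = {"com", "net", "org", "us", "gov", "io", "co", "edu"}


def org_tokens(common_name, sans):
    """Pull organisation words out of the certificate CN and SANs the way an attacker
    reading the server's TLS certificate would: drop the generic service labels and
    the TLD, split the rest on hyphens/underscores, and also keep the joined form."""
    tokens = []
    for name in [common_name, *sans]:
        name = name.lower()
        if name.startswith("*."):
            name = name[2:]
        for label in name.split("."):
            if label in TLDS or label in GENERIC_LABELS:
                continue
            for part in re.split(r"[-_]", label):
                if len(part) >= 3 and part not in tokens:
                    tokens.append(part)
            joined = re.sub(r"[-_]", "", label)
            if joined != label and joined not in tokens:
                tokens.append(joined)
    return tokens


def candidate_passwords(tokens, years=("2023", "2024", "2025")):
    """Expand tokens with the mangling rules such tools apply: case variants plus a
    short suffix set. Kept small on purpose; real tooling uses far larger rule sets."""
    suffixes = ["", "1", "123", "!", "@", "#1", *years, *(y + "!" for y in years)]
    return [base + s
            for t in tokens
            for base in (t, t.capitalize(), t.upper())
            for s in suffixes]


def violates_policy(password, tokens):
    """Defensive check: reject a password whose alphabetic core contains any
    certificate-derived token of four or more letters, i.e. anything that would
    land in the attacker's first-pass contextual list."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return any(t in core for t in tokens if len(t) >= 4)


# Constructed certificate names for a fictional utility.
CN = "vpn.acme-energy.com"
SANS = ["sslvpn.acme-energy.com", "remote.acmeenergy.net", "*.acme-energy.com"]

if __name__ == "__main__":
    toks = org_tokens(CN, SANS)
    guesses = candidate_passwords(toks)
    print("tokens:", toks)
    print(len(guesses), "first-pass guesses, e.g.", guesses[:5])
    for pw in ("Acme2024!", "AcmeEnergy#1", "Tr0ub4dor&3-lattice"):
        print(f"{pw!r}: {'REJECT' if violates_policy(pw, toks) else 'ok'}")
```

Feed `violates_policy` the tokens from your actual VPN certificate and run it at password-set time, or offline against a dump of your local appliance accounts: any hit is a credential that a framework like this would try within its first few hundred attempts.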
Each of the cases above — SonicWall, Ivanti, Fortinet, Palo Alto — gets treated as its own incident. A CVE drops, a vendor issues a patch, defenders scramble to update, and the cycle resets. But zoom out and the pattern becomes hard to ignore.
The share of ICS/OT vulnerabilities that are perimeter-facing rose from 16% to 22% in a single year, per the Dragos 2025 Year in Review. That is not a blip — it reflects an industry that keeps adding remote access, cloud connectivity, and vendor management portals to environments that were designed to be isolated. Every new integration adds another edge device, and every edge device is one CVE away from becoming the front door.
At the same time, the number of groups walking through that door is growing. Dragos tracked 119 ransomware groups targeting industrial organizations in 2025 — a 49% increase over the prior year — collectively hitting more than 3,300 industrial organizations globally. Those numbers do not include nation-state groups like VOLTZITE and SYLVANITE, who operate quietly and rarely trigger the kind of incident that makes the ransomware statistics.
Meanwhile, the attack surface itself is enormous and largely unmonitored. Bishop Fox's scan found 430,363 SonicWall interfaces exposed to the internet — and that is a single vendor. Add Fortinet, Palo Alto, Ivanti, Cisco, and Citrix and the total number of internet-facing perimeter devices at critical infrastructure sites is significantly larger. Forescout's honeypot study gives a sense of what that exposure attracts: over 60 million inbound requests in 90 days. Most of that was automated scanning and SNMP enumeration, but roughly 3.5 million were substantive attack events — brute-force attempts, exploit payloads, and malware delivery. Of the targeted attacks, 72% used SSH/Telnet brute force and 24% used HTTP/HTTPS exploits, overwhelmingly aimed at perimeter devices.
The average dwell time in OT environments sits at 42 days (Dragos). That is six weeks between initial compromise and detection — more than enough time to move from a VPN appliance to an engineering workstation to a process controller. And with fewer than 10% of OT networks running any form of network monitoring, most of that movement happens in the dark.
Several things make perimeter devices at critical infrastructure sites uniquely targetable:
The OT security community has spent years focused on PLC vulnerabilities, protocol insecurity, and ICS malware. Those are real concerns. But if you look at where OT compromises actually start, the answer is less exotic: a vulnerable VPN appliance, a stolen credential, and a flat network that lets the attacker walk from IT to OT.
Every major perimeter vendor has been hit. The campaigns are coordinated and automated. Nation-state groups and ransomware operators are using the same front door. And 430,000+ firewall interfaces are sitting on the internet right now.
Securing OT starts with knowing what is exposed at the perimeter. Not what the diagram says — what the internet sees.
ShiftSix Security discovers internet-facing perimeter devices across critical infrastructure and correlates them against active exploitation campaigns. Request a complimentary external exposure assessment to identify your OT perimeter risk.