2026-02-27

Industrial operators continue to run remote access portals, building automation servers, and other operational technology (OT) services on public IP address ranges. Palo Alto Networks, Siemens, and Idaho National Laboratory describe the scope of that exposure in the Intelligence-Driven Active Defense Report 2026.

Top TTPs mapped from detected signatures within OT networks (Source: Palo Alto Networks)

Internet exposure keeps growing

Cortex Xpanse made over 110 million observations of OT devices exposed to the internet in 2024, a 138% increase over 2023. From those observations, 19,633,628 unique OT devices and services were fingerprinted, a 332% increase over 2023. Those devices were hosted on 1.77 million IPv4 addresses, a 41.6% increase over 2023.

The geographic breakdown showed the highest concentrations of exposed OT devices in the United States, China, and Germany, with major urban hubs such as Beijing, Frankfurt, and Shenzhen appearing prominently in the city rankings.

The manufacturer table was led by Tridium Niagara, Linear eMerge, and Saia PCD Web Server. Several of the most frequently observed products were tied to building management systems, including Niagara, which commonly interfaces with HVAC and related building controls.

Ports and protocols show common exposure points

The port data highlights how widely used web services remain exposed across OT environments. Standard web ports such as TCP 443 and TCP 80 accounted for the largest volumes of observed services, meaning that for many devices the embedded web interface or login page itself is reachable over conventional HTTPS and HTTP.

Several OT-specific ports also appeared frequently, including TCP 5011, TCP 502, and UDP 47808. TCP 502 is the default Modbus/TCP port and UDP 47808 (0xBAC0) the default BACnet/IP port, both staples of industrial and building automation traffic. Neither protocol authenticates its peers in its standard form, so a controller that answers on one of these ports from the public internet is typically exposing read, and often write, access to its process data.

Multiple high-volume ports were tied to Tridium Niagara deployments. TCP 4911 is the Niagara FOXS port (the FOX station protocol wrapped in TLS), TCP 5011 is the platform daemon's TLS port, and TCP 3011 is the platform daemon's unencrypted port, the default channel for administering a Niagara host. Together, these findings show that both general-purpose web services and specialized industrial protocols remain broadly accessible from the public internet.

Early activity dominates OT intrusions

The analysis paired internet exposure with detection telemetry from more than 61,000 firewalls deployed in OT environments. It also referenced 20 years of historical incident data and a curated set of 27 publicly disclosed cyber incidents from 2000 to 2022.

That historical dataset contained 14,039 observables. Separate background findings in the same publication described a path that frequently begins in enterprise networks, with over 70% of OT attacks originating in IT environments before reaching industrial assets. The precursor phase accounted for 82.8% of observables, with an average dwell time of 185 days. Each incident involved an average of 430 precursor observable events spanning 13 unique techniques, and 205 of those observables were classified as highly perceivable.

Xu Zou, SVP of Cloud Delivered Security Services at Palo Alto Networks, told Help Net Security that “the persistent assumption of isolation” remains a central technical barrier. “Many organizations still treat OT as an air-gapped island, which leads to security strategies that only start once an attacker reaches the plant floor. This results in a lack of visibility at the network edge – the convergence layer where 70% of OT-impacting attacks begin.”

He added that organizational barriers compound the issue. “Many industrial security programs are heavily focused on asset inventories and passive telemetry alone. While visibility is essential, it is insufficient without detection capability. To operationalize this at scale, organizations must overcome the siloed nature of IT and OT security. We advocate for IT–OT SOC convergence, which allows for coordinated detection at the edge. By breaking down these organizational silos, teams can identify authentication anomalies, protocol misuse or malicious intents in the IT environment before they ever transition into safety-critical OT functions,” Zou said.

Five dominant precursor technique families were identified: execution via scripting, execution via native API, command-and-control (C2) over standard application-layer protocols, discovery through remote system discovery, and execution via a command-line interface. The report also points out that two of the host logs needed to see the scripting and CLI families are off by default on Windows: command-line capture in process creation audit events (event ID 4688) and PowerShell Script Block Logging (event ID 4104). Hosts that keep those defaults record that powershell.exe or cmd.exe started, but not what it was told to do.
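To make the logging point concrete, the following added example (not code from the report or from Palo Alto Networks) classifies constructed Windows 4688 and 4104 records into three of the five precursor families and then re-runs the same records as they would look under the Windows defaults: 4688 without its CommandLine field and no 4104 events at all. The regex patterns and sample events are illustrative constructions, not a vendor signature set; native API use and C2 over application-layer protocols are not visible in these two event types and would need ETW/Sysmon or network telemetry instead.

```python
"""Classify Windows 4688/4104 events into precursor families and measure what the
default-off logging settings hide. Illustrative example; patterns and events are constructed."""
import re

# Constructed, illustrative patterns for three of the five precursor families.
FAMILIES = {
    "Execution: scripting": [
        r"powershell(\.exe)?\b.*\s-(nop|noprofile|enc|encodedcommand|ep bypass|w hidden)\b",
        r"\b(iex|invoke-expression)\b",
        r"downloadstring|net\.webclient",
        r"\b(wscript|cscript|mshta)(\.exe)?\b",
    ],
    "Execution: CLI": [r"\bcmd(\.exe)?\b"],
    "Discovery: remote system discovery": [
        r"\bnet1?(\.exe)?\s+view\b",
        r"\bnltest(\.exe)?\b",
        r"\barp(\.exe)?\s+-a\b",
    ],
}

# Constructed records; field names follow the real 4688 and 4104 schemas.
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -w hidden -EncodedCommand "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net view /domain"},
    {"EventID": 4104,
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString($u)"},
]


def classify(event):
    """Return the set of precursor families matched by one event."""
    if event["EventID"] == 4688:
        # With ProcessCreationIncludeCmdLine_Enabled = 0 there is no CommandLine
        # field, so the only text available is the image path.
        text = event.get("CommandLine") or event.get("NewProcessName", "")
    elif event["EventID"] == 4104:
        text = event.get("ScriptBlockText", "")
    else:
        return set()
    return {fam for fam, pats in FAMILIES.items()
            if any(re.search(p, text, re.IGNORECASE) for p in pats)}


def as_windows_default(events):
    """Simulate out-of-the-box telemetry: 4688 without CommandLine (command-line
    auditing off) and no 4104 at all (Script Block Logging off)."""
    return [{k: v for k, v in e.items() if k != "CommandLine"}
            for e in events if e["EventID"] != 4104]


def coverage(events):
    """Union of families detected across a batch of events."""
    return set().union(*(classify(e) for e in events))


def detection_gap(events):
    """Families detected with full logging but missed under Windows defaults."""
    return coverage(events) - coverage(as_windows_default(events))


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EventID"], sorted(classify(e)))
    print("lost under defaults:", sorted(detection_gap(SAMPLE_EVENTS)))
```

With full logging the three records yield scripting, CLI plus remote system discovery, and scripting again; under the defaults only the bare cmd.exe start survives, and both the encoded PowerShell and the net view enumeration disappear. The two settings are enabled through Group Policy: Audit Process Creation together with "Include command line in process creation events" (registry value ProcessCreationIncludeCmdLine_Enabled under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit), and "Turn on PowerShell Script Block Logging" (EnableScriptBlockLogging under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging).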

From prediction to an OT SOC roadmap

Idaho National Laboratory's Attack Chain Estimator is described as a proof of concept at Technology Readiness Level 4. The tool fits a first-order Markov model to the ordered MITRE ATT&CK for ICS TTP sequences of the 27 incidents: each transition probability is the observed frequency with which one technique is followed by another, and multiplying the transitions along a chain gives that path's likelihood.
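The mechanics of such a model, as an added example that is not INL's code or the report's: a first-order Markov chain is estimated by counting adjacent technique pairs across incidents, and a chain's likelihood is the product of its transition probabilities. The incident sequences and technique labels below are constructed stand-ins for illustration, not the report's 27-incident ATT&CK for ICS dataset.

```python
"""First-order Markov chain over per-incident technique sequences (illustrative)."""
from collections import defaultdict

START, END = "<start>", "<end>"

# Constructed sample data: one ordered list of technique labels per incident.
# Labels are descriptive stand-ins, not ATT&CK for ICS identifiers.
INCIDENTS = [
    ["Scripting", "Remote System Discovery", "C2 App Layer", "Native API", "Impact"],
    ["CLI", "Remote System Discovery", "Scripting", "C2 App Layer", "Impact"],
    ["Scripting", "Native API", "C2 App Layer", "Remote System Discovery", "Impact"],
    ["CLI", "Scripting", "Remote System Discovery", "C2 App Layer", "Impact"],
    ["Scripting", "C2 App Layer", "Remote System Discovery", "Native API", "Impact"],
]


def build_transitions(incidents):
    """Estimate P(next | current) by maximum likelihood from observed adjacent pairs.
    START and END are added so first and last techniques are modelled too."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in incidents:
        chain = [START, *seq, END]
        for cur, nxt in zip(chain, chain[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(row.values()) for nxt, n in row.items()}
            for cur, row in counts.items()}


def path_likelihood(probs, path):
    """Probability of a complete chain under the first-order assumption (only the
    previous technique matters). Any transition never observed zeroes the path."""
    chain = [START, *path, END]
    p = 1.0
    for cur, nxt in zip(chain, chain[1:]):
        p *= probs.get(cur, {}).get(nxt, 0.0)
    return p


def rank_next(probs, state, k=3):
    """Most likely successors of the technique just observed, best first; ties by name."""
    row = probs.get(state, {})
    return sorted(row.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


def greedy_chain(probs, max_len=20):
    """Walk from START taking the top-ranked successor at each step until END.
    This is the single most probable step at each point, not a global optimum."""
    chain, state = [], START
    while state != END and len(chain) < max_len:
        ranked = rank_next(probs, state, k=1)
        if not ranked:
            break
        state = ranked[0][0]
        if state != END:
            chain.append(state)
    return chain


if __name__ == "__main__":
    probs = build_transitions(INCIDENTS)
    print("after Remote System Discovery:", rank_next(probs, "Remote System Discovery"))
    best = greedy_chain(probs)
    print("greedy chain:", best, "likelihood:", path_likelihood(probs, best))
```

Two caveats matter when reading output from a model like this. With only 27 incidents, maximum-likelihood estimation assigns zero probability to any transition that never occurred, so a single unseen step makes an otherwise plausible chain impossible; additive smoothing is the usual fix. And the first-order assumption means the prediction after, say, remote system discovery is the same whether the attacker arrived there through a phishing-borne script or a VPN credential, which is exactly why the report pairs the model with detection at the IT-OT edge rather than relying on it alone.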

Zou said the “core strength of predictive analysis and the Markov-based model is the consistency of adversary behavior, specifically the fact that 82.8% of activity occurs in the precursor phase. To keep these predictive chains relevant against evolving tradecraft like AI-assisted intrusions, we envision the model evolving toward edge-integrated OT SecOps.”

He continued, “As adversaries use new techniques to speed up reconnaissance or credential abuse, the model must shift its focus to the strategic control points where these actions generate detectable signals. The latest AI improvements can help us stitch dispersed signals together much more efficiently and help the security analyst understand the whole killchain clearly in near real time. Even with AI assistance, an adversary must still traverse multiple control layers and cross the IT–OT edge. We envision evolving the model to prioritize anomalous access patterns and session deviations at these convergence points. By treating time as a ‘measurable security variable,’ the model can be updated to trigger Active Defense playbooks – such as automated containment or pre-approved response actions – the moment a precursor behavior is detected. This ensures that even if AI accelerates the attack chain, our predictive modeling provides the framework to disrupt the progression at the edge, long before any operational impact occurs.”

The OT-SOC roadmap broke implementation into time windows. The key highlights listed 0 to 3 months for limited data collection supported by an OT-dedicated SIEM, 3 to 6 months for baselining and a pilot SOC in a limited plant area, 6 to 18 months for integrating OT and IT playbooks plus tabletop exercises, and 18 to 36 months for maturing into automation, AI analytics, and cross-site threat hunts.

These numbers outline two parallel operational realities. Large volumes of OT services remain reachable from the public internet, and long precursor phases create extended periods where observable activity can accumulate across enterprise and industrial layers.

