The digitalisation of the industrial sector and the consolidation of interconnected architectures have created more efficient ecosystems, but also more vulnerable ones in the face of malicious actors. To address this challenge, the Industrial Cybersecurity Observatory of AMTEGA has published the Cyber-Alerts Report – I.
This document not only monitors the current state of threats, but also provides an essential theoretical-practical framework for industrial organisations.
Below, I summarise the most critical points and conclusions we have drawn from this first report:
The OT Attack Landscape: Greater Frequency and Impact
The threat landscape targeting industrial control systems (ICS) shows sustained growth in both the severity and volume of vulnerabilities.
- According to ENISA, vulnerability exploitation accounts for 21.3% of intrusion vectors in Europe.
- Recent global surveys reveal that 22% of organisations experienced at least one ICS/OT incident in the past year.
- The most exploited vectors are unauthorised external access (50%) and ransomware (38%).
- One alarming finding stands out: in ransomware incidents, the average time between intrusion and encryption activation has dropped to just 16 hours, demanding 24×7 early detection capabilities in OT environments.
Monitoring and Discovery: The Role of CPS Platforms
The report highlights the importance of cyber-physical system protection platforms (CPS PP), such as Guardian, developed by InprOTech — Galician technology with dual-use capabilities.
These tools are essential because they enable:
- Automatic discovery of OT assets (PLCs, HMIs, drives, etc.).
- Identification of firmware versions for correlation with known vulnerabilities.
- Network anomaly detection without interfering with industrial process availability, through an active-passive approach.
Pragmatic Prioritisation: The “Now / Next / Never” Philosophy
Since availability is paramount in industrial environments, immediate patching is not always feasible. The report highlights the Now/Next/Never operational strategy for prioritisation:
- Now: Critical vulnerabilities that affect process safety, are remotely exploitable and have no active compensating controls. These require immediate mitigation.
- Next: Relevant flaws that depend on less probable factors or already have certain barriers in place. These are planned for the next maintenance window.
- Never: Vulnerabilities that, in the specific context of the plant (e.g. a fully isolated asset), pose no real risk. These are documented and monitored.
Return on Investment (ROI) in OT Cybersecurity
One of the report’s most valuable contributions is the financial quantification of operational risk. Mitigating vulnerabilities in high-value assets (such as a SCADA system) offers an exceptionally high economic return. Reducing the Exposure Factor (EF) and the Annual Rate of Occurrence (ARO) through segmentation and patching more than offsets implementation costs, ensuring business continuity.
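The following sketch ties the Now/Next/Never rules to the ROI argument above. It is an added example, not code or figures from the AMTEGA report or from Guardian. The field names, the rule encoding and every number are constructed assumptions; the calculation uses the standard quantitative-risk formulas ALE = AV × EF × ARO and ROSI = (ALE reduction − cost) / cost.

```python
from dataclasses import dataclass

@dataclass
class Finding:                      # hypothetical record, one per vulnerable asset
    asset: str
    affects_safety: bool            # touches process safety
    remote: bool                    # remotely exploitable
    compensated: bool               # active compensating control (e.g. segmentation)
    isolated: bool                  # fully isolated in this plant's context
    av: float                       # asset value (EUR)
    ef: float                       # Exposure Factor today, 0..1
    aro: float                      # Annual Rate of Occurrence today
    ef_after: float                 # EF once the mitigation is applied
    aro_after: float                # ARO once the mitigation is applied
    cost: float                     # yearly mitigation cost (EUR), must be > 0

def bucket(f: Finding) -> str:
    """Apply the Now/Next/Never criteria in order of plant context first."""
    if f.isolated:
        return "Never"              # documented and monitored, not patched
    if f.affects_safety and f.remote and not f.compensated:
        return "Now"                # immediate mitigation
    return "Next"                   # next maintenance window

def ale(av: float, ef: float, aro: float) -> float:
    """Annualised Loss Expectancy: single loss (AV * EF) times yearly frequency."""
    return av * ef * aro

def rosi(f: Finding) -> float:
    """Return on security investment for the proposed mitigation."""
    saved = ale(f.av, f.ef, f.aro) - ale(f.av, f.ef_after, f.aro_after)
    return (saved - f.cost) / f.cost

def triage(findings):
    """Rows of (bucket, asset, ROSI), Now first, best return first within a bucket."""
    rank = {"Now": 0, "Next": 1, "Never": 2}
    rows = [(bucket(f), f.asset, round(rosi(f), 2)) for f in findings]
    return sorted(rows, key=lambda r: (rank[r[0]], -r[2]))

# Constructed sample inventory (not real plant data).
SAMPLE = [
    Finding("hmi-packaging", False, True, True, False, 80_000, 0.25, 0.5, 0.25, 0.1, 4_000),
    Finding("drive-testbench", True, False, False, True, 10_000, 0.1, 0.01, 0.1, 0.01, 1_000),
    Finding("plc-line3", True, True, False, False, 200_000, 0.5, 0.2, 0.5, 0.05, 10_000),
    Finding("scada-server", True, True, False, False, 500_000, 0.4, 0.5, 0.1, 0.1, 20_000),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

In this constructed data the SCADA server lands in Now with the highest return, while the isolated test-bench drive falls under Never and shows a negative return, so spending on it would not pay back.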
Conclusion
Galicia’s OT ecosystem — strongly represented by critical sectors such as energy, automotive, food, naval and logistics — faces increasingly sophisticated and targeted threats. Adopting defensible architectures, improving configuration hygiene and implementing a realistic patch management strategy aligned with plant constraints are unavoidable steps.
InprOTech and AMTEGA will continue to drive the strengthening of Galicia’s business fabric through technology initiatives and the dissemination of actionable intelligence.
You can download the full report from the official AMTEGA portal.



