The air gap still shapes how many teams think about operational technology (OT). They picture critical systems sealed off from the public web. Reality looks different. Nearly 20 million operational technology-related devices sit directly online, visible and reachable.
Collaborative research from Palo Alto Networks, Siemens, and the Idaho National Laboratory (INL) shows that the number of unique, fingerprinted industrial devices exposed to the internet more than tripled (roughly 3.3x), from about 6 million in 2023 to 20 million in 2024. The OT attack surface no longer stays inside the plant.
The Scale of Exposure
In 2024, Cortex Xpanse recorded more than 110 million observations of OT devices exposed to the internet, a 138 percent increase over the prior year. Each observation records what was reachable at the moment of the scan, not what a quarterly report happened to capture.
Tridium Niagara was the most frequently observed OT application on the internet, often tied to HVAC and facilities systems. Exposure of such systems spikes during Northern Hemisphere summer months, tracking installation and servicing cycles, so much of the risk stems from routine operations rather than deliberate adversary action.

The 185-Day Warning
The best opportunity to defend often arrives long before impact. The whitepaper notes that 82.8 percent of adversary activity occurs during the precursor phase. On average, threat actors remain in that phase for 185 days after they are first observed, probing ports, testing authentication paths, and building access routes.
Xpanse maps that precursor window by scanning the public IPv4 space multiple times per day and fingerprinting exposed services. When an internet-facing management portal appears, defenders can respond while the attacker is still searching.
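To make the scan-and-fingerprint loop concrete, here is an added example (not Cortex Xpanse code, and not from the whitepaper) of the two operations that turn repeated scan passes into an early warning: fingerprinting a service from its banner and diffing consecutive passes so a portal that was not reachable yesterday surfaces as a new exposure, together with how much of the average 185-day precursor window remains. The fingerprint rules, hosts and banners are constructed for the example; a production scanner uses far richer, protocol-aware signatures.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed fingerprint rules: (label, pattern over the banner, ports the rule
# applies to (empty = any), is this a management/login surface). Illustrative
# only; production scanners use far richer, protocol-aware signatures.
FINGERPRINTS = [
    ("tridium-niagara-web", re.compile(r"niagara", re.I), set(), True),
    ("http-basic-auth-portal", re.compile(r"WWW-Authenticate: Basic", re.I),
     {80, 443, 8080, 8443}, True),
    ("ssh", re.compile(r"^SSH-\d\.\d-"), set(), True),
    ("telnet", re.compile(r"\xff[\xfb-\xfe]"), {23}, True),
    ("http-generic", re.compile(r"^HTTP/\d\.\d \d{3}"), set(), False),
]


@dataclass(frozen=True)
class Observation:
    """One service seen on one scan pass."""
    ip: str
    port: int
    banner: str
    seen_at: datetime


def fingerprint(obs):
    """Return (label, is_management_portal) for the first matching rule."""
    for label, pattern, ports, is_portal in FINGERPRINTS:
        if (not ports or obs.port in ports) and pattern.search(obs.banner):
            return label, is_portal
    return "unknown", False


def diff_snapshots(previous, current):
    """Compare two passes keyed on (ip, port): what appeared, what disappeared."""
    prev_keys = {(o.ip, o.port) for o in previous}
    curr = {(o.ip, o.port): o for o in current}
    appeared = [o for key, o in sorted(curr.items()) if key not in prev_keys]
    disappeared = sorted(prev_keys - set(curr))
    return appeared, disappeared


def update_first_seen(first_seen, observations):
    """Remember the first pass that saw each (ip, port); never overwrite."""
    for o in observations:
        first_seen.setdefault((o.ip, o.port), o.seen_at)
    return first_seen


def portal_alerts(previous, current, first_seen, now, dwell_days=185):
    """Alert on every management portal in the current pass, noting whether it
    is new since the last pass and how much of the average 185-day precursor
    window (the whitepaper's figure) is still left to act in."""
    appeared, _ = diff_snapshots(previous, current)
    new_keys = {(o.ip, o.port) for o in appeared}
    update_first_seen(first_seen, current)
    alerts = []
    for o in current:
        label, is_portal = fingerprint(o)
        if not is_portal:
            continue
        key = (o.ip, o.port)
        age = (now - first_seen[key]).days
        alerts.append({
            "host": f"{o.ip}:{o.port}",
            "service": label,
            "new_this_pass": key in new_keys,
            "days_exposed": age,
            "window_remaining_days": max(dwell_days - age, 0),
        })
    return alerts


# Constructed scan passes (RFC 5737 documentation addresses, made-up banners).
T0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
T1 = datetime(2024, 6, 2, tzinfo=timezone.utc)
PASS_1 = [
    Observation("203.0.113.10", 443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n", T0),
    Observation("203.0.113.20", 22, "SSH-2.0-OpenSSH_8.9\r\n", T0),
]
PASS_2 = [
    Observation("203.0.113.10", 443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n", T1),
    Observation("203.0.113.20", 22, "SSH-2.0-OpenSSH_8.9\r\n", T1),
    # A building-automation login page that was not reachable on the last pass.
    Observation("203.0.113.30", 8080,
                "HTTP/1.1 200 OK\r\n\r\n<title>Niagara Web Server</title>", T1),
]

if __name__ == "__main__":
    seen = update_first_seen({}, PASS_1)
    for alert in portal_alerts(PASS_1, PASS_2, seen, now=T1):
        print(alert)
```

The point of keeping `first_seen` across passes is that the clock for the defender starts at first exposure, not at first triage; an alert that only says "new portal" loses that information as soon as the ticket ages.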
Active Defense Through Visibility
Static snapshots fail because the perimeter changes faster than reporting cycles. Xpanse provides continuous discovery and attribution, separating deliberate exposure from accidental leakage. Paired with internal context, this gives defenders two lenses:
- External exposure: internet observable hosts, ports, services, and applications
- Internal context: asset role, business criticality, and reachable paths
Case Study: Real-World Resilience
This is not just a theoretical exercise; it is the cornerstone of defense for organizations managing complex, sprawling infrastructures. CBTS, a leading technology provider, used Cortex Xpanse as part of its platformization strategy to gain complete visibility into its network boundaries.
During a major organizational split, the CBTS security team used Xpanse to discover and catalog every internet-facing asset across the new environment, identifying and remediating thousands of accidental exposures in real time. By moving from a "detect and ticket" model to an automated platform, the team consolidated 20 disparate tools into a single source of truth and cut its median time to resolution from days to 13 seconds.
Read the full CBTS case study here.
From Reactive Response to Strategic Mitigation
Visibility alone does not fix the backlog. Many programs treat every vulnerability as urgent, even when existing defenses already break the exploit path. Cortex Exposure Management addresses this with Security and Compensating Controls, letting teams validate mitigation, capture attestation, and prioritize only exposures that remain truly reachable.
For security leaders, this shift matters in two ways:
- Optimized operations: less false urgency, more focus on unmitigated threats that require action
- Empowered decision making: clearer residual risk that supports budget justification and risk acceptance
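The two lenses above (external exposure joined with internal asset context) and the compensating-controls logic in this section come together in the following added example. It is illustrative code written for this post, not Cortex Exposure Management's implementation, and all hosts, roles, controls and scores are constructed. It shows the three decisions a practitioner has to get right: a control counts as mitigation only once someone has validated that it actually breaks the path (a claimed-but-unverified control leaves the exposure reachable and is flagged so attestation can be captured); a host with no internal record is scored at worst-case criticality, because an asset nobody owns is itself accidental leakage; and priority is the product of what is exposed and what it controls, so an unauthenticated protocol on a PLC outranks a login page on a building-management host.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    """External lens: what an internet scan observed."""
    ip: str
    port: int
    service: str
    issue: str
    severity: int  # 1 (informational) .. 5 (unauthenticated control of a process)


@dataclass(frozen=True)
class AssetContext:
    """Internal lens: what the OT/IT inventory knows about the host."""
    ip: str
    role: str
    criticality: int  # 1 (lab) .. 5 (safety or production critical)


@dataclass(frozen=True)
class CompensatingControl:
    """A control claimed to break the exploit path for a host or a host:port."""
    ip: str
    port: Optional[int]  # None: applies to every port on the host
    kind: str
    attested_by: str
    validated: bool  # has someone actually tested that it blocks the path?


@dataclass
class Finding:
    host: str
    service: str
    role: str
    status: str  # "mitigated", "attestation-pending" or "reachable"
    priority: int
    controls: List[str]


def control_applies(control, exposure):
    return control.ip == exposure.ip and control.port in (None, exposure.port)


def triage(exposures, contexts, controls):
    """Join external exposures with internal context and compensating controls.
    Only a validated control counts as mitigation; a merely claimed one leaves
    the exposure reachable. Hosts with no inventory record get criticality 5."""
    by_ip = {c.ip: c for c in contexts}
    findings = []
    for exp in exposures:
        ctx = by_ip.get(exp.ip)
        matching = [c for c in controls if control_applies(c, exp)]
        if any(c.validated for c in matching):
            status = "mitigated"
        elif matching:
            status = "attestation-pending"
        else:
            status = "reachable"
        criticality = ctx.criticality if ctx else 5
        role = ctx.role if ctx else "unattributed"
        priority = 0 if status == "mitigated" else exp.severity * criticality
        findings.append(Finding(
            host=f"{exp.ip}:{exp.port}", service=exp.service, role=role,
            status=status, priority=priority,
            controls=[f"{c.kind} ({'validated' if c.validated else 'claimed'} by {c.attested_by})"
                      for c in matching],
        ))
    return sorted(findings, key=lambda f: (-f.priority, f.host))


def residual(findings):
    """What still needs action once validated controls are subtracted."""
    return [f for f in findings if f.status != "mitigated"]


# Constructed inputs (RFC 5737 documentation addresses, made-up roles and scores).
EXPOSURES = [
    Exposure("203.0.113.30", 8080, "tridium-niagara-web", "login portal reachable from the internet", 4),
    Exposure("203.0.113.20", 22, "ssh", "remote administration exposed", 3),
    Exposure("203.0.113.40", 502, "modbus-tcp", "unauthenticated industrial protocol exposed", 5),
    Exposure("198.51.100.5", 443, "https", "TLS service with no inventory record", 2),
]
CONTEXTS = [
    AssetContext("203.0.113.30", "hvac-bms", 3),
    AssetContext("203.0.113.20", "jump-host", 2),
    AssetContext("203.0.113.40", "boiler-plc", 5),
]
CONTROLS = [
    # Tested from outside: the allowlist closes the path, so this is mitigation.
    CompensatingControl("203.0.113.20", 22, "source-ip-allowlist+mfa", "netops", True),
    # Claimed in a ticket, never verified: attestation still has to be captured.
    CompensatingControl("203.0.113.30", None, "edge-firewall-deny", "facilities", False),
]

if __name__ == "__main__":
    for f in triage(EXPOSURES, CONTEXTS, CONTROLS):
        print(f.priority, f.status, f.host, f.role, f.controls)
```

Run as-is, the Modbus-on-PLC exposure ranks first, the Niagara portal with its unverified firewall claim second, the unattributed TLS host third, and the SSH jump host drops to zero because its control was actually tested. The `attestation-pending` state is what keeps a "we have a firewall rule for that" comment from silently closing an exposure the attacker can still reach.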
A New Source of Truth
The hidden industrial network belongs to the past. Cortex Xpanse provides the external map. As OT converges with IT, that platform view helps teams automate workflow handoff, measure residual risk, and act before precursor activity matures.
Read the Intelligence Driven Active Defense white paper and schedule a personalized Cortex Xpanse demo to close the 185-day gap.