OT Vulnerability Management for New York Organizations
New York's critical infrastructure profile is unlike any other metropolitan area in the United States. The Port Authority operates transportation infrastructure connecting New York and New Jersey that relies on supervisory control systems managing tunnels, bridges, and transit facilities. The MTA's rail and bus networks depend on signaling and control systems spanning five boroughs. Con Edison's electric distribution grid serving Manhattan, the Bronx, and Westchester incorporates substation automation and distribution management systems that are simultaneously critical to public safety and attractive targets for nation-state actors like VOLTZITE, which in 2025 was actively pre-positioning within electric utility networks for potential destructive use. Water treatment facilities in the New York metro area fall under EPA AWIA recertification requirements with deadlines running through June 2026. Healthcare networks operating building management systems, HVAC controls, and medical gas distribution throughout New York City carry operational technology that directly affects patient safety.
The financial sector dimension is equally significant and often overlooked in OT security planning. Major banks, trading firms, and financial services organizations maintain data centers and operations facilities throughout Manhattan, Long Island, and Westchester. These facilities contain operational technology in the form of building management systems, precision cooling controls, power distribution units with embedded firmware, and physical access control systems that directly affect the availability of regulated financial services. Organizations subject to NYDFS 23 NYCRR 500 cannot treat these OT components as outside the scope of their cybersecurity programs: regulators have made clear that the information systems subject to Part 500 encompass the physical infrastructure on which covered services depend.
The scale of the problem is substantial. In 2025, 60% of organizations globally reported experiencing OT or ICS security incidents, a figure that reflects the maturation of ransomware groups specifically targeting industrial entities. Those groups grew from 80 to 119 tracked entities in 2025, with ransomware incidents against industrial organizations increasing 64% year over year. Manufacturing alone accounted for more than two-thirds of all industrial ransomware victims. For New York organizations, this threat landscape intersects with a dual regulatory burden: federal frameworks including NERC CIP, TSA pipeline directives, and EPA AWIA on one side, and New York-specific obligations under NYDFS 23 NYCRR 500 and the NY SHIELD Act on the other. A vulnerability management program that addresses only one of these dimensions leaves significant gaps in both security posture and regulatory compliance.
Why OT Vulnerability Management Differs from IT
The conventions that govern IT vulnerability management do not translate to operational technology environments. In IT, a vulnerability with a CVSS score of 9.0 receives immediate patching priority, automated deployment tools push fixes across hundreds of systems overnight, and a four-week remediation window is considered slow. In OT, the same CVSS score may describe a vulnerability in a PLC firmware version that has been running continuously for fifteen years, that controls a physical process whose interruption would cost millions per hour, and for which the vendor has recommended hardware replacement rather than a software patch. These are not comparable situations, and treating them as such is the single most common failure in OT vulnerability programs.
CISA published 508 ICS advisories in 2025, a 20.6% year-over-year increase; when vendor PSIRTs and international CERTs are included, the total reaches 2,207 unique advisories across all sources. Of the 2,203 High and Critical ICS CVEs tracked across those sources, only 29, representing 1.32% of the total, appear in CISA's Known Exploited Vulnerabilities catalog. That small fraction of confirmed exploited vulnerabilities demands immediate response. The remainder requires careful operational analysis before any action. Separately, independent research has found that 25% of ICS advisories from CISA and NVD contain incorrect CVSS scores, typically because the scoring was performed by analysts applying IT-context assumptions to vulnerabilities in OT protocols and devices where the threat model is entirely different. Acting on those incorrect scores without correction wastes remediation effort and can introduce operational risk.
| Dimension | IT Environments | OT/ICS Environments |
|---|---|---|
| Patch cadence | Monthly or continuous deployment | Annual maintenance windows; some systems unpatchable |
| Asset lifecycle | 3 to 5 years typical refresh | 15 to 25 years; legacy systems at process core |
| CVSS score accuracy | Generally reliable for IT context | 25% of ICS advisories contain incorrect scores requiring correction |
| Remediation path | Vendor patch available in days to weeks | 45% of advisories recommend hardware replacement |
| Scanning approach | Active scanning standard practice | Active scanning can crash PLCs; passive DPI required |
| Confirmed exploited CVEs | Broad range in CISA KEV catalog | Only 1.32% of High/Critical OT CVEs appear in KEV |
| Consequence of disruption | Data loss, service outage | Physical damage, safety incidents, production loss |
| Immediate action required | All Critical/High severity | Approximately 2 to 6% of all identified vulnerabilities |
The implication of this data is that an OT vulnerability program that borrows IT methodology will either paralyze operations by chasing an unachievable patching backlog or ignore genuine threats by treating every OT vulnerability absent from KEV as low priority. Neither outcome is acceptable for New York organizations with both operational continuity and regulatory obligations at stake. The correct approach is risk-based prioritization that accounts for the specific operational context of each vulnerability: where the affected asset sits in the Purdue Model hierarchy, whether it has any exposure path that an attacker could realistically use, what compensating controls are already in place, and what the actual consequences of exploitation would be in your specific environment.
NYCF's Vulnerability Management Methodology
NYCF's OT vulnerability management methodology is structured around the operational realities of New York industrial and critical infrastructure environments. It is not a platform product or a tool license: it is a professional services engagement delivering the human analysis, operational context, and regulatory-grade documentation that automated platforms alone cannot provide. The methodology proceeds through five structured phases, each building on the outputs of the prior phase to produce a program that is both technically rigorous and operationally practical.
Asset Discovery and Classification
Safe, comprehensive asset discovery is the foundation on which every subsequent phase depends. NYCF deploys passive deep packet inspection via network TAPs or span ports, capturing all ICS protocol traffic including Modbus, DNP3, OPC-UA, EtherNet/IP, PROFINET, and BACnet without injecting a single packet into the control network. This approach identifies every communicating device including assets that have been forgotten, decommissioned in name but still active on the network, or acquired through mergers and never fully inventoried. Where passive monitoring alone leaves coverage gaps at deeper Purdue Model levels, NYCF supplements with OT-safe active queries: deliberate, read-only, protocol-aware queries that have been validated against specific device types, scheduled during maintenance windows with operations team coordination. Engineering workstation configuration data and existing CMDB or historian records provide a third source of asset intelligence that cross-validates passive observation. The result is a complete, classified asset inventory with make, model, firmware version, communication relationships, and Purdue Model placement for every identified device.
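The passive approach above can be illustrated with a small inventory builder. This is an added example written for this page, not NYCF's tooling or data: it takes flow metadata as a TAP or SPAN port would expose it (client, server, server port), records which device answers on which ICS protocol, derives the communication relationships, and assigns a provisional Purdue placement from observed roles. The flow records, the port-to-protocol table and the placement heuristic are constructed assumptions; in practice the placement would be confirmed against engineering workstation and CMDB data, as the text describes.

```python
"""Passive OT asset inventory built from observed flow metadata.

Added example (not NYCF's tooling or data): reconstructs an inventory,
the communication relationships between devices and a provisional
Purdue placement purely from flows seen on a TAP or SPAN port, so
nothing is ever sent to the control network. The flow records, the
port-to-protocol table and the placement heuristic are constructed.
"""
from collections import defaultdict

# Server ports for the ICS protocols named in the text (IANA or vendor
# documented). A device that answers on one of these is recorded as
# serving that protocol; the device that initiated the flow uses it.
ICS_SERVER_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    34964: "PROFINET (PNIO-CM)",
    4840: "OPC-UA",
    47808: "BACnet/IP",
}

# Protocols that reach field equipment directly (Level 0/1 devices).
FIELD_PROTOCOLS = {"Modbus/TCP", "DNP3", "EtherNet/IP", "PROFINET (PNIO-CM)", "BACnet/IP"}

# Constructed flow records: (client_ip, server_ip, server_port). A real
# capture would also carry unit IDs, ENIP/CIP identity replies and
# BACnet object names; those are omitted here.
FLOWS = [
    ("10.20.1.10", "10.20.1.50", 502),    # HMI polls PLC-A
    ("10.20.1.10", "10.20.1.51", 502),    # HMI polls PLC-B
    ("10.20.3.5", "10.20.1.50", 502),     # historian polls PLC-A
    ("10.20.3.5", "10.20.1.51", 502),     # historian polls PLC-B
    ("10.20.3.5", "10.20.1.60", 20000),   # historian polls a DNP3 RTU
    ("10.20.1.10", "10.20.1.70", 44818),  # HMI talks to an EtherNet/IP drive
    ("10.1.5.20", "10.20.3.5", 4840),     # enterprise client reads historian OPC-UA
    ("10.20.1.10", "10.20.1.50", 443),    # PLC web page: not an ICS protocol, ignored
    ("10.20.1.99", "10.20.1.50", 502),    # undocumented host still polling PLC-A
]


def build_inventory(flows):
    """Return (devices, relationships) from passively observed flows.

    devices:       {ip: {"serves": set(protocol), "uses": set(protocol)}}
    relationships: {server_ip: {(client_ip, protocol), ...}}
    """
    devices = defaultdict(lambda: {"serves": set(), "uses": set()})
    relationships = defaultdict(set)
    for client, server, port in flows:
        protocol = ICS_SERVER_PORTS.get(port)
        if protocol is None:
            continue  # non-ICS traffic is inventoried by other means
        devices[server]["serves"].add(protocol)
        devices[client]["uses"].add(protocol)
        relationships[server].add((client, protocol))
    return dict(devices), dict(relationships)


def purdue_level(entry):
    """Provisional Purdue placement from observed roles (heuristic; confirm
    against engineering workstation and CMDB data)."""
    serves, uses = entry["serves"], entry["uses"]
    if serves & FIELD_PROTOCOLS and not uses:
        return 1  # only ever answers a field protocol: controller, RTU or drive
    if uses & FIELD_PROTOCOLS and not serves:
        return 2  # only polls controllers: HMI or engineering workstation
    if uses & FIELD_PROTOCOLS and serves:
        return 3  # polls controllers and serves data upward: historian/SCADA server
    if serves:
        return 3  # serves only supervisory protocols (e.g. OPC-UA): Level 3 server
    return 4  # consumes supervisory data only: site business or enterprise client


def inventory_report(flows):
    """Return [(ip, level, serves, uses)] sorted by level, then address."""
    devices, _ = build_inventory(flows)
    rows = [(ip, purdue_level(e), sorted(e["serves"]), sorted(e["uses"]))
            for ip, e in devices.items()]
    return sorted(rows, key=lambda r: (r[1], r[0]))


def clients_of(relationships, server_ip, protocol):
    """Observed clients of one server for one protocol: the starting point
    for a zone/conduit allowlist on that server."""
    return sorted(c for c, p in relationships.get(server_ip, ()) if p == protocol)


if __name__ == "__main__":
    for ip, level, serves, uses in inventory_report(FLOWS):
        print(f"L{level} {ip:12} serves={serves} uses={uses}")
    _, rel = build_inventory(FLOWS)
    print("Modbus clients of 10.20.1.50:", clients_of(rel, "10.20.1.50", "Modbus/TCP"))
```

Running it surfaces the undocumented host 10.20.1.99 polling PLC-A, exactly the "forgotten" asset class the text describes, and `clients_of` yields the observed reader list that later becomes the source-address allowlist for that PLC.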
Vulnerability Identification and Correlation
With a complete asset inventory established, NYCF correlates each identified device against multiple vulnerability intelligence sources simultaneously. CISA ICS Advisories represent the primary US government source, with 508 advisories published in 2025 and year-over-year volume continuing to climb. Vendor PSIRTs from Schneider Electric, Rockwell Automation, Siemens, ABB, and other major ICS manufacturers provide disclosure data that does not always appear in CISA channels on the same timeline. NIST NVD provides coverage breadth, but its ICS entries often lack the operational context needed for OT environments. NYCF applies OT-corrected CVSS scoring to all identified vulnerabilities, adjusting for the IT-context assumptions that produce the 25% error rate observed in published advisories. This corrected scoring is documented and defensible, providing the analytical foundation for regulators and auditors who need to understand why a nominally Critical vulnerability received a lower operational priority than its published score would suggest.
OT-Corrected Risk Prioritization
Prioritization is where the value of OT-specific expertise becomes most concrete. NYCF evaluates each vulnerability across six operational risk factors that CVSS scores do not capture. First: Purdue Model location, since a vulnerability in a Level 1 PLC controlling a live process carries different weight than the same CVE in a Level 3 operations server. Second: network exposure, distinguishing between assets reachable from the internet, assets reachable only from the enterprise IT network, and assets with no external network path whatsoever. Third: exploit availability, differentiating between confirmed active exploitation appearing in CISA's KEV catalog, public proof-of-concept code, theoretical vulnerabilities with no known exploit, and everything in between. Fourth: operational criticality, reflecting whether the affected asset is safety-critical, production-critical, or auxiliary. Fifth: existing compensating controls that may already constrain or eliminate the practical exploit path. Sixth: proximity to safety-instrumented systems, which elevates priority for any vulnerability in assets that interact with SIS equipment. This multi-factor analysis consistently identifies the 2 to 6% of vulnerabilities requiring immediate action and creates a defensible, documented rationale for the treatment of the remainder.
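To make the six-factor analysis concrete, here is an added example of a prioritization model; it is not NYCF's scoring model, whose weights are not published. The additive weights, the compensating-control reduction factors, the tier thresholds and the sample findings (with placeholder CVE identifiers) are all constructed assumptions, chosen to show why a nominally Critical CVE on an isolated, segmented PLC can rank below a lower-scored finding on an enterprise-reachable historian.

```python
"""OT-contextual vulnerability prioritization across six operational factors.

Added example, not NYCF's model: weights, control factors, thresholds and
sample findings are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    asset: str
    cve: str                 # placeholder identifiers below, not real CVEs
    cvss: float              # published base score
    purdue_level: float      # 0..5, with 3.5 for the IDMZ
    exposure: str            # "internet" | "enterprise" | "isolated"
    exploit: str             # "kev" | "poc" | "none"
    criticality: str         # "safety" | "production" | "auxiliary"
    controls: list = field(default_factory=list)  # existing compensating controls
    sis_adjacent: bool = False                      # interacts with SIS equipment


# Assumed weights for the factors CVSS does not capture.
EXPOSURE = {"internet": 40, "enterprise": 20, "isolated": 0}
EXPLOIT = {"kev": 40, "poc": 25, "none": 0}
CRITICALITY = {"safety": 25, "production": 15, "auxiliary": 5}
# Assumed fraction of risk remaining once a given control is in place.
CONTROL_FACTOR = {"segmentation": 0.6, "protocol_allowlist": 0.6,
                  "virtual_patch": 0.7, "jump_server": 0.8}


def purdue_weight(level):
    """Lower in the hierarchy means closer to the physical process."""
    if level <= 1:
        return 15
    if level <= 2:
        return 10
    if level <= 3.5:
        return 5
    return 0


def score(f):
    """Operational risk score: CVSS contributes at most 20 of the raw total."""
    raw = (f.cvss * 2 + EXPOSURE[f.exposure] + EXPLOIT[f.exploit]
           + CRITICALITY[f.criticality] + purdue_weight(f.purdue_level)
           + (20 if f.sis_adjacent else 0))
    for control in f.controls:
        raw *= CONTROL_FACTOR.get(control, 1.0)  # unknown controls earn no credit
    return round(raw, 1)


def tier(f):
    """Treatment tier. KEV entries are immediate regardless of other factors."""
    if f.exploit == "kev":
        return "immediate"
    s = score(f)
    if s >= 70:
        return "immediate"
    if s >= 40:
        return "scheduled"    # next maintenance window; compensating controls meanwhile
    return "documented"       # controls recorded; re-evaluated on a change in threat


def prioritize(findings):
    """Rank findings as (tier, score, asset), highest operational risk first."""
    order = {"immediate": 0, "scheduled": 1, "documented": 2}
    ranked = [(tier(f), score(f), f.asset) for f in findings]
    return sorted(ranked, key=lambda r: (order[r[0]], -r[1]))


# Constructed sample findings.
FINDINGS = [
    Finding("PLC-A (Level 1, cell 3)", "CVE-PLACEHOLDER-1", 9.8, 1, "isolated", "poc",
            "production", ["segmentation", "protocol_allowlist"]),
    Finding("Boundary firewall", "CVE-PLACEHOLDER-2", 7.5, 3.5, "internet", "kev", "production"),
    Finding("Historian", "CVE-PLACEHOLDER-3", 8.1, 3, "enterprise", "poc", "production"),
    Finding("Burner management PLC", "CVE-PLACEHOLDER-4", 6.5, 1, "isolated", "none",
            "safety", ["segmentation"], sis_adjacent=True),
    Finding("Packaging HMI", "CVE-PLACEHOLDER-5", 5.3, 2, "enterprise", "none", "auxiliary"),
]

if __name__ == "__main__":
    for t, s, asset in prioritize(FINDINGS):
        print(f"{t:10} {s:6.1f}  {asset}")
```

In the sample, the CVSS 9.8 PLC finding lands in the lowest tier because it is isolated and already behind segmentation and a protocol allowlist, while the CVSS 7.5 boundary firewall entry in KEV ranks first; the tier rationale printed alongside each score is the kind of documented justification the text says auditors need.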
Compensating Control Design
For the substantial majority of OT vulnerabilities where patching is not operationally feasible within any reasonable timeframe, NYCF designs compensating controls that reduce risk to an acceptable level without touching the affected device. Control recommendations are specific to the vulnerability, the device type, and the operational context: generic advice to "increase monitoring" is not useful. NYCF specifies the precise network segmentation changes needed to isolate a vulnerable asset from paths an attacker could reach, the virtual patching signatures that an IDS or IPS in front of that asset should enforce, the protocol whitelisting rules that restrict Modbus or DNP3 traffic to only the specific function codes and address ranges required for legitimate operations, and the enhanced detection logic that should alert on any anomalous communication pattern involving the asset. Where physical controls are appropriate, including cabinet locks, USB port security, and physical access logging, NYCF incorporates these into the control framework. Every recommended compensating control is documented with its specific risk reduction rationale, supporting both operational implementation and regulatory examination.
Compliance Documentation and Reporting
NYCF's final deliverable is a report structured to serve both operational and regulatory audiences. The technical volume provides complete findings, corrected risk scores, prioritization rationale, and specific remediation and compensating control guidance for each identified vulnerability, organized by Purdue Model level and operational area. The executive summary translates these findings into business-language risk characterization appropriate for senior leadership, board reporting, and insurance renewal discussions. The compliance appendix maps findings and controls to the applicable regulatory frameworks: NYDFS 23 NYCRR 500 for financial sector OT, NERC CIP-007 and CIP-010 for electric utility assets, TSA pipeline directive requirements for pipeline operators, EPA AWIA requirements for water utilities, and NIST SP 800-82 Rev. 3 and IEC 62443 for broad OT security program documentation. This structured compliance mapping supports annual certifications, regulatory examinations, and audit responses without requiring organizations to perform the framework mapping themselves after receiving a generic technical report.
Compensating Controls for Systems That Cannot Be Patched
The practical reality of OT vulnerability management is that most vulnerabilities in most OT environments will not be remediated by patching. This is not a failure of security programs or organizational will: it is an inherent characteristic of industrial systems with 15 to 25 year operational lifespans, availability requirements measured in nines, and vendors who in 45% of 2025 advisory cases recommended hardware replacement rather than a software fix. An OT vulnerability management program that treats unpatched vulnerabilities as open findings without addressing compensating controls is producing documentation that overstates actual risk and fails to capture the real security posture of the environment. NYCF's compensating control methodology translates each unpatched vulnerability into a specific, implementable risk reduction strategy.
Network segmentation is the foundational compensating control for OT environments, but effective segmentation in an industrial network requires more precision than firewall rules that simply block traffic between VLAN segments. NYCF specifies segmentation at the zone and conduit level consistent with IEC 62443-3-2, defining exactly which communication relationships between defined zones are permitted and which must be blocked. A vulnerable Modbus-enabled PLC that communicates legitimately only with a specific HMI and a historian can be protected by allowing only those two source addresses to reach it on port 502, with all other Modbus traffic blocked. This approach eliminates the attack surface for an attacker who has gained access elsewhere on the network and is attempting to reach the vulnerable device, without disrupting the legitimate operational communication the device requires.
Virtual patching through IDS and IPS rule sets provides a second layer of protection that operates independently of network segmentation. Where a vulnerability has a known exploit pattern, an inline IPS placed in the communication path to a vulnerable device can block packets matching that pattern before they reach the device. This approach is most effective for vulnerabilities in standard protocols like Modbus TCP, DNP3, and OPC-UA where exploit patterns are well-characterized in public research. Protocol whitelisting extends this concept further: rather than blocking specific known-bad patterns, it allows only specifically permitted protocol operations. A Modbus device that should receive only read requests from a single HMI can be protected by a whitelisting rule that passes Modbus FC01, FC02, FC03, and FC04 from the HMI address and drops all other Modbus traffic, including the write function codes an attacker would need to manipulate the device. Programming writes outside of defined maintenance windows can be blocked at the network layer, preventing an attacker from reprogramming a PLC even if they reach it.
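The source-address allowlist from the segmentation paragraph and the function-code and maintenance-window rules from this one can be combined in a single inline control point. The following is an added example written for this page, not NYCF's rule set or any product's signature: it parses the MBAP header and PDU of each Modbus/TCP request headed to a protected PLC and decides pass or drop from an allowlist of reader addresses, function codes FC01 to FC04, a permitted register window, and write function codes admitted only from the engineering station inside a maintenance window. The policy, the window, the addresses and the sample frames are constructed for illustration.

```python
"""Modbus/TCP protocol allowlist for an inline control point.

Added example (not NYCF's rules or a product signature): policy, window,
addresses and sample frames are constructed for illustration.
"""
import struct
from datetime import datetime, time

READ_FCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}     # write single coil/register, write multiple coils/registers

# Constructed policy for one protected PLC: its two observed legitimate
# readers, one engineering station, the register window it serves and
# the only window in which programming writes are tolerated.
POLICY = {
    "10.20.1.50": {
        "readers": {"10.20.1.10", "10.20.3.5"},   # HMI and historian
        "engineering": {"10.20.1.20"},             # EWS: writes allowed in window only
        "addresses": (0, 200),                     # [start, end) permitted
        "window": (time(2, 0), time(4, 0)),        # maintenance window, local time
    }
}


def parse_request(frame):
    """Split a Modbus/TCP request into (tid, unit, fc, data); raise on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError("MBAP protocol id is not 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame length")
    if fc & 0x80:
        raise ValueError("exception response bit set on a request")
    return tid, unit, fc, frame[8:]


def address_span(fc, data):
    """(start, count) of coils/registers the request touches, for admitted FCs."""
    if fc in READ_FCS or fc in (15, 16):
        start, count = struct.unpack(">HH", data[:4])   # start address, quantity
        return start, count
    if fc in (5, 6):
        return struct.unpack(">H", data[:2])[0], 1       # single address
    raise ValueError(f"no address rule for FC{fc:02d}")


def in_window(now, window):
    start, end = window
    return start <= now.time() < end   # window assumed not to cross midnight


def decide(src, dst, frame, now):
    """Return ("pass" | "drop", reason) for one request from src to dst."""
    rule = POLICY.get(dst)
    if rule is None:
        return "drop", "no allowlist for destination (default deny)"
    try:
        _, _, fc, data = parse_request(frame)
        if fc in READ_FCS:
            if src not in (rule["readers"] | rule["engineering"]):
                return "drop", f"FC{fc:02d} read from unlisted source {src}"
        elif fc in WRITE_FCS:
            if src not in rule["engineering"]:
                return "drop", f"FC{fc:02d} write from non-engineering source {src}"
            if not in_window(now, rule["window"]):
                return "drop", f"FC{fc:02d} write outside maintenance window"
        else:
            return "drop", f"FC{fc:02d} not in allowlist"
        start, count = address_span(fc, data)
    except (ValueError, struct.error) as exc:
        return "drop", f"malformed request: {exc}"
    lo, hi = rule["addresses"]
    if count == 0 or start < lo or start + count > hi:
        return "drop", f"address range {start}..{start + count - 1} outside allowlist"
    return "pass", f"FC{fc:02d} {start}+{count} from {src}"


def build_request(tid, unit, fc, payload):
    """Assemble a Modbus/TCP request frame (used only to construct sample traffic)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


PLC = "10.20.1.50"
T_OPS = datetime(2025, 6, 1, 14, 0)   # mid-shift
T_MAINT = datetime(2025, 6, 1, 3, 0)  # inside the 02:00-04:00 window
FC16_PAYLOAD = struct.pack(">HHB", 10, 2, 4) + b"\x00\x01\x00\x02"  # 2 registers at 10
SAMPLE_TRAFFIC = [  # (label, source, frame, time of arrival)
    ("hmi-read-fc03", "10.20.1.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10)), T_OPS),
    ("rogue-read-fc03", "10.20.1.77", build_request(2, 1, 3, struct.pack(">HH", 0, 10)), T_OPS),
    ("hmi-write-fc06", "10.20.1.10", build_request(3, 1, 6, struct.pack(">HH", 5, 1)), T_OPS),
    ("ews-write-fc16-window", "10.20.1.20", build_request(4, 1, 16, FC16_PAYLOAD), T_MAINT),
    ("ews-write-fc16-shift", "10.20.1.20", build_request(5, 1, 16, FC16_PAYLOAD), T_OPS),
    ("hmi-read-out-of-range", "10.20.1.10", build_request(6, 1, 3, struct.pack(">HH", 190, 20)), T_OPS),
    ("hmi-fc43-device-id", "10.20.1.10", build_request(7, 1, 43, b"\x0e\x01\x00"), T_OPS),
    ("bad-protocol-id", "10.20.1.10", struct.pack(">HHHBB", 8, 1, 6, 1, 3) + struct.pack(">HH", 0, 1), T_OPS),
]


def run_sample():
    """Verdict per sample frame, as the control point would log it."""
    return [(label, decide(src, PLC, frame, when)[0]) for label, src, frame, when in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for label, src, frame, when in SAMPLE_TRAFFIC:
        print(f"{label:24} {decide(src, PLC, frame, when)}")
```

Every drop carries a reason string, so the same logic doubles as the detection feed the text calls for: a write from the HMI or a read of registers beyond the served window is an anomaly worth an alert, not only a dropped packet.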
Microsegmentation carries segmentation principles to the device level, isolating individual process cells or functional groups so that a compromise in one area of the OT network cannot directly reach adjacent areas without traversing a control point. Jump server architectures with mandatory session recording provide read-only access models for engineering tools: instead of allowing engineering software direct access to PLCs from workstations with broad network connectivity, all engineering sessions originate from a hardened jump server that records every command, providing both access control and forensic evidence of any unauthorized activity. For the most sensitive assets, physical controls including tamper-evident cabinet locks, USB port blockers on engineering workstations, and access logging for control room entry supplement network-layer measures. NYCF documents the complete compensating control framework for each vulnerable asset, creating a defensible record that demonstrates meaningful risk reduction independent of the patching status of the underlying device.
Regulatory Compliance for New York OT Operators
New York organizations face a regulatory environment for OT security that is more complex than in most other jurisdictions, because state-level financial services regulation applies alongside federal sector-specific requirements in ways that require both to be addressed simultaneously. NYCF's vulnerability management documentation is structured to satisfy this dual compliance burden rather than forcing organizations to choose between frameworks.
NYDFS 23 NYCRR 500 is the framework that most surprises financial services firms when its OT scope is explained. The regulation defines "information systems" broadly enough to encompass building management systems, data center power and cooling infrastructure, physical access control systems, and other OT components in facilities that support covered operations. Section 500.05 requires annual penetration testing and vulnerability assessments of covered systems, and NYDFS examiners have asked questions about OT components during examinations of large banks and insurance companies. Section 500.07 requires limiting access privileges for information systems to only those needed, which applies to engineering access to OT systems in data centers. Section 500.14 requires monitoring information systems for anomalies that could indicate a cybersecurity event, applicable to OT network monitoring. NYCF's deliverables map findings and controls to these specific provisions, supporting both annual certifications and examination responses.
The NY SHIELD Act's data security requirements apply to any organization handling private information of New York residents, creating a floor of reasonable security practices that encompasses OT environments where sensitive data passes through or is stored in operational systems. For organizations that cross both the SHIELD Act threshold and sector-specific regulations, NYCF's documentation addresses both without duplication.
NERC CIP remains the primary mandatory framework for bulk electric system assets, with CIP-007-6 requiring security patch management programs that document vulnerability identification, assessment, and either patching or compensating control implementation within defined timeframes. CIP-010-4 requires vulnerability assessments for electronic access control and monitoring systems. NYCF's program produces the specific documentation these standards require, including the assessment results, patch applicability determinations, and compensating measure documentation that NERC auditors examine. The TSA Security Directive SD Pipeline-2021-02F, renewed through 2026, requires pipeline operators to maintain patch management programs with risk methodology, prioritize CISA KEV patches, and document compensating controls where patching is not feasible: requirements that align precisely with NYCF's program structure.
Water utilities serving New York communities face EPA AWIA recertification deadlines that vary by system size: large systems serving 100,000 or more residents completed recertification by March 2025, those serving 50,000 to 99,999 by December 2025, and smaller systems serving 3,301 to 49,999 residents by June 2026. These Risk and Resilience Assessments must address cybersecurity risks to electronic and automated systems, including OT and ICS components in treatment and distribution operations. NYCF's assessments produce the OT cybersecurity documentation component of an AWIA-compliant RRA. For organizations with operations touching European markets, NIS2's 24-hour incident reporting requirements and the EU Cyber Resilience Act's vulnerability management obligations for products with digital elements create additional compliance dimensions that NYCF's reporting accommodates within a unified framework alongside NIST SP 800-82 Rev. 3 and IEC 62443.
The 2025 Threat Landscape for OT Environments
The threat environment facing New York OT operators in 2025 and 2026 is qualitatively different from prior years in ways that make vulnerability management more urgent, not less. Ransomware groups targeting industrial entities grew from 80 tracked groups in 2024 to 119 in 2025, a 49% increase, with total ransomware incidents against industrial organizations rising 64% year over year. December 2025 set a single-month record with 814 successful ransomware attacks, a 42% increase from the prior year's same period. Manufacturing accounted for more than two-thirds of all industrial ransomware victims, but utilities, transportation, and facilities management organizations throughout the New York metro area have not been spared.
The critical insight from incident data is that 96% of OT security incidents originate from IT-level compromises, not from direct attacks on OT protocols or devices. An attacker who establishes a foothold in an organization's IT environment through a phishing email, a VPN vulnerability, or compromised vendor credentials does not need specialized ICS attack tools to cause operational impact. Once inside the IT network, the attacker moves laterally toward OT-adjacent systems: process historians that bridge IT and OT networks, engineering workstations that are connected to both environments, jump servers used for remote access to control systems. From those positions, the attacker either deploys ransomware that encrypts virtualization infrastructure on which SCADA systems run, producing denial of view and denial of control without ever touching a PLC directly, or gains the access needed to manipulate control systems using legitimate protocols that carry no authentication. This attack path is why IT/OT network architecture and compensating controls matter as much as device-level patching in any comprehensive OT security program.
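The IT-to-OT path just described is also the one most worth detecting at the boundary. The following is an added example written for this page, not NYCF's detection content: it applies a zone and conduit policy to firewall log lines from the IT/OT boundary and raises an alert when an enterprise host reaches an OT-adjacent system (historian, engineering workstation, controller) directly instead of through the recorded jump-server conduit, and when an administrative protocol such as RDP or SMB enters an OT zone from anything other than that jump server. The zones, host addresses, log format and log lines are constructed for illustration.

```python
"""Detection of IT-to-OT lateral movement from boundary firewall logs.

Added example (not NYCF's detection content): zones, hosts, log format
and log lines are constructed for illustration.
"""
import ipaddress
import re

# Constructed zone model: enterprise IT, an industrial DMZ holding the
# recorded jump server, and two OT zones.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "idmz": ipaddress.ip_network("10.10.0.0/16"),
    "ot_l3": ipaddress.ip_network("10.20.3.0/24"),     # historian, SCADA servers
    "ot_l2_l1": ipaddress.ip_network("10.20.1.0/24"),  # HMIs, EWS, controllers
}
OT_ZONES = {"ot_l3", "ot_l2_l1"}
JUMP_SERVERS = {ipaddress.ip_address("10.10.0.5")}      # the only sanctioned conduit in
ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Constructed log format; a real deployment would parse the firewall's own schema.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

SAMPLE_LOG = [  # constructed boundary firewall lines
    "2025-06-01T10:15:03Z action=ALLOW src=10.1.5.20 dst=10.10.0.5 dport=3389 proto=tcp",  # user -> jump server
    "2025-06-01T10:16:10Z action=ALLOW src=10.10.0.5 dst=10.20.1.20 dport=3389 proto=tcp",  # jump server -> EWS
    "2025-06-01T10:20:44Z action=ALLOW src=10.1.5.20 dst=10.20.3.5 dport=445 proto=tcp",   # enterprise -> historian SMB
    "2025-06-01T10:21:02Z action=DENY src=10.1.5.20 dst=10.20.1.20 dport=3389 proto=tcp",   # enterprise -> EWS RDP, blocked
    "2025-06-01T10:25:30Z action=ALLOW src=10.20.3.5 dst=10.20.1.50 dport=502 proto=tcp",   # historian polls PLC
    "2025-06-01T10:30:00Z action=ALLOW src=10.20.3.5 dst=10.20.1.20 dport=445 proto=tcp",   # historian -> EWS SMB
]


def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_line(line):
    """Parse one log line into a flow event, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "action": m["action"],
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]), "proto": m["proto"]}


def evaluate(ev):
    """Return (severity, reason) for a policy violation, or None."""
    src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
    blocked = ev["action"] == "DENY"
    sev = "medium" if blocked else "high"   # a blocked attempt still signals lateral probing
    if src_zone == "enterprise" and dst_zone in OT_ZONES:
        verb = "attempted to reach" if blocked else "reached"
        return sev, (f"enterprise host {ev['src']} {verb} {dst_zone} host "
                     f"{ev['dst']}:{ev['dport']} bypassing the jump-server conduit")
    if dst_zone in OT_ZONES and ev["dport"] in ADMIN_PORTS and ev["src"] not in JUMP_SERVERS:
        return sev, (f"{ADMIN_PORTS[ev['dport']]} to {dst_zone} host {ev['dst']} from "
                     f"{ev['src']} ({src_zone}), not from a recorded jump server")
    return None


def scan(lines):
    """Return [(timestamp, severity, reason)] for every violating line."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable lines would be counted separately in production
        hit = evaluate(ev)
        if hit:
            alerts.append((ev["ts"], hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for ts, sev, reason in scan(SAMPLE_LOG):
        print(f"{ts} [{sev}] {reason}")
```

The sample produces three alerts: the allowed SMB session from the enterprise host to the historian, the denied RDP attempt against the engineering workstation (blocked, but evidence that the foothold is probing the boundary), and an SMB connection from the historian to the engineering workstation, which is the historian-as-pivot step the text describes once the first hop has succeeded.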
Nation-state pre-positioning represents a distinct and more serious threat for certain New York organizations, particularly electric utilities and transportation operators. VOLTZITE, the threat group linked to China's Volt Typhoon campaign, spent 2024 and 2025 compromising small-office routers at electric utilities and telecommunications providers, exfiltrating GIS data, OT network diagrams, and operational instructions in what FBI Director testimony characterized as preparation for destructive attacks in a major crisis or conflict. The threat is not theoretical: VOLTZITE and related actors have demonstrated the capability to persist undetected in utility networks for extended periods, and the vulnerability management program's role in limiting that persistence is critical. A vulnerability in a network device at the IT/OT boundary that would receive low priority under a pure CVSS-based program may represent a pre-positioning opportunity for an advanced persistent threat actor that elevates its actual priority significantly. NYCF's threat-contextualized prioritization incorporates current threat intelligence on active threat group TTPs, not just generic vulnerability scores.
Internet-exposed OT assets remain a systemic problem that affects New York organizations alongside the broader national population. Analysis of approximately one million OT devices found that 40% of organizations had assets with Known Exploited Vulnerabilities insecurely connected to the internet. For New York organizations with remote access infrastructure supporting facilities management, vendor maintenance, and emergency operations, the exposure surface is larger than most organizations realize. NYCF's discovery methodology specifically identifies internet-exposed OT assets as a priority finding category, regardless of their individual CVE scores, because exposure to the open internet elevates the practical exploitability of any vulnerability to a level that demands immediate compensating control implementation.
Forensic Documentation and Expert Support After an OT Incident
When an OT security incident occurs, whether it is ransomware reaching a control network, unauthorized access to a building management system, or anomalous traffic suggesting threat actor pre-positioning, the organizations with pre-existing vulnerability management documentation are substantially better positioned in the litigation, insurance, and regulatory proceedings that follow. NYCF's vulnerability management program is designed with this post-incident use case in mind from the outset: every finding, every risk assessment, every compensating control recommendation is documented with the precision and chain-of-custody discipline that legal proceedings require.
Post-incident forensic analysis of OT environments presents challenges that IT forensics does not. Control systems often lack the logging capabilities of IT systems, forensic acquisition of PLC firmware and configuration data requires specialized tools and knowledge, and the operational constraints that limited security controls before the incident may also limit the forensic evidence available after it. NYCF's analysts, drawing on the same OT protocol expertise and tooling used in vulnerability assessments, examine the artifacts available from OT environments including network traffic captures, historian records, engineering workstation event logs, and the configuration states of affected devices to reconstruct the timeline and scope of a compromise. This analysis produces the technically accurate, chain-of-custody-documented record that insurance carriers require for cyber liability claims and that regulators examine when assessing whether an organization's pre-incident security posture met applicable standards of care.
Insurance coverage for OT incidents is an area of increasing dispute between policyholders and carriers. Carriers have challenged claims on the basis that the affected OT systems were excluded from the policy scope, that the incident originated in OT systems rather than "information systems" covered by the policy, or that the organization failed to implement security controls that the policy required. NYCF's forensic analysis of OT incidents provides technically grounded documentation of the incident's scope, causation, and the relationship between identified pre-incident vulnerabilities and the losses claimed, supporting the policyholder's position in coverage proceedings. Expert testimony is available for civil litigation, arbitration, and regulatory hearings, translating OT security technical findings into terms that non-technical audiences including judges, juries, and regulatory hearing officers can evaluate accurately. NYCF's expert witnesses cross-reference findings from OT vulnerability assessments with the incident's specific attack path, providing the causal chain from vulnerability existence through exploitation through operational and financial loss that expert testimony in OT cases requires.
OT Network Assessment
Comprehensive security review of OT network architecture, segmentation, protocol configurations, and IT/OT boundary controls. Pairs with vulnerability management for a complete OT security program.
SCADA Security Testing
Non-disruptive security assessment of SCADA environments, PLCs, HMIs, and control networks. Identifies architectural and configuration vulnerabilities across supervisory control infrastructure.
ICS Penetration Testing
Active exploitation testing of industrial control system environments using digital twin methodology and hardware-in-the-loop approaches that validate vulnerability exploitability without production risk.
IoT Security Assessment
Security evaluation of connected devices that interact with industrial and operational environments, including firmware analysis, protocol security, and device-to-cloud communication review.