The OT Blind Spot: Everyday Devices

Everyday Devices, Extraordinary Risk

Every year, surveys highlight the same reality: one of the biggest threats to industrial networks doesn’t come from hackers breaching firewalls but from devices brought in by people. The 2025 SANS ICS/OT Cybersecurity Budget Report [1] found that 27% of security incidents can be traced back to “transient devices,” an analyst term referring to USB sticks and contractor laptops that move in and out of plants daily.

Imagine a maintenance day at a power plant. A technician arrives with a laptop, ready to perform a software update. The schedule is tight, downtime is costly, and the patch can’t wait. In the moment, no one pauses to consider whether the laptop has picked up malware elsewhere. It connects. The work proceeds.

One in four incidents reminds us: the danger isn't only at the perimeter. It often walks in through the front door.

This isn’t hypothetical. In 2012, a U.S. power plant experienced a three-week outage after an outside technician’s infected USB introduced malware into turbine control systems, according to a DHS ICS-CERT case summary reported by PCWorld [2]. More than a decade earlier, in Australia, the Maroochy Water breach [3] demonstrated the devastating impact of a compromised transient asset. A stolen field laptop allowed an insider to spill millions of liters of sewage into local waterways.

These cases reflect what engineers and operators quietly understand: USB-connected and portable devices are essential, but they also pose risks. Production frequently takes precedence over caution. Without controls that fit naturally into daily workflows, that tension leaves security decisions unresolved and inconvenient to make.

A virus infection in a US power company's turbine control systems resulted in a three-week delay in restarting the plant. The virus was introduced by a third-party technician's USB drive being used to upload software updates into the system. [6]

If a Quarter of OT Incidents Start with USB devices, Why Aren’t Budgets Following?

The Disconnect Between Risk and Spend

Organizations spend heavily on firewalls and monitoring, while everyday entry points remain exposed. Within those budgets, protections for removable media rank lower than network segmentation, incident response, and visibility tools.

That creates an odd imbalance: organizations reinforce the perimeter while one of the most effective attack routes, USBs and laptops carried onsite, remains underfunded. It’s like locking the fence while the back door is propped open. Attackers know it, too. Honeywell’s analysis shows USB-based malware isn’t just surviving; it’s thriving and is deliberately engineered to bypass air gaps and disrupt critical systems. [5]

Budgets Still Undervalue OT Security

OT security continues to be deprioritized compared to IT. In the SANS survey, 41% of organizations allocate less than a quarter of their security budget to ICS/OT, while only 9% dedicate three-quarters or more. [1]

This 4.5x gap highlights the ongoing undervaluation of operational risk and emphasizes the need to shift spending toward essential OT environments.

41% spend less than a quarter of their security budget on ICS/OT.

9% invest heavily (75%+) in ICS/OT security.

Persistent Weak Spots in OT Security

Despite growing awareness, structural gaps and cultural myths keep everyday devices underprotected.

Structure Divides

IT controls the budget for OT security in 31% of organizations. [1]

In many organizations, IT leaders hold budget authority: 31% report IT fully controls OT security spending, while 26% say ICS/OT teams lead. When decisions are made off the plant floor, portable devices often receive less attention than firewalls or dashboards.

Human Factors

Only 9% of organizations have dedicated OT security staff. [1]

Only 9% of professionals dedicate their full-time effort to ICS/OT security. Without staff focused solely on these environments, tasks like managing vendor laptops or scanning USB drives can be overlooked.

Cultural Myths

The Security Illusion of Air Gaps Persists

Many people still believe that air-gapped systems are completely secure. However, research shows that USBs are being weaponized precisely because they can bypass those perceived barriers. [4] In practice, the myth of isolation has become one of the most dangerous blind spots.

The most effective protections are those designed for the people who actually plug devices in. These are the engineers, technicians, and contractors on the plant floor.

Perimeter Defenses Can’t Stop Everyday Device Risks

Why Security Has to Start Where Devices Connect

The SANS survey shows that incidents from everyday devices are a top priority, yet protections for removable media rank below network segmentation, incident response, and visibility. Traditional defenses stop at the perimeter, leaving USBs and contractor laptops as exposed entry points.

These incidents aren’t stopped by firewalls or monitoring dashboards. They’re prevented when frontline teams have simple, OT-ready tools to check devices before they connect. Security has to begin at the point of use, not after the fact.

That’s why SANS recommends ICS-specific controls and engineering-led incident response. If the only line of defense is in an IT office, too far from where the devices connect, the risk remains. But when the tools are put into the hands of operators, the situation changes. Checking a laptop or scanning a USB becomes a natural part of the workflow.

The best practice is clear: make the safe choice the easy one. Secure kiosks, portable scanning devices, and simple inspection steps enable frontline teams to protect operations without needing IT help or interrupting production. Security becomes part of the routine, not an interference.

When scanning a USB is easier than skipping it, adoption becomes natural.
Copyright © 2025 TXOne Networks. All rights reserved.