    Claroty survey finds growing CPS risks amid economic, geopolitical, supply chain changes

    New Claroty data found that 49% of security professionals believe global economic policies and geopolitical tensions increase risk to cyber-physical environments. This comes as 45% are concerned about their ability to reduce risk to key CPS (cyber-physical systems) assets, and about their overall understanding of their risk posture. Additionally, 67% said that they are reconsidering the geography of their supply chain to mitigate CPS risks posed by economic and geopolitical uncertainties. 

    Titled ‘The Global State of CPS Security 2025: Navigating Risk in an Uncertain Economic Landscape,’ the Claroty report identifies that a ‘ripple effect’ of shifting supply chains is the escalation of CPS risks associated with third-party remote access, as organizations re-evaluate their vendors and introduce new remote access tools into already complex and exposed CPS environments. 

    Additionally, 69% of respondents said their current CPS security programs closely adhere to international and local cybersecurity standards or mandates. However, 76% said emerging regulations may require them to overhaul their current security strategies.

    Claroty noted that this may exacerbate existing security challenges involving third-party access to CPS, as 46% of respondents said they’ve been breached in the last 12 months because of third-party access, and 54% report they’ve discovered security gaps or weaknesses in vendor contracts post-incident. As a result, 73% of respondents said they are re-evaluating third-party remote access to CPS operations.

    Respondents also highlighted regulatory changes as a source of uncertainty. Depending on the regions in which they operate, organizations may be grappling with swift deregulation or growing momentum for more regulation. 

    The research showed that despite successful efforts to follow established frameworks such as the NIST Cybersecurity Framework and ENISA in Europe, there are concerns over what’s to come from the regulatory environment. Although nearly 70% of respondents said their current CPS security programs adhere to cybersecurity standards, 76% said that emerging regulations, be it government, international, or industry-specific, may require their organizations to overhaul their strategies, which could cause massive disruptions to operational efficiency.

    Claroty mentioned that uncertainty doesn’t arise just from economic confrontations, but also from the potential for shifts in the regulatory landscape. “The complexity has only grown since the start of the year. The Trump administration, for example, has indicated an appetite for deregulation through the rolling back of some Biden-era executive orders, including several mandates within EO 14144, whose aim was to strengthen and promote innovation in the country’s cybersecurity. While in Europe, the Cyber Resilience Act and NIS2 are mandates that enterprises in the European Union and United Kingdom are developing compliance initiatives in order to meet upcoming deadlines.”

    It added that NIS2 implementation deadlines, for example, vary by state, while CRA compliance has phased deadlines leading up to a December 2027 full compliance deadline. 

    “The offshoot is that CPS security programs built on established frameworks such as the NIST Cybersecurity Framework, or ENISA in the European Union, may soon be headed back to the drawing board,” according to the report. “Disruption is expected to impact current compliance programs that are currently guided by a mix of industry standards and government regulations, according to respondents. The large majority of respondents, meanwhile, believe that while their current CPS security strategies may adhere to regulations (69%), any upheaval in the regulatory landscape could upend existing investments and established best practices that ensure compliance (76%).” 

    “Attackers often see times of instability as opportunities to strike. Distracted defenders are ineffective defenders. This, combined with the impact of critical infrastructure on economic stability, national security, and public safety, makes it a particularly attractive target,” Sean Tufts, field chief technology officer at Claroty, observed in a Wednesday media statement. “The survey results show that economic uncertainty and geopolitical tensions are making it harder for security teams to protect critical systems, compounded by third-party vulnerabilities that are further driving up risk. While the challenge is great, the opportunity for organizations to fundamentally shift how they approach their CPS security is greater.”

    These findings highlight the importance of taking an impact-centric approach to risk reduction that focuses on regulatory outcomes and exposure management, with the top risk mitigation strategies being regular security audits (49%) and process improvements for providing change approvals (45%). This will enhance compliance efforts and uncover vulnerabilities, particularly where there may be blind spots among third-party vendors.

    Another interesting highlight of the Claroty report was that key components of CPS security programs going forward are artificial intelligence (AI) and machine learning (ML). Organizations are keen to leverage these advanced technologies for various crucial capabilities in defending CPS environments. 

    “AI, for example, should figure heavily as a foundational risk-reduction strategy going forward, especially as CPS security programs mature,” Claroty reported. “Organizations can leverage its capabilities to improve threat detection, response, and recovery. Automation in these areas lowers mean-time-to-detect and reduces the potential for disruption or damage to key processes. Resources can also be allocated in more efficient ways with AI augmenting human capabilities and allowing smaller teams to manage complex CPS environments.” 

    Tactically, AI can deliver significant efficiency gains in multiple ways. Its speed in analyzing sensor data and network traffic allows organizations to rapidly detect anomalies and threats to CPS environments, including zero-day vulnerabilities that have not yet been disclosed to or remediated by vendors. Beyond detection, AI serves as a predictive tool, enabling CISOs to plan proactive defensive measures against emerging threats. This capability also extends to identifying risky exposures, such as misconfigurations that could be exploited in attacks, and prioritizing the remediation of flaws most likely to be targeted first.

    Claroty identified that AI can also be an effective tool in incident response, by isolating compromised network segments or systems, blocking risky IP address ranges, and analyzing logs and alerts for other risky network behaviors.

    When it comes to supply chain security, Claroty said that attackers understand these ramifications all too well and could seize upon the risk introduced via this onslaught of new suppliers and technology in much the same way they did during the pandemic, by targeting the excessive remote access being afforded to keep businesses afloat. 

    “Already in May 2025, we saw state-level attacks targeting supply chains,” Claroty reported. “Reports surfaced then of a two-year campaign targeting logistics, defense, and technology companies that were part of the supply chain supporting Ukraine in its war against Russia. Russian military intelligence carried out attacks that compromised more than 10,000 surveillance cameras near critical transportation points in Ukraine and in the region surrounding it, the Associated Press reported. The aim was to learn more about the assistance coming into Ukraine from the West.” 

    Supply chains and the digital infrastructure that support them can be fragile and are targets for economic disruption and the destabilization of services within critical industries such as manufacturing, logistics, pharmaceuticals, or food suppliers, among many others. 

    “46% of our respondents, for example, echo these concerns, reporting they had experienced breaches that leveraged third-party vendor access as an initial entry point to the network,” the report noted. “These attacks led to malware, including ransomware, being installed, disrupting business operations along the way. Attackers were also able to exploit vulnerabilities by using the access afforded by a compromised supplier or partner.”

    Claroty reported that remote access security audits evaluate the effectiveness of existing controls that prevent unauthorized access to CPS assets and protect their availability and integrity. “Audits can be expansive and include security testing of remote devices such as off-the-shelf and enterprise-grade remote access solutions, penetration testing in order to identify exploitable vulnerabilities, and assessments on policy enforcement. In addition to regular audits, process improvements for providing change approvals were cited by 45% of respondents. These may include streamlined approvals for remote access requests and policies that define controls such as multifactor authentication, enforcement of the principle of least privilege, encrypted connections, and regulatory compliance.”

    The report identifies that economic instability complicates the management of CPS risks, making collaboration between cybersecurity leaders and business executives increasingly important. Current asset-centric approaches focus on device properties and overall risk but can overlook the business impact of potential exploits. 

    With global market disruptions and geopolitical tensions, organizations have an opportunity to adopt an impact-centric approach that prioritizes mitigation and remediation based on potential business and regulatory consequences. This method aligns security, IT, and OT teams, improves compliance, and allows cybersecurity leaders to communicate effectively with business stakeholders. By framing risks in terms of their effect on operations, such as production lines or hospital operations, organizations can better protect mission-critical systems while supporting business objectives and minimizing disruption, downtime, and financial loss.

    The report outlines three key outcomes of an impact-centric approach to CPS security. First, impact-centric risk reduction emphasizes prioritizing vulnerabilities based on their business context, allowing remediation efforts to focus on assets that pose the greatest operational or financial risk, such as critical PLCs or life-support machines in healthcare. Second, contextual prioritization involves creating device purpose hierarchies and conducting business impact analyses so security teams can understand the significance of alerts and prioritize fixes appropriately. 

    Finally, risk benchmarking and business comparisons provide visibility into the organization’s security posture, enable industry comparisons, and help track risk reduction over time, supporting informed decisions by executives and boards.

     
