Uptime Intelligence has highlighted the growing number of high-profile ransomware incidents involving data center owners, operators and third-party vendors in recent reports (see Seven fallacies of data center cybersecurity and Cybersecurity and the cost of human error). Despite the rise in reported incidents, many operators and industrial facilities continue to use outdated security systems and practices, leaving them vulnerable to internal and external threats.
In the first quarter of 2025, Honeywell (the US supplier of control systems) discovered 2,472 new ransomware incidents on industrial control (ICS/OT) systems — a steep 46% increase from the previous quarter. Ransomware accounted for 39% of all threats (see The 2025 Honeywell Cyber Threat Report, June 2025; Table 1 and Table 2). While ransomware incidents are increasing across IT generally, these incidents are mostly not associated with OT/control systems.
Another report from cybersecurity software supplier Claroty found that 50% of 270 industrial organizations have known exploitable vulnerabilities (KEVs) linked to ransomware (see State of CPS security 2025: OT exposures, February 2025). Ransomware was detected in 7% (approximately 6,000) of all devices, with one-third (approximately 2,000) of devices insecurely connected to the internet. KEVs represent significant risks because they are vulnerabilities that have either been exploited or are under active exploitation.
The data in Table 1 and Table 2 below is taken from a Honeywell survey based on telemetry data from its Secure Media Exchange (SMX) system. SMX checks for malware and blocks corrupt files from being transferred from compromised removable media devices, such as USB drives, mice, charging cords and laptops, into ICS/OT systems.
SMX is deployed on-premises at industrial sites. Personnel are required to scan their devices before entering the facility. When visitors or employees check out, SMX rechecks the device and logs any anomalies.
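As an added illustration of the check-in and check-out recheck described above (this is not Honeywell's SMX code, whose internals the report does not describe), the Python example below hashes every file on a removable device at check-in and compares the result at check-out. It assumes that an "anomaly" means a file added, modified or removed between the two scans; the function names, the `RISKY_SUFFIXES` list and the sample files are hypothetical and constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types a site might treat as higher risk on removable media.
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".bat", ".ps1", ".vbs", ".inf"}

def snapshot(root):
    """Map each file's path (relative to the media root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest

def recheck(check_in, check_out):
    """Compare the check-in and check-out manifests and list every difference."""
    anomalies = []
    for path, digest in check_out.items():
        if path not in check_in:
            change = "added"
        elif check_in[path] != digest:
            change = "modified"
        else:
            continue  # unchanged since check-in
        risky = Path(path).suffix.lower() in RISKY_SUFFIXES
        anomalies.append({"path": path, "change": change, "risky_type": risky})
    for path in check_in.keys() - check_out.keys():
        anomalies.append({"path": path, "change": "removed", "risky_type": False})
    return sorted(anomalies, key=lambda a: a["path"])

def demo():
    """Constructed sample: a temporary directory stands in for a USB drive."""
    with tempfile.TemporaryDirectory() as d:
        media = Path(d)
        (media / "firmware_v2.bin").write_bytes(b"constructed firmware image")
        (media / "notes.txt").write_text("site visit checklist")
        before = snapshot(media)                      # scan at check-in
        (media / "notes.txt").write_text("site visit checklist, edited on site")
        (media / "setup.exe").write_bytes(b"MZ constructed sample, not a real binary")
        (media / "firmware_v2.bin").unlink()
        return recheck(before, snapshot(media))       # rescan at check-out

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

A manifest comparison of this kind only shows what changed on the device while it was on site; it complements, and does not replace, the malware scanning that the report attributes to SMX.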
Table 1 Cyber-physical threats, incidents, and unique incidents using Honeywell SMX
Table 2 provides a more granular view of the most common types of threats identified and blocked, as well as their most common attack routes into the ICS/OT system.
Table 2 Most common ICS/OT threats involving removable devices
The key findings from the Honeywell report include the following:
The recent Honeywell and Claroty reports highlight two critical issues that Uptime and other security specialists have consistently emphasized. Firstly, many data center facilities continue to use outdated computer hardware and legacy Windows operating systems for ICS/OT interfaces, such as SCADA, programmable logic controllers or building management systems. These systems are often embedded and may escape IT inventory checks.
Secondly, many operators assume that if they are not connected to the internet, their systems remain securely air-gapped. However, USB devices and mobile devices such as laptops are widely used to download and upload information and transfer files for data-related queries. Engineers and third-party contractors commonly use removable devices when performing on-site system updates and maintenance. Table 3 shows the prevalence of risk associated with update approaches on software and firmware.
Table 3 Prevalence and risks with software/firmware update approaches
At a minimum, OT systems should be up to date, properly patched and network-protected, both within and outside the data center, to guard against all threats, including those introduced via removable media. The following steps can significantly enhance the security of existing ICS/OT systems:
Effective data center cybersecurity is complex and requires constant diligence. Some data center operators are concerned that adding new security layers onto critical equipment, or into management operations, could impact their ability to respond to events or emergencies.
This may be a valid argument, but it can no longer be a reason for inaction. The steady rise in ransomware and never-before-seen incidents highlights the need for more proactive defense strategies to prevent threats from breaching the data center.
Other related reports published by Uptime Institute include:
Seven fallacies of data center cybersecurity
Cybersecurity and the cost of human error