* [Blog](https://www.paloaltonetworks.com.au/blog) * [Security Operations](https://www.paloaltonetworks.com.au/blog/security-operations/) * [Product Features](https://www.paloaltonetworks.com.au/blog/security-operations/category/product-features/) * The Cartography of Risk: ... # The Cartography of Risk: Operational Technology and the Public Internet [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsecurity-operations%2Fthe-cartography-of-risk-operational-technology-and-the-public-internet%2F) [](https://twitter.com/share?text=The+Cartography+of+Risk%3A+Operational+Technology+and+the+Public+Internet&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsecurity-operations%2Fthe-cartography-of-risk-operational-technology-and-the-public-internet%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsecurity-operations%2Fthe-cartography-of-risk-operational-technology-and-the-public-internet%2F&title=The+Cartography+of+Risk%3A+Operational+Technology+and+the+Public+Internet&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com.au/blog/security-operations/the-cartography-of-risk-operational-technology-and-the-public-internet/&ts=markdown) \[\](mailto:?subject=The Cartography of Risk: Operational Technology and the Public Internet) Link copied By [Brendan Powers](https://www.paloaltonetworks.com/blog/author/brendan-powers/?ts=markdown "Posts by Brendan Powers") and [Adam Robbie](https://www.paloaltonetworks.com/blog/author/adam-robbie/?ts=markdown "Posts by Adam Robbie") Feb 24, 2026 3 minutes [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown) [Active Defense](https://www.paloaltonetworks.com/blog/tag/active-defense/?ts=markdown) [Attack Surface Discovery](https://www.paloaltonetworks.com/blog/tag/attack-surface-discovery/?ts=markdown) [Cortex Xpanse](https://www.paloaltonetworks.com/blog/tag/cortex-xpanse/?ts=markdown) [EASM](https://www.paloaltonetworks.com/blog/tag/easm/?ts=markdown) [External Attack Surface Management](https://www.paloaltonetworks.com/blog/tag/external-attack-surface-management/?ts=markdown) [ICS Security](https://www.paloaltonetworks.com/blog/tag/ics-security/?ts=markdown) [Idaho National Laboratory](https://www.paloaltonetworks.com/blog/tag/idaho-national-laboratory/?ts=markdown) [Industrial Control Systems](https://www.paloaltonetworks.com/blog/tag/industrial-control-systems/?ts=markdown) [Infrastructure Protection](https://www.paloaltonetworks.com/blog/tag/infrastructure-protection/?ts=markdown) [OT security](https://www.paloaltonetworks.com/blog/tag/ot-security/?ts=markdown) [OT-IT Convergence](https://www.paloaltonetworks.com/blog/tag/ot-it-convergence/?ts=markdown) [Palo Alto Networks](https://www.paloaltonetworks.com/blog/tag/palo-alto-networks/?ts=markdown) [Siemens](https://www.paloaltonetworks.com/blog/tag/siemens/?ts=markdown) The air gap still shapes how many teams think about operational technology (OT). They picture critical systems sealed off from the public web. Reality looks different. Nearly 20 million operational technology-related devices sit directly online, visible and reachable. [Collaborative research from Palo Alto Networks, Siemens, and the Idaho National Laboratory (INL)](https://www.paloaltonetworks.com/resources/whitepapers/securing-ot-environments) reveals a staggering 332 percent surge in unique, fingerprinted industrial devices exposed to the internet, from 6 million in 2023 to 20 million in 2024. The OT attack surface no longer stays inside the plant. ## **The Scale of Exposure** In 2024, Cortex Xpanse recorded more than 110 million observations of OT devices exposed to the internet, a 138 percent increase over the prior year. Those observations tracked what was exposed to the internet at the time, not what a quarterly report captured. Tridium Niagara was the most frequently observed OT application on the internet, often tied to HVAC and facilities systems. With systems like this, exposure spikes during summer months in the Northern Hemisphere, aligning with installation and servicing cycles. So, risk often flows from routine operations, not from sophisticated intent. ![Fig. 1 Cortex Xpanse provides ~40% more attack surface visibility per organization](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/02/word-image-352772-1.png) Fig. 1 Cortex Xpanse provides ~40% more attack surface visibility per organization ## **The 185 Day Warning** The best opportunity to defend often arrives long before impact. [The whitepaper notes](https://www.paloaltonetworks.com/resources/whitepapers/securing-ot-environments) that 82.8 percent of adversary activity occurs during the precursor phase. On average, threat actors linger for 185 days after first observation, probing ports, testing authentication paths, and building access routes. Xpanse maps that precursor window by scanning the public IPv4 space multiple times per day and fingerprinting exposed services. When an internet-facing management portal appears, defenders can respond while an attacker still searches. ## **Active Defense Through Visibility** Static snapshots fail because the perimeter changes faster than reporting cycles. Xpanse provides continuous discovery and attribution, separating deliberate exposure from accidental leakage. Paired with internal context, defenders gain two lenses: * **External exposure**: internet observable hosts, ports, services, and applications * **Internal context**: asset role, business criticality, and reachable paths ## **Case Study: Real-World Resilience** This isn't just a theoretical exercise; it is the cornerstone of defense for organizations managing complex, sprawling infrastructures. CBTS, a leading technology provider, leveraged Cortex Xpanse as part of its platformization strategy to gain 100% visibility into its network boundaries. During a major organizational split, the security team used Xpanse to discover and catalog every internet-facing asset across their new environment, identifying and remediating thousands of accidental exposures in real time. By moving from a "detect and ticket" model to an automated platform, they were able to consolidate 20 disparate tools into a single source of truth and reduce their median time to resolution from days to just 13 seconds. **Read the full CBTS case study [here](https://www.paloaltonetworks.com/customers/cbts-resolves-incidents-in-seconds-with-platformization).** ## **From Reactive Response to Strategic Mitigation** Visibility alone does not fix the backlog. Many programs treat every vulnerability as urgent, even when existing defenses already break the exploit path. Cortex Exposure Management addresses this with Security and Compensating Controls, letting teams validate mitigation, capture attestation, and prioritize only exposures that remain truly reachable. For security leaders, this shift matters in two ways: * **Optimized operations**: less false urgency, more focus on unmitigated threats that require action * **Empowered decision making**: clearer residual risk that supports budget justification and risk acceptance ## **A New Source of Truth** The hidden industrial network belongs to the past. Cortex Xpanse provides the external map. As OT converges with IT, that platform view helps teams automate workflow handoff, measure residual risk, and act before precursor activity matures. **Read the [Intelligence Driven Active Defense white paper](https://www.paloaltonetworks.com/resources/whitepapers/securing-ot-environments) and schedule [a personalized Cortex Xpanse demo](https://www.paloaltonetworks.com/cortex/request-demo) to close the 185 day gap.** *** ** * ** *** ## Related Blogs ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown) [#### Rage Against the (IP Enabled) Machines: Using Attack Surface Management to Discover Exposed OT and ICS Systems](https://www.paloaltonetworks.com.au/blog/security-operations/rage-against-the-ip-enabled-machines-using-attack-surface-management-to-discover-exposed-ot-and-ics-systems/) ### [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Beyond the Cloud Dashboard: Exposure Management Requires Full-Scope Visibility and Real Action](https://www.paloaltonetworks.com.au/blog/security-operations/beyond-the-cloud-dashboard-exposure-management-requires-full-scope-visibility-and-real-action/) ### [Company \& Culture](https://www.paloaltonetworks.com/blog/category/company-culture/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown) [#### AI in OT Security --- Balancing Industrial Innovation and Cyber Risk](https://www.paloaltonetworks.com.au/blog/2024/08/ai-in-ot-security/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown) [#### Automate Insecure OpenSSH vulnerability patching in Ubuntu AWS EC2 with Cortex Xpanse](https://www.paloaltonetworks.com.au/blog/security-operations/automate-insecure-openssh-vulnerability-patching-in-ubuntu-aws-ec2-with-cortex-xpanse/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown) [#### Get Ahead of Chrome Changes with Cortex Xpanse](https://www.paloaltonetworks.com.au/blog/security-operations/get-ahead-of-chrome-changes-with-cortex-xpanse/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown) [#### What's Next in Cortex - New Wave of Innovations in Cortex (June 2024 Release)](https://www.paloaltonetworks.com.au/blog/security-operations/whats-next-in-cortex-new-wave-of-innovations-in-cortex-june-2024-release/) ### Subscribe to Security Operations Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www.paloaltonetworks.com.au/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language