Breaking Down Guardians of the Government, Volume 2
The Claroty Team
/September 4th, 2025/
3 min read
The findings of Claroty’s report with MeriTalk, published today, "Guardians of Government, Vol. 2: Fortifying the Cyber-Physical Frontier," sends a clear message: federal agencies are seriously stepping up their game when it comes to securing cyber-physical systems (CPS).
We surveyed 100 federal operational technology (OT) and CPS security pros, and their insights highlight where agencies are making strides and where serious ground remains in protecting the nation's critical infrastructure.
91% of Federal CPS leaders replied to the survey that their agency is laser-focused on OT and broader CPS security. What's even better? Every single agency launched new CPS security initiatives last year, with a big push on governance, traditional OT, and IoT. Plus, "zero trust" isn't just a buzzword anymore—it's twice as likely to be driving CPS strategy compared to last year.
But Don't Get Too Comfortable—Vulnerabilities Linger
Here's the sobering part: despite all that investment, we're still facing major risks with 68% of leaders saying they expect a disruptive CPS incident in the next year. IoT devices and building management systems (BMS) and /facilityrelated control systems (FRCS) are particularly vulnerable. And here's the kicker, 36% of agencies have full asset visibility—which is like trying to protect your house when you don't even know what's inside. Add to that a shortage of in-house CPS experts (according to 62% of respondents) and concerns about old, internet-facing OT assets (60%), and you can see why things are a bit uneasy.
The Usual Suspects: Systemic Challenges
We heard a familiar refrain about ongoing hurdles: budget woes (61%), the lack of specialized in-house talent (62%), and a persistent disconnect between CPS and IT teams (45%). Throw in the sheer complexity of OT/CPS environments and the struggle to keep up with new threats, and you've got a tough battle on your hands.
Vulnerability Assessments? Not Enough, Not Continuous
While many agencies are doing vulnerability assessments, only one-third are doing them continuously, creating exposures that attackers may exploit. This is especially alarming when you consider that 97% of OT systems are connected to enterprise IT networks. Advanced technologies and strategies such as artificial intelligence and machine learning integration, 5G, and cloud-based OT management, the attack surface is getting bigger.
What Actually Works? Proven Protection Strategies
A clear pattern emerged in agencies that did not report experiencing an incident: They're more likely to have dedicated in-house CPS leadership, fewer old, unpatchable systems, fully implemented network protection and threat detection, and modern access controls. Plus, they're embracing portable OT security assessment capabilities.
5 Key Strategies to Improve CPS Protection
The report lays out a clear roadmap for beefing up CPS security:
See Everything: You can't protect what you can't see, therefore full asset visibility is non-negotiable and working with experts such as Claroty helps make this achievable.
Assess Constantly: Quarterly assessments aren't cutting it. We need continuous vulnerability monitoring to fix issues fast.
Strengthen from Within: Invest in smart OT/CPS security tools with AI-driven automation and portability to close those knowledge gaps and make the most of limited resources.
Isolate the Risky Stuff: For those old, unpatchable systems, automated virtual segmentation is key to containing threats.
Team Up with Experts: Don't go it alone! Bring in external specialists to boost your internal capabilities and scale your security efforts.
The bottom line? Federal agencies have a huge opportunity—and an urgent need—to really double down on their CPS security. It's all about getting that foundational visibility, assessing continuously, building internal expertise, and forging smart partnerships.
