Section 01: Executive Summary

Industrial control systems are the most targeted environment in the world for the fifth year running, and most of them were designed before network connectivity was a design consideration. That gap is where attackers live. 

The numbers frame the stakes quickly. A breach in an OT environment costs an average of $4.56 million; in the U.S. specifically the average is $10.22 million, a record. Seventy-two hours of unplanned downtime in a high-throughput facility runs roughly $9 million at $125,000 per hour. IBM X-Force placed industrial production at the top of its global targeting list for the fifth consecutive year, with 27.7% of all incidents. Dragos tracked 119 ransomware groups hitting 3,300 industrial firms in 2025 alone. And NERC CIP violations can cost $1 million per day, with CIRCIA now mandating 72-hour reporting across all 16 critical infrastructure sectors.

Section 02: The Threat Landscape

Industrial targeting is no longer a nation-state problem with occasional criminal spillover. In 2025, ransomware groups, espionage collectives, and hacktivist operators all ran sustained campaigns against the same production environments, with different objectives but overlapping access methods. 

By the Numbers

Six in ten industrial operators reported at least one OT security incident in 2025. The threat behind most of those incidents isn’t sophisticated: 40% of IBM X-Force cases that year started with a vulnerability exploit, with public-facing application attacks growing 44% year over year. The ransomware ecosystem driving those intrusions has expanded fast: 119 active groups in 2025, up 49% from 80 the year before, targeting 3,300 industrial organizations. [7][4][6]

Methodology note: IBM X-Force statistics are based on incident response activities, dark web intelligence, and global threat telemetry. Fortinet data is based on a global survey of OT security practitioners. [8]

Ransomware Has Industrialized

When a chemical plant loses visibility into its distributed control system, the shutdown is near-total. Ransomware operators understand this leverage deeply.

Dragos tracked 119 active groups targeting industrial firms across 2025, a 49% jump from the prior year, with production networks accounting for more than two-thirds of all victims. [4]

Critically, OT incidents are frequently misclassified as IT-only events because engineering workstations and HMIs run Windows-based operating systems and are catalogued as IT assets in CMDB tools. [9] Security teams close tickets on incidents that have already reached Stage 2 of the ICS Cyber Kill Chain.

The Pre-Positioning Threat

Dragos’s 2026 Year in Review identifies KAMACITE as having systematically mapped control loops inside production environments before initiating any visible disruption. AZURITE explicitly targets engineering workstations where operators modify controller logic, rapidly weaponizing publicly available proof-of-concept exploit code. [4]

A production network can be fully compromised for months while detection tools report no alerts, because most OT monitoring is built to detect device failure, not adversary behavior.

Section 03: The IT/OT Convergence Problem

Logical segmentation policies and physical network reality have diverged in most asset-intensive production environments, creating the primary operational vulnerability.

Industrial control system hardware is built around decades-long life cycles. A programmable logic controller installed at the beginning of the 2000s can still be controlling an important manufacturing process in 2026, running firmware written before internet-facing security vulnerabilities were a design consideration. Integrating these brownfield assets with cloud-connected analytics platforms and remote vendor portals creates a seam that attackers walk through routinely.

Fortinet’s 2025 State of Operational Technology and Cybersecurity Report documents a meaningful governance shift: 52% of industrial operators now place OT security under the CISO or CSO, up from just 16% in 2022, with C-suite accountability reaching 95% overall. [10] Governance accountability without operational visibility is largely ceremonial, however.

CISA’s CPG Adoption Report, covering 7,791 critical infrastructure firms enrolled in its Vulnerability Scanning service, found OT protocols exposed to the public internet remained persistent, with Government Services and Facilities showing 63% exposure as recently as August 2024. [11]

Dragos further found that 25% of ICS-CERT and NVD vulnerability records carried incorrect CVSS severity scores in 2025, and 26% of advisories came with no patch or vendor mitigation available. [9]

Section 04: Regulatory and Framework Mandates

Federal enforcement posture has shifted toward penalty-focused action, and the gap between documented policy and verified operational control is where enforcement actions are landing.

The framework stack (NIST SP 800-82, CSF 2.0, IEC 62443, NERC CIP, CIRCIA) is less important than where enforcement is actually landing. NERC CIP penalties can reach $1 million per day. CIRCIA mandates 72-hour reporting across all 16 critical infrastructure sectors. The frameworks tell you what to build. The enforcement calendar tells you what to build first. [2][12][13]

CIRCIA mandates 72-hour cyber incident reporting to CISA across all 16 critical infrastructure sectors. [5] CISA CPGs 2.0 establishes cross-sector performance goals on segmentation, zero trust, and lateral movement mitigation. [14]

Where implementation consistently breaks down is the intersection of engineering reality and security intent. Patching cycles that work in enterprise IT are operationally implausible for a PLC governing a reactor that cannot go offline without a multi-day shutdown. Building security-aligned champions within plant operations teams, and framing security windows as co-equal with safety testing cycles, is the change management work that no framework document can prescribe, but every implementation requires.

COMPLIANCE RISK: NERC CIP enforcement activity has increased steadily since 2023. CIRCIA reporting failures expose critical infrastructure owners and operators to compounding federal scrutiny. CISOs without tested incident response workflows face the highest exposure. [5]

Section 05: Zero Trust for OT

Gartner predicts that by 2026, only 10% of large industrial firms will have a mature zero-trust program in place. [15] Through 2026, 75% of asset-intensive production firms will explicitly exclude unmanaged, legacy, and cyber-physical systems from their zero trust strategies entirely. [16]

They are not failing to extend zero trust. They are deliberately excluding legacy assets because the alternative is production disruption. Compensating controls become the real architecture.

In practice, zero trust in OT means a layered set of compensating controls, because the alternative, extending zero trust to legacy PLCs that cannot support agents, halts production. The working architecture looks like this: Purdue Model segmentation for zone isolation. Unidirectional gateways for historian replication. Protocol-constraining firewalls per zone. Application whitelisting on engineering workstations. Ephemeral ZTNA sessions replacing persistent VPN tunnels for all vendor access, with session recording. None of these is a new idea. What’s new is that enforcement against environments without them has a timeline now.

IBM X-Force reports that supply chain and third-party access have nearly doubled in breach frequency since 2020. [3] Vendor access governance must therefore require SOC 2 or ISO 27001 audit attestation, ZTNA or an approved jump-host path, and a segmented DMZ that keeps vendors from reaching the control network directly.
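The compensating-control stack above (zone isolation, a unidirectional gateway for historian replication, per-zone protocol constraints, recorded ZTNA sessions terminating in a DMZ) can be written down as a conduit policy and checked before a change is approved. The following is an added example, not code from the report or any vendor; the zone numbering, protocol allow-lists and sample flows are constructed.

```python
# Zone-and-conduit policy check for the compensating-control stack described
# above (Purdue zones, data diode for historian replication, per-zone protocol
# allow-lists, recorded ZTNA vendor sessions). Added example, not from the
# report: zone numbering, allow-lists and sample flows are constructed.
from dataclasses import dataclass

LEVELS = {"control": 1, "supervisory": 2, "site_ops": 3, "dmz": 3.5,
          "enterprise": 4, "vendor": 5}   # Purdue level per zone (constructed)

ZONE_PROTOCOLS = {   # what each zone may receive: the per-zone protocol firewall
    "control": {"Modbus/TCP", "EtherNet/IP"},
    "supervisory": {"OPC-UA", "Modbus/TCP"},
    "dmz": {"HTTPS", "SQL"},
    "enterprise": {"HTTPS", "SQL", "SMB"},
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    via: str = "direct"     # "direct", "data_diode", "ztna_jumphost", "vpn"
    recorded: bool = False  # session recording on interactive vendor access

def evaluate(f: Flow) -> tuple:
    """Return (allowed, reason) for one proposed conduit."""
    if f.src not in LEVELS or f.dst not in LEVELS:
        return False, "unknown zone; inventory it first"
    if f.protocol not in ZONE_PROTOCOLS.get(f.dst, set()):
        return False, f"{f.protocol} is not permitted into {f.dst}"
    if f.src == "vendor":
        if f.via != "ztna_jumphost":
            return False, "vendor access only through a ZTNA jump host"
        if f.dst != "dmz":
            return False, "vendors terminate in the DMZ, never on the control network"
        if not f.recorded:
            return False, "vendor session must be recorded"
        return True, "recorded ZTNA session into the DMZ"
    lo, hi = LEVELS[f.src], LEVELS[f.dst]
    if hi < lo and lo - hi > 1:
        return False, "skips a Purdue level; route through the next zone down"
    if lo < LEVELS["dmz"] <= hi and f.via != "data_diode":
        return False, "OT data crosses the DMZ boundary only via a unidirectional gateway"
    return True, "permitted conduit"

FLOWS = [   # constructed flows to review
    Flow("supervisory", "dmz", "SQL", via="data_diode"),  # historian replication
    Flow("supervisory", "dmz", "SQL"),                    # same, but bidirectional
    Flow("enterprise", "control", "Modbus/TCP"),          # IT host straight to a PLC
    Flow("vendor", "dmz", "HTTPS", via="vpn"),            # legacy persistent VPN
    Flow("vendor", "dmz", "HTTPS", via="ztna_jumphost", recorded=True),
    Flow("vendor", "control", "Modbus/TCP", via="ztna_jumphost", recorded=True),
    Flow("site_ops", "supervisory", "OPC-UA"),            # adjacent levels, allowed
]
```

Run `evaluate` over each entry in `FLOWS`: only the diode-backed historian push, the recorded ZTNA session into the DMZ, and the adjacent-level OPC-UA flow pass; every other flow is refused with the rule it breaks.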

CISOs must set baseline MTTD and MTTR targets at program launch. A reasonable starting MTTD target is below 30 days, with an aim of below 14 days within 12 months. IBM’s 2025 breach data shows AI-augmented security tooling cut breach lifecycles by 80 days and reduced per-incident costs by nearly $1.9 million. [1]

Section 06: Industry Deep-Dive

Production Networks: Five Years at the Top of the Target List

IBM X-Force has placed OT-intensive production at the top of its global targeting rankings for five consecutive years, with 27.7% of all observed 2025 incidents concentrated there. [17] Production environments accounted for more than two-thirds of all ransomware victims tracked by Dragos in 2025. [4]

A threat actor with access to an engineering workstation can alter controller calibration parameters in ways that produce no immediate alert, generating faulty outputs for days before quality deviations surface. [2]

Energy: Safety and Revenue at Simultaneous Risk

Dragos’s 2026 research documented authentication bypass and command injection vulnerabilities in battery energy storage systems, with over 100 internet-exposed devices confirmed, including inverters designed to supply grid-level power to electric utilities. [9] IBM data places average breach costs for energy sector firms at $4.83 million in 2025, before any regulatory enforcement exposure. [18]

Healthcare: The Overlooked OT Attack Surface

Pharmaceutical production lines, hospital HVAC systems, and laboratory automation platforms all sit on operational networks that frequently share physical connectivity with clinical IT. IBM’s 2025 breach data placed healthcare at $7.42 million per incident, the highest of any sector for the 14th consecutive year. [19]

Government and Defense Industrial Base

IBM X-Force data shows North America became the most targeted region globally in 2025, accounting for 29% of all incident response cases, up from 24% the prior year. [20] Defense industrial base suppliers operating production OT networks under CMMC scope carry the dual burden of federal security mandates and production availability requirements that do not pause for compliance timelines.

Section 07: CISO Action Roadmap

Phase 1 — Know what you have (Months 1–3) 

You cannot segment what you haven’t mapped. Passive OT asset discovery, using tools built for industrial protocols that don’t inject traffic, is the starting point. The output isn’t a spreadsheet. It’s a working asset register: device type, firmware version, protocol, communication pattern, and safety system dependency. Nothing in Phase 2 is credible without it.

Phase 2 — Prioritize by production impact, not CVSS (Months 2–4) 

CVSS scores were built for IT environments. A 6.5 on a PLC governing a safety-critical process is not equivalent to a 6.5 on a file server. Map vulnerabilities against CISA’s Known Exploited Vulnerabilities catalog, then rank by physical and production consequence, not the number alone. [12][21]

Phase 3 — Segmentation and vendor access control (Months 3–8) 

Purdue Model segmentation with zone and conduit documentation. ZTNA replacing legacy VPN for all vendor access, with jump-host enforcement and session recording. The implementation challenge here is rarely technical — it’s operational. Engineers who own maintenance windows are the people whose cooperation determines whether this phase succeeds or stalls. Treat them as the primary stakeholder, not a secondary approval. 

Phase 4 — Detection built for OT, not adapted from IT (Months 6–12) 

Protocol-aware OT monitoring integrated with the SOC or MSSP. MTTD and MTTR baselines set at program launch — below 30 days to start, with a 12-month target of below 14. OT incident response playbooks are written separately from IT runbooks, because a ransomware response that works on a file server can cause a safety event on a production line. 

Tabletop exercises are conducted at a minimum twice annually across three scenario categories: ransomware with production halt, long-dwell espionage, and supply-chain compromise via vendor access. Include insurance representatives and regulatory contacts in at least one exercise annually to validate CIRCIA reporting workflows.

Phase 5 — Governance and continuous improvement (Ongoing)

Formal OT security governance with CISO accountability and board-level reporting cadence. Patch management is designed around OT maintenance windows. OT risk tracked against CISA CPGs 2.0 performance objectives [14] and integrated into annual enterprise risk management reviews.
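Phases 1 and 2 of the roadmap combine naturally: the Phase 1 register (device type, firmware, protocol, communication pattern, safety dependency) is exactly the context Phase 2 needs to rank a finding by production consequence rather than by CVSS alone. The block below is an added example, not code from the report; the consequence weights, the sample register and the CVE identifiers are constructed placeholders, and the `in_kev` flag stands in for a real lookup against CISA’s KEV catalog.

```python
# Consequence-based vulnerability ranking over a Phase 1 style asset register.
# Added example, not from the report: weights, sample records and CVE ids are
# constructed placeholders; in_kev stands in for a real CISA KEV lookup.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    device_type: str         # "SIS", "PLC", "EWS", "HMI", "file_server"
    firmware: str
    protocol: str
    comm_pattern: str        # "control_loop", "historian_push", "it_only"
    safety_dependency: bool  # feeds a safety instrumented function

@dataclass(frozen=True)
class Vuln:
    cve_id: str
    asset: str               # Asset.name
    cvss: float
    in_kev: bool             # listed in CISA KEV (constructed flag)
    patch_available: bool    # no patch => needs a compensating control

# Constructed weights expressing physical and production consequence.
DEVICE_WEIGHT = {"SIS": 4.0, "PLC": 3.0, "EWS": 2.5, "HMI": 2.0, "file_server": 1.0}
PATTERN_WEIGHT = {"control_loop": 2.0, "historian_push": 1.2, "it_only": 1.0}

def consequence_score(v: Vuln, a: Asset) -> float:
    score = v.cvss / 10.0 * DEVICE_WEIGHT.get(a.device_type, 1.0) * PATTERN_WEIGHT.get(a.comm_pattern, 1.0)
    if a.safety_dependency:
        score *= 2.0   # a fault here is a safety event, not an outage
    if v.in_kev:
        score *= 2.0   # known exploited outranks raw CVSS
    if not v.patch_available:
        score *= 1.25  # cannot be closed by a patch ticket
    return round(score, 2)

def rank_by_consequence(vulns, assets):
    """[(score, cve_id, asset_name)] with the highest consequence first."""
    by_name = {a.name: a for a in assets}
    return sorted(((consequence_score(v, by_name[v.asset]), v.cve_id, v.asset)
                   for v in vulns), reverse=True)

# Constructed sample: the same 6.5 sits on a safety-critical PLC and a file server.
ASSETS = [
    Asset("PLC-R1", "PLC", "fw-2.1", "Modbus/TCP", "control_loop", True),
    Asset("EWS-03", "EWS", "win10", "vendor-eng-tool", "control_loop", False),
    Asset("FS-01", "file_server", "win2019", "SMB", "it_only", False),
]
VULNS = [
    Vuln("CVE-PLACEHOLDER-A", "PLC-R1", 6.5, in_kev=False, patch_available=False),
    Vuln("CVE-PLACEHOLDER-B", "FS-01", 6.5, in_kev=False, patch_available=True),
    Vuln("CVE-PLACEHOLDER-C", "FS-01", 9.8, in_kev=True, patch_available=True),
    Vuln("CVE-PLACEHOLDER-D", "EWS-03", 7.5, in_kev=True, patch_available=True),
]
```

Sorted by CVSS alone the 9.8 on the file server comes first; `rank_by_consequence(VULNS, ASSETS)` instead puts the unpatched 6.5 on the safety-critical PLC at the top and the file-server findings last, which is the ordering the maintenance window should follow.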

Section 08: Budget and Board Alignment

When pitching OT security investments to boards, protocol names should be confined to the technical appendix. What matters to financial executives and board members is the language of protection and money: production continuity, liability risks, insurance expenses, and compliance penalties.

Gartner’s Projection: Information Security, Worldwide predicts global spending on security reaching $240 billion by 2026, up 12.5% from 2025. [22]

Important Financial Metrics

$240B: predicted global information security expenditure for 2026, up 12.5%. [22]

$10.22M: average data breach expense in the United States for 2025, an all-time high. [1]

$125,000/hour: average ransomware-driven unplanned downtime cost in high-throughput operational networks. Calibrate to your facility’s actual throughput before board presentation. [2]

Up to $1M/day: maximum NERC CIP penalty per violation. Enforcement patterns vary by violation severity and history. [2]

Three Arguments That Move Boards

Production continuity arithmetic closes fast. At $125,000 per hour, a 72-hour containment scenario produces approximately $9 million in downtime cost alone, before legal or remediation expenses. Tailor the hourly figure to your actual production economics before the board meeting. 

Personal liability has changed the conversation. SEC disclosure rules, reinforced through multiple enforcement actions since 2023, create direct personal liability for executives and board members who fail to report material incidents within required timeframes. [5]

The insurance market is repricing OT risk now. Insurers are increasingly pricing around exactly this issue. Gartner projects that 75% of asset-intensive firms will exclude legacy and cyber-physical systems from zero trust strategies through 2026, leaving major visibility and control gaps inside underwriting assessments. [16]

Section 09: Conclusion

The data has been consistent for five years. Industrial production leads global targeting rankings. Ransomware groups have industrialized their own operations to match. Governance accountability has moved to the C-suite. And zero trust maturity in OT environments remains, for most organizations, a future state. [15] The gap between governance intent and operational reality remains wide.

Visibility into what assets exist, how they communicate, and what access pathways connect plant-floor infrastructure to corporate networks is still absent in the majority of production environments. Without that foundation, segmentation produces false confidence, detection tools generate alerts without operational context, and incident response playbooks address scenarios that do not match the actual architecture.

Conduct the asset inventory. Build the segmentation baseline. Stand up detection with measurable MTTD targets. Develop OT-specific response playbooks and test them before an incident demands them. Bring the board in with safety and revenue language, not protocol acronyms.

A threat actor mapping your control loops isn’t waiting for your next board cycle. The asset inventory is where this starts; everything else depends on it. 

References

[1] IBM Newsroom, “IBM Report: 13% of Organizations Reported Breaches of AI Models or Applications,” July 2025

[2] IBM, “Cost of a Data Breach: The Industrial Sector,” November 2025

[3] IBM X-Force, “2026 X-Force Threat Intelligence Index,” February 2026

[4] Dragos Blog, “Dragos 2026 OT Cybersecurity Year in Review,” February 2026

[5] CISA, “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA),” 2025

[6] Fortinet, “2025 State of Operational Technology and Cybersecurity Report,” 2025

[7] IBM Newsroom, “IBM 2026 X-Force Threat Index: AI-Driven Attacks Are Escalating as Basic Security Gaps Leave Enterprises Exposed,” February 2026

[8] CISA, “ICS Advisories,” 2025

[9] Dragos Press Release, “Dragos 2026 Year in Review: New OT Threats and Ransomware,” February 2026

[10] Fortinet Newsroom, “Fortinet Report: OT Cybersecurity Risk Elevates Within Executive Leadership Ranks,” July 2025

[11] CISA, “CPG Adoption Report,” January 2025

[12] NIST CSRC, “NIST Publishes SP 800-82 Revision 3,” September 2023

[13] NIST, “Cybersecurity Framework 2.0,” 2024

[14] CISA, “Cross-Sector Cybersecurity Performance Goals,” 2025

[15] Gartner Newsroom, “Gartner Predicts 10% of Large Enterprises Will Have a Mature and Measurable Zero-Trust Program in Place by 2026,” January 2023

[16] Gartner Newsroom, “Gartner Unveils Top Eight Cybersecurity Predictions for 2024,” March 2024

[17] IBM, “Why Manufacturing Companies Are Most Vulnerable to Hacking,” 2026

[18] IBM, “Cost of a Data Breach Report 2025,” 2025

[19] IBM X-Force, “2025 Cost of a Data Breach: Navigating AI,” July 2025

[20] IBM, “Cybersecurity Trends 2026,” 2026

[21] CISA, “Known Exploited Vulnerabilities Catalog,” 2025

[22] Gartner Newsroom, “Gartner Forecasts Worldwide End-User Spending on Information Security to Total $213 Billion in 2025,” July 2025