Executive Summary

The OT and ICS threat landscape changed markedly in 2025. Adversaries are no longer content to establish persistence and wait. They are now mapping control loops, learning process dependencies, and positioning themselves to act.

The window between a network intrusion and a physical effect has shortened significantly, and risk models and funding strategies need to be revised accordingly.

The following conclusions are based on analysis of findings published between July 2025 and April 2026 by the Dragos 2026 OT/ICS Cybersecurity Year in Review, the TXOne Networks/Frost & Sullivan global report, Forescout Vedere Labs, the Cyble Annual Threat Landscape Report, and the Dragos-Marsh McLennan OT Security Financial Risk Report. [1]

KEY FINDINGS AT A GLANCE

  • 82% of ICS advisories published in 2025 were rated HIGH or CRITICAL severity — up from 75% historically (Forescout / CISA, Feb 2026)
  • Ransomware activity against industrial organizations increased 49% year-on-year, impacting 3,300 organizations globally (Dragos, Feb 2026)
  • 96% of OT security incidents originate from IT-level compromises (TXOne Networks / Frost & Sullivan, Mar 2026)
  • Only 46% of OT network assessments found adequate real-time monitoring deployed (Dragos, Feb 2026)
  • OT cyber risk is projected to cost the global economy hundreds of billions of dollars annually, with North American manufacturing as the primary exposure hotspot (Dragos-Marsh McLennan, Aug 2025)
  • Attacks on OT protocols increased 84% in 2025 over the prior year, led by Modbus (57%) and EtherNet/IP (22%) (Forescout / TechTarget, Apr 2026)
  • Three new nation-state-linked threat groups — SYLVANITE, PYROXENE, and AZURITE — were identified in 2025, each targeting US critical infrastructure (Dragos, Feb 2026)

The central implication for senior leaders is structural: OT cybersecurity can no longer be managed as a niche engineering concern. It is a material business risk with direct consequences for operational continuity, regulatory standing, and national security posture.

(Sources: As per references shown above, Cyber Tech Intelligence Analysis)

Threat Landscape

1. The Kill Chain Has Advanced

For years, the “air gap” and the sheer complexity of industrial environments provided a thin layer of security by obscurity. But according to the Dragos 2026 OT/ICS Cybersecurity Report, that era is officially over.

In 2025, adversaries crossed a chilling threshold: they are no longer just breaking into networks and waiting; they are actively mapping the physical control loops of critical infrastructure.

KAMACITE systematically mapped control loops across US infrastructure, while ELECTRUM targeted distributed energy systems in Poland with deliberate attempts to affect operational assets. Dragos elevated VOLTZITE to Stage 2 of the ICS Cyber Kill Chain after observing the group manipulate engineering workstation software to extract configuration files and alarm data.

The practical implication: an intruder who has mapped a facility’s control loop dependencies can cause physical disruption without deploying ICS-specific malware. The “air gap” and “security by obscurity” that historically buffered OT systems are functionally obsolete.

2. Nation-State Threat Groups

The findings demonstrate a maturation in adversary operations, with threat groups working as coordinated ecosystems and advancing from isolated device targeting to mapping entire industrial control systems.

| Group | Nexus | Primary Targets | Key 2025 Activity |
|---|---|---|---|
| SYLVANITE | Access broker for VOLTZITE/Volt Typhoon | US critical infrastructure broadly | Exploits Ivanti, F5, SAP, ConnectWise; hands footholds to VOLTZITE |
| PYROXENE | Nation-state (undisclosed) | US, Western Europe, Middle East | Deployed destructive wiper malware against critical infrastructure (June 2025) |
| AZURITE | OT overlap with Flax Typhoon (PRC-linked) | US, Europe, Asia-Pacific | Sustained operations; persistent access to OT-adjacent networks |
| KAMACITE | Previously tracked | US infrastructure broadly | Systematic control-loop mapping across US energy and industrial sites |
| ELECTRUM | Previously tracked | European energy (Poland) | Targeted distributed energy systems; attempted to affect operational assets |

(Sources: As per references shown above, Cyber Tech Intelligence Analysis)

3. Ransomware as an OT Disruptor

Ransomware remains the most operationally consequential threat vector to US critical infrastructure. Ransomware targeting industrial organizations jumped 49% in 2025, impacting 3,300 organizations globally. Critically, many of these incidents are systematically misclassified as IT incidents despite inducing OT shutdowns — a classification failure that distorts organizational risk registers and industry statistics alike.

The frequency of ransomware incidents rose by 355% between 2020 and 2025, from roughly 1,400 to roughly 6,500, and 57 new ransomware groups were identified. [2]

Manufacturing has been the most targeted industry for five consecutive years, accounting for 27.7% of incidents across critical sectors. Ransomware attacks on manufacturers surged 61% compared to 46% across all sectors, driven by low downtime tolerance and tight security budgets.

4. IT/OT Convergence as Attack Surface Amplifier

The structural driver underlying virtually every major attack vector in this report is IT/OT convergence. 96% of OT incidents in 2025 could be traced back to IT system compromises. Forescout found that attacks on OT protocols increased by 84% in 2025 over the previous year, led by Modbus (57% of attacks) and EtherNet/IP (22%).

Industry 4.0 pushes toward merging OT environments with enterprise IT and internet-connected systems for real-time analytics and predictive maintenance. This merger is not without problems: it removes the air gap that once separated industrial systems from corporate systems. Any risk present in the corporate IT environment can then be carried into the industrial system through a laptop, a USB drive, or a remote access connection.

Key Findings

Finding 1: Vulnerability Volume is Outpacing Defender Capacity

ICS vulnerability volume hit a record in 2025, with 508 advisories covering 2,155 vulnerabilities — the highest since tracking began, and a sharp rise in high-severity flaws affecting core assets such as field controllers, PLCs, and SCADA systems.

ICS vulnerability disclosures reached 2,451 across 152 vendors in 2025, almost double the 2024 numbers, which saw 1,690 such vulnerabilities across 103 vendors. Siemens was the vendor with the products most affected by ICS vulnerabilities, with 1,175 reported.

Despite this volume, Dragos determined that 25% of ICS-CERT and NVD vulnerabilities had incorrect CVSS scores in 2025, and 26% of advisories contained no patch or mitigation from the vendor. Only 2% of ICS-relevant vulnerabilities qualified as “Now” priority requiring immediate action under Dragos’s risk-based “Now, Next, Never” model. [3]

Finding 2: The Monitoring Gap is Operationally Disqualifying

Only 46% of assessments found adequate OT network monitoring deployed. Without real-time network telemetry, organizations cannot determine what happened during an incident: the evidence is transient, and a command sent to a controller leaves no record unless it was captured on the wire.

This is not a theoretical limitation: it means that in more than half of the assessed environments, forensic reconstruction of an attack is structurally impossible. The analysis highlights dangerous visibility gaps, with many disclosures lacking corresponding central advisories, potentially leaving defenders unaware of serious risks.

Finding 3: The Ecosystem Model Has Replaced the Solo Actor

SYLVANITE operates as an access broker, rapidly exploiting vulnerabilities in Ivanti, F5, SAP, and ConnectWise products, then handing established footholds to VOLTZITE for deeper OT intrusions. The ecosystem model — specialists establishing access for more capable adversaries — is now the dominant operational pattern.

This division-of-labor architecture reduces the skill threshold for any individual actor while increasing aggregate lethality. Initial access specialists, OT reconnaissance teams, and operational disruption actors now function as a supply chain.

Finding 4: Legacy Infrastructure Creates a Structural Vulnerability Floor

The pace of exploitation is now outstripping the pace of defense. In 2025, the median time from a vulnerability disclosure to a public exploit was just 24 days. More concerning is the gap in remediation — 26% of advisories offered no patch.

Legacy PLCs, RTUs, and HMIs that lack patch support, strong authentication, or encrypted communications are exposed to exploitation at a pace the industrial maintenance cycle cannot match. The structural mismatch between 20–30 year OT asset lifecycles and sub-30-day exploit timelines is one of the sector’s most intractable risk factors.

Finding 5: Incident Response Planning Remains Critically Underdeveloped

Only ~30% of manufacturers maintain a formal incident response plan. Less than 50% conduct regular penetration testing on control networks. The Dragos-Marsh McLennan Financial Risk Report identifies incident response planning as the single highest-value OT security control for reducing financial exposure — and it remains the least deployed.

Root Causes

The threat data does not emerge from random organizational failure. It reflects a consistent set of structural conditions that persist across sectors and geographies.

| Root Cause | Manifestation | Primary Affected Sectors |
|---|---|---|
| IT/OT convergence without commensurate security investment | 96% of OT incidents trace to IT compromise; OT protocols exposed to the internet | Manufacturing, Energy, Water |
| Legacy asset lifecycle incompatibility | 80% cite outdated OT as a challenge; 24-day exploit window vs. multi-year patch cycles | All sectors; most acute in Energy, Water |
| Inadequate network segmentation | Adversaries pivot from IT to OT via under-segmented networks; Modbus/DNP3 exposed | Manufacturing, Critical Manufacturing |
| Monitoring and visibility deficit | Only 46% of environments have adequate OT monitoring; forensic capability absent | All sectors |
| Workforce and skills gap | OT-specific security expertise scarce; cross-discipline IT+OT talent pipeline immature | All sectors |
| Vulnerability prioritization failure | 25% of CVSS scores incorrect; 26% of advisories lack mitigations; teams cannot triage | All sectors |
| Insufficient IR planning | Only ~30% have formal OT IR plans; incident response defaults to uncontrolled shutdown | Manufacturing, Healthcare |

Sources: As per references shown above, Cyber Tech Intelligence Analysis

Business Impact

1. Financial Exposure

OT cyber risk is rising quickly and is projected to cost the global economy hundreds of billions of dollars each year. Much of this risk stems from indirect impacts on OT networks and operations, whether through disruptions to supporting systems or precautionary shutdowns. Manufacturing operations in North America have become ground zero for OT cyberattacks.

Key financial benchmarks:

  • $300B+ — Projected annual global OT cyber risk exposure (Dragos-Marsh McLennan, 2025)
  • $5.56M — Average breach cost in the industrial sector, +18% YoY (IBM / DataIntelo, 2026)
  • $22,000/min — Automotive assembly line downtime cost per minute (Industry benchmark, 2025)

The number of OT sites experiencing cyberattacks with physical consequences surged 146% year-on-year, fundamentally changing how organizations must approach industrial cyber risk. The Q3 2025 incident cluster — estimated by DeNexus at $329.5B in industrial losses — demonstrated that tail risk is not theoretical. The Jaguar Land Rover compromise was documented as the costliest single industrial cyberattack on record at £882 million ($1.1B).

2. Operational Continuity Risk

60% of organizations experienced OT security incidents in 2025. Ransomware’s operational impact in industrial environments is categorically distinct from its IT counterpart: where IT ransomware triggers data recovery workflows, OT ransomware can render physical processes uncontrollable, forcing manual operations or complete shutdown.

In sectors with continuous-process requirements — petrochemicals, power generation, water treatment — uncontrolled shutdowns carry not only financial but safety and regulatory consequences.

3. Regulatory and Insurance Implications

CISA positioned Zero Trust as the new baseline for federal agencies and critical infrastructure. For manufacturers, healthcare organizations, and critical infrastructure operators, CISA guidance sets de facto standards even without legal mandates. Organizations demonstrating CISA/NIST alignment report 15–30% cyber insurance premium reductions and faster audit cycles.

Conversely, organizations unable to demonstrate basic OT monitoring capability face increasing premium surcharges and sublimit clauses that may leave them materially underinsured for a material OT incident.

Investment and Maturity

1. Spending Trends

According to the World Economic Forum Global Cybersecurity Outlook 2026 survey, 87% of respondents identified AI-related threats as the fastest-growing cyber threat. [4]

Aggregate spending growth (88% of surveyed organizations increased OT security spending by more than 10% year-on-year) obscures a distribution problem. The organizations most exposed to OT risk, such as water utilities running legacy equipment, smaller manufacturers, and rural energy cooperatives, are disproportionately underrepresented in that growth.

The CISA FY2026 budget includes $302.9M for Infrastructure Security — a figure that, relative to the $300B+ annual risk exposure, illustrates the structural gap in public-sector resourcing.

2. Maturity Distribution

Using the CISA Zero Trust Maturity Model as a reference framework, the OT sector skews heavily toward “Traditional” maturity — characterized by perimeter-based controls, limited asset inventory visibility, and reactive patch management.

| Maturity Indicator | Current State |
|---|---|
| OT network monitoring deployment | 46% of environments have adequate monitoring |
| Formal OT incident response plans | ~30% of manufacturers have formal OT IR plans |
| Regular OT penetration testing | <50% conduct regular pen testing on control networks |
| OT security spending growth >10% YoY | 88% of surveyed organizations increased spend by >10% |
| Security incidents experienced in 2025 | 60% of organizations reported at least one OT incident |
| Asset inventory completeness | Majority lack a comprehensive OT asset inventory |

Strategic Recommendations

The following recommendations are sequenced by foundational dependency — organizations should not attempt to implement advanced controls without the visibility infrastructure that makes them effective.

  1. Establish Complete OT Asset Inventory Before Any Other Initiative

You cannot protect what you cannot see. CISA issued specific OT asset inventory guidance in 2025 precisely because most critical infrastructure operators lack a comprehensive inventory of their OT assets, software versions, and network connections.

Asset inventory is the prerequisite for risk-based vulnerability prioritization, network segmentation, and monitoring deployment. Commission passive OT network discovery across all sites within 90 days (passive rather than active scanning, since active probes can disrupt fragile legacy controllers). Document all Purdue Model Level 1–3 assets, remote access points, and IT/OT boundary connections.

  2. Deploy Continuous OT Network Monitoring — The Monitoring Gap Is the Maturity Gate

With only 46% of OT environments adequately monitored, the majority of organizations lack the forensic capability to determine what happened during an incident. Target state: 100% coverage of Purdue Level 1–3 networks with passive, protocol-aware monitoring tools capable of alerting on anomalous command sequences, new device appearances, and lateral movement indicators. This capability is also the prerequisite for advancing CISA Zero Trust Maturity from Traditional to Advanced.
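
The two preceding recommendations, passive inventory and protocol-aware alerting, rest on the same capability: reading industrial protocol traffic off the wire without ever sending a packet to a controller. The following Python script is an added example, not code from the report or from any vendor it cites. It targets Modbus/TCP, the protocol the report identifies as the most attacked, parses the MBAP header and function code of each request, builds a device inventory from a baseline window, and then alerts on new devices, on a write command from a client that never wrote to that controller before, and on Modbus requests originating from the corporate IT range (an IT-to-OT pivot). The address plan, the device roles and the packet samples are constructed assumptions for the demonstration.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MODBUS_PORT = 502
READ_FC = {1, 2, 3, 4}          # read coils / discrete inputs / holding / input registers
WRITE_FC = {5, 6, 15, 16, 23}   # write coil / register / multiple coils / multiple registers / read-write
# Assumed address plan for the demo (not from the report): cell network vs. corporate IT.
OT_NET = ip_network("10.10.0.0/16")
IT_NET = ip_network("192.168.0.0/16")

@dataclass(frozen=True)
class ModbusRequest:
    ts: float
    src: str
    dst: str
    unit: int
    fc: int
    start_addr: Optional[int]

def mbap(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Build a Modbus/TCP ADU: MBAP header (tid, proto=0, length, unit) followed by the PDU."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(payload: bytes) -> Optional[Tuple[int, int, Optional[int]]]:
    """Return (unit_id, function_code, start_address) for a well-formed ADU, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # length field counts unit id + PDU
        return None
    fc = payload[7]
    start = None
    if fc in READ_FC | WRITE_FC and len(payload) >= 10:
        start = struct.unpack("!H", payload[8:10])[0]
    return unit, fc, start

def extract_requests(packets) -> List[ModbusRequest]:
    """packets: iterable of (ts, src_ip, dst_ip, dst_port, payload); keeps parseable requests to 502/tcp."""
    out = []
    for ts, src, dst, dport, payload in packets:
        parsed = parse_modbus_tcp(payload) if dport == MODBUS_PORT else None
        if parsed is not None:
            out.append(ModbusRequest(ts, src, dst, *parsed))
    return out

def build_inventory(requests: List[ModbusRequest]) -> dict:
    """Passive inventory: the 502/tcp responder is a Modbus server (PLC/RTU, Purdue Level 1), the
    requester a client (HMI/EWS/historian, Level 2-3). Nothing is ever sent to the devices."""
    inv = defaultdict(lambda: {"roles": set(), "units": set(), "fcs": set(), "peers": set()})
    for r in requests:
        inv[r.dst]["roles"].add("modbus-server")
        inv[r.dst]["units"].add(r.unit)
        inv[r.dst]["fcs"].add(r.fc)
        inv[r.dst]["peers"].add(r.src)
        inv[r.src]["roles"].add("modbus-client")
        inv[r.src]["peers"].add(r.dst)
    return dict(inv)

class ModbusBaseline:
    """Learns which clients talk (and write) to which controllers, then flags deviations."""
    def __init__(self):
        self.devices = set()
        self.writers = set()   # (src, dst, unit) tuples seen issuing write function codes

    def learn(self, requests: List[ModbusRequest]) -> None:
        for r in requests:
            self.devices.update((r.src, r.dst))
            if r.fc in WRITE_FC:
                self.writers.add((r.src, r.dst, r.unit))

    def detect(self, requests: List[ModbusRequest]) -> List[Tuple[str, float, str]]:
        alerts, reported_new = [], set()
        for r in requests:
            for ip in (r.src, r.dst):
                if ip not in self.devices and ip not in reported_new:   # new device appearance
                    reported_new.add(ip)
                    alerts.append(("NEW_DEVICE", r.ts, ip))
            if ip_address(r.src) in IT_NET and ip_address(r.dst) in OT_NET:   # IT-to-OT pivot
                alerts.append(("IT_TO_OT_MODBUS", r.ts, f"{r.src} -> {r.dst}"))
            if r.fc in WRITE_FC and (r.src, r.dst, r.unit) not in self.writers:   # anomalous command
                alerts.append(("UNEXPECTED_WRITE", r.ts,
                               f"{r.src} -> {r.dst} unit {r.unit} fc {r.fc} addr {r.start_addr}"))
        return alerts

# Constructed sample traffic for the demo (not captured data): (ts, src, dst, dst_port, payload).
BASELINE_PACKETS = [
    (1.0, "10.10.2.10", "10.10.1.5", 502, mbap(1, bytes([3]) + struct.pack("!HH", 0, 10))),   # HMI polls registers
    (1.5, "10.10.2.20", "10.10.1.5", 502,
     mbap(1, bytes([16]) + struct.pack("!HHB", 100, 1, 2) + b"\x00\x2a")),                    # EWS writes a setpoint
    (2.0, "10.10.2.10", "10.10.1.6", 502, mbap(2, bytes([1]) + struct.pack("!HH", 0, 8))),    # HMI reads coils
]
LIVE_PACKETS = [
    (10.0, "10.10.2.10", "10.10.1.5", 502, mbap(1, bytes([3]) + struct.pack("!HH", 0, 10))),  # normal poll
    (10.4, "192.168.50.7", "10.10.1.5", 502, mbap(1, bytes([6]) + struct.pack("!HH", 100, 0))),  # IT host writes a register
    (10.9, "10.10.2.10", "10.10.1.6", 502,
     mbap(2, bytes([5]) + struct.pack("!H", 3) + b"\xff\x00")),                                # HMI writes a coil it only read before
    (11.2, "10.10.2.10", "10.10.1.5", 80, b"GET / HTTP/1.1\r\n\r\n"),                          # not Modbus; ignored
]

def run_demo():
    baseline_reqs = extract_requests(BASELINE_PACKETS)
    inventory = build_inventory(baseline_reqs)
    baseline = ModbusBaseline()
    baseline.learn(baseline_reqs)
    return inventory, baseline.detect(extract_requests(LIVE_PACKETS))

if __name__ == "__main__":
    inv, alerts = run_demo()
    for ip, info in sorted(inv.items()):
        print(ip, sorted(info["roles"]), "units", sorted(info["units"]), "fcs", sorted(info["fcs"]))
    for kind, ts, detail in alerts:
        print(f"[{ts:5.1f}] {kind}: {detail}")
```

On the sample traffic the baseline window yields four inventoried devices (two controllers, an HMI and an engineering workstation), and the live window raises four alerts: a new device, an IT-to-OT Modbus request, and two unexpected writes (one from the IT host, one from the HMI to a controller it had only ever read). In a real deployment the packet tuples would come from a SPAN port or tap via a pcap reader, the baseline would be learned over days rather than seconds, and the IT/OT ranges would come from the asset inventory; the parsing and alerting logic stays the same. Note that a write from an authorised engineering workstation during a legitimate change also fires UNEXPECTED_WRITE if it targets a new controller, which is the intended behaviour: the alert is a prompt to correlate with the change record, not a verdict.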

  3. Harden IT/OT Boundaries — The 96% Rule Is an Actionable Finding

If 96% of OT incidents originate from IT-layer compromise, hardening the IT/OT boundary is the highest-leverage single intervention available to most organizations. This means: enforcing robust network segmentation between corporate IT and OT DMZs; eliminating or strictly controlling remote access pathways into OT networks; implementing multi-factor authentication on all IT/OT boundary access points; and monitoring all IT-side systems with OT-adjacent connectivity.

Prioritize engineering workstations, remote access gateways (especially those running Ivanti, F5, or ConnectWise products — SYLVANITE’s preferred entry points), and IT systems with read/write access to historian or SCADA databases.
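
The boundary controls listed above are the kind of thing that drifts: a vendor remote-access rule added during a commissioning weekend, a "temporary" any-port rule for an engineering laptop, Modbus allowed straight from the DMZ because the historian vendor asked for it. The following Python linter is an added example, not code from the report or from any firewall vendor. It checks an exported conduit ruleset against a small set of zone-model rules: traffic must step one Purdue zone at a time (enterprise traffic terminates in the IT/OT DMZ), industrial protocols are never reachable from the enterprise or DMZ zones, remote-access protocols into OT require an MFA-enforcing jump host, any-port rules are flagged, and the ruleset must end in a default deny. The zone names, port mappings and the "before" and "after" rulesets are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Purdue-style zones ordered from the process outward (names are this example's assumptions).
ZONES = ["field", "control", "site_ops", "it_ot_dmz", "enterprise"]
LEVEL = {z: i for i, z in enumerate(ZONES)}
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 20000: "DNP3", 102: "S7comm"}
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: int          # 0 = any port
    action: str = "allow"
    mfa: bool = False      # path terminates on an MFA-enforcing jump host / access broker

def lint_conduits(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule_name, finding) pairs for every boundary-hardening violation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src_zone not in LEVEL or r.dst_zone not in LEVEL:
            findings.append((r.name, "allow rule with an unscoped zone; only deny rules may use 'any'"))
            continue
        s, d = LEVEL[r.src_zone], LEVEL[r.dst_zone]
        inbound = s > d   # toward the process
        if inbound and s - d > 1:
            skipped = ", ".join(ZONES[d + 1:s])
            findings.append((r.name, f"skips zone(s) {skipped}; conduits must terminate one level down"))
        if r.dst_port == 0:
            findings.append((r.name, "any-port rule across a zone boundary; restrict to named services"))
        if inbound and r.dst_port in ICS_PORTS and r.src_zone in ("enterprise", "it_ot_dmz"):
            findings.append((r.name, f"{ICS_PORTS[r.dst_port]} reachable from {r.src_zone}; "
                                     "industrial protocols stay at or below site_ops"))
        if inbound and r.dst_port in REMOTE_ACCESS_PORTS and d <= LEVEL["site_ops"] and not r.mfa:
            findings.append((r.name, f"{REMOTE_ACCESS_PORTS[r.dst_port]} into {r.dst_zone} without MFA"))
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src_zone, last.dst_zone) != ("any", "any"):
        findings.append(("<policy>", "ruleset does not end in a default deny"))
    return findings

# Constructed sample rulesets (hypothetical): the drifted "before" state and a hardened "after".
BEFORE = [
    Rule("historian-pull", "it_ot_dmz", "site_ops", 1433),        # DMZ replica pulls from the L3 historian
    Rule("vendor-rdp", "enterprise", "control", 3389),            # vendor RDP straight into the control zone
    Rule("scada-modbus-from-dmz", "it_ot_dmz", "control", 502),   # Modbus from the DMZ
    Rule("ews-any", "enterprise", "site_ops", 0),                 # engineering laptop, any port
    Rule("ops-to-plc", "site_ops", "control", 502),               # L3 SCADA server polls controllers
]
AFTER = [
    Rule("historian-pull", "it_ot_dmz", "site_ops", 1433),
    Rule("vendor-jump", "enterprise", "it_ot_dmz", 3389, mfa=True),   # remote users land on a DMZ jump host
    Rule("jump-to-ews", "it_ot_dmz", "site_ops", 3389, mfa=True),     # and hop one zone at a time
    Rule("ops-to-plc", "site_ops", "control", 502),
    Rule("default-deny", "any", "any", 0, action="deny"),
]

if __name__ == "__main__":
    for label, rules in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(f"== {label}: {len(lint_conduits(rules))} finding(s)")
        for name, why in lint_conduits(rules):
            print(f"  {name:<24} {why}")
```

The "before" ruleset produces seven findings (three rules each violate two checks, plus the missing default deny); the "after" ruleset produces none. The point of the one-zone-at-a-time check is that it enforces the DMZ as a mandatory termination point without needing to enumerate every bad path: any rule that jumps from the enterprise zone past the DMZ is caught regardless of port. In practice the `Rule` records would be built from a firewall export rather than typed by hand, and the linter run in CI against every ruleset change.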

  4. Adopt Risk-Based Vulnerability Prioritization — Reject Raw CVSS Scores

With 25% of ICS vulnerability CVSS scores assessed as incorrect and 26% of advisories lacking any patch or mitigation, organizations that triage remediation solely by published severity will both over-invest in low-risk items and under-invest in high-risk ones.

Recommended framework: Dragos’s “Now / Next / Never” model — or equivalent risk-contextualized approaches that account for asset exposure, exploitability in the OT context, and availability of compensating controls. Only 2% of ICS vulnerabilities require immediate action under this model.
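
To make the contrast concrete, the following Python script is an added example, not the published Dragos model and not code from the report. It scores a handful of constructed vulnerability records twice: once by raw CVSS, and once by a Now/Next/Never rule that takes exposure (internet, reachable from the IT/OT DMZ, or isolated in the cell network), process impact (loss of control or view versus information disclosure), exploit availability, patch availability and compensating controls into account. The bucketing thresholds are this example's own assumptions; the identifiers and assets are hypothetical and are deliberately not real CVE numbers.

```python
from dataclasses import dataclass
from typing import List, Tuple

NOW, NEXT, NEVER = "Now", "Next", "Never"

@dataclass(frozen=True)
class IcsVuln:
    vuln_id: str                # hypothetical identifier, not a real CVE
    asset: str
    cvss: float                 # published base score, taken as-is
    exposure: str               # "internet", "boundary" (reachable from the IT/OT DMZ), "isolated" (cell only)
    exploit_public: bool        # working exploit or in-the-wild use known
    impact: str                 # "loss_of_control", "loss_of_view", "info"
    patch_available: bool
    compensating_control: bool  # conduit block, protocol allow-list or monitoring already covers it

def triage(v: IcsVuln) -> Tuple[str, str]:
    """Assign a Now/Next/Never bucket and an action. These rules are the example's own assumptions,
    chosen to encode exposure, OT impact, exploitability and existing controls rather than CVSS alone."""
    reachable = v.exposure in ("internet", "boundary")
    process_impact = v.impact in ("loss_of_control", "loss_of_view")
    if reachable and v.exploit_public and process_impact and not v.compensating_control:
        bucket = NOW
    elif (reachable and process_impact) or (v.exploit_public and v.impact == "loss_of_control"):
        bucket = NEXT
    else:
        bucket = NEVER   # accept and monitor; revisit if exposure or exploit status changes
    if bucket == NOW and not v.patch_available:   # the 26% with no vendor fix still need an action
        action = "no vendor fix: block the service at the conduit or isolate the asset now; track for patch"
    elif bucket == NOW:
        action = "emergency patch window; temporary conduit block until applied"
    elif bucket == NEXT:
        action = "patch at next planned outage; confirm a compensating control is in place meanwhile"
    else:
        action = "document and monitor; no remediation work scheduled"
    return bucket, action

def rank_by_cvss(vulns: List[IcsVuln]) -> List[str]:
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

def rank_by_risk(vulns: List[IcsVuln]) -> List[str]:
    order = {NOW: 0, NEXT: 1, NEVER: 2}
    return [v.vuln_id for v in sorted(vulns, key=lambda v: (order[triage(v)[0]], -v.cvss))]

def summarize(vulns: List[IcsVuln]) -> dict:
    return {v.vuln_id: triage(v)[0] for v in vulns}

# Constructed sample records (hypothetical ids and assets, not real advisories).
SAMPLE = [
    IcsVuln("VULN-A", "PLC firmware, cell 3", 9.8, "isolated", False, "info", True, True),
    IcsVuln("VULN-B", "remote access gateway", 7.5, "internet", True, "loss_of_control", False, False),
    IcsVuln("VULN-C", "HMI web service", 8.1, "boundary", True, "loss_of_view", True, True),
    IcsVuln("VULN-D", "historian DB", 6.5, "boundary", False, "loss_of_view", True, False),
    IcsVuln("VULN-E", "legacy RTU", 9.1, "isolated", True, "loss_of_control", False, False),
]

if __name__ == "__main__":
    for v in SAMPLE:
        bucket, action = triage(v)
        print(f"{v.vuln_id} CVSS {v.cvss:>4} {v.exposure:<9} -> {bucket:<5} {action}")
    print("by CVSS:", rank_by_cvss(SAMPLE))
    print("by risk: ", rank_by_risk(SAMPLE))
```

The two orderings disagree at both ends. The CVSS 9.8 record (an isolated controller with an information-disclosure flaw behind an existing conduit block) lands in Never, while the CVSS 7.5 internet-facing gateway with a public exploit and no patch is the only Now item, and its action is a conduit block rather than a patch, which is exactly the case the 26% no-mitigation figure above describes. A team triaging by published severity alone would have worked the list in almost the reverse order.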

  5. Develop and Exercise an ICS-Specific Incident Response Plan

The single highest-value OT security control identified by the Dragos-Marsh McLennan financial risk model is incident response planning — yet fewer than 30% of organizations have one. A generic IT IR playbook is insufficient for OT incidents, where response decisions require process engineering knowledge, safety system awareness, and regulatory notification protocols specific to the industrial environment.

Minimum viable plan: clearly defined escalation paths and decision authorities for OT incidents at each site; pre-negotiated contracts with OT-capable IR firms; documented safety instrumented system independence from SCADA; and tabletop exercise conducted at least annually with both security and operations personnel.

  6. Elevate OT Security to Board-Level Risk Governance

The threat landscape in 2025 reached a new level of maturity. Adversaries are mapping how control systems work, understanding where commands originate, how they propagate, and where physical effects can be induced.

The convergence of $300B+ annual exposure, 146% growth in attacks with physical consequences, and tightening regulatory expectation (CISA CPG 2.0) means OT cybersecurity now meets any reasonable materiality threshold for board-level oversight.

Boards should receive regular OT-specific risk reporting alongside IT cyber metrics; site-level monitoring coverage status; incident response plan currency; and insurance coverage adequacy relative to modeled exposure.

Appendix A | Sector Risk Summary

| Sector | Attack Frequency | Primary Threat Vectors | Key Risk Factors |
|---|---|---|---|
| Critical Manufacturing | Highest — #1 for 5 consecutive years | Ransomware (+61% surge), IT/OT pivot | Low downtime tolerance, IT convergence, thin margins |
| Energy (Electric, Oil & Gas) | High — KAMACITE, ELECTRUM active targeting | State-sponsored, control-loop mapping | Physical consequence potential, aging grid assets |
| Water & Wastewater | Moderate-High — HMI/SCADA exposure documented | Remote access exploitation, default credentials | High exposure of internet-accessible OT assets |
| Healthcare | High — ransomware, operational disruption | Ransomware, supply chain | Convergence of OT (medical devices) with IT networks |
| Transportation | Moderate — increasing targeting | Ransomware, data theft | Legacy systems, remote operations growth |

 Sources: As per references shown above, Cyber Tech Intelligence Analysis

Methodology

Source Window and Inclusion Criteria

All quantitative claims in this report derive from primary sources published between July 1, 2025 and April 30, 2026. Sources published before July 2025 are excluded unless they establish a longitudinal baseline. No secondary aggregations or legacy statistics are cited without a corresponding primary source.

| Source | Publisher | Date | Methodology |
|---|---|---|---|
| 2026 OT/ICS Cybersecurity Year in Review | Dragos Inc. | Feb 17, 2026 | Incident response engagements, threat intel, field assessments |
| 2026 Annual OT/ICS Cybersecurity Report | TXOne / Frost & Sullivan | Mar 13, 2026 | Survey of 200 C-level OT decision-makers, 6 industries, 5 regions |
| ICS Cybersecurity in 2026 — Vulnerabilities | Forescout Vedere Labs | Feb 26, 2026 | Analysis of 3,637 CISA ICS advisories (2010–Jan 2026) |
| Annual Threat Landscape Report 2025 | Cyble (CRIL) | Jan 15, 2026 | Honeypot telemetry, dark web monitoring, CVE correlation |
| 2025 OT Security Financial Risk Report | Dragos + Marsh McLennan | Aug 2025 | Actuarial modeling, insurance claims data, incident cost analysis |

Sources: As per references shown above, Cyber Tech Intelligence Analysis

Scope Definitions

OT/ICS: Hardware and software systems that monitor or control physical equipment, processes, and infrastructure — including SCADA, DCS, PLCs, RTUs, HMIs, and associated industrial networks, as defined by NIST SP 800-82 Rev. 3.

Critical Infrastructure: US critical infrastructure per CISA’s 16-sector model, with primary analytical focus on Energy, Manufacturing, Water & Wastewater, Transportation, and Healthcare.

Limitations

  • Vendor-published threat reports carry inherent selection bias toward environments their platforms monitor.
  • Underreporting of OT incidents remains a material limitation — regulatory disclosure obligations for OT incidents are inconsistent and, in many sectors, voluntary.
  • Cost and downtime figures vary across methodologies; ranges are presented where sources diverge.

References

  1. Dragos Inc. (2026a) Dragos OT Cybersecurity Report: Adversaries Increase Real-World Impact, Map Control Loops Across Industrial Infrastructure [Press release]. 17 February. Hanover, MD: Dragos Inc. Available at: https://www.dragos.com/resources/press-release/dragos-2026-year-in-review-new-ot-threats-ransomware (Accessed: 28 May 2026).
  2. Dragos Inc. (2026b) 2026 OT/ICS Cybersecurity Year in Review. Hanover, MD: Dragos Inc. Available at: https://www.dragos.com/ot-cybersecurity-year-in-review (Accessed: 28 May 2026).
  3. Cyble Research and Intelligence Labs (2026) Annual Threat Landscape Report 2025. 15 January. Alpharetta, GA: Cyble Inc. Available at: https://cyble.com/resources/research-reports/annual-threat-landscape-report-2025/ (Accessed: 28 May 2026).
  4. World Economic Forum (2026) Global Cybersecurity Outlook 2026. Insight Report, January. Geneva: World Economic Forum, in collaboration with Accenture. Available at: https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf (Accessed: 28 May 2026).
