MANUFACTURING REMAINS THE MAIN OT BATTLEFIELD
As per the IBM X-Force Threat Intelligence Index 2025, critical infrastructure entities made up 70% of cyberattacks that IBM X-Force detected in 2024. The manufacturing sector came out on top for the fourth year in a row, having seen 26% of all attacks.
Ransomware was deployed in nearly one-third of manufacturing cases, while malware featured in 40% of attacks across OT-dependent sectors broadly. In a notable tactical shift, attackers in 18% of incidents opted for outright data theft over encryption, reflecting improved enterprise detection that has reduced the effectiveness of traditional ransomware extortion.1
“Cybercriminals are most often breaking in without breaking anything – capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM.
For enterprise security leaders, the manufacturing exposure pattern matters beyond that single sector. Attackers targeting plant environments gain access to supplier networks, logistics systems, and downstream operational partners, turning a single industrial compromise into a multi-organization event.
NATION-STATE ACTORS ARE PRE-POSITIONING FOR DISRUPTION
CISA and the FBI have confirmed that China-linked groups Volt Typhoon and Salt Typhoon are employing living-off-the-land techniques, using legitimate system tools to traverse IT environments and pivot toward OT assets without triggering standard detection. In August 2025, the FBI identified Russia’s Federal Security Service targeting Cisco infrastructure using custom-built tools, while CISA simultaneously tracked both groups operating across U.S. telecommunications, energy, and transportation networks.2
Security leaders should frame two distinct threat profiles for their boards. U.S. agencies characterize Salt Typhoon’s activity as primarily surveillance and Volt Typhoon’s presence as likely intended to enable future disruption. U.S. intelligence agencies assess that Volt Typhoon’s presence inside IT networks is specifically built to enable lateral movement into OT assets, ready to activate disruption during geopolitical tension. In early 2025, U.S. agencies confirmed that Volt Typhoon had sustained unauthorized access that enabled mapping of OT operations at the Littleton Electric Light and Water Department in Massachusetts. The goal was not immediate disruption. Attackers were building operational intelligence for future use.3
In August 2025, the FBI, NSA, CISA, along with other partner nations’ agencies, issued a Cybersecurity Advisory about the operations of Salt Typhoon within the telecommunications, transportation, and healthcare industries in the United States. The private sector contributed to the advisory through companies such as Cisco Talos, Google Mandiant, Microsoft, and PwC Threat Intelligence.4
HACKTIVIST PRESSURE ON WATER, ENERGY, AND FOOD SECTORS
Nation-state groups are not the only active threat. In December 2025, CISA joined the FBI, NSA, Department of Energy, and EPA to identify four pro-Russia hacktivist groups as active threats to U.S. essential services: Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16. These groups gain entry through internet-exposed VNC connections to OT systems protected by default or weak passwords, reaching the SCADA and HMI components of water and wastewater, energy, and food and agriculture facilities.5
A separate CISA alert issued in May 2025 showed that unsophisticated actors were attacking ICS/SCADA systems within the oil, natural gas, and transportation sectors in the United States. A 2024 EPA report identified more than 100 drinking water systems in the US with critical or high cybersecurity vulnerabilities.6
Even low-sophistication attacks can cause operational disruption where OT infrastructure is not properly segmented or hardened.
THE IDENTITY PROBLEM INSIDE OT NETWORKS
IBM X-Force 2025 data confirms a decisive shift toward credential-based intrusion across OT-dependent sectors. Nearly one in three incidents in 2024 resulted in credential theft, with identity abuse serving as the preferred initial access technique in 30% of cases. IBM X-Force recorded an 84% increase in infostealer-delivering emails in 2024 versus the prior year, with early 2025 data showing a 180% increase compared to 2023.
Stolen infostealer credentials listed on the dark web rose 12%, and the top five infostealers generated more than 8 million advertisements across dark web forums in 2024 alone. Public-facing application vulnerabilities accounted for a further 26% of industrial-sector breaches.1
The identity surface across industrial environments has expanded significantly beyond corporate IT. Remote engineering access, cloud-based OT monitoring platforms, unmanaged vendor VPNs, Industrial IoT connectivity, and centralized orchestration tools have all created new pathways into operational networks.
Vendor accounts, engineering workstations, and third-party support connections routinely fall outside standard identity governance programs. IBM’s April 2025 release stated that organizations must shift away from ad-hoc prevention and focus on modernizing authentication management, closing MFA gaps, and conducting real-time threat hunting to uncover hidden access before sensitive systems are exposed.1
REGULATORY AND RESILIENCE PLANNING: WHAT CISA NOW REQUIRES
CISA’s “CI Fortify” initiative, launched in May 2026, directs water utilities, transportation operators, and industrial infrastructure entities to plan explicitly for geopolitical cyber crises. CI Fortify raises operational expectations: organizations should treat its isolation and recovery objectives as planning baselines that will influence future regulatory and procurement requirements. Isolation means proactive disconnection from third-party and business networks. Recovery means restoring operations when control systems have been compromised.7
In April 2025, CISA published separate guidance accelerating zero-trust adoption within OT environments. Air-gap assumptions are no longer reliable. Organizations should assume IT/OT interconnections exist or will be created. NIST’s Cybersecurity Framework remains the primary voluntary standard, though inconsistent sector application continues to create measurable gaps. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) implementation is advancing, with CISA refining mandatory incident reporting thresholds by sector. Enterprise security teams should assume CIRCIA compliance will demand faster disclosure than most current programs support.8
Global information security spending is forecast to reach $213 billion in 2025, rising to $240 billion in 2026, a further 12.5% increase.9 The segment experiencing the highest rate of growth is infrastructure security, moving from $31.3 billion in 2024 up to $51.2 billion by 2028.10
WHAT SECURITY LEADERS SHOULD PRIORITIZE NOW
Five actions stand out based on current threat intelligence and guidance from CISA, NIST, and the intelligence community.
Develop an accurate “as-operated” inventory of OT assets covering every device connected to the internet or to the IT network. CISA, NIST, and IBM repeatedly cite this as the first missing control discovered after a compromise.
Implement multi-factor authentication for all remote access to OT systems, including vendor accounts, engineering stations, and other third-party access. IBM’s 2025 dataset indicates that credential abuse is currently the most common method of obtaining initial access to OT systems.
Review patching cadence against CISA’s 508 confirmed advisories from 2025. With 82% of those advisories classified as high or critical severity, annual or multi-year patching cycles create unacceptable exposure windows.
Document isolation and recovery procedures aligned with CI Fortify, specifically the ability to operate without external connectivity.
Eliminate IT-to-OT lateral movement pathways through disciplined network segmentation. This remains the most structurally effective control against both nation-state actors and ransomware operators.
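The five actions above translate into checks that can run against the asset inventory itself. The following is an added example, not from the article or any of the cited agencies: it audits a small constructed inventory for the exposure patterns the article highlights (internet-reachable remote services such as VNC, remote access without MFA including vendor accounts, and high or critical advisories left open past an accelerated patch SLA). The record fields, advisory entries and SLA values are assumptions chosen for illustration.

```python
"""Audit a constructed "as-operated" OT inventory against the article's
priorities. Field names, sample assets, advisories and SLA values are
assumptions made for this example, not a real schema or real data."""
from datetime import date

# Constructed sample inventory (assumed field names).
ASSETS = [
    {"id": "hmi-01", "role": "HMI", "internet_exposed": True,
     "remote_services": ["vnc"], "mfa": False, "owner": "vendor"},
    {"id": "plc-07", "role": "PLC", "internet_exposed": False,
     "remote_services": [], "mfa": None, "owner": "internal"},
    {"id": "eng-ws-3", "role": "engineering workstation",
     "internet_exposed": False, "remote_services": ["rdp"],
     "mfa": True, "owner": "internal"},
]

# Constructed advisory data: affected asset, severity, publication date.
ADVISORIES = [
    {"asset": "plc-07", "severity": "critical", "published": date(2025, 9, 1)},
    {"asset": "eng-ws-3", "severity": "medium", "published": date(2025, 10, 1)},
]

# Assumed accelerated SLA in days for high/critical advisories (policy choice).
PATCH_SLA_DAYS = {"critical": 30, "high": 60}


def audit(assets, advisories, today):
    """Return (asset id, finding) tuples in the order they are discovered."""
    findings = []
    for a in assets:
        # Hacktivist entry pattern: an internet-reachable remote service.
        if a["internet_exposed"] and a["remote_services"]:
            findings.append((a["id"], "internet-exposed remote service: "
                             + ",".join(a["remote_services"])))
        # MFA gap on any remote access path, vendor or internal.
        if a["remote_services"] and not a["mfa"]:
            findings.append((a["id"], f"remote access without MFA ({a['owner']})"))
    for adv in advisories:
        # Only high/critical advisories carry an accelerated SLA.
        sla = PATCH_SLA_DAYS.get(adv["severity"])
        if sla is not None and (today - adv["published"]).days > sla:
            findings.append((adv["asset"],
                             f"{adv['severity']} advisory past {sla}-day SLA"))
    return findings


def run_sample_audit():
    """Run the audit on the constructed data as of an assumed review date."""
    return audit(ASSETS, ADVISORIES, date(2025, 12, 1))


if __name__ == "__main__":
    for asset_id, finding in run_sample_audit():
        print(asset_id, finding)
```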
Board Asks
Approve funding for a 90-day OT asset discovery and monitoring program.
Mandate MFA for all third-party and vendor OT access within 120 days.
Fund a CI Fortify tabletop and offline recovery test on a semiannual cadence.
Authorize accelerated OT patch SLAs for all advisories rated high or critical severity.
CONCLUSION
There are no simple patches to address the 2025 threat landscape for industrial assets in the United States. State-backed adversaries show enough patience to remain undetected within an OT network infrastructure for several months. Ransomware groups favor attacking industrial entities because operational impact gives them far more leverage than any other type of threat vector.
As evidenced by Gartner’s forecast of $240 billion in global spend on security measures in 2026, enterprises understand the necessity to take action. Those who are prepared for future challenges will view OT resilience not as an obligation, but as a strategic objective at the same level as business continuity and logistics risks.
References
- IBM, IBM X-Force Threat Intelligence Index 2025, April 17, 2025
- CSIS, Securing U.S. Critical Infrastructure Against Evolving Cyber Threats, March 2026
- CISA, PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, Advisory AA24-038A, February 7, 2024
- Perkins Coie, Salt Typhoon Cyberattacks: Updated Threat Assessment and Recommended Mitigations, September 2025
- CISA, Opportunistic Pro-Russia Hacktivists Target U.S. and Global Critical Infrastructure, December 9, 2025
- CISA, Unsophisticated Cyber Actors Targeting Operational Technology, May 6, 2025
- Federal News Network, CISA Tells Critical Organizations to Prepare for Cyber Outages, May 2026
- CISA, Critical Infrastructure Security and Resilience, 2025
- Gartner, Gartner Forecasts Worldwide End-User Spending on Information Security to Total $213 Billion in 2025, July 29, 2025
- McKinsey & Company, Critical Infrastructure Companies and the Global Cybersecurity Threat, 2025