For years, the "air gap" and the sheer complexity of industrial environments provided a thin layer of security by obscurity. But according to the Dragos 2026 OT/ICS Cybersecurity Report, that era is officially over.
In 2025, adversaries crossed a chilling threshold: they are no longer just breaking into networks and waiting; they are actively mapping the physical control loops of critical infrastructure.
The report, the ninth annual "Year in Review," offers a stark look at an evolving threat landscape where the divide between access and physical impact is disappearing. For cybersecurity professionals and executive leaders alike, the message is clear: the window to protect the systems that safeguard civilization is shrinking.
Adversaries have professionalized their approach to industrial targets. Dragos now tracks 26 threat groups specifically targeting OT (operational technology), with three new groups—AZURITE, PYROXENE, and SYLVANITE—emerging in 2025. These groups are moving from prepositioning to operational readiness, exfiltrating configuration files and alarm data to understand exactly how to manipulate physical processes.
A significant shift is the rise of the "paired model" of attack. Initial access providers like SYLVANITE specialize in rapidly weaponizing edge device vulnerabilities, only to hand off the compromised environment to "Stage 2" adversaries with deep ICS (industrial control systems) expertise. This division of labor compresses the timeline from the initial breach to operational impact from weeks to mere days.
Meanwhile, established groups are expanding their reach. ELECTRUM, infamous for the Ukrainian power outages, conducted the first major coordinated cyberattack against decentralized energy resources (DERs) in Poland in late 2025. Their partner group, KAMACITE, was observed conducting sustained reconnaissance of internet-exposed industrial devices across the U.S., scanning components in a sequence that suggests an intent to map entire control loops rather than just isolated systems.
"In OT, effective risk mitigation means reducing exposure without interrupting production," said Al Lindseth, Principal, CI50 Advisory Services LLC. "Modern approaches—identity-driven access, the ability to isolate a single connection instead of shutting down systems, distributed enforcement, just in time MFA at different levels (port, device, etc.), credential management, session recording and time-boxing, and strong audit trails—are making that possible. What many leaders don't realize is how far innovation has come. Capabilities once limited to IT environments are now practical in OT, but organizations often aren't exploring them deeply enough."
Lindseth continued, "At first, we had too much of an isolation / segmentation-only strategy. Then we tried to misapply IT Defense in Depth to OT, which was clunky. But now, we're in a much better place regarding effective and efficient risk mitigation options that work for OT. This should be the new baseline for operators as attackers are widening the existing gap with their utilization of modern technology. Companies need to be exploring this more seriously—and doing it quickly."
The vulnerability velocity problem
The pace of exploitation is now outstripping the pace of defense. In 2025, the median time from a vulnerability disclosure to a public exploit was just 24 days. More concerning is the gap in remediation; 26 percent of advisories offered no patch, and 25 percent contained incorrect CVSS scores, leaving defenders with flawed guidance while attackers operationalized exploits.
Ransomware also continues its relentless assault, with Dragos tracking 119 groups impacting more than 3,300 industrial organizations. However, the report highlights a dangerous trend: many of these incidents are mischaracterized as "IT-only" simply because they occur on Windows-based systems, ignoring the fact that those systems were hosting critical SCADA software or engineering workstations.
For those tasked with defending industrial environments, the report underscores that visibility is the greatest hurdle. Fewer than 10 percent of OT networks worldwide currently have network monitoring in place. This lack of data is catastrophic during an incident; 30 percent of Dragos's 2025 incident response cases began with a "hunch" that something was wrong, yet in most cases, the telemetry needed to confirm a cyberattack had never been recorded.
The "call to action" for security teams remains the Five Critical Controls for OT Cybersecurity:
- OT/ICS Incident Response: Having an ICS-specific plan that accounts for physical consequences
- Defensible Architecture: Moving beyond simple segmentation to eliminate internet-facing exposure
- ICS Network Visibility & Monitoring: Recording transient network telemetry before it is gone forever
- Secure Remote Access: Enforcing multifactor authentication (MFA) across all entry points
- Risk-Based Vulnerability Management: Prioritizing the three percent of vulnerabilities that are actively being exploited (the "Now" category) over bulk patching
"The threat actors targeting OT environments are patient, sometimes spending weeks, months, or even years in a system undetected. They are often not looking to perform a 'smash-and-grab' style attack but biding their time for when they can have the biggest impact (i.e., the energy sector during wintertime)," said Derek Fisher, Founder, Security Built. "And as our 'smart' grids, factories, and cities continue to expand, we hand over a growing attack surface to adversaries. The Five Critical Controls help organizations assume breach and move to a stronger defensive posture."
The executive mandate: why non-cyber leaders must care
For executive-level leaders, OT security is no longer a niche technical concern; it is a core component of operational resilience and human safety. The report demonstrates that adversaries are willfully targeting civilian infrastructure with a level of aggression that accepts the risk of loss of human life.
When an industrial process is disrupted, the costs are not measured in lost data but in lost production, damaged equipment, and environmental impact. The "mislabeling" of OT incidents as IT issues often leads to an underestimation of business risk. Investing in OT visibility and the five critical controls is not just about security; it is about protecting the communities that depend on your operations.