Introduction
For years, operational technology (OT) security was the quiet corner of cybersecurity — overlooked, underfunded, and assumed to be safe behind air-gaps and proprietary protocols. That assumption is now dangerously outdated.
In 2025, Dragos tracked 119 ransomware groups impacting more than 3,300 industrial organizations worldwide — nearly double the number from 2024. State-sponsored threat groups like VOLTZITE (linked to China’s Volt Typhoon) systematically pre-positioned themselves inside power grids, water systems, and manufacturing networks. And according to ENISA’s 2025 Threat Landscape report, 4,875 cybersecurity incidents occurred between July 2024 and June 2025, with 18.2% involving OT systems.
The message is clear: industrial control systems are no longer hidden from attackers — they’re high-value targets.
In this post, you’ll learn:
- Why OT is under more threat than ever in 2026
- The threat actors actively targeting industrial systems
- How adversaries are actually getting into OT environments
- Why IT/OT convergence is the entry point attackers exploit
- What regulatory pressure (NIS2) means for your OT security posture
Who is Targeting Industrial Organizations in 2026?
The days of assuming “nobody is interested in us” are over. The OT threat ecosystem in 2026 includes three distinct threat categories — each with different motivations, but all converging on the same outcome: disrupting, extorting, or destroying industrial operations.
State-Sponsored Groups: The Long Game
Perhaps the most alarming trend is the methodical pre-positioning by state-aligned threat actors throughout 2025. Groups like VOLTZITE compromised small-office routers at electric utilities and telecommunications providers, establishing relay networks while exfiltrating geographic information system data, OT network diagrams, and operational instructions.
Three new groups emerged in 2025-2026:
- AZURITE — targeting OT engineering workstations to exfiltrate operational data and establish long-term access
- PYROXENE — focusing on compromising IT-to-OT pathways to gain footholds inside industrial environments
- SYLVANITE — operating at scale as an initial access provider for VOLTZITE, exploiting edge devices and remote access infrastructure
As FBI Director Christopher Wray testified before the House Select Committee on the CCP: “These aren’t reconnaissance operations — they’re preparation for destructive attacks in the context of a major crisis or conflict.”
Ransomware: The Industrial Disruptor
Financially motivated ransomware groups are hitting industrial organizations at scale. The GRIT 2026 Ransomware Report recorded a 58% year-over-year increase in ransomware victims, with manufacturing accounting for 14% of all attacks — making it the most targeted industry sector.
The reason industrial targets are so attractive? Downtime is enormously expensive. A manufacturing plant that stops production loses money by the hour. That leverage makes organizations more likely to pay.
But here’s the catch: many ransomware incidents affecting industrial organizations are classified as “IT incidents” even when the compromised systems support OT operations — engineering workstations, SCADA infrastructure, virtualization platforms underpinning OT. If these bridge systems are poorly secured, attackers don’t need to breach OT directly. The path is already open.
How Are Adversaries Actually Getting In?
One of the most important — and counterintuitive — insights from the Dragos Intelligence Fabric is that most OT incidents do not begin in OT networks. Adversaries consistently gain access through infrastructure that sits between enterprise and operational environments.
In practice: adversaries are not “getting into OT.” They’re getting into the systems that connect to it.
The most consistently targeted assets for initial access include:
- Remote access infrastructure — VPNs, remote desktop protocols, and unpatched remote access servers
- Engineering workstations — often running outdated operating systems, connected to both IT and OT networks
- IT-to-OT bridge systems — historians, data gateways, and SCADA servers that sit at the boundary
- Identity systems — compromised credentials that unlock multiple environments
- Third-party vendor access — vendors with deferred security patches and broad network access
Palo Alto Networks, Siemens, and Idaho National Laboratory research identified a 332% increase in unique internet-exposed OT devices and services — with nearly 20 million OT-related devices now observable on the public internet. That expanded attack surface is a direct result of digital transformation, IoT adoption, and the drive to connect industrial systems to enterprise networks.
The IT/OT Convergence Problem
Digital transformation has been a gift for attackers. As industrial organizations connected legacy OT systems to enterprise IT networks — for monitoring, analytics, and remote management — they created bridges that never existed before. Those bridges are now the primary attack vector.
The challenge is stark:
- OT environments were built for reliability, not security — many PLCs and control systems run on 20+ year-old software that can’t be patched
- IT security teams often lack visibility into OT protocols (Modbus, EtherNet/IP, DNP3)
- OT security teams often lack the tools to detect sophisticated IT-based attack techniques
- Both sides are under-resourced, and the “convergence” often means OT gets bolted onto IT security tools that weren’t designed for industrial environments
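What OT-protocol visibility looks like in practice, as an added example that is not code from the original post: a small passive Modbus/TCP monitor that decodes the MBAP header and function code of each request seen on a network tap, then raises an alert when a write or diagnostic function code comes from a host that is not authorized to issue it, or when a frame is malformed. The hosts, frames and authorization policy are constructed for illustration; the function codes are the public ones from the Modbus application protocol specification.

```python
"""Passive Modbus/TCP monitor: decode MBAP frames from a network tap and alert
on write or diagnostic function codes from hosts not authorized to send them.

Added example, not code from the original post. Hosts, frames and the policy
below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Public function codes from the Modbus Application Protocol Specification
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers", 43: "Encapsulated Interface Transport",
}
WRITE_CODES = {5, 6, 15, 16, 23}      # change coils/registers, i.e. process state
DIAGNOSTIC_CODES = {8, 43}            # can restart comms or enumerate device identity
MBAP_LEN = 7                          # transaction id(2) protocol id(2) length(2) unit id(1)


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]    # start address when the PDU carries one
    value: Optional[int]      # quantity, or the value for single-item writes


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    dst: str
    detail: str


def parse_mbap(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request; raise ValueError on a malformed frame."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("truncated MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts the unit id plus the PDU: everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    fc = payload[MBAP_LEN]
    data = payload[MBAP_LEN + 1:]
    address = value = None
    if fc in {1, 2, 3, 4, 5, 6, 15, 16} and len(data) >= 4:
        address, value = struct.unpack(">HH", data[:4])
    return ModbusRequest(src, dst, tid, unit, fc, address, value)


def analyze(frames, authorized_writers, authorized_engineering):
    """Apply the policy to (src, dst, payload) tuples and return the alerts raised."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_mbap(src, dst, payload)
        except ValueError as exc:
            alerts.append(Alert("malformed_frame", src, dst, str(exc)))
            continue
        name = FUNCTION_NAMES.get(req.function_code, f"function code {req.function_code}")
        if req.function_code in WRITE_CODES and src not in authorized_writers:
            alerts.append(Alert("unauthorized_write", src, dst, name))
        elif req.function_code in DIAGNOSTIC_CODES and src not in authorized_engineering:
            alerts.append(Alert("unauthorized_diagnostic", src, dst, name))
        elif req.function_code not in FUNCTION_NAMES:
            alerts.append(Alert("unknown_function", src, dst, name))
    return alerts


# Constructed hosts: SCADA server, engineering workstation, an IT-subnet host, one PLC
SCADA, EWS, IT_HOST, PLC = "10.10.20.5", "10.10.20.17", "10.10.10.42", "10.10.30.11"

# Constructed frames as a tap would deliver them (MBAP header + PDU, TCP/IP stripped)
FRAMES = [
    (SCADA, PLC, bytes.fromhex("00010000000601030000000a")),    # FC3 read 10 holding regs
    (SCADA, PLC, bytes.fromhex("0002000000060106006405dc")),    # FC6 write reg 100 = 1500
    (IT_HOST, PLC, bytes.fromhex("00030000000601050000ff00")),  # FC5 write coil 0 ON, from IT
    (IT_HOST, PLC, bytes.fromhex("000400000006010800010000")),  # FC8 restart comms, from IT
    (SCADA, PLC, bytes.fromhex("00050000000901030000000a")),    # length field 9, frame has 6
]


def run_demo():
    """Authorized writer: the SCADA server; authorized for diagnostics: the EWS."""
    return analyze(FRAMES, authorized_writers={SCADA}, authorized_engineering={EWS})


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert.rule:24} {alert.src} -> {alert.dst}: {alert.detail}")
```

The design point is that the monitor never touches the PLC: it only reads frames off a tap or SPAN port, so it cannot disturb the process the way an active scan can. The policy is deliberately about who is allowed to write, not about whether the traffic "looks bad", because on a control network a single well-formed write from the wrong host is the finding.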
As we explored in our earlier post on OT security and Zero Trust, this convergence requires a fundamentally different security approach — one that doesn’t assume the OT side of the house is implicitly trusted.
Regulatory Pressure: NIS2 is Raising the Bar
Beyond the threat landscape, regulatory pressure is accelerating OT security investment. The EU’s NIS2 Directive (Network and Information Security Directive 2) expanded its scope to include entities in sectors like energy, transport, water, healthcare, and digital infrastructure — all heavy OT environments.
NIS2 mandates:
- Risk management and security measures
- Incident handling and reporting (early warning within 24 hours)
- Security policies for network and information systems
- Vulnerability handling and disclosure
- Accountability at board level
For many organizations, NIS2 compliance will require a complete overhaul of how OT security is governed, monitored, and funded.
The OT Security Checklist: What’s Your Priority?
- ☑️ Asset inventory complete — all OT devices mapped and monitored
- ☑️ IT/OT boundary identified and hardened (firewalls, unidirectional gateways)
- ☑️ Remote access secured — MFA enforced, vendor access time-boxed and logged
- ☑️ Engineering workstations locked down — no unnecessary software, no direct internet access
- ☑️ Network segmentation in place — OT systems not on flat networks
- ☑️ OT-specific monitoring deployed — passive monitoring for OT protocols
- ☑️ Incident response plan covers OT scenarios — includes plant operations teams
- ☑️ Third-party vendor access reviewed and least-privileged
- ☑️ NIS2 compliance gap assessment completed
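One way to turn the "remote access secured" and "vendor access reviewed" items into a repeatable check, as an added example that is not code from the original post: audit jump-host session logs against a policy in which every vendor account is tied to a ticketed time window and an explicit list of target hosts, and every session must have used MFA. The log format, account names, addresses and windows are constructed for illustration; a real deployment would read the same fields from the VPN or bastion's own logs.

```python
"""Audit remote-access session logs against time-boxed, MFA-enforced vendor access.

Added example, not code from the original post. The log format, accounts,
addresses and ticket windows are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime


def ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2026-03-02T14:05:11Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Window:
    """One approved change ticket: when the vendor may connect, and to which hosts."""
    start: datetime
    end: datetime
    hosts: frozenset


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    dst: str
    when: str


# Constructed policy: every vendor account is tied to explicit windows and targets.
ACCESS_WINDOWS = {
    "vendor-acme": [Window(ts("2026-03-02T13:00:00Z"), ts("2026-03-02T17:00:00Z"),
                           frozenset({"10.10.30.11"}))],
    "vendor-globex": [Window(ts("2026-03-03T08:00:00Z"), ts("2026-03-03T12:00:00Z"),
                             frozenset({"10.10.30.12"}))],
}

# Constructed jump-host session records (one key=value line per session start).
SESSION_LOG = """\
2026-03-02T14:05:11Z event=session_start user=vendor-acme src=203.0.113.8 dst=10.10.30.11 mfa=yes
2026-03-02T22:41:03Z event=session_start user=vendor-acme src=203.0.113.8 dst=10.10.30.11 mfa=yes
2026-03-03T09:12:45Z event=session_start user=vendor-globex src=198.51.100.23 dst=10.10.30.12 mfa=no
2026-03-03T09:30:00Z event=session_start user=vendor-globex src=198.51.100.23 dst=10.10.30.11 mfa=yes
2026-03-03T10:00:00Z event=session_start user=contractor-old src=198.51.100.77 dst=10.10.30.11 mfa=yes
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=session_start user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) mfa=(?P<mfa>yes|no)$"
)


def audit(lines, windows):
    """Return one Finding per policy violation, in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            findings.append(Finding("unparsed_line", "?", "?", line))
            continue
        when, user, dst = ts(m["ts"]), m["user"], m["dst"]
        if user not in windows:
            # No ticket on file at all: a stale or never-offboarded account
            findings.append(Finding("unknown_account", user, dst, m["ts"]))
            continue
        if m["mfa"] != "yes":
            findings.append(Finding("no_mfa", user, dst, m["ts"]))
        active = [w for w in windows[user] if w.start <= when <= w.end]
        if not active:
            findings.append(Finding("outside_window", user, dst, m["ts"]))
        elif not any(dst in w.hosts for w in active):
            findings.append(Finding("host_not_in_ticket", user, dst, m["ts"]))
    return findings


def run_demo():
    return audit(SESSION_LOG, ACCESS_WINDOWS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.rule:20} {f.user:16} -> {f.dst} at {f.when}")
```

Run daily against the previous day's sessions, the unknown_account and outside_window findings are the ones that most often reveal the standing, never-revoked vendor access the post describes; host_not_in_ticket catches a legitimate vendor drifting from the system they were approved to touch to a neighbouring one.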
Conclusion: The Window is Now
State-sponsored groups are no longer just mapping OT networks — they’re embedding themselves for potential destructive operations. Ransomware groups are more OT-aware than ever. The attack surface is expanding with every new connected sensor and remote monitoring dashboard.
The good news: the gap between adversary activity and defensive capability is still closeable — for now. The threats covered in this post don’t require futuristic defenses. They require disciplined fundamentals: asset visibility, network segmentation, identity hygiene, OT-aware monitoring, and IT/OT collaboration.
In Part 2 (coming soon), we’ll explore how AI is specifically being deployed to close those OT security gaps — from anomaly detection to automated threat hunting. Stay tuned.
About the Author: Syed Adil Hussain is a cybersecurity professional helping organizations secure their digital infrastructure. Connect with him on LinkedIn or reach out directly at thecyberguy90@gmail.com.