• By Prabhanshi Singh
  • 17 Jun, 2026
  • Report
Industrial Targets, Real Disruption: The 2026 State of OT/ICS Cybersecurity in US Critical Infrastructure
Explore the 2026 OT/ICS cybersecurity landscape, rising nation-state threats, ransomware risks, and strategies for protecting U.S. critical infrastructure.

Executive Summary: OT/ICS Cybersecurity Is Now a Business Continuity Problem

Industrial cybersecurity changed meaningfully in 2025. The threat is no longer limited to attackers entering a network, hiding quietly, and waiting for a future opportunity. In OT and ICS environments, adversaries are getting more practical. They are studying process dependencies, mapping control loops, watching how engineering systems behave, and looking for points where cyber access can create real operational pressure.

That is the part leaders should care about. A compromise in industrial environments does not stay neatly inside a laptop, server, or dashboard. It can affect production lines, plant visibility, safety decisions, regulatory reporting, vendor operations, customer commitments, and insurance exposure. Very inconvenient, because machines apparently do not pause politely while executives schedule a risk committee meeting.

The major shift is speed. The distance between network compromise and physical disruption is getting shorter. An attacker with access to OT-adjacent systems, enough process knowledge, and weak monitoring in their favor may not need custom ICS malware to cause disruption. That reality changes how US critical infrastructure operators should fund, govern, and measure cybersecurity.

This paper analyzes the state of cybersecurity in OT/ICS networks in U.S. critical infrastructure in 2026, based on research by Dragos, TXOne Networks / Frost & Sullivan, Forescout Vedere Labs, Cyble, the World Economic Forum, and Dragos-Marsh McLennan.

Key Findings at a Glance

| Finding | Stat | What It Means |
| --- | --- | --- |
| High-severity ICS advisories | 82% rated High or Critical in 2025 | More vulnerabilities are landing in the urgent category, increasing pressure on OT teams. |
| Industrial ransomware growth | 49% YoY increase, affecting 3,300 organizations globally | Ransomware is now a production continuity issue, not only an IT recovery issue. |
| IT-to-OT incident origin | 96% of OT incidents began with an IT compromise | The IT/OT boundary has become one of the most important defense points. |
| OT monitoring gap | Only 46% of assessed environments had adequate monitoring | Many operators still lack visibility during incidents. |
| OT protocol attacks | 84% increase in 2025 | Attackers are getting closer to the industrial systems that actually run operations. |
| AI-related cyber risk | 87% of respondents flagged AI vulnerabilities as the fastest-growing cyber risk | AI is increasing both attacker speed and defender complexity. |
| OT incidents experienced | 60% of organizations reported at least one OT security incident in 2025 | OT incidents are becoming a routine operational risk. |

Sources: see References at the end of this report; Cyber Tech Intelligence analysis.

How Industrial Cyber Threats Are Changing

1. The Kill Chain Is Moving Toward Physical Impact

For years, many industrial operators leaned on separation, complexity, and the old comfort of the “air gap.” That comfort is now thin. OT environments are more connected than they used to be. Remote access, cloud analytics, predictive maintenance, enterprise dashboards, vendor support, and IT-integrated workflows have made operations more efficient. They have also made the attack surface wider.

In 2025, adversaries showed deeper interest in how industrial systems actually function. Dragos reported that threat groups were not only establishing access but also mapping control loops, engineering workstations, and process dependencies. Activity linked to groups such as KAMACITE, ELECTRUM, and VOLTZITE showed a move toward operational understanding rather than simple network presence.1

This matters because an attacker who understands process logic can be more dangerous than one who simply has access. They may understand where alarms appear, which workstations hold configuration data, how commands move, and what dependencies keep production stable. That kind of knowledge can shorten the path from intrusion to disruption. OT cybersecurity is therefore not just network protection anymore. It is process protection.

2. Nation-State Activity Is More Coordinated

Industrial threat activity is becoming increasingly organized. The 2025 threat landscape reflected a shift away from isolated operators toward coordinated ecosystems of specialized actors. Some groups focus on initial access. Others concentrate on reconnaissance, credential acquisition, persistence, infrastructure staging, or disruption planning.

This specialization creates efficiency. Access brokers identify vulnerable targets and sell entry points. Intrusion operators expand footholds and collect intelligence. Ransomware affiliates, state-sponsored actors, or disruptive groups build on that access to pursue their objectives. The result is a threat environment in which multiple actors can contribute to a single campaign without sharing the same end goal.

For critical infrastructure operators, this evolution lowers the barrier to entry for sophisticated attacks. An adversary no longer needs expertise across every phase of an operation. Access, intelligence, tooling, and operational support can be acquired through an established ecosystem.

The industrial threat landscape is therefore shaped not only by individual actors, but by networks of actors whose combined capabilities create a more persistent and scalable risk to critical infrastructure.

| Threat Group | Nexus | Primary Targets | 2025 Activity |
| --- | --- | --- | --- |
| SYLVANITE | Access broker tied to VOLTZITE/Volt Typhoon activity | US critical infrastructure | Exploited enterprise technologies and passed access to OT-focused operators. |
| PYROXENE | Nation-state-linked | US, Western Europe, Middle East | Associated with destructive wiper activity against critical infrastructure. |
| AZURITE | OT overlaps with PRC-linked activity | US, Europe, Asia-Pacific | Maintained long-term access to OT-adjacent environments. |
| KAMACITE | Previously tracked | US energy and industrial sites | Mapped control-loop dependencies across industrial environments. |
| ELECTRUM | Previously tracked | European energy systems | Targeted distributed energy assets and attempted operational effects. |

Sources: see References at the end of this report; Cyber Tech Intelligence analysis.

Traditional detection that waits for malware or obvious disruptive behavior is too late. Operators need to detect the earlier stages: suspicious remote access, engineering workstation activity, abnormal data collection, unusual traffic between IT and OT zones, and unexpected activity involving industrial protocols.

3. Ransomware Remains the Most Visible OT Disruptor

Ransomware remains one of the most disruptive threats facing industrial organizations. According to Dragos, ransomware activity targeting industrial entities increased by 49% in 2025, affecting approximately 3,300 organizations worldwide.

In corporate environments, ransomware is often associated with encrypted files, business interruption, and recovery costs. In industrial environments, the consequences extend further. Production may stop, facilities may shift to manual operations, safety validation processes may be triggered, shipments may be delayed, and complex restart procedures may be required before normal operations can resume.

The full impact is frequently understated. Many incidents are categorized as IT security events even when operational technology environments experience the primary business consequences. When a compromise originates in enterprise IT but results in production outages, operational disruption, or facility shutdowns, the risk extends well beyond information technology.

Manufacturing organizations remain particularly vulnerable. Production environments operate with tightly coupled processes, limited tolerance for downtime, and significant dependencies across suppliers, logistics providers, and downstream operations. A disruption affecting one facility can quickly create financial and operational consequences across the broader value chain.

For industrial organizations, ransomware is not simply a cybersecurity issue. It is an operational resilience challenge with direct implications for production, revenue, safety, and business continuity.

4. IT/OT Convergence Is Expanding the Attack Surface

The push toward connected operations has clear benefits. Organizations want real-time visibility, predictive maintenance, remote support, and better performance data. No one is arguing against efficiency. The problem is that every new connection can become a path for attackers if it is not controlled properly.

TXOne Networks and Frost & Sullivan reported that 96% of OT security incidents originated from IT-level compromise. That figure is blunt enough to deserve attention. OT cannot be protected in isolation when the most common path into OT begins in enterprise IT.3

Forescout-linked research also reported an 84% increase in attacks on OT protocols in 2025, with Modbus and EtherNet/IP among the leading targets. That suggests attackers are moving beyond nearby enterprise systems and becoming more comfortable with the protocols used inside industrial environments.9

Remote access gateways, engineering workstations, historians, vendor connections, jump servers, and maintenance laptops all deserve close attention. Convenient access without governance is not modernization. It is a risk with a friendly user interface.

Where OT Security Programs Are Still Falling Behind

Finding 1: Vulnerability Volume Is Outpacing Defender Capacity

ICS vulnerability risk reached a new high in 2025. Forescout-linked analysis reported 508 ICS advisories covering 2,155 vulnerabilities, the highest volume since tracking began. Many affected core industrial assets, such as PLCs, field controllers, SCADA systems, and related control technologies.4

The problem is not only volume. Triage is essential, because OT teams cannot remediate every advisory: control systems have uptime requirements, safety considerations, vendor dependencies, and fixed maintenance windows. Priority should be set by asset criticality, exploitability, threat intelligence, potential safety consequences, and existing compensating controls.

Finding 2: Monitoring Gaps Make Response Harder

Only 46% of OT assessments found adequate real-time network monitoring. That means many industrial environments still do not have the visibility needed to reconstruct an incident. In OT, this matters because commands and state changes can be temporary. Once an action occurs, the best evidence may disappear unless monitoring is already active.1

Without telemetry, teams may not know what changed, which systems were touched, whether attacker access remains, or whether it is safe to restart operations. Real-time monitoring should include passive asset discovery, industrial protocol awareness, alerts for unusual commands, engineering workstation visibility, new device detection, and traffic monitoring across IT/OT boundaries.

Finding 3: Legacy Infrastructure Creates a Built-In Risk Floor

Industrial assets commonly remain in service for 20 to 30 years, while exploits arrive far faster: the cited research put the interval between disclosure of a new vulnerability and availability of an exploit at about 24 days in 2025. That mismatch is one of the hard truths of OT cybersecurity.

Many legacy controllers and systems, such as PLCs, RTUs, HMIs, and engineering workstations, may lack authentication, encryption, logging, patching mechanisms, or any advanced security function at all. Most were not designed to withstand modern adversaries. The practical answer is a layered approach: segmentation, access controls, monitoring, compensating controls, vendor management, tested backups, and contingency plans.

Finding 4: OT Incident Response Planning Is Underdeveloped

MxD’s U.S. manufacturing cyber resilience report, produced with Deloitte, also shows uneven security testing maturity among manufacturers. It found that 40% of manufacturers conduct annual external penetration testing, while quarterly testing is much less common, especially among small and medium manufacturers. That supports the broader point that many manufacturers are not validating their cyber resilience often enough, even as their operations become more connected.8

In IT, response often focuses on isolating systems, resetting credentials, rebuilding machines, and restoring data. In OT, the same decision may affect safety systems, product quality, environmental controls, regulatory obligations, and restart procedures. An OT incident response plan should define shutdown authority, safety validation, regulator and insurer notification, evidence handling, and approved external responders.

Why OT Cyber Risk Belongs in Executive Risk Governance

OT cyber risk is now tied directly to financial exposure. The cited research estimates that OT cyber risk could cost the global economy hundreds of billions of dollars annually, with North American manufacturing identified as a major exposure hotspot. That exposure includes production losses, supply chain disruption, safety validation, recovery costs, contractual penalties, insurance claims, and delayed delivery.1

Industrial downtime becomes expensive quickly. The cited research puts automotive assembly line downtime at around $22,000 per minute. Exact figures vary by plant and process, but the direction is clear: when industrial operations stop, financial impact can escalate fast.

TXOne Networks also reports that 60% of organizations experienced OT security incidents in 2025. That makes OT incidents a recurring operational risk, not an occasional anomaly.3

In power generation, water treatment, chemicals, pharmaceuticals, transport, and manufacturing, the effect differs from a routine IT outage. Ransomware does not have to encrypt a PLC to achieve its effect: once operators lose confidence that they can see or reach the systems supporting the process, they may stop it as a precaution.

Stakeholders, insurers in particular, increasingly demand evidence that OT risk is actually being managed. Companies that cannot demonstrate visibility, segmentation, monitoring, incident response readiness, and control of third-party access should expect closer scrutiny, higher premiums, exclusions, and more pointed underwriting questions.

Why OT Readiness Still Trails Rising Investment

The World Economic Forum’s Global Cybersecurity Outlook 2026 found that 87% of respondents identified AI-related vulnerabilities as the fastest-growing cyber risk. TXOne Networks also reported that 88% of surveyed organizations increased OT security spending by more than 10%, while 60% experienced at least one OT security incident in 2025.5

This shows momentum, but not uniform maturity. Larger industrial operators may be expanding monitoring, segmentation, incident response, and governance programs. Smaller manufacturers, rural utilities, and resource-constrained operators may still struggle with asset inventory, legacy equipment, staffing, and budget limits.

| Maturity Indicator | Current State |
| --- | --- |
| Adequate OT network monitoring | 46% of assessed environments |
| Formal OT incident response plans | About 30% of manufacturers |
| Regular OT penetration testing | Less than 50% |
| OT security spending growth above 10% | 88% of surveyed organizations |
| Organizations reporting OT incidents in 2025 | 60% |
| Asset inventory completeness | The majority still lack a complete OT asset inventory |

Sources: see References at the end of this report; Cyber Tech Intelligence analysis.

The snapshot shows a familiar problem. Spending is increasing, but foundational controls are not consistently mature. Asset inventory, monitoring, incident response planning, and OT testing remain uneven. Buying advanced capabilities before fixing visibility is like installing a luxury alarm system in a building where no one knows how many doors exist.

What Critical Infrastructure Leaders Should Prioritize

1. Build a Complete OT Asset Inventory

Organizations cannot secure assets they cannot see. A useful OT inventory should include PLCs, RTUs, HMIs, engineering workstations, historians, remote access points, software versions, vendor connections, network paths, and IT/OT boundary systems. Passive discovery should be prioritized to avoid disrupting industrial processes.

2. Deploy Continuous OT Network Monitoring

The 46% monitoring figure should be treated as a warning sign. OT teams need passive, protocol-aware monitoring across Purdue Level 1-3 environments, with alerts for abnormal commands, new devices, engineering workstation activity, lateral movement, and unusual IT/OT communication.7
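The monitoring requirements listed here and under Finding 2 (passive asset discovery, protocol awareness, alerts on unusual commands, new-device detection, and visibility across the IT/OT boundary), together with the earlier point that detection must catch reconnaissance before disruptive behaviour, can be shown as a small baseline-driven monitor. The following is an added example written for this report, not code from any cited vendor: the Purdue zoning, addresses, asset names, permitted writers and flow records are all constructed, and a real deployment would feed the same checks from a passive sensor on a SPAN port rather than from an inline list.

```python
"""Passive, baseline-driven OT flow monitor over constructed flow records.

Every address, asset name and policy below is hypothetical. The checks map to
the monitoring needs named in the report: new-device detection, awareness of
industrial protocol commands, and visibility of traffic across zone boundaries.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Modbus function codes that change controller state (coil/register writes,
# file-record writes, mask write, and combined read/write).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 21, 22, 23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str                 # "modbus", "enip", "rdp", "tls", ...
    fc: Optional[int] = None   # Modbus function code when proto == "modbus"


# Hypothetical Purdue-style zoning (address ranges invented for this example).
ZONES = {
    "10.0.0.0/24": "L4-IT",       # enterprise network
    "10.1.0.0/24": "L3-ops",      # historian, jump server
    "10.2.0.0/24": "L2-control",  # HMIs, engineering workstations
    "10.3.0.0/24": "L1-field",    # PLCs, RTUs
}
OT_ZONES = {"L3-ops", "L2-control", "L1-field"}
_NETS = [(ipaddress.ip_network(n), z) for n, z in ZONES.items()]

# Asset baseline (the passive inventory) and the policy derived from it.
KNOWN_ASSETS = {
    "10.1.0.5": "jump-server", "10.1.0.10": "historian",
    "10.2.0.20": "ews-01", "10.2.0.21": "hmi-01",
    "10.3.0.30": "plc-01", "10.3.0.31": "rtu-01",
}
JUMP_SERVER = "10.1.0.5"
PERMITTED_WRITERS = {"10.2.0.20"}   # only the engineering workstation may issue writes
ALLOWED_OT_PATHS = {                # (src zone, dst zone) pairs the baseline permits
    ("L3-ops", "L2-control"), ("L3-ops", "L1-field"), ("L2-control", "L1-field"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETS:
        if addr in net:
            return zone
    return "external"


def analyze(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Return alerts keyed by rule name; one flow may trigger several rules."""
    alerts: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        # 1. New device: an endpoint inside an OT zone that the inventory does not know.
        if any(zone_of(ep) in OT_ZONES and ep not in KNOWN_ASSETS for ep in (f.src, f.dst)):
            alerts["new-device"].append(f)
        # 2. Unauthorized write: a state-changing Modbus command from a non-engineering host.
        if f.proto == "modbus" and f.fc in MODBUS_WRITE_FCS and f.src not in PERMITTED_WRITERS:
            alerts["unauthorized-write"].append(f)
        # 3. IT-to-OT bypass: enterprise traffic that does not terminate on the jump server.
        if sz == "L4-IT" and dz in OT_ZONES and f.dst != JUMP_SERVER:
            alerts["it-ot-bypass"].append(f)
        # 4. OT egress: an OT asset initiating a connection outside the plant ranges.
        if sz in OT_ZONES and dz == "external":
            alerts["ot-egress"].append(f)
        # 5. Zone violation: a cross-zone path inside OT that the baseline does not permit.
        if sz in OT_ZONES and dz in OT_ZONES and sz != dz and (sz, dz) not in ALLOWED_OT_PATHS:
            alerts["zone-violation"].append(f)
    return dict(alerts)


# Constructed flow records, as a passive sensor might summarise them.
SAMPLE_FLOWS = [
    Flow("10.2.0.21", "10.3.0.30", 502, "modbus", fc=3),    # HMI reads holding registers: benign
    Flow("10.2.0.20", "10.3.0.30", 502, "modbus", fc=16),   # EWS writes registers: permitted writer
    Flow("10.2.0.21", "10.3.0.31", 502, "modbus", fc=5),    # HMI writes a coil: not a permitted writer
    Flow("10.0.0.15", "10.3.0.30", 502, "modbus", fc=3),    # IT host polls a PLC directly
    Flow("10.0.0.15", "10.1.0.5", 3389, "rdp"),             # IT host reaches the jump server: benign
    Flow("10.2.0.99", "10.3.0.30", 502, "modbus", fc=16),   # unknown host writes to a PLC
    Flow("10.3.0.30", "198.51.100.7", 443, "tls"),          # PLC opens an outbound TLS session
    Flow("10.3.0.31", "10.2.0.21", 44818, "enip"),          # RTU initiates toward the control zone
]

if __name__ == "__main__":
    for rule, hits in sorted(analyze(SAMPLE_FLOWS).items()):
        for f in hits:
            tail = f" fc={f.fc}" if f.fc is not None else ""
            print(f"{rule:18} {f.src} -> {f.dst}:{f.dport} {f.proto}{tail}")
```

Run as written, the eight constructed flows produce six alerts: the HMI coil write and the unknown host's register write are unauthorized writes, the unknown host is also a new device, the direct IT-to-PLC poll is a boundary bypass, the PLC's outbound TLS session is OT egress, and the RTU-initiated connection into the control zone is a zone violation. The two benign flows and the IT session that correctly lands on the jump server raise nothing. The point is that none of these rules require a malware signature; they need only an asset inventory and a stated policy, which is exactly what the 46% monitoring figure says most sites lack.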

3. Harden the IT/OT Boundary

The 96% IT-origin statistic makes boundary hardening one of the highest-value security actions. Priorities should include segmentation, MFA for remote access, strict vendor controls, monitored jump servers, secured engineering workstations, and visibility into OT-adjacent IT systems.3

4. Use Risk-Based Vulnerability Prioritization

OT teams should not prioritize solely by raw CVSS scores. A vulnerability’s real risk depends on asset criticality, exploit availability, exposure, compensating controls, safety impact, and operational context. The goal is not to patch everything first. The goal is to reduce the highest-risk paths before attackers use them.
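The prioritization described here, and under Finding 1, is easier to reason about as a scoring function than as a list of factors. The following is an added example for this report, not a model from Dragos, Forescout or any other cited source: the weights, the exposure classes, the advisory identifiers and the four findings are all hypothetical and would need to be calibrated per site. It deliberately constructs a case where CVSS alone and risk-based ranking disagree.

```python
"""Risk-based ranking of ICS advisories (added example; not a method from any cited report).

Scores combine the factors the report names: asset criticality, exploit
availability, exposure, compensating controls, and safety impact. Weights,
advisory identifiers and findings are hypothetical and must be tuned per site.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    advisory: str          # hypothetical identifier, not a real advisory
    asset: str
    cvss: float            # vendor/CISA base score, 0-10
    criticality: int       # site-assigned, 1 (ancillary) .. 5 (process or safety critical)
    exploit_public: bool   # public exploit or known-exploited
    exposure: str          # "internet", "it-reachable", "ot-only", or "isolated"
    safety_impact: bool    # could affect a safety function or the physical process
    compensating: float    # 0.0 (none) .. 1.0 (path fully blocked by existing controls)


EXPOSURE_WEIGHT = {"internet": 1.0, "it-reachable": 0.8, "ot-only": 0.5, "isolated": 0.2}
EXPLOIT_FACTOR = 1.5   # multiplier when an exploit is public
SAFETY_FACTOR = 1.5    # multiplier when a safety function is in scope


def risk_score(f: Finding) -> float:
    """Likelihood (exposure, exploitability, mitigations) times impact (severity, criticality, safety)."""
    if f.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"unknown exposure class: {f.exposure}")
    if not 0.0 <= f.compensating <= 1.0:
        raise ValueError("compensating must be within 0.0..1.0")
    likelihood = (EXPOSURE_WEIGHT[f.exposure]
                  * (EXPLOIT_FACTOR if f.exploit_public else 1.0)
                  * (1.0 - f.compensating))
    impact = (f.cvss / 10.0) * f.criticality * (SAFETY_FACTOR if f.safety_impact else 1.0)
    return round(likelihood * impact * 10.0, 2)


def rank_by_risk(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=risk_score, reverse=True)


def rank_by_cvss(findings: List[Finding]) -> List[Finding]:
    """The naive ordering the text warns against, kept for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed findings: a critical-CVSS bug on an isolated, partly mitigated historian
# versus a medium-CVSS bug on an IT-reachable safety PLC with a public exploit.
SAMPLE_FINDINGS = [
    Finding("ADV-A", "historian-01", 9.8, 2, False, "isolated", False, 0.6),
    Finding("ADV-B", "safety-plc-03", 6.5, 5, True, "it-reachable", True, 0.0),
    Finding("ADV-C", "remote-gw-01", 8.1, 4, True, "internet", False, 0.3),
    Finding("ADV-D", "hmi-02", 7.5, 3, False, "ot-only", False, 0.0),
]

if __name__ == "__main__":
    print("by CVSS:", [f.advisory for f in rank_by_cvss(SAMPLE_FINDINGS)])
    for f in rank_by_risk(SAMPLE_FINDINGS):
        print(f"{f.advisory} {f.asset:14} cvss={f.cvss:4} risk={risk_score(f):6}")
```

On the constructed set, CVSS ordering puts the historian bug (9.8) first and the safety PLC bug (6.5) last; the risk ordering inverts that, because the PLC finding combines reachability from IT, a public exploit, top criticality and safety scope while the historian finding is isolated and partly mitigated. The multipliers are illustrative; what matters is that exposure and compensating controls scale likelihood, criticality and safety scope scale impact, and a patch window is spent on the highest product rather than the highest base score.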

5. Create and Exercise an ICS-Specific Incident Response Plan

A generic IT response plan is not enough. OT incident response must include process engineers, site operators, safety leaders, legal counsel, insurers, regulators, executives, and OT-capable response partners. The plan should define decision authority, evidence handling, shutdown criteria, recovery steps, safety validation, communication protocols, and notification triggers.

6. Move OT Security Into Board-Level Governance

OT cybersecurity should be reported as a material business risk. Boards need OT-specific metrics, not just broad IT cyber dashboards. Useful reporting should include asset inventory maturity, monitoring coverage, segmentation status, incident response readiness, ransomware exposure, third-party access governance, insurance adequacy, and unresolved high-risk vulnerabilities.

References

  1. Dragos Inc. 2026 OT Cybersecurity Year in Review. 2026.

  2. Dragos Inc. Dragos 2026 Year in Review: New OT Threats and Ransomware. 2026.

  3. TXOne Networks. 2026 Annual OT/ICS Cybersecurity Report. 2026.

  4. Forescout Vedere Labs / Industrial Cyber. Forescout Flags Spike in High-Severity OT/ICS Flaws, Exposing Visibility Gaps That Leave Critical Infrastructure at Risk.

  5. World Economic Forum. Global Cybersecurity Outlook 2026. 2026.

  6. Cyble Research and Intelligence Labs. Annual Threat Landscape Report 2025. 2025.

  7. Dragos and Marsh McLennan. 2025 OT Security Financial Risk Report. 2025.

  8. MxD and Deloitte. Behind the Firewall: Assessing Cyber Resilience in U.S. Manufacturing. June 2024.

  9. Forescout Research (Vedere Labs). 2025 Threat Roundup: Emerging Cybersecurity Threats and Trends. 2025.