OT cyber adversaries increasing real-world impact: report

Dragos

Wednesday, 18 February, 2026

Dragos has released its 2026 OT/ICS Cybersecurity Report and Year in Review, which has identified three new threat groups targeting critical infrastructure globally and found adversaries progressing from reconnaissance to operational disruption.

The findings demonstrate a maturation in adversary operations, with threat groups working as coordinated ecosystems and advancing from isolated device targeting to mapping entire industrial control systems.

KAMACITE systematically mapped control loops across US infrastructure throughout 2025, while ELECTRUM targeted distributed energy systems in Poland with deliberate attempts to affect operational assets.

Dragos also identified three new threat groups, including SYLVANITE, which hands off established footholds to VOLTZITE for deeper OT intrusions. PYROXENE targets the United States, Western Europe and the Middle East, and deployed destructive wiper malware against critical infrastructure during regional conflict in June.

Meanwhile, AZURITE showed OT overlaps with Flax Typhoon and conducted sustained operations across the US, Europe and Asia–Pacific. Ransomware groups targeting industrial organisations surged 49% year-over-year, impacting 3300 organisations globally and disrupting operations.

“The threat landscape in 2025 reached a new level of maturity,” said Robert M. Lee, CEO and co-founder of Dragos. “Adversaries are mapping how control systems work, understanding where commands originate, how they propagate and where physical effects can be induced. We’re seeing the ecosystem evolve with specialised threat groups systematically building access pathways for more capable adversaries to reach OT environments.

“Meanwhile, ransomware groups are causing more operational disruption and multi-day outages that require OT-specific recovery. Yet industrial organisations significantly underestimate the reach of ransomware into OT environments because they think it’s just IT.

“There were meaningful defensive gains in 2025 too,” Lee continued. “Organisations with comprehensive OT visibility detected and contained OT ransomware incidents in an average of five days compared to the industry-wide average of 42 days, proving that detection maturity directly correlates with response success. But the gaps that remain are serious. Establishing comprehensive OT visibility now is critical. If organisations cannot monitor their systems today, they’ll find that future adoption of technologies like AI, battery storage and distributed energy resources creates exponentially greater blind spots.”

More details from the 2025 Year in Review can be found here.

  • All content Copyright © 2026 Westwick-Farrow Pty Ltd