Industrial Cyber Threats Evolve from Spying to Physical Disruption, Dragos Warns

Dragos 2026 Report: Adversaries Now Targeting Physical Disruption in Industrial Control Systems

Severity: HIGH
March 8, 2026
5m read
Topics: Threat Intelligence, Industrial Control Systems, Threat Actor

Related Entities

Threat Actors: SYLVANITE


Executive Summary

The Dragos 2026 OT/ICS Cybersecurity Year in Review report has identified a critical evolution in the threat landscape for industrial organizations. Adversaries are no longer content with reconnaissance and data theft; their focus has shifted to understanding and manipulating physical processes to cause tangible, real-world disruption. This strategic change elevates the risk to critical infrastructure sectors like energy, manufacturing, and transportation. The report introduces three new industrial-focused threat groups, including SYLVANITE, which acts as an initial access broker for other actors. Despite the rise of these specialized APTs, the report underscores that ransomware remains a pervasive and immediate danger, with a dramatic increase in campaigns targeting industrial environments in the past year.

Threat Overview

The core finding of the report is the strategic shift in adversary objectives from espionage to disruption. Attackers are investing time to learn the specific operational technology (OT) and industrial control systems (ICS) of their targets. This knowledge allows them to move beyond disrupting IT networks and directly impact physical processes, potentially causing equipment damage, production halts, or unsafe conditions.

New Threat Groups

Dragos has identified three new threat groups, highlighting the increasing specialization in this domain.

  • SYLVANITE: This group functions as an Initial Access Broker (IAB) for the ICS world. They specialize in finding and exploiting vulnerabilities in public-facing industrial infrastructure. Instead of carrying out the final attack themselves, they sell or hand off this access to other threat actors, such as ransomware groups or nation-state APTs. This mirrors the mature IAB ecosystem in the enterprise IT world and signifies a professionalization of ICS attacks.

Ransomware in OT

The report emphasizes that while nation-state disruptors are a high-impact threat, ransomware is the most frequent and immediate threat to industrial operations. Key statistics from 2025 include:

  • 119 distinct ransomware groups tracked targeting industrial sectors.
  • Over 3,300 industrial organizations impacted globally.

This represents a significant increase over previous years, showing that industrial firms are a lucrative and increasingly targeted market for ransomware gangs.

Technical Analysis

The shift to disruptive attacks requires attackers to progress further along the Purdue Model, moving from the enterprise network (IT) down into the control network (OT). The TTPs are evolving:

  • Initial Access: Still relies on common vectors like phishing and exploiting internet-facing devices, but SYLVANITE's activity shows a focus on OT-specific entry points.
  • Discovery: Attackers are no longer just mapping IT assets. They are using specialized tools and techniques to identify ICS/OT assets like PLCs, HMIs, and engineering workstations (T0829 - Network Connection Enumeration).
  • Impact: The ultimate goal is to manipulate control systems. This could involve techniques like T0831 - Manipulation of Control or T0814 - Denial of Service to halt physical processes.

Impact Assessment

The potential impact of these evolving threats is catastrophic:

  • Safety Risks: Manipulation of industrial processes can lead to unsafe conditions, risking employee injury or public harm.
  • Operational Downtime: Disrupting production can lead to millions of dollars in losses per day for manufacturing or energy facilities.
  • Equipment Damage: Incorrectly manipulating industrial equipment can cause permanent physical damage, requiring costly repairs and long lead times for replacement parts.
  • National Security: For critical infrastructure, these attacks pose a direct threat to national security, potentially impacting power grids, water supplies, or transportation networks.

Detection & Response

Defending against these threats requires a shift from IT-centric security to an OT-aware approach.

  1. OT Network Visibility: You cannot protect what you cannot see. The first step is to gain full visibility into the OT network, identifying all assets, communication paths, and protocols. This is a prerequisite for any further security measures.
  2. Crown Jewel Analysis: Identify the most critical processes and systems in the OT environment. Understand what a disruptive attack would look like and what systems an attacker would need to compromise to achieve it.
  3. OT-Specific Threat Detection: Deploy monitoring solutions that understand industrial protocols (e.g., Modbus, DNP3, S7) and can detect anomalous behavior within the control network. An IT-focused IDS will not be effective here.
  4. Incident Response Plan for OT: Develop and practice an incident response plan that is specifically designed for OT environments. This plan must prioritize safety and operational stability and involve both IT security and plant engineering staff.

Mitigation

  1. Secure Network Architecture: Implement a defensible architecture with strong segmentation between IT and OT networks. Use a DMZ to control all traffic flowing between the two environments. This aligns with M0930 - Network Segmentation.
  2. Vulnerability Management for OT: Develop a risk-based approach to managing vulnerabilities in OT systems. Since patching can be difficult, focus on compensating controls like network segmentation and access restrictions.
  3. Remote Access Security: Secure all remote access to the OT network with multi-factor authentication and dedicated jump boxes.
  4. Employee Training: Train both IT and OT staff on the unique threats facing industrial environments.

Timeline of Events

March 8, 2026: This article was published.

MITRE ATT&CK Mitigations

Creating a strong, defensible boundary between IT and OT networks is the single most effective control for preventing IT-based threats from impacting industrial processes.

Hardening OT endpoints like HMIs and Engineering Workstations to restrict what applications and scripts can run can prevent malware execution.

Enforcing strong access controls and least privilege within the OT environment limits an attacker's ability to move laterally and access critical control systems.

Implementing OT-aware monitoring and logging provides the necessary visibility to detect adversary TTPs within the industrial network.

D3FEND Defensive Countermeasures

In response to the threats outlined by Dragos, industrial organizations must prioritize robust network segmentation, specifically Broadcast Domain Isolation between IT and OT environments. This is not just a firewall rule; it's an architectural principle. A properly implemented industrial demilitarized zone (iDMZ) should be the only path for data to flow between the enterprise (IT) and control (OT) networks. All traffic must be terminated and inspected in the iDMZ. There should be no direct routes or 'firewall holes.' This isolation prevents ransomware that infects the IT network from spreading to the OT network and stops attackers from easily pivoting from a compromised email account to a critical PLC. This directly counters the primary method attackers use to bridge the IT/OT divide and is the foundation of any credible OT security strategy.
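The segmentation principle above (and the M0930 item under Mitigation) can be checked mechanically against a zone-level firewall policy. The following is an added example, not code from Dragos or from this article: it parses a small rule list in a constructed text format, builds a graph of allowed zone-to-zone flows, and reports any IT-to-OT (or OT-to-IT) path that does not traverse the iDMZ, plus any "any"-service rule into OT. The zone names, rule syntax and the sample policy are assumptions made for the illustration.

```python
"""Audit a zone firewall policy for paths that bypass the industrial DMZ.

Added example, not from the Dragos report or the article. The rule syntax
("allow SRC -> DST service  # comment") and the zone names IT, iDMZ, OT and
VENDOR are constructed for illustration.
"""
import re
from collections import defaultdict

RULE_RE = re.compile(r"^(allow|deny)\s+(\w+)\s*->\s*(\w+)\s+(\S+)$")


def parse_policy(text):
    """Return a list of (action, src_zone, dst_zone, service) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        rules.append(m.groups())
    return rules


def allowed_edges(rules):
    """Directed graph of zone -> [(zone, service)] built from allow rules only."""
    graph = defaultdict(list)
    for action, src, dst, service in rules:
        if action == "allow":
            graph[src].append((dst, service))
    return graph


def paths_bypassing(graph, start, target, conduit):
    """All simple paths start -> target whose intermediate hops avoid `conduit`."""
    results = []

    def dfs(node, visited, steps):
        for nxt, service in graph.get(node, []):
            if nxt == conduit or nxt in visited:
                continue
            new_steps = steps + [f"{nxt} ({service})"]
            if nxt == target:
                results.append(" -> ".join(new_steps))
            else:
                dfs(nxt, visited | {nxt}, new_steps)

    dfs(start, {start}, [start])
    return results


def audit(policy_text, it="IT", ot="OT", idmz="iDMZ"):
    """Return human-readable findings for rules that undermine the iDMZ model."""
    rules = parse_policy(policy_text)
    graph = allowed_edges(rules)
    findings = []
    for path in paths_bypassing(graph, it, ot, idmz):
        findings.append(f"IT-to-OT path bypasses {idmz}: {path}")
    for path in paths_bypassing(graph, ot, it, idmz):
        findings.append(f"OT-to-IT path bypasses {idmz}: {path}")
    for action, src, dst, service in rules:
        # Even traffic that does terminate in the iDMZ should be service-specific.
        if action == "allow" and dst == ot and service.lower() == "any":
            findings.append(f"overly broad service into {ot}: allow {src} -> {dst} {service}")
    return findings


# Constructed sample policy: two bypasses and one catch-all rule are present.
SAMPLE_POLICY = """
allow IT     -> iDMZ   tcp/443    # MES pulls reports from the DMZ historian replica
allow iDMZ   -> OT     tcp/502    # DMZ historian polls PLCs over Modbus/TCP
allow OT     -> iDMZ   tcp/1433   # site historian replicates into the DMZ
allow IT     -> OT     tcp/3389   # "temporary" troubleshooting rule left in place
allow IT     -> VENDOR tcp/22     # vendor support landing zone
allow VENDOR -> OT     tcp/3389   # vendor remote desktop into the control network
allow iDMZ   -> OT     any        # catch-all added during commissioning
deny  any    -> any    any
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```

The path search matters once more than three zones exist: a vendor or wireless zone that is reachable from IT and itself allowed into OT is a bypass even though no single rule says "IT to OT".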

To detect the kind of specialized, disruptive activity described in the Dragos report, generic IT security tools are insufficient. Industrial organizations must deploy OT-native Network Traffic Analysis solutions. These tools provide deep packet inspection (DPI) of industrial protocols (e.g., Modbus, DNP3, S7). This allows for the creation of a high-fidelity baseline of all normal OT network communications. The system can then alert on any deviation, such as a new device appearing on the network, an engineering workstation communicating with a PLC it has never talked to before, or a PLC receiving a 'program stop' command from an unauthorized source. This technique is essential for detecting adversaries as they perform reconnaissance and attempt to manipulate control systems, providing an early warning before physical disruption occurs.
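The baseline-then-deviate logic described here (and the OT-specific detection item under Detection & Response) is shown below as an added example, not code from Dragos or from this article. It assumes an OT-aware sensor has already decoded industrial traffic into records of source, destination, protocol and decoded function; the record layout, asset names, the IP address, and the set of function names treated as control operations are constructed for the illustration. The three alert kinds map to the three deviations the paragraph lists.

```python
"""Baseline-and-deviation detection over decoded OT conversation records.

Added example, not from the Dragos report or the article. Assumes a DPI
sensor emits one record per industrial-protocol message; asset names,
timestamps, the IP address and the function labels are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str   # e.g. "modbus", "s7comm"
    func: str    # decoder's function label, e.g. "read_holding_registers"


# Labels a decoder might assign to operations that change controller state or
# logic. These are illustrative names, not wire-level function codes.
CONTROL_FUNCTIONS = {
    "write_single_register", "write_multiple_registers",      # Modbus writes
    "write_var", "plc_stop", "plc_start", "download_block",   # S7 control ops
}


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)
    conversations: set = field(default_factory=set)   # (src, dst, proto)
    control_ops: set = field(default_factory=set)     # (src, dst, func)


def learn_baseline(flows):
    """Build the known-good picture from a learning window of normal traffic."""
    b = Baseline()
    for f in flows:
        b.hosts.update((f.src, f.dst))
        b.conversations.add((f.src, f.dst, f.proto))
        if f.func in CONTROL_FUNCTIONS:
            b.control_ops.add((f.src, f.dst, f.func))
    return b


@dataclass(frozen=True)
class Alert:
    kind: str
    ts: str
    detail: str


def detect(baseline, flows):
    """Return alerts for flows that deviate from the learned baseline."""
    alerts = []
    for f in flows:
        unseen = [h for h in (f.src, f.dst) if h not in baseline.hosts]
        if unseen:
            alerts.append(Alert("new_device", f.ts,
                                f"unseen host(s) {', '.join(unseen)} in {f.src} -> {f.dst}"))
            continue   # an unknown host already explains the finer deviations
        if (f.src, f.dst, f.proto) not in baseline.conversations:
            alerts.append(Alert("new_conversation", f.ts,
                                f"{f.src} -> {f.dst} over {f.proto} not in baseline"))
        if f.func in CONTROL_FUNCTIONS and (f.src, f.dst, f.func) not in baseline.control_ops:
            alerts.append(Alert("unauthorized_control_function", f.ts,
                                f"{f.src} issued {f.func} to {f.dst}; no baseline for this source"))
    return alerts


# Constructed learning-window records: routine engineering and HMI traffic.
BASELINE_FLOWS = [
    Flow("2026-03-01T08:00:00Z", "EWS-01", "PLC-01", "s7comm", "read_var"),
    Flow("2026-03-01T08:05:00Z", "EWS-01", "PLC-01", "s7comm", "write_var"),
    Flow("2026-03-01T08:10:00Z", "EWS-01", "PLC-02", "s7comm", "read_var"),
    Flow("2026-03-01T08:15:00Z", "HMI-01", "PLC-01", "modbus", "read_holding_registers"),
    Flow("2026-03-01T08:20:00Z", "HMI-01", "PLC-02", "modbus", "read_holding_registers"),
    Flow("2026-03-01T08:25:00Z", "HMI-01", "PLC-02", "modbus", "write_multiple_registers"),
]

# Constructed detection-window records mixing routine traffic with deviations.
LIVE_FLOWS = [
    Flow("2026-03-07T09:00:00Z", "HMI-01", "PLC-01", "modbus", "read_holding_registers"),
    Flow("2026-03-07T09:01:00Z", "10.10.5.77", "PLC-01", "modbus", "read_holding_registers"),
    Flow("2026-03-07T09:02:00Z", "EWS-01", "PLC-02", "s7comm", "plc_stop"),
    Flow("2026-03-07T09:03:00Z", "HMI-01", "PLC-01", "modbus", "write_multiple_registers"),
    Flow("2026-03-07T09:04:00Z", "EWS-02", "PLC-01", "s7comm", "read_var"),
    Flow("2026-03-07T09:05:00Z", "HMI-01", "PLC-02", "s7comm", "read_var"),
    Flow("2026-03-07T09:06:00Z", "EWS-01", "PLC-01", "s7comm", "write_var"),
]


def run_demo():
    return detect(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts} [{a.kind}] {a.detail}")
```

Keying control operations on (source, destination, function) rather than on the conversation alone is what separates the two middle alerts from normal traffic: the engineering workstation is allowed to talk to PLC-02, but it has never issued a stop to it, and the HMI reads PLC-01 routinely but has never written to it.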

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ICS, OT, Dragos, Threat Intelligence, APT, SYLVANITE, Critical Infrastructure, Ransomware
