Ransomware Dip Masks Alarming Rise in Nation-State Attacks on Critical Infrastructure

Waterfall Threat Report 2026: Nation-State Attacks on Critical Infrastructure Double Despite Ransomware Dip

Severity: HIGH
March 27, 2026
Topics: Threat Intelligence, Industrial Control Systems, Ransomware


Executive Summary

The Waterfall Threat Report 2026 identifies a two-sided trend in the industrial cybersecurity landscape. On one hand, the number of publicly reported cyberattacks on heavy industry and critical infrastructure that resulted in physical consequences (e.g., operational shutdowns) fell by 25% in 2025, a drop the report attributes largely to a temporary slowdown in ransomware activity. That improvement is overshadowed by a more alarming trend: a 100% increase in attacks from nation-states and hacktivists against the same critical sectors. The report warns that the ransomware lull is not permanent and calls for a shift in defensive thinking toward engineering-based protections rather than reliance on software alone.

Threat Overview

The report analyzes publicly available data on cyberattacks targeting industrial control systems (ICS) and operational technology (OT) environments. While ransomware was the dominant driver of incidents with physical consequences from 2019 to 2024, its activity leveled off in 2025. In its place, politically motivated attacks from nation-state actors and hacktivists surged, indicating a shift in adversary focus toward disruption of, and espionage against, critical national infrastructure.

Key Findings

  • Overall Incidents Down: Publicly recorded incidents with physical consequences dropped from 76 in 2024 to 57 in 2025.
  • Ransomware Slowdown: The report attributes this decline to temporary factors affecting ransomware gangs, but predicts a resurgence in 2026 and 2027.
  • Nation-State Surge: Attacks from nation-states and hacktivists doubled, with the majority targeting critical infrastructure.
  • Decreasing Transparency: Incident reports are becoming less detailed, making it harder for security professionals to analyze attacker TTPs and learn from events.
  • Predictable Failures: The report argues that failures in software-based protection for industrial systems are predictable and should be treated as design flaws, not random occurrences.

Impact Assessment

The shift from financially motivated ransomware to politically motivated nation-state attacks has significant implications for Critical Infrastructure. While ransomware aims to extort money, nation-state campaigns can have more strategic goals, including:

  • Disruption: Causing widespread power outages, water contamination, or transportation shutdowns.
  • Espionage: Stealing sensitive operational data or intellectual property.
  • Pre-positioning: Gaining access to critical systems to be used as leverage or for attacks during future geopolitical conflicts.

The doubling of such attacks represents a direct threat to national security, public safety, and economic stability.

Detection & Response

Detecting sophisticated nation-state actors in OT environments is exceptionally challenging. It requires a defense-in-depth approach:

  • Network Traffic Analysis: Monitor for unusual traffic patterns between IT and OT networks. The custom tools and protocol usage typical of nation-state actors stand out against a baseline of normal traffic, which is the premise of D3FEND's Network Traffic Analysis (D3-NTA).
  • Behavioral Monitoring: Deploy solutions that can monitor for anomalous commands or configuration changes on PLCs, RTUs, and other ICS/OT devices.
  • Threat Intelligence Integration: Consume and operationalize threat intelligence specific to ICS threats and nation-state TTPs to inform hunting and detection efforts.
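As an added illustration of the baselining and behavioral-monitoring points above (example code, not part of the report or the article), the detector below learns which peer pairs and Modbus/TCP function codes appear during a known-good window, then flags three deviations: any flow crossing from the IT subnet into the OT subnet, any Modbus write issued by a host other than the engineering workstation, and any peer pair or function code not present in the baseline. The subnets, the engineering workstation address, and the flow records are all constructed for the example; a real deployment would feed it records exported by a passive OT sensor.

```python
"""Baseline-and-deviation detector for IT-to-OT traffic (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout for the example (not from the report).
IT_NET = ip_network("10.10.0.0/16")
OT_NET = ip_network("10.20.0.0/16")
ENGINEERING_HOSTS = {"10.20.1.5"}  # assumed: the only host allowed to write to PLCs
# Modbus/TCP function codes that change PLC state (writes)
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Constructed flow records: src, dst, destination port, Modbus function code.
BASELINE_FLOWS = [
    {"src": "10.20.1.10", "dst": "10.20.2.1", "dport": 502, "fc": 3},   # HMI polls PLC
    {"src": "10.20.1.10", "dst": "10.20.2.1", "dport": 502, "fc": 3},
    {"src": "10.20.1.5", "dst": "10.20.2.1", "dport": 502, "fc": 16},   # EWS downloads setpoints
]
LIVE_FLOWS = [
    {"src": "10.20.1.10", "dst": "10.20.2.1", "dport": 502, "fc": 3},   # routine poll
    {"src": "10.10.7.33", "dst": "10.20.2.1", "dport": 502, "fc": 16},  # IT host writing to PLC
    {"src": "10.20.1.10", "dst": "10.20.2.1", "dport": 502, "fc": 6},   # HMI issues a write it never did
]


def build_baseline(flows):
    """Map each (src, dst, dport) peer pair to the set of function codes seen."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[(f["src"], f["dst"], f["dport"])].add(f["fc"])
    return baseline


def classify(flow, baseline):
    """Return the list of alert reasons for one flow; empty means benign."""
    reasons = []
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    pair = (flow["src"], flow["dst"], flow["dport"])
    if src in IT_NET and dst in OT_NET:
        reasons.append("it_to_ot_crossing")
    if flow["fc"] in MODBUS_WRITE_CODES and flow["src"] not in ENGINEERING_HOSTS:
        reasons.append("modbus_write_from_unauthorized_host")
    if pair not in baseline:
        reasons.append("new_peer_pair")
    elif flow["fc"] not in baseline[pair]:
        reasons.append("new_function_code")
    return reasons


def detect(flows, baseline):
    """Run classify() over a window and keep only flows that raised a reason."""
    return [(f, r) for f in flows if (r := classify(f, baseline))]


if __name__ == "__main__":
    for flow, reasons in detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']} fc={flow['fc']}: {', '.join(reasons)}")
```

The write-from-unauthorized-host rule is the one to keep tight: reads from an unexpected host are worth a ticket, but a write to a PLC from anything other than the engineering workstation should page someone, because that is the action that produces the physical consequences the report counts.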

Mitigation and Strategic Recommendations

The report advocates for a fundamental shift in how industrial operations are secured, moving beyond a sole reliance on software.

  1. Cyber-Informed Engineering: Embrace principles promoted by CISA and the U.K.'s NCSC. This involves designing industrial processes with the assumption that cyber defenses will eventually fail and building in physical or engineering-based safety measures that cannot be bypassed by a remote attacker.
  2. Hardware-Enforced Segmentation: Use unidirectional security gateways and other hardware-based solutions to physically enforce segmentation between IT and OT networks (M1030 - Network Segmentation). This prevents attackers who compromise the IT network from pivoting into the industrial control environment.
  3. Resilience and Recovery Planning: Develop and test incident response plans that account for a complete loss of digital control, with clear procedures for safely shutting down operations and reverting to manual control if necessary.
  4. Enhanced Monitoring: Despite the call for engineering solutions, robust software-based monitoring and logging remain crucial for early detection (M1047 - Audit).


MITRE ATT&CK Mitigations

  • Network Segmentation (M1030): Critical for separating IT networks from sensitive OT environments to prevent lateral movement from a less secure to a more secure zone.
  • User Training (M1017): Training employees to recognize phishing attempts and social engineering is crucial for preventing initial access.
  • Antivirus/Antimalware (M1049): Deploying and maintaining antimalware solutions on applicable systems within the industrial environment can detect and block known threats.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Threat Report, Nation-State, Hacktivism, Critical Infrastructure, ICS, OT, Ransomware
