
Dragos 2026 OT Report: New Attack Patterns Converge on MES and Industrial Supply Chains

Analysis of Dragos' 2026 OT report: new ransomware and supply-chain attack patterns targeting MES and industrial manufacturing.

The 2026 Dragos OT/ICS Cybersecurity Report and Year in Review documents significant changes in adversary tactics, moving from opportunistic IT encryption to coordinated efforts that map control loops, exploit supply chains, and increasingly target systems such as manufacturing execution systems (MES) and OT-adjacent infrastructure. Manufacturing and critical supply-chain operations are at the center of these developments as ransomware and OT-focused threat groups focus on high-leverage assets.

Executive Summary

The 9th annual Dragos OT Cybersecurity Year in Review details how threat groups advanced from reconnaissance to attempted operational disruption, while industrial ransomware campaigns grew in scale and sophistication. The report identifies three new OT-focused threat groups and a 49% rise in ransomware groups targeting industrial environments, impacting approximately 3,300 industrial organizations, with manufacturing comprising more than two-thirds of victims. Simultaneously, the industrial sector faces an "OT visibility crisis," incomplete vulnerability guidance, and growing reliance on MES and supply-chain integrations that adversaries increasingly exploit.

For manufacturing and operations leaders, the findings highlight priorities including treating MES as critical OT infrastructure, reassessing supply-chain and remote-access exposure, closing telemetry gaps at IT/OT boundaries, and aligning detection and response with OT-specific threat behavior rather than IT-centric models.

Key Findings from the Dragos 2026 OT Cybersecurity Report

Threat Landscape in Brief

The 2026 Dragos report, covering activity from 2025, emphasizes structural change over isolated incidents.

Key data points:

  • Dragos now tracks 26 OT threat groups globally; 11 were active in 2025, including three new groups: AZURITE, PYROXENE, and SYLVANITE.
  • Ransomware groups targeting industrial organizations rose from 80 in 2024 to 119 in 2025 (a 49% increase), collectively impacting about 3,300 industrial organizations worldwide.
  • Manufacturing organizations represented more than two-thirds of the industrial ransomware victims.
  • Industry-wide average ransomware dwell time in OT environments was 42 days; organizations with robust OT visibility detected and contained similar incidents in about 5 days.
  • The report notes an "OT visibility crisis": only 30% of OT networks have adequate monitoring, 56% cannot monitor below the IT/OT boundary, and 88% struggle with effective detection and response.
  • About 25% of ICS-CERT and NVD vulnerabilities analyzed had incorrect CVSS scores, 26% lacked vendor patches or mitigations, and just 2% of ICS-relevant vulnerabilities warranted immediate remediation under Dragos' risk-based model.

These findings indicate a maturing threat ecosystem where specialized groups exchange access, ransomware operators exploit operational and supply-chain dependencies, and defenders often lack the telemetry and advisory accuracy needed for timely, risk-based decisions.

How Adversaries Are Reaching OT: From Supply Chains to MES and Engineering Workstations

Coordinated OT Threat Ecosystems and Stage 2 Tradecraft

Dragos' analysis reveals that threat groups operate as coordinated ecosystems along the ICS Cyber Kill Chain, rather than as isolated actors.

  • KAMACITE expanded from targeting Ukraine to broader European supply-chain campaigns, followed by sustained reconnaissance of U.S. industrial devices, mapping control loops including HMIs, variable-frequency drives, meters, and gateways.
  • ELECTRUM leveraged access for destructive actions, attacking Ukrainian ISPs and later attempting to disrupt heat and power and renewable energy systems in Poland.
  • VOLTZITE (linked to Volt Typhoon) advanced to Stage 2 of the ICS Cyber Kill Chain, manipulating engineering workstation software to extract configuration files and alarm data, seeking conditions that trigger process shutdowns.

This progression marks a shift from reconnaissance to attempts at operational impact, focused on the assets underpinning MES, scheduling, and supply-chain orchestration, including engineering workstations, hypervisors, and OT-adjacent servers.

Supply-Chain Campaigns as Primary On-Ramps to OT

Supply-chain compromise has become a core OT security concern.

  • PYROXENE executes supply-chain and social-engineering campaigns, often leveraging access from PARISITE to move from IT into OT environments across aviation, aerospace, defense, and maritime sectors.
  • KAMACITE's European campaign shows how vendor targeting enables systematic reconnaissance of downstream industrial assets.
  • Previous software supply-chain attacks like Havex and NotPetya demonstrated that IT-facing product and tax software compromises can trigger OT disruptions across multiple plants, resulting in large-scale operational and financial losses.
  • Waterfall Security's review of modern manufacturing incidents confirms that vendor links, IIoT deployments, and cloud-based platforms introduce numerous OT-relevant connections per site, each a potential attack vector.

These developments align with Dragos' assertion: supply-chain relationships and vendor connectivity are now central to OT attack paths.

Why MES, HMIs, and Engineering Workstations Are Increasingly Targeted

Although Dragos highlights engineering workstations, HMIs, and gateways, research shows that MES and related applications often operate on the same or closely linked infrastructure.

  • AZURITE targets OT engineering workstations, exfiltrating operational data (network diagrams, alarms, process details) for downstream OT intrusion development.
  • VOLTZITE exploits cellular gateways to access engineering workstations, extracting data to understand process shutdown conditions.
  • Dragos notes that many OT devices, including HMIs and engineering workstations, are misclassified as IT because they run Windows, causing OT-critical incidents to be labeled "IT-only."
  • Waterfall Security's assessment finds that ransomware increasingly aims at production chokepoints and typically begins with network reconnaissance to identify these assets.
  • Waterfall notes that targeting systems such as MES or production scheduling databases allows attackers to maximize operational disruption while encrypting relatively few systems.

MES orchestrates orders, recipes, and quality data across production lines through:

  • application servers in OT DMZ or Level 3.5,
  • databases syncing with ERP, PLM, and scheduling tools,
  • links to historians, SCADA systems, and controllers.

Thus, the tradecraft Dragos reports against engineering workstations and OT-related Windows infrastructure is directly relevant to MES platforms and their components.

Ransomware in Manufacturing: An OT and Supply-Chain Problem

Dragos confirms broader industry data showing manufacturing as the primary ransomware target.

  • NordStellar telemetry indicates 1,156 ransomware incidents in manufacturing in 2025, a 32% annual increase that comprised 19% of all cases tracked.
  • Other analyses for 2025 also rank manufacturing with technology and healthcare as top targets, with many incidents resulting in production stoppages and extended downtime.
  • Dragos data shows manufacturing firms represented over two-thirds of industrial ransomware victims.

From an OT perspective:

  • Ransomware groups target hypervisors such as VMware ESXi that host SCADA, historian, and MES servers; encryption of the virtualization layer removes operator visibility and control even if physical assets run.
  • Extended dwell times (averaging 42 days) enable deep mapping of production flows, MES, and scheduling chokepoints, allowing carefully coordinated attacks for maximum disruption.
  • Supply-chain dependencies (just-in-time inventory, multi-tier suppliers, and shared logistics) allow a single plant incident to trigger widespread shortages.

Comparing "IT-only" and OT-Aware Ransomware in Manufacturing

Distinct differences exist between opportunistic ransomware and OT-aware campaigns targeting operational dependencies.

| Indicator (2025 data) | Broadly IT-focused ransomware | OT-aware industrial ransomware |
|---|---|---|
| Primary targets | Office IT, file servers, end-user devices | Hypervisors, engineering workstations, MES/SCADA servers, historians |
| Victim classification | "IT incident," limited OT visibility | Often misclassified as IT, but impacting OT operations |
| Average dwell time in OT (Dragos) | Not typically measured | ~42 days before detection (Dragos OT dataset) |
| Detection time with strong OT visibility | Rarely available | ~5 days with comprehensive OT telemetry |
| Operational impact | Data unavailability, business disruption | Production stoppages, quality issues, extended recovery windows |

This trend aligns with Dragos' view that ransomware is now an OT problem; targeting MES, scheduling, and supply-chain systems increases attackers' leverage.

Architectural and Operational Implications for MES Cybersecurity

MES as a High-Leverage OT Target

MES platforms bridge enterprise planning with shop-floor execution and:

  • process ERP orders and generate schedules,
  • manage work-in-progress, routing, recipes, and traceability,
  • exchange data with SCADA, historians, and PLCs,
  • interface with warehouse and logistics systems.

MES risk patterns matching Dragos' findings include:

  • Single-point chokepoints: Limited MES servers often control all production lines for a site.
  • Shared infrastructure: MES shares Active Directory, file servers, and virtualization with OT and IT systems, making it susceptible to collateral encryption.
  • Remote access and vendor connections: Integrations, vendor support, and outsourced development create jump hosts, reverse proxies, or VPN channels vulnerable to abuse during supply-chain or credential attacks.
  • Weak segmentation: Poor zoning between corporate IT, OT DMZ, and Level 3 MES/SCADA enables lateral movement from IT to MES.

Supply-Chain Ripple Effects and MES

MES also plays a key supply-chain role:

  • MES disruptions force plants into manual modes, reducing throughput and increasing errors, extending recovery even after IT restoration.
  • Cyber incidents at critical suppliers can cascade through tiered supply chains and pause OEM operations due to parts shortages.
  • Waterfall Security notes that average cyber incident recovery time for manufacturers approaches a week, with high daily costs and multi-plant effects when scheduling and logistics are centralized.

Dragos' data on long dwell times and misclassification suggests organizations often treat MES outages as "IT events" until significant production impact occurs.

Defensive Priorities Highlighted by Dragos' Findings

1. Architectural Hygiene and Segmentation for MES and OT Gateways

Key priorities reinforced by Dragos include:

  • Zone and conduit design: Align with ISA-95/ISA-62443 standards to place MES and related servers in defined OT DMZ or Level 3 zones, with limited conduits to IT and control networks.
  • Dedicated remote-access paths: Route vendor/integrator remote access through controlled jump hosts or brokers, not generic VPNs.
  • Hypervisor and backup isolation: Segment management interfaces, storage, and backups from general IT and restrict access.
  • Least-privilege identity design: Limit administrative accounts across MES and OT DMZ servers to reduce credential theft risk.

These practices counter IT-to-OT pivot scenarios detailed in Dragos' reporting and OT field guides.

2. Closing the OT Visibility Gap

Dragos highlights OT visibility as critical for reducing dwell time from weeks to days.

Key activities:

  • Passive network monitoring: Instrument major OT network segments to detect new or anomalous traffic and misuse of protocols.
  • SOC integration: Feed OT telemetry into SIEM and SOAR, tuning playbooks to avoid automated IT containment functions that could disrupt MES or controllers.
  • Baseline normal MES behavior: Profile typical MES traffic patterns; flag deviations suggesting exfiltration or lateral movement.
  • Remote access monitoring: Log all remote sessions to MES or OT DMZ servers, record multi-factor authentication, and track session activity.

These measures support earlier detection of reconnaissance and lateral movement, as recommended by Dragos.
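The zoning checks in priority 1 and the baseline-and-deviation monitoring in priority 2 can be expressed as one piece of detection logic run over passive flow records. The block below is an added example written for this article, not code from Dragos or from any product the report mentions. It assumes a passive sensor that exports one flow record per line in a constructed, Zeek-like layout; the zone map, conduit table, addresses and sample flows are all constructed for illustration and are not policy the report prescribes.

```python
"""
Conduit-policy and baseline-deviation checks for MES / OT DMZ traffic.
Added example (not from the Dragos report). Assumed flow record layout:
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <bytes_out>
Zones, conduits, addresses and sample flows are constructed local data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed ISA-95-style zones (constructed networks).
ZONES = {
    "IT":       ip_network("10.1.0.0/16"),
    "OT_DMZ":   ip_network("10.3.0.0/24"),   # Level 3.5: access broker, update relays
    "L3_MES":   ip_network("10.3.1.0/24"),   # MES application and database servers
    "L2_SCADA": ip_network("10.2.0.0/16"),   # HMIs, historians, engineering workstations
}
JUMP_HOST = ip_address("10.3.0.10")          # only DMZ host that IT may reach directly

# Allowed conduits: (src_zone, dst_zone) -> permitted destination ports.
# Cross-zone traffic outside this table violates zoning whatever the baseline says.
CONDUITS = {
    ("IT", "OT_DMZ"):       {443, 3389},      # vendor/integrator sessions to the broker
    ("OT_DMZ", "L3_MES"):   {3389, 1433, 8443},
    ("L3_MES", "IT"):       {443},            # ERP order/schedule synchronisation
    ("L3_MES", "L2_SCADA"): {502, 4840},      # Modbus/TCP, OPC UA
    ("L2_SCADA", "L3_MES"): {1433, 8443},     # historian/HMI writes into MES
}
VOLUME_FACTOR = 10  # bytes above 10x the learned peak for a pair -> possible exfiltration

# Constructed sample data: a known-good learning window and a later monitored window.
BASELINE_WINDOW = [
    "2025-03-01T08:00:00 10.1.20.5 10.3.0.10 443 tcp 1800",    # vendor -> broker
    "2025-03-01T08:01:00 10.3.0.10 10.3.1.20 3389 tcp 4200",   # broker -> MES app
    "2025-03-01T08:02:00 10.3.1.20 10.3.1.30 1433 tcp 9000",   # MES app -> MES DB
    "2025-03-01T08:03:00 10.3.1.20 10.1.50.7 443 tcp 60000",   # MES -> ERP sync
    "2025-03-01T08:04:00 10.3.1.20 10.2.5.8 502 tcp 300",      # MES -> PLC (Modbus)
]
MONITORED_WINDOW = [
    "2025-03-08T02:10:00 10.1.20.5 10.3.0.10 443 tcp 1700",    # as baseline
    "2025-03-08T02:11:00 10.1.20.5 10.3.1.20 3389 tcp 2400",   # IT straight to MES
    "2025-03-08T02:12:00 10.1.20.5 10.3.0.11 3389 tcp 2000",   # IT to a non-broker DMZ host
    "2025-03-08T02:13:00 10.3.1.20 10.3.1.30 1433 tcp 8800",   # as baseline
    "2025-03-08T02:14:00 10.3.1.20 10.2.5.9 502 tcp 250",      # MES talks to a new PLC
    "2025-03-08T02:15:00 10.3.1.20 10.1.50.7 443 tcp 900000",  # 15x the usual ERP sync
    "2025-03-08T02:16:00 10.3.1.20 10.2.5.8 445 tcp 500",      # SMB into Level 2
]


def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flow(line):
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "bytes": int(nbytes)}


def build_baseline(lines):
    """Learn peer/port triples and the peak bytes per peer pair from a known-good window."""
    peers, peak = set(), defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        pair = (f["src"], f["dst"])
        peers.add(pair + (f["port"],))
        peak[pair] = max(peak[pair], f["bytes"])
    return {"peers": peers, "peak": dict(peak)}


def evaluate(lines, baseline):
    """Return (severity, reason, src, dst, port) findings for a monitored window."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        where = (f["src"], f["dst"], f["port"])
        if sz != dz:
            if f["port"] not in CONDUITS.get((sz, dz), set()):
                findings.append(("HIGH", f"no conduit {sz}->{dz}") + where)
                continue  # zoning violation; whether it is in the baseline is moot
            if sz == "IT" and ip_address(f["dst"]) != JUMP_HOST:
                findings.append(("HIGH", "IT session bypasses access broker") + where)
                continue
        if where not in baseline["peers"]:
            findings.append(("MEDIUM", "new peer/port not in baseline") + where)
        elif f["bytes"] > VOLUME_FACTOR * baseline["peak"][(f["src"], f["dst"])]:
            findings.append(("MEDIUM", "volume far above baseline") + where)
    return findings


def run():
    return evaluate(MONITORED_WINDOW, build_baseline(BASELINE_WINDOW))


if __name__ == "__main__":
    for sev, reason, src, dst, port in run():
        print(f"{sev:6} {src} -> {dst}:{port}  {reason}")
```

The conduit check runs before the baseline check on purpose: a cross-zone flow outside the conduit table is a zoning violation whether or not it was seen in the learning window, while a flow on an allowed conduit is only interesting when it introduces a new peer, a new port, or a volume well above what that pair has produced before. The learning-window length and VOLUME_FACTOR are site-specific tuning values.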

3. Risk-Based Vulnerability Management

Dragos' findings show patch guidance lacks precision and is often impractical in OT settings.

Recommendations include:

  • Recognize that immediate patching is rare for MES platforms because of vendor and operational constraints.
  • Emphasize a triage approach:
    • Now: vulnerabilities with active exploitation, network exposure, or direct safety impact.
    • Next: issues mitigated by architecture until the next maintenance window.
    • Never: vulnerabilities with blocked exploit paths or where patching introduces more risk.
  • Adapt vendor advisories with local risk context and OT threat intelligence.

For MES, align patching and mitigations with exposure, exploit paths, and available controls.
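One way to make the Now/Next/Never model operational is to encode it as an ordered rule set over each vulnerability's local exposure data rather than its vendor score, which is the point of adapting advisories with local risk context. The block below is an added example, not from the Dragos report or this article; the record fields, the rule order, the placeholder vulnerability ids and the sample advisories are constructed assumptions, and a real run would fill the exposure fields from the site's asset inventory, conduit rules and threat intelligence.

```python
"""
Now / Next / Never triage for MES and OT vulnerabilities.
Added example (not from the Dragos report). Fields, rule order, ids and
sample advisories are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                   # constructed placeholder id, not a real CVE number
    asset: str
    vendor_cvss: float             # score as published (the report notes many are wrong)
    actively_exploited: bool       # exploitation reported in the wild
    network_reachable: bool        # reachable over a conduit from a less-trusted zone
    safety_impact: bool            # a successful exploit can affect the physical process
    compensating_controls: tuple   # local mitigations that narrow the exploit path
    exploit_path_blocked: bool     # zoning or allow-listing makes the path unreachable
    patch_riskier_than_vuln: bool  # patching needs unsafe downtime or an unsupported build


def triage(v):
    """Return (tier, reason). Rules are ordered; the first match wins."""
    if v.exploit_path_blocked:
        return "Never", "exploit path blocked by segmentation"
    if v.actively_exploited and v.safety_impact:
        # Design choice in this example: exploited plus safety impact is never demoted.
        return "Now", "active exploitation with direct safety impact"
    if v.patch_riskier_than_vuln:
        return "Never", "patch riskier than the vulnerability; keep mitigations in place"
    exposed = v.actively_exploited or v.network_reachable or v.safety_impact
    if exposed and v.compensating_controls:
        return "Next", "mitigated by architecture until the next maintenance window"
    if exposed:
        return "Now", "exposed with no compensating control"
    return "Next", "not exposed; bundle with routine maintenance"


def plan(vulns):
    """Group ids by tier, preserving input order, so the result reads as a work list."""
    out = {"Now": [], "Next": [], "Never": []}
    for v in vulns:
        out[triage(v)[0]].append(v.vuln_id)
    return out


def by_vendor_score(vulns):
    """The order a raw CVSS-driven queue would produce, for comparison."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.vendor_cvss, reverse=True)]


# Constructed sample advisories for one site.
SAMPLE = [
    Vuln("VULN-A", "MES application server", 9.8, True, True, False, (), False, False),
    Vuln("VULN-B", "MES database", 9.1, False, True, False,
         ("port 1433 allowed only from the MES app host",), False, False),
    Vuln("VULN-C", "historian", 7.5, False, False, False, (), True, False),
    Vuln("VULN-D", "engineering workstation", 6.5, True, True, True,
         ("application allow-listing",), False, False),
    Vuln("VULN-E", "PLC firmware", 8.8, False, True, True,
         ("write-blocking rule on the Level 2 firewall",), False, True),
]

if __name__ == "__main__":
    print("vendor-score order:", by_vendor_score(SAMPLE))
    for tier, ids in plan(SAMPLE).items():
        print(f"{tier:5}: {ids}")
    for v in SAMPLE:
        print(v.vuln_id, *triage(v))
```

Running it shows the contrast the section is about: the CVSS queue would put the 7.5 historian issue ahead of the 6.5 engineering-workstation issue, while the exposure-driven triage puts the workstation in Now (exploited, safety-relevant) and the historian in Never (path blocked). The "exploited plus safety impact is never demoted" rule is a conservative choice for this example, not a rule the report states.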

4. Intelligence-Driven Response Playbooks

Effective playbooks include:

  • Pathway awareness: Map response to typical IT-to-OT attack paths and shared service abuses.
  • MES and scheduling decision points: Include explicit steps for potential MES compromise, such as controlled shutdown versus continued operations in a degraded state.
  • Joint IT/OT governance: Define roles in advance so containment decisions balance process safety and continuity.
  • Forensic prioritization: Collect evidence from OT-critical servers before rebuild to support safe recovery.

These measures ensure MES and OT ransomware incidents are handled with appropriate rigor.

Actionable Conclusions and Next Steps for Industrial Leaders

Industry findings support several priorities for MES-driven manufacturing environments:

  • Classify MES as critical OT infrastructure: Update risk registers and response plans to reflect the full operational impact of MES systems.
  • Map and harden supply-chain and remote access: Identify all third-party connections and apply zoning and enhanced controls.
  • Close high-value visibility gaps: Enhance OT telemetry at boundary and DMZ segments for early risk detection.
  • Apply risk-based vulnerability management: Use a "Now, Next, Never" model tailored to OT environments and real-world exploits.
  • Align playbooks with OT ransomware tradecraft: Reflect specific OT attack vectors in incident response plans, including MES scenarios.

For many, these steps build on existing programs but are necessary given that adversaries have already adopted OT-focused operations. Integrating MES and supply-chain considerations into OT security architecture will better align with the evolving threat landscape identified in the Dragos 2026 report.

Frequently Asked Questions

How does Dragos differentiate OT ransomware from traditional IT ransomware in its 2026 report?

Dragos analyzes ransomware impacting industrial and OT systems, including cases where OT-adjacent assets (engineering workstations, HMIs, MES/SCADA servers, historians, hypervisors) are involved. Many are misclassified as "IT-only" when Windows-based, despite their operational impact.

Which manufacturing sectors appear most exposed in the current data?

The report aggregates manufacturing but, with external sources such as NordStellar, indicates that machinery, electronics, appliance manufacturers, and automotive suppliers are among the most targeted. Common factors include integrated supply chains, extensive remote maintenance connectivity, and centralized scheduling systems.

Why are MES platforms attractive targets for ransomware and advanced threat groups?

MES platforms can halt production across lines or sites if targeted. Industry research indicates actors seek such chokepoints, knowing that disruptions hinder orders, traceability, and quality. Waterfall Security notes that compromising a small number of MES or scheduling servers can produce cascading supply-chain effects and quickly escalate ransom pressure.

What practical initial steps can organizations take to improve MES cybersecurity in light of the 2026 Dragos findings?

Initial steps include:

  • establishing an accurate MES asset inventory and interfaces,
  • implementing segmentation to keep MES in defined OT DMZ or Level 3 zones,
  • enabling OT monitoring on key network devices and reviewing connection patterns,
  • enforcing strong authentication and logging for all remote vendor access,
  • integrating MES asset information and procedures into incident-response exercises.

These steps address the visibility and segmentation challenges highlighted in Dragos' report without requiring immediate large-scale changes.

How should industrial organizations address OT supply-chain risk in light of the report's findings?

Addressing OT supply-chain risk includes:

  • setting explicit security and access requirements for all vendors and service providers with MES access,
  • restricting and monitoring supplier remote access, using policy-controlled jump hosts,
  • validating software update sources and tracking configuration changes affecting connected OT assets,
  • testing supply-chain incident scenarios in business continuity and response planning.

These measures extend traditional supplier management into the OT and MES domain, reflecting the supply-chain threats documented by Dragos and industry research.