Dragos has published its 2026 OT/ICS Cybersecurity Year in Review, documenting a sharp increase in ransomware attacks targeting operational technology (OT) and a rise in supply-chain attack methods against industrial environments. The report illustrates a shift in adversary tactics, with attackers moving beyond initial access to actively mapping control loops in manufacturing, energy, and critical infrastructure sectors. This trend points to a strategic emphasis on disrupting physical operations, not just penetrating networks[1].

Background

Dragos's ninth annual OT/ICS cybersecurity report notes increasing sophistication among threat actors. Adversaries are now focusing on understanding and mapping industrial control loops, enabling them to manipulate physical processes directly. This approach highlights a deeper, more strategic intent to disrupt operations rather than simply achieving network access[1].

Details

In 2025, Dragos identified 119 ransomware groups attacking industrial organizations, a 49% rise from 80 groups in 2024. These groups affected approximately 3,300 organizations. Manufacturing accounted for over two-thirds of these ransomware victims[1]. Many incidents were misclassified as IT-only breaches; engineering workstations, SCADA (Supervisory Control and Data Acquisition) systems, and virtualization infrastructure were often recorded as standard IT endpoints, obscuring the actual impact on OT environments[2].

The report identifies three new OT-focused threat groups: AZURITE, PYROXENE, and SYLVANITE. AZURITE specifically targets engineering workstations to extract operational data. PYROXENE conducts persistent supply-chain campaigns and social engineering attacks to pivot from IT into OT networks. SYLVANITE serves as an initial-access broker, passing entry to other groups such as VOLTZITE[1].

Established groups expanded their activity in 2025. ELECTRUM launched destructive attacks on distributed energy assets in Poland, including wind and solar infrastructure. KAMACITE performed systematic scanning of U.S. industrial control hardware for control-loop mapping, focusing on human-machine interfaces (HMIs), variable frequency drives (VFDs), and metering devices[1].

Visibility remains a critical issue. Dragos found that fewer than 10% of OT networks had adequate monitoring. In 30% of incident response engagements, investigations began only after operational anomalies appeared, rather than from proactive detection. This lack of visibility allows attackers to persist undetected until physical consequences occur[3].

Outlook

The report calls for OT defenders to adopt intelligence-driven security measures. Organizations should enhance OT environment visibility and treat VPNs, engineering workstations, and virtualization systems as critical infrastructure. Intelligence sharing and tailored incident response planning are vital for countering evolving ransomware and supply-chain risks.