
Dragos 2026 OT Threat Landscape: Ransomware and Supply-Chain Attacks Escalate

Dragos's 2026 OT cybersecurity report finds a 49% rise in ransomware groups targeting industrial systems, identifies new supply-chain attack vectors, and warns of persistent visibility gaps.


Dragos has published its 2026 OT/ICS Cybersecurity Year in Review, documenting a sharp increase in ransomware attacks targeting operational technology (OT) and a rise in supply-chain attack methods against industrial environments. The report illustrates a shift in adversary tactics, with attackers moving beyond initial access to actively mapping control loops in manufacturing, energy, and critical infrastructure sectors. This trend points to a strategic emphasis on disrupting physical operations, not just penetrating networks [1: Dragos 2026 OT Report Shows Surge in Threat Groups and Ransomware].

Background

Dragos's ninth annual OT/ICS cybersecurity report notes increasing sophistication among threat actors. Adversaries are now focusing on understanding and mapping industrial control loops, enabling them to manipulate physical processes directly. This approach highlights a deeper, more strategic intent to disrupt operations rather than simply achieving network access [1: Dragos 2026 OT Report Shows Surge in Threat Groups and Ransomware].

Details

In 2025, Dragos identified 119 ransomware groups attacking industrial organizations, a 49% rise from 80 groups in 2024. These groups affected approximately 3,300 organizations. Manufacturing accounted for over two-thirds of these ransomware victims [1: Dragos 2026 OT Report Shows Surge in Threat Groups and Ransomware]. Many incidents were misclassified as IT-only breaches; engineering workstations, SCADA (Supervisory Control and Data Acquisition) systems, and virtualization infrastructure were often recorded as standard IT endpoints, obscuring the actual impact on OT environments [2: Ransomware surge in 2025 exposes mounting OT risk as industrial impacts outpace IT narratives - Industrial Cyber].

The report identifies three new OT-focused threat groups: AZURITE, PYROXENE, and SYLVANITE. AZURITE specifically targets engineering workstations to extract operational data. PYROXENE conducts persistent supply-chain campaigns and social engineering attacks to pivot from IT into OT networks. SYLVANITE serves as an initial-access broker, passing entry to other groups such as VOLTZITE [1: Dragos 2026 OT Report Shows Surge in Threat Groups and Ransomware].

Established groups expanded their activity in 2025. ELECTRUM launched destructive attacks on distributed energy assets in Poland, including wind and solar infrastructure. KAMACITE performed systematic scanning of U.S. industrial control hardware for control-loop mapping, focusing on human-machine interfaces (HMIs), variable frequency drives (VFDs), and metering devices [1: Dragos 2026 OT Report Shows Surge in Threat Groups and Ransomware].

Visibility remains a critical issue. Dragos found fewer than 10% of OT networks had adequate monitoring. In 30% of incident response engagements, investigations began only after operational anomalies appeared, rather than from proactive detection. This lack of visibility allows attackers to persist undetected until physical consequences occur [3: OT Threat Landscape 2026: What Defenders Need to Know | Dragos].

Outlook

The report calls for OT defenders to adopt intelligence-driven security measures. Organizations should enhance OT environment visibility and treat VPNs, engineering workstations, and virtualization systems as critical infrastructure. Intelligence sharing and tailored incident response planning are vital for countering evolving ransomware and supply-chain risks.