OT Attacks on Critical Infrastructure Accelerate, Regulators Demand Action

OT attacks on critical infrastructure surged in 2025, with protocol exploits up 84% and 96% of incidents traced to IT compromises. Regulators and operators respond.


Cyberattacks targeting operational technology (OT) environments in critical infrastructure are escalating in frequency, sophistication, and physical consequence. Multiple industry reports and government advisories published in recent months have prompted new regulatory mandates and urgent calls for cross-sector information sharing.

Background

The OT threat landscape has shifted from opportunistic exploitation toward multi-stage campaigns designed to achieve persistent access and, increasingly, physical disruption. The IT/OT convergence boom of the mid- to late 2010s expanded the attack surface by connecting enterprise IT networks to industrial control systems, giving attackers a path into OT environments through IT systems. Critical Manufacturing and Energy remain consistent frontrunners in government warnings, with the transportation and water sectors also facing sustained pressure.

Nation-state actors have intensified activity across these sectors. A joint CISA advisory confirmed that pro-Russia hacktivist groups target critical infrastructure entities by exploiting minimally secured, internet-facing virtual network computing (VNC) connections to access OT control devices. A December 2025 incident in Poland illustrated destructive intent: an attacker gained initial access through insecure, internet-facing edge devices and deployed tools that damaged remote terminal units, corrupted firmware, and wiped data on human-machine interfaces, disrupting operators' ability to monitor and control at least 30 wind, solar, and heat generation sites.

Details

Quantitative data from security vendors and research institutions underscores the scale of the problem. TXOne Networks reported that 96% of OT incidents in 2025 could be traced back to IT system compromises, while Forescout found that attacks on OT protocols increased by 84% over the previous year, led by Modbus at 57% of attacks and EtherNet/IP at 22%. Meanwhile, a 40% rise in internet-exposed ICS devices between 2024 and 2025 has further expanded the accessible attack surface.

Budget data reveals a structural gap between investment and threat velocity. Fifty-eight percent of respondents in an OPSWAT/SANS survey identified IT compromises as a leading initial attack vector for ICS/OT incidents, and 33% pointed to internet-accessible devices. Over 50% of organizations reported at least one security incident within their ICS/OT environments, with unauthorized external access accounting for half of all incidents, yet only 13% of organizations have fully implemented advanced controls such as session recording or ICS/OT-aware access.

Regulators are moving to close visibility gaps through prescriptive requirements. The U.S. Federal Energy Regulatory Commission (FERC) approved Internal Network Security Monitoring standard CIP-015-1, which mandates monitoring of internal network traffic and detection of malicious activity that may have bypassed perimeter defenses in critical electric utility OT environments. CISA, in its February 2026 alert amplifying the Poland incident, urged energy and industrial firms to strengthen security across edge devices, control systems, and incident response capabilities.

Organizational posture for OT security is also evolving. In 2025, 52% of organizations placed OT security under the CISO, up from just 16% in 2022, with 80% planning to follow suit, as CISOs extend security operations, automation, and threat intelligence into OT environments. Despite this shift, just 14% of respondents felt fully prepared for emerging threats, though organizations that involved frontline technicians in exercises were nearly 1.7 times more likely to report strong readiness.

Outlook

Regulatory pressure is expected to intensify, with critical manufacturing and energy remaining the most impacted sectors, followed by commercial facilities, transportation, and water. Asset visibility, threat detection, and secure remote access lead both current deployments and planned investments for 2026-2027, reflecting where operators see the highest return. Cross-sector information sharing through trusted community channels and standardized threat intelligence feeds is emerging as a critical complement to technical controls. As threat actors move faster across IT and OT boundaries, such sharing is no longer optional but a force multiplier for operational continuity and safety.