Cyber-physical attacks on industrial facilities have risen sharply, highlighting the urgent need for robust operational technology (OT) incident response capabilities. An industry report found that facilities experiencing cyber-induced physical disruptions increased by 146% in 2024, from 412 sites in 2023 to 1,015, a significant indicator of widening OT readiness gaps. The report urges security leaders to improve network segmentation, adopt protocol-aware detection tools, and conduct regular incident response drills emphasizing physical safety and rapid recovery.[1]

Background

Manufacturing remained the most frequently targeted sector for cyberattacks in 2025, with a 61% year-over-year increase in ransomware incidents. Downtime costs averaged $1.9 million per day for operators. OT/IT convergence has blurred traditional network boundaries, leaving legacy programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and vendor access points vulnerable to attacks.[2] OT environments are now recognized as operational risk domains. Boardrooms hold chief information security officers (CISOs) accountable for resilience outcomes (including uptime, safety, and effective recovery), expanding performance measurements beyond traditional security metrics.[3]

Details

In December 2025, a cyber incident in Poland targeted the energy sector's OT and industrial control systems (ICS), disrupting renewable energy sites and combined heat and power plants. Attackers leveraged internet-facing edge devices to deploy wiper malware, destroying remote terminal unit (RTU) visibility, corrupting device firmware, and rendering human-machine interfaces (HMIs) inoperable.[4] The incident highlighted the risk posed by inadequately segmented and exposed devices.

Industry assessments indicate the ISA/IEC 62443 zones-and-conduits segmentation model remains the most effective method for preventing lateral movement into OT environments. However, many organizations still rely on a single firewall and lack comprehensive micro-segmentation.[2] Panel discussions noted that attackers often require minimal sophistication; incidents such as altered HMI fields disabling safety backups have led to widespread outages in Ukraine and Sweden.[5]
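The following is an added illustration, not code from the cited assessments, of how the zones-and-conduits model turns into a checkable policy. Zones are tagged with Purdue levels, conduits are the only permitted inter-zone flows, and each observed flow is evaluated against them. The host names, zone layout, services and flows are constructed sample data; the "flat" policy represents the single-firewall layout the assessments describe, where one rule lets enterprise hosts reach controllers directly.

```python
"""Zones-and-conduits policy check (added example with constructed data)."""
from dataclasses import dataclass, field

# Purdue level for each zone name used in this example (assumed mapping).
PURDUE = {"enterprise": 4, "dmz": 3, "supervisory": 2, "control": 1, "process": 0}


@dataclass(frozen=True)
class Conduit:
    """An explicitly allowed path between two zones, limited to listed services."""
    src_zone: str
    dst_zone: str
    services: frozenset  # set of (proto, port) tuples


@dataclass
class Policy:
    host_zone: dict                      # asset inventory: host -> zone name
    conduits: list = field(default_factory=list)

    def allowed_services(self, src_zone, dst_zone):
        for c in self.conduits:
            if c.src_zone == src_zone and c.dst_zone == dst_zone:
                return c.services
        return None                      # no conduit defined at all


def evaluate_flow(policy, src_host, dst_host, proto, port):
    """Return a list of findings for one flow; an empty list means the flow is permitted."""
    findings = []
    sz = policy.host_zone.get(src_host)
    dz = policy.host_zone.get(dst_host)
    if sz is None or dz is None:
        missing = src_host if sz is None else dst_host
        return [f"unknown host: {missing} (missing from asset inventory)"]
    if sz == dz:
        return []                        # intra-zone traffic is governed inside the zone
    services = policy.allowed_services(sz, dz)
    if services is None:
        findings.append(f"no conduit {sz}->{dz}")
    elif (proto, port) not in services:
        findings.append(f"service {proto}/{port} not in conduit {sz}->{dz}")
    # Even a permitted conduit should not skip a level: enterprise -> control
    # bypasses the DMZ and supervisory zones that are supposed to broker access.
    if abs(PURDUE[sz] - PURDUE[dz]) > 1:
        findings.append(f"level jump {PURDUE[sz]}->{PURDUE[dz]} ({sz}->{dz}) bypasses intermediate zone")
    return findings


# Constructed segmented layout: every inter-zone path is an explicit conduit.
SEGMENTED = Policy(
    host_zone={
        "corp-laptop-7": "enterprise",
        "hist-dmz-01": "dmz",
        "scada-srv-01": "supervisory",
        "eng-ws-01": "supervisory",
        "plc-01": "control",
    },
    conduits=[
        Conduit("supervisory", "control", frozenset({("tcp", 102), ("tcp", 44818)})),
        Conduit("dmz", "supervisory", frozenset({("tcp", 443)})),
        Conduit("enterprise", "dmz", frozenset({("tcp", 443)})),
    ],
)

# Constructed single-firewall layout: same hosts, plus one broad rule that lets
# enterprise machines reach the controller zone directly.
FLAT = Policy(
    host_zone=SEGMENTED.host_zone,
    conduits=SEGMENTED.conduits
    + [Conduit("enterprise", "control", frozenset({("tcp", 3389), ("tcp", 102)}))],
)

# Constructed flows as (src_host, dst_host, proto, port).
SAMPLE_FLOWS = [
    ("eng-ws-01", "plc-01", "tcp", 102),        # engineering traffic on an approved conduit
    ("corp-laptop-7", "plc-01", "tcp", 3389),   # enterprise host straight to a controller
    ("scada-srv-01", "plc-01", "tcp", 502),     # right conduit, service not on the allow-list
    ("rogue-box", "plc-01", "tcp", 102),        # host absent from the inventory
]


def audit(policy, flows):
    """Evaluate every flow against a policy; returns {flow: [findings]}."""
    return {f: evaluate_flow(policy, *f) for f in flows}


if __name__ == "__main__":
    for name, pol in (("segmented", SEGMENTED), ("flat", FLAT)):
        print(f"--- {name} policy ---")
        for flow, findings in audit(pol, SAMPLE_FLOWS).items():
            print(flow, findings or "ok")
```

Under the segmented policy the enterprise-to-PLC flow is rejected twice (no conduit, level jump); under the flat policy the conduit exists, so only the level-jump finding remains, which is exactly the gap a single-firewall layout leaves open.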

Recent recommendations call for OT-specific asset inventory and network monitoring tools that detect anomalies at Purdue Model Levels 0-1 by monitoring physical process variables and controller behavior for early warning.[6] Clarity in incident response is also essential. Some companies recommend quarterly tabletop exercises involving IT, OT, and engineering teams, with clear authority to execute shutdowns or switch to manual operations.[6]
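As an added example (not a tool or data from the cited recommendations), the detector below applies the Level 0-1 monitoring idea to constructed telemetry: process variables are checked against engineering limits and physically plausible rates of change, and controller events (mode changes, setpoint writes, logic downloads) are checked against an approved engineering source list. Tag names, limits, hosts and samples are all assumed values.

```python
"""Level 0-1 process and controller anomaly checks (added example, constructed data)."""

# Constructed engineering limits per tag: (low, high, max change per second).
# A tank level cannot physically jump 20% in one second; a discharge pressure
# above the pipe rating is either a sensor fault or a manipulated value.
TAG_LIMITS = {
    "TK101.level_pct": (0.0, 100.0, 2.0),
    "P201.discharge_bar": (0.0, 12.0, 1.5),
}

# Hosts permitted to change controller state (assumed list from the change process).
APPROVED_ENGINEERING_HOSTS = {"eng-ws-01"}


def check_process_samples(samples):
    """samples: iterable of (t_seconds, tag, value). Returns (t, tag, reason) alerts."""
    alerts = []
    last = {}                                   # tag -> (t, value) of previous sample
    for t, tag, value in samples:
        low, high, max_rate = TAG_LIMITS[tag]
        if not (low <= value <= high):
            alerts.append((t, tag, f"value {value} outside physical range [{low}, {high}]"))
        if tag in last:
            t0, v0 = last[tag]
            dt = t - t0
            if dt > 0 and abs(value - v0) / dt > max_rate:
                alerts.append((t, tag, f"rate {abs(value - v0) / dt:.2f}/s exceeds {max_rate}/s"))
        last[tag] = (t, value)
    return alerts


def check_controller_events(events):
    """events: dicts with t, plc, kind ('mode'|'setpoint'|'download'), src, detail."""
    alerts = []
    for e in events:
        if e["src"] not in APPROVED_ENGINEERING_HOSTS:
            alerts.append((e["t"], e["plc"], f"{e['kind']} from unapproved source {e['src']}"))
        if e["kind"] == "mode" and e["detail"] == "RUN->PROGRAM":
            alerts.append((e["t"], e["plc"], "controller left RUN mode"))
        if e["kind"] == "download":
            # Logic downloads are rare enough to always surface for review.
            alerts.append((e["t"], e["plc"], "logic download observed (verify against change record)"))
    return alerts


def run_detection(samples, events):
    """Combine both checks into one time-ordered alert list."""
    return sorted(check_process_samples(samples) + check_controller_events(events))


# Constructed telemetry: steady readings, then a pressure spike and a level jump.
SAMPLES = [
    (0, "TK101.level_pct", 55.0),
    (0, "P201.discharge_bar", 6.1),
    (1, "TK101.level_pct", 55.5),
    (1, "P201.discharge_bar", 6.2),
    (2, "TK101.level_pct", 56.0),
    (2, "P201.discharge_bar", 14.0),     # above rating and implausibly fast
    (3, "TK101.level_pct", 75.0),        # 19% in one second
]

# Constructed controller events seen by a protocol-aware sensor.
EVENTS = [
    {"t": 2, "plc": "plc-01", "kind": "setpoint", "src": "eng-ws-01",
     "detail": "TK101.level_sp 60->65"},                               # approved source
    {"t": 2, "plc": "plc-01", "kind": "mode", "src": "corp-laptop-7",
     "detail": "RUN->PROGRAM"},                                        # two findings
    {"t": 3, "plc": "plc-01", "kind": "download", "src": "corp-laptop-7",
     "detail": "main.obj"},                                            # two findings
]


if __name__ == "__main__":
    for alert in run_detection(SAMPLES, EVENTS):
        print(alert)
```

The value of checking physical plausibility is that it does not depend on recognising the attacker's traffic: a reading the process could not have produced is an alert regardless of which protocol carried it.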

Many organizations report inadequate recovery capabilities, lacking golden images, offline backups, or validated procedures to rebuild PLC logic, restore HMIs, or recalibrate sensors after an incident. These deficiencies often cause recovery efforts to lag behind containment.[7]
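To make "validated procedures" concrete, here is an added readiness check (not from the cited source) that audits an offline backup set against a manifest: each artifact must exist, hash to the value recorded when it was validated, be no older than the backup interval, and have a recent successful restore test. The artifact store, manifest, asset names and thresholds are constructed; in practice the store would be a read-only offline location and the manifest the output of the last validation exercise.

```python
"""Recovery readiness audit for OT backup artifacts (added example, constructed data)."""
import hashlib
from datetime import date, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for an offline backup location: artifact name -> bytes.
OFFLINE_STORE = {
    "plc-01.logic.bak": b"constructed PLC project export v12",
    "hmi-02.golden.img": b"constructed HMI image, later tampered",
    "sensors.calib.csv": b"tag,offset\nTK101.level_pct,0.3\n",
    # rtu-07.config.bak is deliberately absent
}

# Constructed manifest: hash captured at validation time plus backup and test dates.
MANIFEST = [
    {"asset": "plc-01", "artifact": "plc-01.logic.bak",
     "sha256": sha256_hex(b"constructed PLC project export v12"),
     "taken": date(2025, 11, 20), "restore_tested": date(2025, 11, 22)},
    {"asset": "hmi-02", "artifact": "hmi-02.golden.img",
     "sha256": sha256_hex(b"constructed HMI image, validated"),
     "taken": date(2025, 10, 1), "restore_tested": date(2025, 10, 2)},
    {"asset": "rtu-07", "artifact": "rtu-07.config.bak",
     "sha256": "0" * 64,
     "taken": date(2025, 9, 15), "restore_tested": None},
    {"asset": "sensors", "artifact": "sensors.calib.csv",
     "sha256": sha256_hex(b"tag,offset\nTK101.level_pct,0.3\n"),
     "taken": date(2025, 5, 1), "restore_tested": date(2025, 5, 3)},
]


def assess_recovery(manifest, store, today,
                    max_backup_age=timedelta(days=90),
                    max_untested=timedelta(days=180)):
    """Return {asset: [gap, ...]}; an empty list means the asset can be rebuilt
    from validated material with an exercised procedure."""
    report = {}
    for entry in manifest:
        gaps = []
        data = store.get(entry["artifact"])
        if data is None:
            gaps.append("artifact missing from offline store")
        elif sha256_hex(data) != entry["sha256"]:
            gaps.append("artifact hash differs from validated copy")
        if today - entry["taken"] > max_backup_age:
            gaps.append(f"backup older than {max_backup_age.days} days")
        if entry["restore_tested"] is None:
            gaps.append("restore procedure never exercised")
        elif today - entry["restore_tested"] > max_untested:
            gaps.append(f"restore last tested more than {max_untested.days} days ago")
        report[entry["asset"]] = gaps
    return report


if __name__ == "__main__":
    for asset, gaps in assess_recovery(MANIFEST, OFFLINE_STORE, date(2025, 12, 15)).items():
        print(asset, "READY" if not gaps else gaps)
```

Run against the constructed data, only the PLC logic backup is ready: the HMI image no longer matches its validated hash, the RTU configuration is missing, stale and untested, and the calibration data is present but far past both thresholds, which is the pattern behind recovery lagging containment.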

Outlook

Enterprises and critical infrastructure operators are expected to focus on structured OT recovery, validated restoration procedures, and cross-domain simulations in 2026. Governance will increasingly require C-suite visibility into cyber-physical risks and clearly defined roles during incident escalation.