OT Incident Response Spotlighted After Surge in Cyber-Physical Incidents

OT cyber-physical incidents rose 146% in 2024, prompting calls for improved detection, micro-segmentation and OT-specific incident response and recovery.


Cyber-physical attacks on industrial facilities have risen sharply, highlighting the urgent need for robust operational technology (OT) incident response capabilities. An industry report found that facilities experiencing cyber-induced physical disruptions increased by 146% in 2024, from 412 sites in 2023 to 1,015, a significant indicator of widening OT readiness gaps. The report urges security leaders to improve network segmentation, adopt protocol-aware detection tools, and conduct regular incident response drills emphasizing physical safety and rapid recovery. (Source 1: OT Attacks Surge 146% – Critical Infrastructure Wake-Up Call)

Background

Manufacturing remained the most frequently targeted sector for cyberattacks in 2025, with a 61% year-over-year increase in ransomware incidents. Downtime costs averaged $1.9 million per day for operators. OT/IT convergence has blurred traditional network boundaries, leaving legacy programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and vendor access points vulnerable to attacks. (Source 2: Cybersecurity for Manufacturing: OT/IT Convergence Guide 2026 | Blog // ITECS) OT environments are now recognized as operational risk domains. Boardrooms hold chief information security officers (CISOs) accountable for resilience outcomes, including uptime, safety, and effective recovery, expanding performance measurements beyond traditional security metrics. (Source 3: Industrial CISOs redefine influence in 2026 as production risk, budget control and boardroom trust collide - Industrial Cyber)

Details

In December 2025, a cyber incident in Poland targeted the energy sector's OT and industrial control systems (ICS), disrupting renewable energy sites and combined heat and power plants. Attackers leveraged internet-facing edge devices to deploy wiper malware, destroying remote terminal unit (RTU) visibility, corrupting device firmware, and rendering human-machine interfaces (HMIs) inoperable. (Source 4: Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps - Critical Infrastructure Protection & Resilience Europe) The incident highlighted the risk posed by inadequately segmented and exposed devices.

Industry assessments indicate the ISA/IEC 62443 zones-and-conduits segmentation model remains the most effective method for preventing lateral movement into OT environments. However, many organizations still rely on a single firewall and lack comprehensive micro-segmentation. (Source 2: Cybersecurity for Manufacturing: OT/IT Convergence Guide 2026 | Blog // ITECS) Panel discussions noted that attackers often require minimal sophistication; incidents such as altered HMI fields disabling safety backups have led to widespread outages in Ukraine and Sweden. (Source 5: Emerging Trends in OT: Staying Ahead of Cyber Threats in 2026 | NCC Group)

Recent recommendations call for OT-specific asset inventory and network monitoring tools that detect anomalies at Purdue Model Levels 0-1 by monitoring physical process variables and controller behavior for early warning. (Source 6: OT Incident Response: The hard-earned and learned lessons of 2025) Clarity in incident response is also essential. Some companies recommend quarterly tabletop exercises involving IT, OT, and engineering teams, with clear authority to execute shutdowns or switch to manual operations. (Source 6: OT Incident Response: The hard-earned and learned lessons of 2025)
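As an added illustration of the Level 0-1 monitoring described above (not code from any of the cited reports), the following Python checks constructed controller telemetry for three early-warning conditions: a process value persistently diverging from its setpoint, a controller leaving RUN mode, and an HMI-side change that switches a safety interlock off. The sample format, the tag name "TIC-101" and the thresholds are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    """One constructed Level 0-1 telemetry sample (format is an assumption)."""
    t: int           # seconds into the constructed timeline
    tag: str         # control loop / tag name
    sp: float        # setpoint the controller is commanding
    pv: float        # process value measured by the field sensor
    mode: str        # controller mode, e.g. "RUN" or "PROGRAM"
    interlock: bool  # safety interlock / backup enabled on the HMI

def detect(samples, tolerance=0.10, dwell=2):
    """Return alert strings for three early-warning conditions:
    persistent PV/SP divergence, controller leaving RUN, interlock disabled."""
    alerts, divergent, last_mode, last_lock = [], {}, {}, {}
    for s in samples:
        # 1. Physical process drifting from what the controller claims to hold
        if abs(s.pv - s.sp) > tolerance * max(abs(s.sp), 1.0):
            divergent[s.tag] = divergent.get(s.tag, 0) + 1
            if divergent[s.tag] == dwell:  # alert once, after `dwell` samples
                alerts.append(f"t={s.t} {s.tag}: PV {s.pv} diverged from SP {s.sp}")
        else:
            divergent[s.tag] = 0
        # 2. Controller behaviour: leaving RUN mode mid-production
        if last_mode.get(s.tag, "RUN") == "RUN" and s.mode != "RUN":
            alerts.append(f"t={s.t} {s.tag}: controller mode changed to {s.mode}")
        last_mode[s.tag] = s.mode
        # 3. HMI-side field change that switches a safety backup off
        if last_lock.get(s.tag, True) and not s.interlock:
            alerts.append(f"t={s.t} {s.tag}: safety interlock disabled")
        last_lock[s.tag] = s.interlock
    return alerts

# Constructed telemetry: steady state, interlock switched off, PV then runs away
# while the setpoint is unchanged, and finally the controller leaves RUN mode.
TELEMETRY = [
    Sample(0, "TIC-101", 80.0, 80.2, "RUN", True),
    Sample(1, "TIC-101", 80.0, 79.9, "RUN", True),
    Sample(2, "TIC-101", 80.0, 80.1, "RUN", False),
    Sample(3, "TIC-101", 80.0, 91.0, "RUN", False),
    Sample(4, "TIC-101", 80.0, 97.5, "RUN", False),
    Sample(5, "TIC-101", 80.0, 99.0, "PROGRAM", False),
]

if __name__ == "__main__":
    for alert in detect(TELEMETRY):
        print(alert)
```

The dwell count keeps a single noisy sensor reading from raising a divergence alert, while the interlock and mode checks fire on the first change because a single such event is already actionable.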

Many organizations report inadequate recovery capabilities, lacking golden images, offline backups, or validated procedures to rebuild PLC logic, restore HMIs, or recalibrate sensors after an incident. These deficiencies often cause recovery efforts to lag behind containment. (Source 7: Industrial Cybersecurity Insights for Critical Infrastructure for 2026 - Takepoint Research)

Outlook

Enterprises and critical infrastructure operators are expected to focus on structured OT recovery, validated restoration procedures, and cross-domain simulations in 2026. Governance will increasingly require C-suite visibility into cyber-physical risks and clearly defined roles during incident escalation.