New data from NCC Group shows industrial organizations absorbed more than 2,000 ransomware attacks in a single year, as the merging of information technology (IT) and operational technology (OT) networks creates pathways that traditional enterprise security controls were not designed to protect. The warning, issued this week, arrives alongside parallel findings from Dragos, Check Point Research, and KELA pointing to a structural shift in how adversaries target physical operations - one forcing plant managers, security architects, and regulators to reassess the boundaries of cyber risk governance.
Background
IT/OT convergence - the integration of enterprise data systems with industrial control systems (ICS) such as SCADA (Supervisory Control and Data Acquisition) and distributed control systems - has accelerated as manufacturers, energy operators, and utilities deploy cloud-connected MES (manufacturing execution systems), IIoT (Industrial Internet of Things) sensors, and remote analytics platforms. That connectivity, while operationally valuable, eliminates the air gaps that historically isolated production networks from internet-facing infrastructure.
Attacks on operational technology and critical infrastructure have grown significantly more widespread and impactful. Increased connectivity between IT and OT environments has expanded the attack surface, enabling adversaries to infiltrate industrial systems through enterprise IT networks. TXOne Networks reported that 96% of OT incidents in 2025 could be traced back to IT system compromises. That figure underlines the extent to which enterprise IT entry points now serve as the primary attack vector into shop-floor environments.
OT environments habitually run on unpatched, outdated, or end-of-support operating systems, often within flat networks - a configuration that allows adversaries to move laterally once inside a perimeter. Forescout found that attacks on OT protocols increased by 84% in 2025 over the previous year, led by Modbus at 57% of attacks, followed by EtherNet/IP at 22%.
Details
In the 12 months from March 2025, industrial organizations experienced 2,073 ransomware attacks, making the sector the most targeted industry every single month of the period and accounting for 29.6% of all ransomware activity on average. NCC Group, which published the analysis, states that these figures highlight threat actors' focus on OT-heavy environments where cyber incidents can halt production, disrupt supply chains, and endanger public safety.
Capital goods organizations - including machine, equipment, and infrastructure manufacturers - were particularly affected, absorbing 1,192 attacks, with machinery sub-sectors accounting for 442 incidents and construction and engineering for 394.[1] Across the full calendar year 2025, ransomware surged across the manufacturing sector, rising 56% year-over-year to 1,466 incidents, with Check Point Research attributing the spike to vulnerable legacy OT systems, complex supply chains, and rapid scaling of ransomware-as-a-service (RaaS) operations.
Dragos tracked 119 ransomware groups targeting industrial organizations in 2025, up from 80 the year before, collectively impacting 3,300 organizations. Manufacturing accounted for more than two-thirds of all victims, illustrating how attackers deliberately focus on sectors where disruption creates immediate pressure and leverage.
Ray Robinson, OT Director at NCC Group, said: "Our data shows that many organizations continue to prioritize IT security while underestimating the exposure of their operational environments. When OT systems are disrupted, the impact goes far beyond data loss - production can halt, essential services can be disrupted, and in some cases, lives can be put at risk."[2]
The threat is compounded by supply-chain exposure. Affiliates increasingly rely on credential logs sourced from infostealers, password reuse across OT and IT systems, cloud-synchronized identities, and compromised vendor accounts sold through initial access broker (IAB) marketplaces. This approach allows adversaries to bypass perimeter detections entirely by authenticating legitimately into VPN portals, remote desktop infrastructure, and cloud identity providers spanning IT/OT boundaries.
A persistent asset-visibility deficit amplifies the risk. A Ponemon Institute survey of 1,056 global IT and security practitioners found that 73% of respondents said their organizations lack an authoritative OT asset inventory. Sean Arrowsmith, Director of Industrials at NCC Group, noted that "that level of asset inventory that you might see in an IT environment doesn't necessarily exist in OT in a lot of cases."
On the regulatory front, the Network and Information Systems (NIS) Regulations require operators of essential services to implement proportionate technical and organizational measures to manage cyber risk across both IT and OT environments. The Cybersecurity Act and updated sector-specific guidance further strengthen expectations around OT governance, incident reporting, resilience, and supply-chain security. Katarina Sommer, Global Head of Government Affairs and Analyst Relations at NCC Group, stated: "Regulators are increasingly clear that OT environments fall within scope of cyber resilience obligations, particularly where systems support essential services or public safety. Organizations that focus compliance efforts solely on IT risk are exposing themselves to operational, regulatory and safety consequences."
Security researchers point to several root causes that IT-centric controls cannot address alone. Most attacks in industrial environments still begin with predictable weaknesses: exposed remote access tools, forgotten third-party accounts, and unpatched systems provide straightforward entry points. Cross-sector guidance recommends establishing governance frameworks, supply-chain oversight using software bills of materials (SBOMs), network segmentation, identity management, and layered compensating controls where ideal access restrictions are not operationally feasible. That guidance also emphasizes cross-team collaboration among IT, OT, and cybersecurity personnel, warning that technology alone is insufficient.
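The segmentation and compensating-control guidance above, together with the Modbus-heavy attack statistics in the Background section, describes a condition a defender can check mechanically: Modbus write commands reaching PLCs from outside the OT segment, or from hosts that are not designated engineering workstations. The following is an added Python example, not code from NCC Group or any vendor named in the article; it parses the Modbus/TCP MBAP header from flow records and labels each flow. The subnet range, the allowlist address, and the sample flows are constructed assumptions.

```python
import ipaddress
import struct

# Assumed network layout for this example (not from the article): the OT segment
# and the single engineering workstation (EWS) allowed to issue Modbus writes.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
EWS_ALLOWLIST = {ipaddress.ip_address("10.20.1.10")}
MODBUS_PORT = 502
# Modbus function codes that alter process state; everything else is treated as a read.
WRITE_CODES = {5, 6, 15, 16, 22, 23}

def parse_mbap(payload: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed.
    MBAP header: transaction id (2) | protocol id (2, must be 0) | length (2) | unit id (1).
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def classify(record: dict) -> str:
    """Label one flow: ok | it-to-ot-read | it-to-ot-write | unauthorized-write | malformed."""
    src = ipaddress.ip_address(record["src"])
    dst = ipaddress.ip_address(record["dst"])
    if record["dport"] != MODBUS_PORT or dst not in OT_SUBNET:
        return "ok"  # not Modbus into the OT segment; out of scope for this check
    parsed = parse_mbap(bytes.fromhex(record["payload"]))
    if parsed is None:
        return "malformed"
    crosses_boundary = src not in OT_SUBNET  # IT-side source talking straight to a PLC
    if parsed[1] in WRITE_CODES:
        if crosses_boundary:
            return "it-to-ot-write"
        return "ok" if src in EWS_ALLOWLIST else "unauthorized-write"
    return "it-to-ot-read" if crosses_boundary else "ok"

def audit(flows):
    return [classify(f) for f in flows]

# Constructed sample flows. Each payload is MBAP (tid=1, proto=0, len=6, unit=1) + PDU.
SAMPLE_FLOWS = [
    {"src": "10.20.1.10", "dst": "10.20.5.1", "dport": 502, "payload": "000100000006010600010001"},   # EWS: write register
    {"src": "10.20.3.7", "dst": "10.20.5.1", "dport": 502, "payload": "000100000006010300000002"},    # HMI: read registers
    {"src": "192.168.50.4", "dst": "10.20.5.1", "dport": 502, "payload": "000100000006010300000002"}, # IT host: read
    {"src": "192.168.50.4", "dst": "10.20.5.1", "dport": 502, "payload": "0001000000060105000AFF00"}, # IT host: write coil
    {"src": "10.20.3.7", "dst": "10.20.5.1", "dport": 502, "payload": "000100000006010600050007"},    # HMI: write register
]
```

Running `audit(SAMPLE_FLOWS)` labels the two IT-sourced flows as boundary crossings and the HMI write as unauthorized, which is the signal a segmentation or allowlist policy should have prevented.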
Outlook
Robert M. Lee, CEO and co-founder of Dragos, said: "The threat landscape in 2025 reached a new level of maturity. Ransomware groups are causing more operational disruption and multi-day outages that require OT-specific recovery. Yet industrial organizations significantly underestimate the reach of ransomware into OT environments because they think it's just IT." Network segmentation can limit lateral movement, while reliable, properly tested backups ensure recovery remains possible even after a breach. Security leaders are urged to ensure both IT and OT teams operate from clear, well-practiced playbooks that reflect current geopolitical threats. With regulatory obligations hardening across the EU and beyond, organizations that have yet to extend incident-response planning and asset visibility programs to OT domains face compounding operational and compliance exposure in the months ahead.