Dragos's 2026 OT Cybersecurity Year in Review highlights persistent vulnerabilities in industrial environments as IT/OT (Information Technology/Operational Technology) integration increases, ransomware incidents rise, and supply chain threats intensify. The report, released March 9, 2026, finds that fewer than 30% of OT networks have visibility across IT/OT boundaries. Of the remainder, 56% lack monitoring capabilities below this threshold, and 88% face challenges with detection and response. These gaps enable adversaries to map control loops and threaten physical processes before detection. [1: Dragos 2026 OT Cybersecurity Report: A Year in Review]
Background
Industrial organizations continue to face elevated cybersecurity risks from the convergence of IT and OT systems. In 2025, threat actors moved beyond prepositioning, actively mapping control loops and preparing for potential process manipulation. The number of tracked OT threat groups increased to 26, while ransomware impacted over 3,300 industrial organizations worldwide. Attackers primarily targeted access points and infrastructure supporting OT functions, rather than the controllers themselves. [1: Dragos 2026 OT Cybersecurity Report: A Year in Review] These trends are consistent with previous years, in which ransomware incidents spiked in manufacturing and operational disruptions often originated from IT-adjacent systems. [2: Dragos Reports OT/ICS Cyber Threats Escalate Amid Geopolitical Conflicts and Increasing Ransomware Attacks]
Details
Dragos reports that adversaries increasingly delay attacks, seeking to position themselves for future disruption rather than causing immediate impact. Attackers have gained awareness of control loops and have targeted human-machine interfaces (HMIs), drives, meters, and gateways. [3: Top Takeaways from the Dragos 2026 OT Cybersecurity Report | SANS Institute] New threat groups, including AZURITE, PYROXENE, and SYLVANITE, have joined established actors such as VOLTZITE, BAUXITE, and KAMACITE in compromising engineering workstations, IT/OT bridges, remote access devices, and identity solutions. [4: OT Threat Landscape 2026: What Defenders Need to Know | Dragos]
Ransomware affected more than 3,300 industrial organizations in 2025, nearly doubling from the previous year. Most incidents originated in IT-support systems, such as virtualization platforms, rather than directly compromising controller networks. [1: Dragos 2026 OT Cybersecurity Report: A Year in Review] Supply chain risk has grown, with adversaries exploiting trusted third parties, including engineering firms and vendors, to access multiple asset owners. [3: Top Takeaways from the Dragos 2026 OT Cybersecurity Report | SANS Institute]
Outlook
Improving visibility into OT networks, enhancing network segmentation, and securing IT/OT transition points, including remote access and identity solutions, will be essential for detecting adversarial actions before they impact operations. Building these capabilities is vital for strengthening industrial cybersecurity maturity in 2026 and beyond.
