Threat actors intensified campaigns against operational technology (OT) and cyber-physical systems as industrial networks extended their digital reach, renewing scrutiny of segmentation and resilience strategies. Cybersecurity researchers reported that ransomware incidents affecting OT networks rose by roughly 49% year-over-year in 2025, impacting more than 3,300 industrial organizations worldwide, with manufacturing the hardest hit. Attackers used stolen credentials and VPN vulnerabilities to breach IT systems, then moved laterally into SCADA (supervisory control and data acquisition) and HMI (human-machine interface) environments, producing denial-of-view or denial-of-control conditions for operators. Three newly tracked advanced persistent threat (APT) groups, Sylvanite, Azurite, and Pyroxene, exploited weak segmentation to exfiltrate engineering data or deploy wiper malware after phishing and lateral movement. In response, manufacturers and OT security teams gave higher priority to segmentation, micro-segmentation, improved visibility, and asset discovery to reduce risk and strengthen defense in depth. Budgets for OT security platforms grew, adoption of IEC 62443 and NIST-aligned zones-and-conduits models increased, and organizations hardened remote access with jump hosts protected by multi-factor authentication and session controls.
Background
Digital convergence of IT and OT systems in manufacturing and critical infrastructure has broadened the attack surface for groups targeting cyber-physical environments. Attackers increasingly gain initial access through IT domains and then pivot into OT by exploiting compromised credentials or misconfigured remote access, taking advantage of weak segmentation on control networks. Cyber intelligence firms noted a marked rise in disclosed vulnerabilities affecting HMIs and SCADA interfaces in 2025, an increase of roughly 45% over the previous year. Ransomware operators shifted toward extortion-only models, combining AI-generated phishing, polymorphic malware, and deepfake techniques to accelerate both intrusion and negotiation.
Details
Analysis of 2025 ransomware activity found that OT networks experienced a roughly 49% increase in incidents, with manufacturing bearing the majority of attacks, typically through VPN and credential-based intrusions rather than exploitation of ICS-specific flaws. Three new APT groups were identified. Sylvanite acted as an initial-access broker for the power, oil and gas, and water sectors, selling credentials or network access to other threat actors. Azurite, reportedly linked to Chinese state-backed groups, focused on extracting operational data such as network diagrams and PLC/HMI configurations. Pyroxene, associated with Iranian interests, specialized in phishing-driven lateral movement and wiper malware deployment, achieving disruption without direct access to programmable logic controllers (PLCs). ICS-specific vulnerability disclosures climbed to 2,451 in 2025, up from 1,690 in 2024, including several high-severity flaws in Siemens and Schneider Electric products. Attackers also disrupted the virtualization servers and backup systems underpinning SCADA/HMI platforms, compounding the impact of ransomware.
Industrial organizations responded by accelerating OT cybersecurity investments. Micro-segmentation and virtual patching (compensating controls such as inline intrusion-prevention signatures placed in front of devices that cannot be updated) are expected to become widespread where traditional patching is impractical. IEC 62443 zones-and-conduits strategies defined function-specific zones, such as safety, production, engineering, and remote access, and restricted the protocols permitted to cross each conduit between them, with anything not explicitly allowed denied. To secure vendor and third-party access, organizations deployed hardened jump hosts in identity-focused DMZs, enforcing multi-factor authentication, time-limited credentials, and session logging, so that remote sessions into OT zones could originate only from the jump host. Improved visibility, through asset discovery and continuous monitoring tailored to cyber-physical systems, supported these architectural defenses.
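The zones-and-conduits model above is easiest to see as a default-deny policy evaluated against observed traffic. The following is an added example, not code from the original article or from any vendor or standards body. It defines constructed zones (address ranges), a jump host address, and conduits as (source zone, destination zone) pairs with permitted protocol/port tuples, then audits constructed firewall-style flow records: traffic inside a zone is allowed, traffic into the safety zone is always denied, a flow between zones needs a matching conduit, and a flow from the remote-access DMZ into OT must originate from the jump host. All addresses, zone names, port choices and sample records are assumptions for illustration.

```python
"""Zones-and-conduits audit of observed flows (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IEC 62443-style zones grouped by function; each zone is a set of address ranges.
# All ranges are constructed for this example.
ZONES = {
    "enterprise_it":     ["10.0.0.0/16"],
    "remote_access_dmz": ["10.10.0.0/24"],     # identity-focused DMZ holding the jump host
    "engineering":       ["192.168.10.0/24"],  # engineering workstations
    "production":        ["192.168.20.0/24"],  # SCADA servers, HMIs, PLCs
    "safety":            ["192.168.30.0/24"],  # safety instrumented systems
}

# The only host permitted to originate sessions from the DMZ into OT zones (constructed).
JUMP_HOST = ip_address("10.10.0.5")

# Conduits: (src zone, dst zone) -> permitted (protocol, destination port) pairs.
# Anything not listed is denied. Deliberately, no conduit runs from enterprise_it
# straight into production, and nothing is allowed into safety.
CONDUITS = {
    ("enterprise_it", "remote_access_dmz"): {("tcp", 443)},                  # VPN portal to jump host
    ("remote_access_dmz", "engineering"):   {("tcp", 22), ("tcp", 3389)},    # SSH/RDP from jump host
    ("engineering", "production"):          {("tcp", 502), ("tcp", 44818)},  # Modbus/TCP, EtherNet/IP
    ("production", "engineering"):          {("tcp", 514)},                  # syslog to collector
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> Optional[str]:
    """Return the zone containing addr, or None if it belongs to no defined zone."""
    ip = ip_address(addr)
    for name, ranges in ZONES.items():
        if any(ip in ip_network(r) for r in ranges):
            return name
    return None


def evaluate(flow: Flow) -> tuple[str, str]:
    """Classify one flow as ('allow', reason) or ('deny', reason) under the policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint outside every defined zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    if dst_zone == "safety":
        return "deny", "safety zone accepts no inbound conduit"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return "deny", f"no conduit defined from {src_zone} to {dst_zone}"
    if (flow.proto, flow.dport) not in allowed:
        return "deny", f"{flow.proto}/{flow.dport} not permitted on conduit {src_zone}->{dst_zone}"
    if src_zone == "remote_access_dmz" and ip_address(flow.src) != JUMP_HOST:
        return "deny", "remote-access traffic must originate from the jump host"
    return "allow", f"conduit {src_zone}->{dst_zone} permits {flow.proto}/{flow.dport}"


def parse_flow(line: str) -> Flow:
    """Parse a whitespace-separated 'src dst proto dport' record (constructed format)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


# Constructed records standing in for a firewall or NetFlow export. The fourth line
# is the VPN-to-SCADA path described in the article; the fifth bypasses the jump host.
SAMPLE_FLOWS = """\
10.0.5.20     10.10.0.5      tcp 443
10.10.0.5     192.168.10.15  tcp 22
192.168.10.15 192.168.20.40  tcp 502
10.0.5.20     192.168.20.40  tcp 502
10.10.0.77    192.168.10.15  tcp 3389
192.168.10.15 192.168.30.10  tcp 502
192.168.20.40 192.168.20.41  udp 2222
203.0.113.9   192.168.20.40  tcp 502
"""


def audit(records: str) -> list[tuple[Flow, str, str]]:
    """Evaluate every record and return (flow, verdict, reason) triples."""
    return [(f, *evaluate(f)) for f in map(parse_flow, records.strip().splitlines())]


def violations(records: str) -> list[tuple[Flow, str]]:
    """Return only the denied flows with the reason each was denied."""
    return [(f, reason) for f, verdict, reason in audit(records) if verdict == "deny"]


if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.dport:<5} {reason}")
```

Run against the sample, four of the eight flows are denied: the enterprise host reaching a PLC directly, the non-jump-host DMZ address opening RDP into engineering, any traffic into the safety zone, and a source that maps to no zone at all. In practice the same rule set would be expressed in the firewall policy on each conduit, and a check like this one runs over exported flow logs to catch paths the firewall rules missed.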
Outlook
As digitization progresses, organizations are aligning governance and budgets with measurable resilience objectives, including reduced downtime, more efficient audits, and stronger incident response capabilities. Continued adoption of IEC 62443 and NIST-aligned segmentation architectures, combined with maturity assessments and board-level risk reporting, is expected to guide future OT modernization initiatives.
