Electric utilities have long operated under an assumption: meaningful disruption requires direct access to control systems such as protection relays, PLCs, or substation automation. The 2026 Dragos OT/ICS Cybersecurity Year in Review reflects what electric operators are already feeling: the grid is not as insulated from disruption as traditional security models assumed.
Based on observations from across the Dragos Intelligence Fabric, integrating platform telemetry, frontline response, adversary intelligence, and real-world assessments, the report highlights that adversaries do not need to “hack the grid” in the traditional sense to create operational impact. Instead, they are increasingly observed targeting the systems that operators rely on to see, understand, and manage the grid. In parallel, the grid itself is changing and expanding into distributed, software-driven, and remotely accessible systems that were not part of traditional security models. Together, these shifts are redefining what risk looks like in electric environments.
In 2025, the threat to electric infrastructure moved beyond access and persistence into deliberate, active preparation for operational impact. ELECTRUM, the most operationally experienced infrastructure threat group Dragos tracks, responsible for the 2015 and 2016 Ukrainian power outages, expanded its targeting to Polish energy infrastructure in late December 2025. It was the first major coordinated attack against Distributed Energy Resources (DER) anywhere in the world, and the activity confirmed deliberate attempts to directly impact operational assets rather than remaining confined to enterprise reconnaissance.
At the same time, KAMACITE, the access development team that directly enables ELECTRUM, spent four months systematically scanning internet-exposed industrial devices across the United States, targeting HMIs, variable frequency drives, meters, and cellular gateways in deliberate sequence to map entire control loops across energy and critical infrastructure sectors.
In a confirmed incident response, Dragos observed SYLVANITE, a Stage 1 access group that hands footholds directly to ICS-capable adversaries like VOLTZITE, operating inside a U.S. electric utility network.
These are active campaigns by adversaries who have caused electric outages before or are demonstrably building the access and operational intelligence to do so again. The implication: electric environments are not being “breached” loudly at a point in time; they are being inhabited silently over time.
The adversaries targeting electric infrastructure each follow distinct attack frameworks, and understanding these patterns is the first step to defending against them. Download the 4 Steps to Defend Electric Utilities from Cyber Threats infographic to see how adversaries operate across scenario-based attack paths built for electric sector defenders.
Insights from the Dragos Intelligence Fabric in 2025 reveal that adversaries are not forcing direct entry into control systems; they are gaining access through the systems that support and interface with grid operations and using that access to move closer to operational impact.
This includes:
- Remote access infrastructure used by operators and vendors
- Engineering workstations used to configure substations and protection systems
- IT systems that provide visibility, coordination, and control over grid operations
But securing these systems as IT problems alone is insufficient. What the Year in Review shows is that risk emerges at the intersection of IT and OT, where commands issued appear operationally valid and activity blends in with engineering and administrative workflows, and where there is limited ability to distinguish authorized use from adversary behavior.
This is why visibility into OT context, not just IT access, is required to identify when adversaries are operating inside grid-supporting systems.
At the same time, electric environments are evolving in ways that expand both capability and risk. Utilities are increasingly integrating Distributed Energy Resources (DER) management systems, Battery Energy Storage Systems (BESS), cloud-based grid platforms, and industrial IoT and smart grid technologies. These systems are remotely accessible, software-driven, and interconnected with grid operations.
The 2026 Dragos OT/ICS Cybersecurity Year in Review reports that technologies like BESS are increasingly integral to load balancing and grid stability. But they also introduce new control interfaces, new access pathways, and new dependencies on external systems. In many cases, these environments are deployed faster than they are secured or fully understood. The result is that the grid is more capable, but also more exposed and less consistently visible unless electric operators extend the boundaries that have historically defined operational environments.
Across environments analyzed in 2025, Dragos consistently observes that lack of OT asset visibility remains one of the most significant drivers of cyber risk. This lack of visibility directly impacts detection. Without a clear understanding of what assets exist, how they communicate, and what normal operations look like, it becomes extremely difficult to identify when adversaries are interacting with systems that influence grid operations.
Observations from across the Dragos Intelligence Fabric show that risk associated with OT vulnerabilities is not just growing; it is moving faster than most organizations are prepared for. In 2025, Dragos observed a median time of just 24 days between vulnerability disclosure and public exploit availability. In some cases, that window was nonexistent: approximately 4 percent of the ICS vulnerabilities disclosed in 2025 were actively exploited at the time of disclosure. For electric environments where patching is often constrained by operational requirements, these timelines compress the window for defensive action. Vulnerabilities should be prioritized based on their immediate exposure conditions - whether they are internet-reachable, operationally significant, and tied to grid-supporting systems - not treated as theoretical risks to be scheduled into the next maintenance cycle.
Observations from across Dragos regularly highlight that vulnerabilities affecting OT environments frequently involve systems tied to substation automation, protection relay automation and engineering workflows, remote access infrastructure, and other supporting systems that participate in grid operations. Across these same environments, these vulnerabilities often coexist with internet exposure, remote connectivity into OT environments, and limited visibility into how affected systems are used. This combination is what creates risk. At the same time, the continued expansion of Battery Energy Storage Systems (BESS) and distributed grid technologies introduces additional systems where vulnerabilities can directly affect how energy is stored, dispatched, and balanced.
In electric environments, vulnerabilities do not become dangerous when they are disclosed; they become dangerous when they are exposed, reachable, and tied to systems that influence grid visibility and control.
The findings of this year’s report reinforce that the SANS Five ICS Critical Controls remain the most practical way to reduce real operational risk. These are the controls most directly tied to how grid environments are actually accessed, monitored, and operated.
OT/ICS Incident Response: Electric operators need incident response plans built for grid operations, not just enterprise systems. In practice, that means preparing for scenarios where operators may lose confidence in telemetry, where visibility is degraded across substations and distributed assets, and where systems may need to be managed manually while an investigation is underway.
Defensible Architecture: For electric environments, architecture matters because the systems that influence grid operations are often spread across substations, remote sites, control centers, and third-party connections. The report makes clear that risk grows when those pathways are poorly segmented or when supporting systems are allowed to sit too close to operational functions without sufficient boundaries.
ICS Network Visibility & Monitoring: Visibility in electric environments has to extend beyond simply knowing what assets exist. Operators need to understand how systems communicate across generation, transmission, and distribution workflows, and whether those communications align with expected operational behavior. Without knowing that in real time, adversary activity inside grid-supporting systems is much harder to distinguish from normal operations.
Secure Remote Access: Remote access remains essential in electric operations, but it also remains one of the most consequential pathways into environments that influence grid reliability. The issue is not remote access itself; it is whether those pathways are tightly governed, monitored, and separated from the systems that provide operational visibility and control.
Risk-Based Vulnerability Management: Electric organizations do not need to treat every vulnerability as equally urgent. What matters is whether a vulnerability affects a system that is exposed, reachable, or operationally significant, especially where it intersects with substation operations, engineering workflows, or remote access into grid environments. The broader lesson is that vulnerability management only reduces risk when it is grounded in operational context.
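As an added illustration of the prioritization argument made here and in the vulnerability discussion above (example code, not from the report or from Dragos), the following Python ranks a constructed inventory by exposure conditions rather than by CVSS alone; the weights, thresholds, field names and sample assets are assumptions, and only the 24-day median comes from the page.

```python
from dataclasses import dataclass

# Page figure: median 24 days from disclosure to public exploit in 2025.
MEDIAN_DAYS_TO_EXPLOIT = 24

@dataclass
class Vuln:
    vuln_id: str                     # placeholder id, not a real CVE number
    asset: str
    cvss: float
    days_since_disclosure: int
    exploit_public: bool             # public exploit, or exploited at disclosure
    internet_reachable: bool
    remote_access_path: bool         # reachable via operator/vendor remote access
    operationally_significant: bool  # substation automation, relays, EWS
    grid_supporting: bool            # influences grid visibility or control

def exposure_score(v: Vuln) -> int:
    """Rank by exposure conditions (assumed weights); CVSS only breaks ties."""
    score = 0
    if v.internet_reachable:
        score += 40
    elif v.remote_access_path:
        score += 25
    if v.operationally_significant:
        score += 25
    if v.grid_supporting:
        score += 20
    if v.exploit_public:
        score += 15
    elif v.days_since_disclosure >= MEDIAN_DAYS_TO_EXPLOIT:
        score += 10  # past the median window: assume an exploit is imminent
    return score

def action_for(score: int) -> str:
    """>= 60: act now (out of cycle); >= 30: next maintenance window; else track."""
    return "now" if score >= 60 else "next-window" if score >= 30 else "track"

def triage(vulns):
    """Return (action, vuln_id, score) tuples, most urgent first."""
    ranked = sorted(vulns, key=lambda v: (exposure_score(v), v.cvss), reverse=True)
    return [(action_for(exposure_score(v)), v.vuln_id, exposure_score(v)) for v in ranked]

# Constructed sample inventory (illustrative values, not taken from the report).
SAMPLE = [
    Vuln("VULN-A", "cellular gateway to substation RTU", 7.2, 3, False, True, False, True, True),
    Vuln("VULN-B", "isolated historian test VM", 9.8, 40, False, False, False, False, False),
    Vuln("VULN-C", "engineering workstation for relay config", 8.1, 30, False, False, True, True, True),
    Vuln("VULN-D", "BESS management server", 6.5, 0, True, True, False, False, True),
]
```

Running `triage(SAMPLE)` places the CVSS 9.8 finding on the isolated test VM last, while the lower-scored but internet-reachable gateway and the remotely reachable engineering workstation are flagged for out-of-cycle action.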
The electric sector is not facing a single threat; it is facing a shift in how risk develops across interconnected systems. Understanding the shift requires more than isolated data points. It requires visibility across adversary behavior, vulnerabilities, asset exposure, and operational context.
Watch our on-demand 2026 Electric OT Threat Trends briefing with Dragos experts.