OT cyber threat intelligence often leaves consumers with the same lingering question: “What am I actually supposed to do with all this information?” In OT cybersecurity, industrial organizations cannot afford that ambiguity. When cyber incidents affect operational technology (OT), the consequences extend beyond IT systems and data loss. They can halt production, disrupt industrial processes, and affect the physical systems that support critical civilian infrastructure. Understanding the OT threat landscape is therefore only useful if it answers a practical question for defenders: What should we prioritize right now to reduce operational risk?
Across the Dragos 2026 OT/ICS Cybersecurity Year in Review, insights drawn from incident response engagements, cyber threat intelligence on adversaries, vulnerability research, and security assessments reveal a consistent pattern. Those insights come together through the Dragos Intelligence Fabric, a model that connects adversary tracking, OT telemetry, vulnerability research, detection engineering, threat hunting, incident response insights, and more to continuously inform defensive actions.
The most effective way to apply OT cyber threat intelligence is not just by understanding adversaries, but by identifying the assets they target to create operational impact. When viewed through that lens, the OT cyber threat landscape can be understood through four questions every asset owner and defender should ask.
The first reality of the OT threat landscape is that industrial organizations are no longer targeted by a narrow set of specialized adversaries. Today’s industrial threat ecosystem includes:
- State-sponsored and aligned threat groups
- Financially motivated ransomware groups
- Ideologically or geopolitically motivated hacktivists
Newly identified threat groups AZURITE, PYROXENE, and SYLVANITE, and continued activity by ELECTRUM, KAMACITE, VOLTZITE, and BAUXITE, demonstrate how adversary activity is evolving across the ICS Cyber Kill Chain with an increased focus on mapping control loops. AZURITE has been observed targeting OT engineering workstations to exfiltrate operational data and enable long-term access, while PYROXENE focuses on compromising IT-to-OT pathways to establish footholds inside industrial environments. At the same time, SYLVANITE operates at scale as an initial access provider for VOLTZITE, exploiting edge devices and remote access infrastructure to enable follow-on operations. Across these groups, activity consistently centers on a small set of high-impact assets, such as engineering workstations, remote access infrastructure, identity systems, and enterprise systems, that influence industrial control loops and physical processes.
Financially motivated ransomware groups, in particular, continue to impact industrial organizations at scale. In 2025 alone, Dragos tracked 119 ransomware groups impacting more than 3,300 industrial organizations worldwide, nearly double the number in 2024. Many ransomware cases that impacted industrial organizations are classified as “IT incidents,” even when the compromised systems support industrial operations, such as engineering workstations, SCADA infrastructure, and virtualization platforms that underpin OT operations. If these assets are exposed or poorly secured, adversaries do not need to breach the OT network directly. The path is already established.
The second insight from the Dragos Intelligence Fabric is that most OT incidents do not begin in OT networks. Adversaries consistently gain access through infrastructure that sits between enterprise and operational environments. In practice, adversaries are not “getting into OT,” they are getting into systems that connect to it. The most consistently targeted assets include:
- Remote access infrastructure (VPNs, remote access platforms)
- Identity and authentication systems
- Internet-facing edge devices (firewalls, gateways)
- Operational support systems (GIS, engineering tools)
The intrusion pathways outlined above are actively exploited by threat groups operating today. For example, SYLVANITE has been observed conducting large-scale initial-access operations via VPN exploitation and edge-device compromise, while AZURITE leverages vulnerabilities in internet-facing infrastructure to gain a foothold. Across observed activity, adversaries consistently target the systems that connect, manage, or enable industrial operations because those systems provide both easier access and a direct path toward operational impact.
What this means for defenders
Security teams should prioritize the systems that provide access into operational environments, not just the systems inside them. This means focusing on remote access infrastructure, identity systems, and internet-facing edge devices. If these assets are exposed or poorly secured, adversaries do not need to breach OT networks directly; the path is already established.
Perhaps the most striking finding across the Year in Review is not the breadth of adversaries. It is the lack of visibility that many organizations still have into OT environments. Dragos estimates that fewer than 10 percent of OT networks worldwide currently have meaningful network monitoring in place. This lack of telemetry creates a dangerous situation.
In 30 percent of incident response cases in 2025, investigations began not with a detection alert, but with someone noticing that “something seemed wrong” in operations. In many of those cases, the telemetry required to determine whether adversary activity was involved had never been collected. This means defenders may not discover an intrusion until operational symptoms appear.
Complicating matters, adversary activity does not immediately appear malicious in an OT context. Groups such as AZURITE operate within engineering environments to collect configuration and operational data, and PYROXENE establishes persistence across the extended operational environment without directly interacting with industrial environments.
The gap is not just visibility into OT networks; it is visibility into the full set of systems that support and influence operations. Adversaries can achieve operational impact by targeting these systems without ever interacting directly with control systems.
Adversaries are accelerating their ability to operate within these gaps. They use legitimate tools, native protocols, and trusted system interactions to blend into normal industrial activity, making detection even more dependent on visibility and context. This is why many incidents are only identified once operational symptoms appear. The activity leading up to them is occurring in systems that are not being monitored as part of the operational environment.
What this means for defenders
Effective visibility must extend beyond core OT networks to include the systems that support, connect to, and influence them. Without visibility into these assets, such as engineering workstations, remote access systems, identity infrastructure, cloud-connected platforms, and increasingly, industrial IoT and digitally connected automation systems, adversaries can operate undetected in the environments that ultimately determine operational outcomes.
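As an added illustration of the two points above, that adversaries enter through the systems connecting to OT and that detection depends on actually collecting industrial network telemetry, the following Python sketch runs three simple review rules over constructed flow records. It is not code from the Dragos report; the host names, zone labels, and baseline are assumptions.

```python
from collections import Counter

# Constructed sample flow records: (src_host, dst_host, protocol, action).
SAMPLE_FLOWS = [
    ("ews-01", "plc-07", "modbus", "write"),
    ("ews-01", "plc-07", "modbus", "read"),
    ("hmi-02", "plc-07", "modbus", "read"),
    ("vpn-jump-03", "plc-07", "modbus", "write"),   # remote access host writing to a PLC
    ("corp-ws-118", "ews-01", "rdp", "connect"),    # enterprise host reaching an EWS
    ("ews-01", "plc-09", "s7comm", "write"),        # known EWS, but a pair never seen before
]

# Assumed zone labels per host (hypothetical asset inventory).
ZONES = {
    "ews-01": "ot", "hmi-02": "ot", "plc-07": "ot", "plc-09": "ot",
    "vpn-jump-03": "remote_access", "corp-ws-118": "enterprise",
}

# Assumed baseline learned during a known-good period: which hosts may issue
# control writes, and which (src, dst, protocol) triples were observed.
BASELINE = {
    "engineering_hosts": {"ews-01"},
    "known_pairs": {("ews-01", "plc-07", "modbus"), ("hmi-02", "plc-07", "modbus")},
}

def review_flows(flows, zones, baseline):
    """Return (reason, flow) pairs for flows an OT analyst should look at.

    Rules are checked in priority order: a control write from a host that is
    not an engineering workstation, then any flow entering the OT zone from
    outside it, then any talker pair absent from the baseline.
    """
    findings = []
    for flow in flows:
        src, dst, proto, action = flow
        if action == "write" and src not in baseline["engineering_hosts"]:
            findings.append(("control write from non-engineering host", flow))
        elif zones.get(src) != "ot" and zones.get(dst) == "ot":
            findings.append(("IT/OT boundary crossing", flow))
        elif (src, dst, proto) not in baseline["known_pairs"]:
            findings.append(("new talker pair", flow))
    return findings

def summarize(findings):
    """Count findings by reason so the dominant gap is visible at a glance."""
    return Counter(reason for reason, _ in findings)

if __name__ == "__main__":
    results = review_flows(SAMPLE_FLOWS, ZONES, BASELINE)
    for reason, flow in results:
        print(f"{reason:40s} {flow}")
    print(summarize(results))
```

None of these rules needs a signature; every one depends only on having the flow telemetry and an asset inventory in the first place, which is the visibility gap the text describes.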
Despite the dynamic threat landscape, the defensive priorities that consistently reduce OT risk remain surprisingly stable. Organizations that reduce risk tend to focus on the same fundamentals:
- Preparing operationally aware incident response plans
- Segmenting critical systems and processes
- Monitoring industrial network communications
- Controlling remote access pathways
- Addressing vulnerabilities based on risk
Dragos recommends focusing on the SANS Five ICS Critical Security Controls, which remain one of the most effective frameworks for improving OT cybersecurity.
These priorities remain consistent, not because the threat landscape is static, but because adversaries continue to exploit the same foundational weaknesses. Whether the threat originates from ransomware groups, state-aligned threat groups, or opportunistic intrusions by hacktivists, the path to operational impact still depends on gaining access, moving through IT-OT boundaries, and operating undetected in industrial environments.
The key takeaway from this year’s report is simple: The OT threat landscape is dynamic, with new threat groups and capabilities observed each year, but the defenses that work are not novel. What keeps growing is the urgency. The gap between what adversaries can do and what defenders can see is widening, and organizations that cannot observe activity inside their industrial networks will struggle to detect the threats already operating there.
Cyber threat intelligence should not just describe adversaries. At its best, it helps defenders decide where to act first.
The insights in this blog represent only a portion of the findings from the 2026 Dragos OT/ICS Cybersecurity Year in Review, which draws on intelligence gathered from across incident response engagements, threat research, vulnerability analysis, and real-world industrial security assessments in the Dragos Intelligence Fabric.
As adversaries continue to evolve their targeting of industrial environments, the organizations that succeed will not be those that chase every new threat, but those that consistently apply the controls that limit how far those threats can go.
Download the report for a deeper look at the threats shaping industrial cybersecurity and the defensive actions organizations should prioritize.