You don’t need another headline to tell you ransomware is a problem. What you may not realize yet is just how often it’s impacting operational technology (OT) environments, and how few organizations are truly prepared for the fallout.
In a recent webcast hosted by SANS Institute, we brought together four seasoned experts in industrial cybersecurity (Tim Conway, Lesley Carhart, Jason Christopher, and Robert M. Lee) to unpack what’s really happening out there, what the latest data is showing us, and most importantly, what defenders can do to reduce risk.
Here’s what you need to know.
OT Is Under Fire, Whether It's the Target or Not
It’s easy to assume ransomware is still mostly an IT problem. But that assumption is increasingly dangerous.
Dragos CEO Robert M. Lee, who leads the company’s industrial cybersecurity efforts and co-authors the annual Dragos Year in Review report, shared that in the latest report, they documented around 1,600 industrial organizations hit by ransomware in 2024. And that’s just the verified number. Many more likely flew under the radar.
What’s changed? It’s not that criminals are becoming industrial control systems (ICS) experts. It’s that they’ve learned something simple: hitting OT environments, even indirectly, gets them paid faster.
“They’re not crafting programmable logic controller (PLC) specific malware,” Robert explained. “They’re hitting industrial companies, and thanks to interconnectivity and digitization, the blast radius includes OT. And they know it.”
The result? More frequent, more disruptive attacks that lead to real operational impacts, even when OT wasn’t the initial target.
Visibility and Detection Still Matter More Than Ever
Jason Christopher, who serves as Senior Vice President at Energy Impact Partners and co-author of several SANS ICS courses, took a step back to look at the big picture: five years of SANS ICS survey data.
One of the strongest correlations found was between detection maturity and ransomware response success. “Organizations with solid ICS detection capabilities were measurably better at containing incidents, remediating quickly, and minimizing damage,” he said.
Back in 2019, only about 30% of survey respondents said they had OT-specific detection in place. By 2024, that number had jumped to more than half. It’s progress, but also a sign that many organizations are still flying blind.
The IT–OT Divide Is Thinner Than You Think
One of the more sobering stats from the SANS survey: over 50% of respondents who experienced ransomware said it had some impact on their OT operations, even when the ransomware didn’t directly infect OT systems.
This isn’t surprising if you’ve spent any time in these environments. The separation between IT and OT that exists on architecture diagrams often looks very different in the real world. Remote access, vendor connections, unmanaged modems, shadow IT, and unpatched third-party systems make it easy for ransomware to spill into places where it can cause serious disruption.
Lesley Carhart, Technical Director of Incident Response at Dragos, sees this firsthand. “I’ll be told there’s just one remote access path,” she said. “Then we do forensics and find seven more, including TeamViewer sessions and outdated VPN concentrators.”
What Gets Hit, and Why It Matters
Here’s a critical point: ransomware rarely targets PLCs or remote terminal units (RTUs) directly. But that doesn’t mean your OT environment is safe.
Instead, attackers are compromising the systems that give operators visibility and control: Windows-based human machine interfaces (HMIs), telemetry servers, and supervisory control and data acquisition (SCADA) systems. When those go dark, the result is often a shutdown. Sometimes that shutdown is graceful. Sometimes it’s not.
“Getting ransomed in OT isn’t the same as getting ransomed in the front office,” Lesley explained. “You could lose a 20-million-dollar smelter. You could lose lives. And in many cases, people do lose jobs or companies go out of business.”
A Simple Framework for OT Ransomware Preparation
Lesley recently authored a SANS white paper titled A Simple Framework for OT Ransomware Preparation. It’s well worth your time. Using the PICERL model familiar to many incident response teams, it breaks down how to apply incident response planning specifically to OT environments, something too few organizations are doing with intent.
The focus? Preparation and documentation. Not buzzwords. Not product pitches. Just solid guidance on what matters when you're in the heat of the moment.
Key takeaways:
- Map and test backup and restore procedures regularly.
- Know how to isolate infected systems fast, without debate over who owns the decision.
- Build response plans around real-world scenarios, not abstract threats.
Scenarios Matter More Than Frameworks
When leaders ask, “Are we doing enough?” what they’re often really asking is, “Will we be okay when something goes wrong?”
The answer has less to do with how many controls you’ve checked off and more to do with how well you’ve prepared for what could actually happen in your environment. That’s why the SANS Five Critical Controls framework, co-authored by Tim Conway and Robert M. Lee, encourages organizations to start with scenario-based planning.
Instead of aiming for a world-class cyber program, focus on building a resilient business that can survive a bad day. That’s a lot more valuable than a color-coded heatmap or a high maturity score on a spreadsheet.
To Pay or Not to Pay?
During tabletop exercises, Jason always asks, “Would you pay the ransom?”
The answers vary. Some say “Never.” But then they realize their recovery plan doesn’t cover key systems, or their backups are incomplete, or they’d be down for weeks without a way to restore. Suddenly the decision isn’t so easy.
There’s no one-size-fits-all answer. But pretending you’ll never be in the position to decide is a mistake. Practice that scenario. Know your dependencies. And be honest about what it would take to recover without making the payment.
Your Next Move
Ransomware isn’t new. But the risks it poses to OT environments are escalating fast, and we can’t afford to treat it like just another IT security problem.
What’s encouraging is that the knowledge, tools, and frameworks to address it already exist. You don’t need to start from scratch. You just need to start.
Watch the webcast today, exclusively OnDemand. And ask yourself: if ransomware hit tomorrow, would your team be ready?
If the answer isn’t yes, the time to act is now.