
Top Takeaways from the Dragos 2026 OT Cybersecurity Report

What the Dragos Year in Review Revealed About Adversary Intent, Architecture, and OT Risk

Authored by SANS Institute


The Dragos 2026 OT Cybersecurity Report reinforces a reality many industrial defenders are experiencing on the frontlines: the OT threat landscape is maturing in quiet, structural ways. The most consequential activity in 2025 was not defined by new malware families or dramatic single-event disruptions. Instead, adversaries demonstrated patience, process awareness, and confidence that long-standing architectural weaknesses would continue to deliver results.

Rather than chasing novelty, attackers invested in understanding how industrial environments actually function — how access persists, how trust is inherited, and how operational impact can be staged long before it is executed. The result is an OT threat landscape where intent often precedes action by months, and where the absence of immediate disruption is no longer a sign of safety.

The following eight takeaways from Dragos’ latest Year in Review highlight the shifts that matter most for ICS defenders. They are indicators of how adversaries plan, position, and ultimately succeed in OT — and why organizations should expect this trajectory to continue.

1. Adversaries Are Actively Positioning for OT Impact

In 2025, several threat groups moved beyond opportunistic access and basic reconnaissance into deliberate positioning for future operational disruption. Dragos observed activity consistent with preparing environments for loss of control, loss of view, or destructive outcomes, even when nothing happened right away. That distinction matters. This behavior reflected intent, not experimentation. When this shift goes unnoticed, access tends to linger. Security teams may detect it, but without enough process context to understand why it matters. Production continues to run, urgency fades, and attackers quietly map dependencies in the background. Over time, disruption becomes a question of timing rather than capability. Preventing this requires more than intrusion detection — it requires understanding how cyber access can turn into physical consequences.

2. Control-Loop Mapping Replaced Broad Scanning

Some adversaries also moved away from broad, noisy discovery and toward a more deliberate effort to understand industrial processes. By systematically targeting HMIs, variable frequency drives, meters, and remote gateways, groups like KAMACITE showed interest in how commands originate, move through the environment, and affect physical systems. This marked a shift from simple asset inventory to genuine process comprehension. Many organizations struggle here. Monitoring often emphasizes asset visibility without fully accounting for how those assets interact. Defenders may see individual alerts but miss the story forming underneath, one that points to process manipulation rather than random activity. Recognizing when control-loop behavior changes requires architectural and operational fluency, not just better alerting.
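The gap described above, where each alert looks routine on its own but the sequence tells a story, is something a defender can surface by correlating per-source activity across control-loop roles rather than per-asset. The following is an added example, not code from the report or from Dragos, run over constructed OT monitoring events; the host and asset names, the role labels, and the four-hour window are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the report), one per line:
# timestamp, source host, destination asset, destination role.
SAMPLE_ALERTS = """\
2025-03-02T08:00:00 eng-ws-07 hmi-pump-station-1 hmi
2025-03-02T08:20:00 eng-ws-07 vfd-pump-2 vfd
2025-03-02T09:05:00 eng-ws-07 flow-meter-14 meter
2025-03-02T09:40:00 eng-ws-07 rgw-substation-3 remote_gateway
2025-03-02T10:00:00 eng-ws-12 hmi-pump-station-1 hmi
2025-03-02T14:30:00 eng-ws-12 hmi-pump-station-2 hmi
2025-03-03T08:00:00 eng-ws-03 vfd-pump-2 vfd
"""

# Asset roles that together describe how a command originates, moves and acts.
CONTROL_LOOP_ROLES = {"hmi", "vfd", "meter", "remote_gateway"}


def parse_alerts(text):
    """Parse the whitespace-separated event lines into (ts, src, dst, role) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, role = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, role))
    return events


def control_loop_mapping(events, window=timedelta(hours=4), min_roles=3):
    """Flag sources that reach at least min_roles distinct control-loop roles
    within any sliding window. Returns {source: sorted list of roles reached}.
    A source touching one HMI repeatedly never qualifies, however many alerts
    it raises; breadth across roles is the signal, not alert volume."""
    by_src = defaultdict(list)
    for ts, src, _dst, role in events:
        if role in CONTROL_LOOP_ROLES:
            by_src[src].append((ts, role))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            roles = {r for t, r in hits[i:] if t - start <= window}
            if len(roles) >= min_roles:
                flagged[src] = sorted(roles)
                break
    return flagged
```

Tuning the window and threshold to a site's normal engineering workflow is the operational step this example leaves to the reader.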

3. Initial Access Has Become a Scalable, Specialized Function

Initial access is no longer tightly coupled to the actors who ultimately cause operational impact. Groups such as SYLVANITE focused almost entirely on exploiting internet-facing infrastructure and then handing that access off to others. This division of labor increases scale and efficiency. For defenders, the more pressing question is no longer who got in, but how long that access is allowed to remain. The pattern looks familiar to anyone who has followed IT ransomware ecosystems, but the downstream risk in OT is much higher. Organizations may detect initial access and still lack OT-specific playbooks for validation, containment, and safe removal. Access persists because removing it requires coordination with operations, not just technical cleanup.

4. OT Disruption Often Occurs Without Touching Controllers

Many of the most disruptive incidents in 2025 never involved direct manipulation of PLCs or field devices. Instead, attackers targeted virtualization platforms, identity systems, and other OT-supporting infrastructure. The result was loss of visibility, loss of control, and extended outages — all without ICS-specific payloads. In many of these cases, defenders were looking in the wrong place entirely. Teams focused on controller integrity missed the real points of fragility: the systems operators rely on to see and manage the process. When those systems fail, the impact is operational regardless of where the malware lives.

5. Supply Chain Compromise Is a Primary OT Attack Vector

Engineering firms, system integrators, vendors, MSPs, and GIS providers increasingly became targets. These organizations often hold trusted access, detailed documentation, and insight into multiple industrial environments. Compromising one supplier can create leverage across dozens of asset owners. OT security can no longer be viewed through the lens of a single perimeter. Many environments inherit risk through trust relationships they don’t fully control. Vendor access models, remote workflows, and third-party connectivity often introduce exposure long before an asset owner realizes it. In regulated sectors, these trust boundaries are frequently shaped by compliance requirements as much as threat modeling, sometimes with unintended consequences.

6. Hacktivism Has Become Operationally Dangerous

In 2025, groups such as BAUXITE demonstrated that hacktivist activity can move well beyond disruption or messaging and into destructive operations. Wiper malware, direct interaction with OT assets, and psychological pressure campaigns appeared in the same playbooks. Hacktivist personas were also used to muddy attribution for more capable actors. For response teams, this ambiguity complicates decision-making. Assessing intent, capability, and risk often has to happen under pressure and with incomplete information. In those moments, disciplined response matters more than knowing exactly who is behind the activity.

7. Visibility Gaps, Not Zero-Days, Drive Most Failures

Across incident response cases and tabletop exercises, Dragos repeatedly found the same issue: organizations lacked the telemetry needed to confidently detect or investigate OT-related activity. Many incidents were only identified after operational impact occurred. Some anomalies couldn’t be classified at all. In many cases, no one knew what they were looking at. Visibility in OT environments is constrained by safety, stability, and legacy technology. Understanding what visibility is necessary — and what is realistically achievable — requires context that generic security models often overlook.

8. Architecture Determines Whether Incidents Stay Contained

Where networks were flat, trust was implicit, and segmentation was weak, attackers moved quickly from entry to impact. In environments with defensible architecture, the same intrusions were slower, louder, and easier to manage. The difference wasn’t tooling, intelligence, or staffing. It was structure. In practice, architecture determines whether an incident stays manageable or spirals. Resilience isn’t accidental. It’s either designed or it isn’t.

Strengthen Your ICS Defenses with SANS

The Dragos 2026 OT Cybersecurity Report shows that adversaries are succeeding because the same structural weaknesses remain widespread across industrial environments. Gaps in visibility, overexposed infrastructure, weak segmentation, and implicit trust continue to provide reliable paths to impact. Those same patterns are echoed in the SANS State of ICS/OT Security 2025 Report, which consistently shows that many organizations struggle less with identifying threats than with understanding their environments well enough to detect, investigate, and contain them. Across incident response, tabletop exercises, and assessments, the limiting factor is rarely intent or awareness; it is practical operational context.

Improving OT security depends less on chasing new threats and more on building durable understanding and response capability. For practitioners, that starts with a strong foundation in how industrial environments operate and how cyber activity translates into operational risk. ICS410: ICS/SCADA Security Essentials focuses on those fundamentals, while ICS515: ICS Visibility, Detection, and Response develops the skills needed to contain and manage incidents without introducing additional operational risk.

At the leadership level, many of the failures highlighted in the Dragos report trace back to decisions about trust, visibility, and architecture made without sufficient operational context. ICS418: ICS Security Essentials for Leaders helps bridge that gap by aligning governance and design decisions with real-world industrial risk. In regulated environments, ICS456: Essentials for NERC Critical Infrastructure Protection supports translating compliance requirements into architectures that meaningfully limit blast radius, while ICS612: ICS Cybersecurity In-Depth provides advanced practitioners with deeper insight into complex OT systems and attack paths.

Related Resources

Download your copy of the Dragos 2026 OT Cybersecurity Report here.

Download your copy of the SANS State of ICS/OT Security 2025 Report here.

Learn more about SANS ICS security training here.