Operational technology (OT) at industrial and critical infrastructure sites seems to have been benefiting from a lull in ransomware, and from attackers' relative ignorance of OT systems.

The volume of major operational technology (OT) cyber incidents dropped off in 2025, for the first time in seven years.
Rare is it in cybersecurity that any figure or metric goes down. More often than not, any kind of threat, anywhere, is usually rising. Only occasionally does the cybersecurity industry, ardent law enforcement, or some geopolitical development cut so deeply that some category of cyber threat declines, let alone one so significant as major OT attacks.
Since 2019, the number of OT cyberattacks that caused some sort of physical consequence for victims has been one of those statistics that's only ever gone one way. In the whole of 2018 — and every year before then — there were only a few. Then there were dozens. By 2024, there were 76 in one year.
2025 seems to have bucked the trend, though. In its newly published annual report on the subject, Waterfall Security Solutions identified just 57 physically impactful OT attacks — a figure significantly lower than 2024 and 2023, and even below 2022.
Which raises two questions: Why? And will it continue?
Why Are OT Cyberattacks Falling Off in Volume?
Waterfall proposed three hypotheses for why OT attacks fell last year. One is that improved cybersecurity protections are giving defenders an edge. This theory isn't so easy to measure, nor is it terribly convincing when one reads about some of the attacks that did make it through. For instance, in January 2025, a teenager in Italy happened upon a system that allowed him to change the routes of oil tankers and transport ships in the Mediterranean Sea.
"Some of the attackers found exposed human-machine interfaces (HMIs) on Shodan or something, and logged into the wretched things with default passwords or stolen passwords and caused physical consequences," recalls Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, speaking with Dark Reading. He pleads with the organizations that manage these systems: "People, take your HMIs off the Internet. This is basic stuff."
A second possible explanation is that fewer breaches are being reported nowadays in the public square.
This theory runs counter to conventional wisdom. For a long time, even large, publicly traded companies used to get away with concealing and lying about data breaches. In recent years, more and more countries have been imposing breach reporting regulations that force companies to promptly cop to their cyber failures out in the open. But this Western-centric trend doesn't cover a lot of the countries where OT attacks are most frequent. And in some countries, especially in Europe, organizations involved in critical infrastructure must report their breaches to their governments, but when that information reaches the public, it's often anonymized and aggregated.
Could It Just Be About Ransomware?
An even more compelling theory for the 25% drop is that there are simply fewer ransomware attacks, the cause of most major OT attacks in the 2020s. In recent years, law enforcement action in the United States, and, surprisingly, in Russia, has caused a lull in the ransomware scene, disrupting incentive structures and splitting up major groups. As a result, OT has benefited. If this hypothesis is to be believed, it doesn't bode well for 2026. "My prediction going forward is that these factors are stabilizing, if not self-correcting. The ransomware ecosystem, as far as we can tell, is back. It's settled down. The holes that were left in the ecosystem from law enforcement, now other people are providing those technologies," Ginter says.
The barrier to confirming this hypothesis, unfortunately, is that less information about cyberattacks has been surfacing in public lately. "We used to be able to figure [the details of any given attack] out from the data in the public record. This time around there just isn't the data to produce any sort of meaningful statistics," Ginter says, having put together enough annual reports to observe the trend over time.
"I would argue that the problem is lawsuits," he adds. Companies face all kinds of legal risks when they're breached; doubly so when they proffer initial findings, then later have to correct the record. In February 2025, for instance, a company called Marquis sued its firewall vendor, SonicWall, for having underestimated the impact of its breach upon initial analysis. Faced with stories like these, Ginter thinks, "the lawyers are saying, 'We could get sued if we expose a detail that is incorrect. So expose as few details as you can. Give what the law demands and no more.'"
Other OTSEC Trends: Sophistication Is Low, Severity Is High
OT attacks weren't only less frequent in 2025 — they were also less technically impressive, on the whole. "I would not call the attacks in the public record in 2025 OT-sophisticated," Ginter says. "In the previous year, 2024, there were three brand new kinds of malware: OT-specific malware were discovered, and some of them used. And so that betrays a certain level of sophistication. If you're clever enough to write the protocols, write the code to implement the protocols that can talk to the programmable logic controllers (PLCs), and the remote terminal units and the other industrial devices, that shows a degree of sophistication on the OT side. This time around, we did not see any new malware. We didn't even see a lot of old OT malware being used," Ginter explains.
There were some incidents that required significant OT know-how, though, such as those surrounding the Russia-Ukraine conflict. And, Ginter notes, "There are rumors recently that the American military has used their presumably sophisticated knowledge in Venezuela, and in Iran, to counteract anti-aircraft systems when their bombs were dropped on the nuclear facilities in 2025," but little reliable detail has been released to the public.
Although OT attacks were rarer and less technically interesting in 2025, many of those that did break through managed to be severe. The Jaguar Land Rover attack last summer, for example, is estimated to have caused a billion dollars in losses to the company, and around $2.5 billion to the United Kingdom economy, making it one of the most expensive cyber incidents in history.
On the nation-state front, Russian threat actors recently gained widespread access to Poland's solar and wind infrastructure, bricking an undisclosed number of automation devices but not actually disrupting the flow of power. In fact, despite that 25% global drop-off in attacks with physical consequences, Waterfall found that nation-state and hacktivist attacks without physical consequences doubled last year, and that most of those attacks targeted critical infrastructure.
"The numbers are down," Ginter warns, "but it does not seem to me like the severity is down."