Dragos 2026 OT Cybersecurity Report Notes Disturbing Shifts - ARC Advisory

ARC Advisory, archived Apr 06, 2026


APRIL 3, 2026 BY LARRY O'BRIEN CATEGORY: COMPANY AND PRODUCT NEWS

Even though it has been several weeks since the release of the annual Dragos OT Threat Report, this is still a good time to go over the distilled findings, and with the looming threat of nation-state cyber-attacks related to the war in the Middle East, it is probably even more relevant to discuss them now than when the report first came out. As Dragos CEO Robert Lee says in the introduction to this year's report, "Our goal was simple, keep the product pitching out of it and share whatever we are legally and ethically allowed to share that helps empower defenders."

Adversaries Move from Lying in Wait to a More Active Stance

As you can imagine, the report explores many issues that need to be addressed in US critical and industrial infrastructure when it comes to cybersecurity. Dragos notes that the overall stance of threat groups seems to have shifted from data collection and reconnaissance to using that data to better understand how industrial processes work. In other words, they are moving from a watch-and-wait stance to an active stance. The introductory paragraph of the report puts it this way:

"In 2025, adversaries targeting operational technology (OT) crossed a line that had previously been limited to a small number of well-known attacks impacting industrial control systems (ICS). They are no longer simply gaining access and waiting. Multiple threat groups, independently and across different geopolitical alignments, moved into actively mapping control loops: identifying engineering workstations, exfiltrating configuration files and alarm data, and learning how physical processes operate well enough to disrupt them. This is the removal of the last practical barrier between having access and being able to cause physical consequences. It indicates that the teams behind these operations are being told to prepare to act, not just to maintain options."

We Must Improve OT Network Visibility

Another key finding from the report is that adversarial capabilities seem to be growing a lot faster than end users are refining their defenses and cyber resilience strategies. As the report points out, OT cybersecurity data is transient. If you are not watching what is going on, it is very difficult to tell whether your systems are breached. It is very likely that users are experiencing incidents that could ultimately be cybersecurity-related, but the lack of visibility prevents them from realizing this. Dragos itself estimates that a paltry 10 percent of all OT networks worldwide have any kind of network monitoring or visibility capability in place.

New Threat Groups Forming, Existing Ones Collaborating

Dragos does a good job of outlining the major advanced persistent threat (APT) groups. These are groups that typically have nation-state backing and often exhibit advanced capabilities, and they typically specialize in particular stages of the cyber kill chain. This year, Dragos added AZURITE and PYROXENE as new threat groups: AZURITE specializes in data exfiltration and long-term surveillance of OT systems, while PYROXENE, an Iranian IRGC-backed group, targets OT and ICS environments. PYROXENE specializes in exploiting supply chains and trusted relationships to move from IT networks into OT systems, potentially leading to a loss of view or loss of control in ICS environments.

What Should Users Do?

Manufacturing and critical infrastructure end users clearly need to do more to improve cyber resilience. There are still many companies and critical infrastructure organizations that could benefit from implementing even the simplest steps of a cyber resilience strategy. The current war in the Middle East is creating a much more volatile threat environment. The Stryker cyber-attack has been the highest-profile attack linked to the conflict so far, but around the world, threat activity seems to be heating up quickly. A recent article from The Register, for example, reports that nearly 80 percent of UK manufacturing firms experienced at least one cyber-attack in the past year. In the case of Stryker, the attack is believed to have been carried out by a group called Handala, an Iran-linked group that targeted Stryker's Microsoft Intune remote desktop and endpoint management software, possibly with credentials obtained from infostealer malware. This seemingly IT-level attack had no trouble shutting down Stryker's manufacturing operations, showing once again that IT-level attacks often have OT-level consequences. It also underlines the importance of good, secure remote access and zero-trust strategies.