Infrastructure Attacks With Physical Consequences Down 25%
Dark Reading
Operational technology (OT) at industrial and critical infrastructure sites seems to have been benefiting from a lull in ransomware, and from hackers' relative ignorance of OT systems.
Nate Nelson, Contributing Writer
March 27, 2026
6 Min Read
The volume of major operational technology (OT) cyber incidents dropped off in 2025, for the first time in seven years.
Rare is it in cybersecurity that any figure or metric goes down. More often than not, any kind of threat, anywhere, is rising. Only occasionally does the cybersecurity industry, ardent law enforcement, or some geopolitical development cut so deeply that a category of cyber threat declines, let alone one as significant as major OT attacks.
Since 2019, the number of OT cyberattacks that caused some sort of physical consequence for victims has been one of those statistics that's only ever gone one way. In the whole of 2018 — and every year before then — there were only a few. Then there were dozens. By 2024, there were 76 in one year.
2025 seems to have bucked the trend, though. In its newly published annual report on the subject, Waterfall Security Solutions identified just 57 physically impactful OT attacks — a figure significantly lower than 2024 and 2023, and even below 2022.
Which raises two questions: Why? And will it continue?
Why Are OT Cyberattacks Falling Off in Volume?
Waterfall proposed three hypotheses for why OT attacks fell last year.
One is that improved cybersecurity protections are giving defenders an edge. This theory isn't so easy to measure, nor is it terribly convincing when one reads about some of the attacks that did make it through. For instance, in January 2025, a teenager in Italy happened upon a system that allowed him to change the routes of oil tankers and transport ships in the Mediterranean Sea.
"Some of the attackers found exposed human-machine interfaces (HMIs) on Shodan or something, and logged into the wretched things with default passwords or stolen passwords and caused physical consequences," recalls Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, speaking with Dark Reading. He pleads with the organizations that manage these systems: "People, take your HMIs off the Internet. This is basic stuff."
A second possible explanation is that fewer breaches are being reported nowadays in the public square.
This theory runs counter to conventional wisdom. For a long time, even large, publicly traded companies used to get away with concealing and lying about data breaches. In recent years, more and more countries have been imposing breach reporting regulations that force companies to promptly cop to their cyber failures out in the open. But this Western-centric trend doesn't cover a lot of the countries where OT attacks are most frequent. And in some countries, especially in Europe, organizations involved in critical infrastructure must report their breaches to their governments, but when that information reaches the public, it's often anonymized and aggregated.
Could It Just Be About Ransomware?
An even more compelling theory for the 25% drop is that there are simply fewer ransomware attacks, the cause of most major OT attacks in the 2020s. In recent years, law enforcement action in the United States, and, surprisingly, in Russia, has caused a lull in the ransomware scene, disrupting incentive structures and splitting up major groups. As a result, OT has benefited.
If this hypothesis is to be believed, it doesn't bode well for 2026. "My prediction going forward is that these factors are stabilizing, if not self-correcting. The ransomware ecosystem, as far as we can tell, is back. It's settled down. The holes that were left in the ecosystem from law enforcement, now other people are providing those technologies," Ginter says.
The barrier to confirming this hypothesis, unfortunately, is that less information about cyberattacks has been surfacing in public lately. "We used to be able to figure [the details of any given attack] out from the data in the public record. This time around there just isn't the data to produce any sort of meaningful statistics," Ginter says, having put together enough annual reports to observe the trend over time.
"I would argue that the problem is lawsuits," he adds. Companies face all kinds of legal risks when they're breached; doubly so when they proffer initial findings, then later have to correct the record. In February 2025, for instance, a company called Marquis sued its firewall vendor, SonicWall, for having underestimated the impact of its breach upon initial analysis. Faced with stories like these, Ginter thinks, "the lawyers are saying, 'We could get sued if we expose a detail that is incorrect. So expose as few details as you can. Give what the law demands and no more.'"
Other OTSEC Trends: Sophistication Is Low, Severity Is High
OT attacks weren't only less frequent in 2025 — they were also less technically impressive, on the whole.
"I would not call the attacks in the public record in 2025 OT-sophisticated," Ginter says. "In the previous year, 2024, there were three brand-new kinds of malware: OT-specific malware were discovered, and some of them used. And so that betrays a certain level of sophistication. If you're clever enough to write the protocols, write the code to implement the protocols that can talk to the programmable logic controllers (PLCs), and the remote terminal units and the other industrial devices, that shows a degree of sophistication on the OT side. This time around, we did not see any new malware. We didn't even see a lot of old OT malware being used," Ginter explains.
There were some incidents that required significant OT know-how, though, such as those surrounding the Russia-Ukraine conflict. And, Ginter notes, "There are rumors recently that the American military has used their presumably sophisticated knowledge in Venezuela, and in Iran, to counteract anti-aircraft systems when their bombs were dropped on the nuclear facilities in 2025," but little reliable detail has been released to the public.
Although OT attacks were rarer and less technically interesting in 2025, many of those that did break through managed to be severe. The Jaguar Land Rover attack last summer, for example, is estimated to have caused a billion dollars in losses to the company, and around $2.5 billion to the United Kingdom economy, making it one of the most expensive cyber incidents in history.
On the nation-state front, Russian threat actors recently gained widespread access to Poland's solar and wind infrastructure, bricking an undisclosed number of automation devices but not actually causing a disruption to power flow. In fact, despite that 25% global drop-off in attacks with physical consequences, Waterfall found that nation-state and hacktivist attacks without physical consequences doubled last year, and that most of those attacks targeted critical infrastructure.
"The numbers are down," Ginter warns, "but it does not seem to me like the severity is down."