In this week’s bulletin, Charlie discusses key findings from the 2025 OT Cybersecurity Report, highlighting the increasing use of cyberattacks in geopolitics, the rise of Stage 2 attacks, the importance of basic security measures, and the growing vulnerability of VPNs and firewalls, stressing the need for resilience-driven defence in industrial cybersecurity.
A client I was talking with recently mentioned the 2025 OT Cybersecurity Report.
It’s not that often you see a report which focuses specifically on the cyber issues associated with Operational Technology (OT). I’m learning a lot about OT. As my bulletin last week was all about OT backups, I thought I would share some of the learnings from the report with the readers of the bulletin.
The Dragos 2025 OT Cybersecurity Year in Review gives us a snapshot of the evolving cyber threat landscape targeting industrial systems and critical infrastructure. But rather than just summarising the report, I want to focus on what we can learn from it, and how we can apply those lessons in our own organisations.
1. OT is now a frontline in geopolitics
One of the more alarming shifts in 2024 was the increasing use of cyberattacks as geopolitical weapons. We’re no longer just seeing hackers tinkering with OT environments for fun or money – these attacks are being used to pressure, punish or destabilise governments and societies.
Two interesting examples:
- Fuxnet, allegedly used by a Ukrainian hacktivist group, targeted Moscow’s underground infrastructure. It disabled industrial sensors and wiped control systems using default credentials.
- FrostyGoop, on the other hand, disrupted heating in over 600 Ukrainian apartment buildings during winter. It manipulated Modbus commands and left residents without heating.
Whether hacktivists or state-sponsored actors, these groups now see OT as a viable, vulnerable and valuable target. If your organisation plays any role in national infrastructure – even indirectly – it’s worth asking ‘are we ready to be on the frontlines?’.
2. Stage 2 attacks are no longer rare
Dragos has described attacks on OT in two stages:
- Stage 1: Network access and data collection.
- Stage 2: Actions with real-world physical consequences.
Historically, most attacks stopped at Stage 1. However, in 2024, several groups pushed into Stage 2 territory.
BAUXITE are a threat group likely linked to Iranian interests. They didn’t just snoop – they accessed Unitronics PLCs, uploaded malicious ladder logic, and disrupted operations in water and chemical plants. That’s not theoretical risk; that’s real-world impact.
It’s a sign we need to move beyond detection. Response plans must now assume attackers will try to cause disruption.
3. The basics still matter – more than ever
Reading about zero-day exploits and nation-state tools is always compelling, but many of the attacks detailed in the report were surprisingly… basic.
- Default passwords were used in the Fuxnet attack.
- Phishing emails and a known Outlook vulnerability helped GRAPHITE gain access to major targets.
- Poor remote access setups left systems exposed for VOLTZITE to exploit via Ivanti VPN flaws.
As ever, the lesson is clear: we can’t neglect the fundamentals. Patch systems. Change default credentials. Review who has remote access and how it’s secured. You don’t need a multi-million-pound cybersecurity budget to protect yourself from basic attacks.
4. VPNs and firewalls are the new soft underbelly
If your organisation still treats firewalls and VPNs as untouchable gatekeepers, it’s time for a rethink. VOLTZITE, a China-linked group, made a habit of targeting perimeter devices. They exploited unpatched VPNs and compromised SOHO routers to get access, then exfiltrated GIS data and potentially OT telemetry.
Once inside, they weren’t just browsing – they were gathering useful, operational intelligence. For organisations reliant on remote access and hybrid IT/OT setups, these devices are your most visible – and often most vulnerable – point of entry.
5. Ransomware isn’t going away
Ransomware remains the most prominent and disruptive cyber threat for industrial sectors. Dragos observed an 87% year-on-year rise in ransomware incidents across industrial organisations. The manufacturing sector alone accounted for nearly 70% of all known cases.
The worrying part? Some ransomware groups now appear aligned, formally or informally, with nation-state objectives. So even if they start with a ransom demand, the intent might be broader disruption.
This means ransomware needs to be part of your resilience planning. Do you have:
- Offline backups?
- Response playbooks?
- Tested comms plans?
If not, you might be gambling with your continuity.
6. Visibility is everything
Time and time again, the report highlights a critical issue: defenders couldn’t see what was happening on their networks.
Organisations hit by KAMACITE and ELECTRUM didn’t detect suspicious behaviours until it was too late. VOLTZITE’s activity often flew under the radar. Even simple things like unusual traffic between HMIs and PLCs went unnoticed.
Whether it’s deep packet inspection, protocol-aware monitoring, or better logging and alerting, visibility is no longer a luxury. It’s the difference between catching a threat early or learning about it in the press.
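To make "protocol-aware monitoring" concrete, here is a small added example (my own illustration, not code from the Dragos report or any vendor product) of the kind of check that would have surfaced the "unusual traffic between HMIs and PLCs" mentioned above. It parses the Modbus/TCP header of each request, then flags any state-changing write that does not come from a host on an allowlist of known HMIs. The IP addresses, the allowlist and the captured frames are all constructed for the example.

```python
"""Toy protocol-aware monitor for Modbus/TCP requests (added example, constructed data)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Modbus function codes that change state on the PLC versus ones that only read it.
WRITE_FUNCTIONS: Dict[int, str] = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTIONS: Dict[int, str] = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}

# Constructed allowlist: PLC address -> set of HMI addresses permitted to write to it.
ALLOWED_WRITERS: Dict[str, Set[str]] = {
    "10.0.1.50": {"10.0.1.10"},
}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    # The MBAP length field counts unit id + function code + data, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, transaction_id, unit_id, frame[7], frame[8:])


def check_request(req: ModbusRequest) -> List[str]:
    """Return alert strings for a single parsed request (empty list if nothing unusual)."""
    alerts: List[str] = []
    if req.function_code in WRITE_FUNCTIONS:
        if req.src not in ALLOWED_WRITERS.get(req.dst, set()):
            alerts.append(
                f"UNEXPECTED_WRITE {req.src}->{req.dst} unit {req.unit_id}: "
                f"{WRITE_FUNCTIONS[req.function_code]} (fc {req.function_code})"
            )
    elif req.function_code not in READ_FUNCTIONS:
        alerts.append(f"UNUSUAL_FUNCTION {req.src}->{req.dst}: fc {req.function_code}")
    return alerts


def monitor(traffic: List[Tuple[str, str, bytes]]) -> List[str]:
    """Run every (src, dst, frame) record through the parser and the checks."""
    alerts: List[str] = []
    for src, dst, frame in traffic:
        try:
            req = parse_modbus_tcp(src, dst, frame)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src}->{dst}: {exc}")
            continue
        alerts.extend(check_request(req))
    return alerts


# Constructed sample capture: (source IP, destination IP, raw Modbus/TCP request bytes).
SAMPLE_TRAFFIC: List[Tuple[str, str, bytes]] = [
    # Known HMI reads 10 holding registers from the PLC: normal.
    ("10.0.1.10", "10.0.1.50", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Known HMI writes register 0x10 on the PLC: allowed by the allowlist.
    ("10.0.1.10", "10.0.1.50", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x2a"),
    # Unknown host writes a single register: should be flagged.
    ("10.0.9.99", "10.0.1.50", b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x00"),
    # Unknown host writes multiple registers: should be flagged.
    ("10.0.9.99", "10.0.1.50", b"\x00\x04\x00\x00\x00\x09\x01\x10\x00\x10\x00\x01\x02\x00\x00"),
    # Non-zero protocol id: not valid Modbus, reported as malformed.
    ("10.0.9.99", "10.0.1.50", b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x01"),
]


if __name__ == "__main__":
    for alert in monitor(SAMPLE_TRAFFIC):
        print(alert)
```

The point is not the parser itself but the policy around it: a read from anywhere is noise, a write from an unknown host is an incident, and a frame that does not parse is worth a look. A real deployment would feed this from a network tap or span port and learn the allowlist from a baseline period rather than hard-coding it.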
Final thoughts: defend smart, not just hard
The Dragos report doesn’t suggest we need silver bullets or high-end AI to fend off attackers. In fact, it makes a strong case for getting the basics right and using smart, risk-based approaches to security.
Some key questions to consider:
- Are you still using default passwords on any OT equipment?
- Can you confidently say your VPN and remote access systems are secure?
- If an attacker got in, would you know?
- Do your senior leadership understand the business impact of a cyberattack on OT?
The threats are getting bolder, but many defences are still stuck in 2015. Maybe it’s time to shift from compliance-driven security to resilience-driven defence.
As I always say in training sessions: if your OT network is connected to IT, and your IT is connected to the internet… your OT is connected to the internet. Let’s start acting like it.
The report can be found here.