From access to impact: why 2025 was the year OT threats grew teeth

by Black Hat Middle East and Africa

In 2025, OT adversaries changed posture.

A recently published year-in-review report from Dragos documents threat groups that are actively mapping industrial control loops – identifying engineering workstations, exfiltrating configuration files and alarm data, and analysing processes closely enough to disrupt them. The report describes this as the removal of the last practical barrier between network access and physical consequence.

That detail matters enormously for OT risk. Mapping control logic requires patience, domain familiarity and intent, and it shows threat actors are preparing for operational impact.

Dragos also identified three new OT-focused threat groups in 2025: AZURITE, PYROXENE and SYLVANITE. This brings the total it tracks to 26 OT-specific groups, with 11 active during the year.

So the threat landscape is expanding in both volume and sophistication.

A more industrialised adversary model

Dragos describes an increasingly structured operating model among threat actors. Initial access providers establish footholds and then hand off environments to teams with ICS-specific capability. In some cases, this division of labour compresses the timeline from compromise to operational readiness from weeks to days.

That efficiency mirrors developments seen in the ransomware ecosystem. OT tradecraft now follows similar patterns of specialisation and workflow.

AZURITE and PYROXENE were observed operating inside OT environments and exfiltrating operational intelligence from engineering workstations. Engineering systems, configuration files and alarm histories are becoming priority targets – because they provide insight into how physical processes behave. If you know how systems are controlled, you’ve got operational leverage. 

Distributed energy comes into scope

The year also delivered a milestone in critical infrastructure targeting.

The report notes that ELECTRUM (the group linked to the 2015 and 2016 Ukraine power outages) expanded its targeting into Poland in late December 2025, focusing on distributed energy resources (DERs) – the first major coordinated cyberattack against DERs globally.

DER environments introduce new architectural complexity. They rely on software-defined coordination, remote management and interconnected supply chains. The fact that adversaries are giving serious attention to this segment reflects the strategic value of these systems. 

Exploitation timelines are shrinking

Speed was another defining feature of 2025.

Dragos reports a median of 24 days from vulnerability disclosure to public exploit in 2025. In addition, 4% of ICS vulnerabilities were actively exploited at disclosure. The report also notes that 26% of advisories offered no patch and 25% contained incorrect CVSS scores.

That means exposure windows remain wide while attacker development cycles accelerate.

Telemetry from Nozomi provides supporting context. In the second half of 2025, adversary-in-the-middle (AiTM) activity accounted for 26.5% of all alerts. Credential interception and session hijacking continue to be highly effective entry techniques across converged IT, OT and IoT environments.

The same report highlights a rise in data manipulation activity, climbing to fifth place in technique rankings. Integrity attacks can alter operational data in ways that influence decisions, safety thresholds and automated responses. Access and manipulation increasingly move together. 

The visibility deficit

Reading these reports, it’s clear that the structural concern here sits on the defensive side. 

Dragos estimates that fewer than 10% of OT networks worldwide have network visibility and monitoring in place.

And operational anecdotes reinforce that statistic. Thirty percent of incident response cases in 2025 began with someone observing that “something seems wrong”, often without sufficient telemetry to determine whether cyber activity was involved.

To investigate, you have to have data – but many environments still lack it. 

Meanwhile, Nozomi reports that 48% of recent 2025 vulnerabilities present in observed environments were rated ‘high’ or ‘critical’. Wireless exposure is also still common, with 68% of observed wireless networks lacking management frame protection, and only 0.3% using enterprise-grade 802.1X authentication.

In effect, the gap between adversary capability and defender instrumentation is widening. For cybersecurity, that represents a monumental task: to protect OT, we have to close the gap. 

There’s no simple way to do that. But this research does point to some strong pathways to more robust security:

  • Harden and monitor engineering workstations. They’re central to control-loop mapping activity.
  • Reduce patch latency and advisory blind spots. Exploitation often follows disclosure within weeks.
  • Prioritise OT visibility. Incident response without telemetry limits both attribution and containment.

OT environments now attract focused, technically capable adversaries who invest time in understanding how physical processes operate. Resilience now depends on whether organisations match that seriousness with visibility and disciplined operational defence.
