The Dragos 2026 Report: Why This One Changes Everything

Some cybersecurity reports confirm what we already knew. This one documents something new.

Dragos’ 2026 OT/ICS Cybersecurity Report, released February 17, 2026, marks the ninth year of the company’s comprehensive analysis of threats facing industrial and critical infrastructure. But the findings this year aren’t incremental. They represent a structural shift in how adversaries approach operational technology environments — and what that means for data security, data privacy, and regulatory compliance.

The core finding is straightforward and alarming: adversaries are no longer content to gain access and wait. They’re actively mapping control loops, understanding how industrial processes work, and positioning themselves to induce physical effects.

That’s not reconnaissance. That’s preparation for operational disruption.

5 Key Takeaways

  1. Adversaries Have Moved From Reconnaissance to Control Loop Mapping. The Dragos 2026 report documents a fundamental shift in how threat actors approach industrial environments. KAMACITE systematically mapped control loops across U.S. infrastructure throughout 2025, while ELECTRUM targeted distributed energy systems in Poland with deliberate attempts to affect operational assets. Adversaries are no longer just gaining access — they’re learning how commands originate, how they propagate through systems, and where physical effects can be induced. This represents a maturation from passive foothold to active operational understanding.
  2. Three New Threat Groups Emerged — and They Work as Coordinated Ecosystems. Dragos identified three new threat groups in 2025: SYLVANITE, PYROXENE, and AZURITE. Most significantly, SYLVANITE operates as an access broker, rapidly exploiting vulnerabilities in Ivanti, F5, SAP, and ConnectWise products, then handing established footholds to VOLTZITE for deeper OT intrusions. PYROXENE deployed destructive wiper malware against critical infrastructure during regional conflict. AZURITE showed operational overlaps with Flax Typhoon and conducted sustained operations across the U.S., Europe, and Asia-Pacific. The ecosystem model — specialists establishing access for more capable adversaries — is now the dominant operational pattern.
  3. Ransomware Groups With OT Reach Surged 49% Year-Over-Year. Ransomware targeting industrial organizations jumped 49% in 2025, impacting 3,300 organizations globally. But the real story is operational disruption. Ransomware is no longer “just IT” — it’s causing multi-day outages that require OT-specific recovery. Organizations continue to significantly underestimate ransomware’s reach into operational environments because they misclassify incidents as IT-only, missing the downstream impact on production systems, safety controls, and physical processes.
  4. Visibility Is the Decisive Differentiator — 5 Days vs. 42 Days Detection Time. Organizations with comprehensive OT visibility detected and contained OT ransomware incidents in an average of 5 days. The industry-wide average? 42 days. That’s not a marginal improvement — it’s the difference between a contained incident and a catastrophic one. Detection maturity directly correlates with response success, yet fewer than 10% of OT networks have the visibility required to detect reconnaissance, lateral movement, and data exfiltration before adversaries achieve their objectives.
  5. VOLTZITE Reached Stage 2 of the ICS Cyber Kill Chain. Dragos elevated VOLTZITE to Stage 2 of the ICS Cyber Kill Chain after observing the group manipulate engineering workstation software to extract configuration files and alarm data. The group specifically investigated what operational conditions would trigger process shutdowns. In one case, VOLTZITE compromised Sierra Wireless Airlink cellular gateways to access U.S. midstream pipeline operations, then pivoted to engineering workstations. VOLTZITE shares technical overlaps with Volt Typhoon — the group U.S. intelligence has warned is prepositioning for potential disruption of critical infrastructure.

Control Loop Mapping: Understanding the Threat

To understand why control loop mapping matters, you need to understand what a control loop is.

In industrial environments, a control loop is the set of devices and software that sense a physical variable — temperature, pressure, flow, level — compare that reading to a setpoint, and actuate devices to change the process. A thermostat controlling a furnace is a simple control loop. A refinery managing hundreds of interconnected processes has thousands of them.

When adversaries map control loops, they’re learning the operational logic of a facility. They’re identifying which sensors feed which controllers. They’re understanding what thresholds trigger alarms or automatic shutdowns. They’re discovering how to manipulate readings or commands to produce specific physical outcomes.

KAMACITE spent 2025 doing exactly this across U.S. infrastructure. ELECTRUM targeted distributed energy systems in Poland with deliberate attempts to affect operational assets. VOLTZITE extracted configuration files and alarm data from engineering workstations, specifically investigating what conditions would trigger process shutdowns.

This isn’t theoretical capability. It’s documented operational activity.
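To make the control loop concrete, here is an added illustration (not code from the Dragos report or from Kiteworks): a toy tank-level loop whose on/off controller and high-level alarm act only on the *reported* sensor value, alongside a process-aware monitor that compares each reported change with what the commanded valve state should produce. The tank constants, setpoint, alarm threshold and tolerance are constructed values.

```python
"""Toy tank-level control loop with a process-aware integrity check."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Tank:
    """Physical process: level rises while the inlet valve is open, drains otherwise."""
    level: float = 50.0      # percent full (constructed starting point)
    inflow: float = 4.0      # percent per cycle with the valve fully open
    outflow: float = 2.0     # constant drain, percent per cycle

    def step(self, valve_open: float) -> float:
        self.level += self.inflow * valve_open - self.outflow
        self.level = max(0.0, min(100.0, self.level))
        return self.level


@dataclass
class Controller:
    """On/off controller with a high-level alarm, driven by the *reported* level."""
    setpoint: float = 60.0
    high_alarm: float = 90.0
    alarms: list = field(default_factory=list)

    def decide(self, reported_level: float, cycle: int) -> float:
        if reported_level >= self.high_alarm:
            self.alarms.append(cycle)
            return 0.0                     # alarm: close the inlet valve
        return 1.0 if reported_level < self.setpoint else 0.0


@dataclass
class IntegrityMonitor:
    """Defender-side check: does the reported change match the commanded valve state?"""
    inflow: float
    outflow: float
    tolerance: float = 0.5
    max_strikes: int = 3
    strikes: int = 0

    def check(self, prev: float, now: float, valve_open: float, cycle: int) -> Optional[str]:
        expected = self.inflow * valve_open - self.outflow
        self.strikes = self.strikes + 1 if abs((now - prev) - expected) > self.tolerance else 0
        if self.strikes >= self.max_strikes:
            return f"cycle {cycle}: level reading no longer responds to valve commands"
        return None


def run(cycles: int, tamper_from: Optional[int] = None) -> dict:
    """Run the loop; if tamper_from is set, the reported level freezes from that cycle on."""
    tank, ctl = Tank(), Controller()
    mon = IntegrityMonitor(tank.inflow, tank.outflow)
    valve = 0.0
    prev = reported = tank.level
    first_alert = None
    for cycle in range(cycles):
        true_level = tank.step(valve)
        if tamper_from is None or cycle < tamper_from:
            reported = true_level          # honest sensor
        alert = mon.check(prev, reported, valve, cycle)
        if alert and first_alert is None:
            first_alert = cycle
        valve = ctl.decide(reported, cycle)
        prev = reported
    return {"true_level": tank.level, "reported": reported,
            "alarms": ctl.alarms, "first_alert": first_alert}
```

With an honest sensor the level settles around the setpoint and nothing fires; with the reading frozen from cycle 6, the controller keeps the valve open and its high-level alarm never trips while the true level climbs, but the integrity monitor alerts at cycle 8.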


The Ecosystem Model: Specialists Handing Off to Specialists

One of the most significant findings in the Dragos report is the emergence of coordinated threat ecosystems where groups specialize in different phases of an attack.

SYLVANITE exemplifies this model. The group focuses on rapid exploitation of vulnerabilities in internet-facing systems — Ivanti, F5, SAP, ConnectWise. In one case, SYLVANITE exploited Ivanti VPN vulnerabilities within 48 hours of disclosure. The group uses commodity tools like Cobalt Strike and Sliver, establishes persistence, then hands access to VOLTZITE for deeper OT intrusions.

This division of labor has significant implications. It means that initial access and OT operations are now separate specializations. It means that defending against the initial compromise doesn’t eliminate the risk — another group may inherit the access. And it means that attribution becomes more complex, since the group that gains access isn’t necessarily the group that causes operational impact.

The May 2025 incident at a U.S. utility illustrates the model. SYLVANITE exploited Ivanti Endpoint Manager Mobile vulnerabilities to extract LDAP user details and Office 365 tokens from the backend database. Those credentials were replayed internally for lateral movement. The initial access broker established the foothold; more capable actors would exploit it.

Ransomware’s 49% Surge Into OT Environments

Ransomware targeting industrial organizations jumped 49% year-over-year in 2025, impacting 3,300 organizations globally. Dragos tracked 119 ransomware groups with demonstrated capability to affect operational environments.

But volume isn’t the real story. Operational disruption is.

Industrial ransomware incidents in 2025 increasingly caused multi-day outages requiring OT-specific recovery. When ransomware encrypts an engineering workstation, the organization can’t just reimage the machine and move on. They need to verify that control system configurations haven’t been altered. They need to ensure that safety systems are functioning correctly. They need to validate that production processes will operate as expected before bringing systems back online.

This is where Dragos CEO Robert Lee’s observation becomes critical: “Industrial organizations significantly underestimate the reach of ransomware into OT environments because they think it’s ‘just IT.’”

The misclassification problem is systemic. When incident responders without OT expertise investigate a ransomware attack, they may not recognize the operational implications. They may restore IT systems and declare the incident resolved, missing that production data was corrupted, engineering workstations were compromised, or safety system configurations were altered.

The 42-day average detection time Dragos cites for the broader industry isn’t just a detection problem. It’s a visibility problem. Organizations can’t detect what they can’t see — and most OT networks lack the monitoring, asset inventory, and telemetry required to identify compromise before operational impact occurs.

The Visibility Gap: What Most Organizations Are Missing

Fewer than 10% of OT networks have comprehensive visibility and monitoring.

That statistic alone explains why the industry average detection time is 42 days while organizations with comprehensive OT visibility contain incidents in 5 days. The difference isn’t talent or technology preference. It’s whether you can see what’s happening in your environment.

The Dragos report identifies several categories of data that adversaries target in OT environments:

Engineering project files: CAD drawings, design specifications, and system architecture documents that reveal how facilities are constructed and how processes interconnect.

Alarm data and thresholds: Information about what conditions trigger alerts, automatic shutdowns, or safety system activations — essential knowledge for an attacker planning to manipulate processes without triggering detection.

Configuration files and backups: HMI/SCADA configurations, PLC programming, and system backups that contain the operational logic governing industrial processes.

Operator information: User credentials, shift patterns, access privileges, and activity logs that can be used for social engineering, privilege escalation, or understanding when to time an attack.

GIS and network diagrams: Geographic and logical representations of how systems interconnect — critical for planning lateral movement and understanding blast radius.

This data moves between systems constantly. Engineering teams share designs with manufacturing floors. Vendors receive technical specifications for maintenance. Quality assurance data flows between production networks and business systems. The channels that carry this data — often legacy SFTP servers, email attachments, and unsecured file shares — become the pathways adversaries exploit.

Hacktivism Has Evolved to Operational Capability

The Dragos report documents another concerning trend: hacktivist groups are evolving from symbolic attacks to operationally capable campaigns.

BAUXITE deployed two custom wiper malware variants against Israeli targets during the Iran-Israel conflict in June 2025. This represented an escalation from prior access and disruption to destructive intent. The group didn’t just deface websites or steal data. It deployed malware designed to cause irreversible data loss and operational disruption.

Hacktivist groups increasingly blend ideological messaging with state-aligned operations. They target internet-exposed HMIs, misconfigured engineering workstations, and open field protocols like Modbus/TCP and DNP3. The technical sophistication varies, but the intent is consistent: translate digital access into real-world impact.

For organizations operating critical infrastructure, the implication is clear. The threat landscape now includes not just nation-state actors and financially motivated criminals, but ideologically driven groups with demonstrated capability to affect operations. The attack surface — internet-exposed devices, remote access systems, and IT/OT boundary systems — is the same regardless of who’s targeting it.

Data Security Implications for Industrial Environments

The Dragos findings have direct implications for how industrial organizations approach data security.

The data being targeted is operational, not just personal. Traditional data security focuses on protecting personal information, financial data, and intellectual property. The OT threat landscape adds a new category: operational data that can be used to disrupt physical processes. Engineering files, alarm configurations, and control system documentation are now high-value targets that require protection strategies matching their risk profile.

IT/OT convergence creates data exchange vulnerabilities. Industrial organizations face a paradox: OT systems require isolation for safety and reliability, yet operational data must flow between IT and OT environments for business processes. Engineering designs shared with suppliers. Quality control data exchanged across global sites. Vendor specifications for equipment updates. These exchanges happen through channels that adversaries systematically exploit. Managing this supply chain risk requires governing each data exchange, not just securing the network perimeter.

File transfer infrastructure is a primary attack vector. The Dragos report and broader industry analysis identify managed file transfer and SFTP systems as high-value targets. These systems aggregate sensitive data from multiple sources and often connect otherwise-segregated network segments. When compromised, they provide access to concentrated repositories of operational data and pathways into OT environments. Legacy SFTP servers without audit logging, access controls, or anomaly detection are particularly exposed.

Visibility gaps create compliance exposure. When organizations can’t see what’s happening in their OT environments, they can’t demonstrate compliance with regulatory requirements. They can’t produce audit trails showing who accessed what data. They can’t detect and report breaches within required timeframes. The 42-day average detection time creates extended notification windows and expanded regulatory liability.

Data Privacy in OT: The Overlooked Dimension

The Dragos report focuses on operational security, but the data types involved carry significant privacy implications.

Operator information — including named individuals’ behaviors, shift patterns, error histories, and safety incidents — qualifies as sensitive personal data under GDPR, CCPA, and emerging privacy regulations. Credential dumps and activity logs published by hacktivist groups expose personal identifiers to global audiences.

Organizations typically don’t classify operational data as personally identifiable information. But when breach notification requirements kick in, they discover they’ve been holding sensitive personal data they never properly inventoried or protected.

The combination of operational context and personal identifiers creates regulatory exposure that most industrial organizations haven’t accounted for. Privacy impact assessments designed for IT systems may not capture the personal data embedded in OT environments.

What Organizations Should Do Now

The Dragos report closes with a clear message: the gaps that remain are serious, and establishing comprehensive OT visibility now is critical.

Prioritize visibility above all else. The 5-day vs. 42-day detection gap proves that monitoring capability is the decisive differentiator. Organizations need asset inventories, network monitoring, and telemetry that covers OT environments — not just IT networks. SIEM integration that ingests OT telemetry alongside IT logs closes the visibility gap that allows adversaries to dwell undetected for weeks. This isn’t optional enhancement. It’s the foundation everything else depends on.
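OT telemetry ingested into a SIEM is only useful if something interprets it at the protocol level. As an added example, not code from the Dragos report or from Kiteworks, the script below parses the MBAP header of captured Modbus/TCP requests (one of the open field protocols named in the hacktivism section) and raises alerts for writes from hosts outside an engineering-workstation allowlist, device-identification queries, and a single host sweeping register ranges across several controllers. The host addresses, allowlist, sweep threshold and sample frames are all constructed.

```python
"""Modbus/TCP request checks for an OT monitoring pipeline."""
import struct
from collections import defaultdict

READ_FCS = {1, 2, 3, 4}                 # read coils/inputs/registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}      # coil/register writes
ENUM_FCS = {17, 43}                     # Report Server ID, Read Device Identification
ADDR_FCS = READ_FCS | {5, 6, 15, 16}    # PDUs that start with a 16-bit address

ENGINEERING_WORKSTATIONS = {"10.20.1.10"}   # constructed policy: only host allowed to write
SWEEP_THRESHOLD = 6   # distinct (controller, start address) reads from one host


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and function code; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = {"tid": tid, "unit": unit, "fc": frame[7]}
    if pdu["fc"] in ADDR_FCS and len(frame) >= 12:
        pdu["addr"], pdu["count_or_value"] = struct.unpack(">HH", frame[8:12])
    return pdu


def analyse(records: list) -> list:
    """records: (src_ip, dst_ip, frame) tuples. Returns alert strings in order raised."""
    alerts, read_targets = [], defaultdict(set)
    for src, dst, frame in records:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus/TCP ({exc})")
            continue
        fc = pdu["fc"]
        if fc in WRITE_FCS and src not in ENGINEERING_WORKSTATIONS:
            alerts.append(f"{src}->{dst}: write FC {fc} to unit {pdu['unit']} "
                          f"addr {pdu.get('addr')} from non-engineering host")
        elif fc in ENUM_FCS:
            alerts.append(f"{src}->{dst}: device identification query (FC {fc})")
        elif fc in READ_FCS and "addr" in pdu:
            read_targets[src].add((dst, pdu["addr"]))
            if len(read_targets[src]) == SWEEP_THRESHOLD:
                hosts = {d for d, _ in read_targets[src]}
                alerts.append(f"{src}: register sweep across {len(hosts)} controllers")
    return alerts


def request(fc: int, addr: int, value: int, tid: int = 1, unit: int = 1) -> bytes:
    """Build a minimal 4-byte-payload request (constructed test data, not a capture)."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic: an approved workstation, then an unknown host that sweeps
# registers on three controllers, fingerprints one, and attempts a write.
SAMPLE_TRAFFIC = [
    ("10.20.1.10", "10.30.0.5", request(6, 0x0010, 500)),     # approved setpoint write
    ("10.20.1.10", "10.30.0.5", request(3, 0x0000, 10)),
    *[("10.20.5.77", f"10.30.0.{plc}", request(3, start, 10))
      for plc in (5, 6, 7) for start in (0x0000, 0x0064)],    # 6 distinct ranges
    ("10.20.5.77", "10.30.0.5",
     struct.pack(">HHHB", 9, 0, 5, 1) + bytes([43, 0x0E, 1, 0])),  # Read Device Identification
    ("10.20.5.77", "10.30.0.5", request(6, 0x0010, 0)),        # write from unapproved host
    ("10.20.5.77", "10.30.0.5", b"\x00\x01\x00\x00\x00\x06"),   # truncated frame
]
```

Running `analyse(SAMPLE_TRAFFIC)` yields four alerts, in order: the register sweep, the device-identification query, the unauthorized write, and the malformed frame; the approved workstation's write and read produce none.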

Secure the IT/OT boundary. The exchanges that happen at the IT/OT boundary — engineering files, configuration data, vendor specifications — create the pathways adversaries exploit. These channels need governed data exchange with encryption, access controls, audit logging, and anomaly detection. Legacy SFTP and email aren’t adequate for data that can enable operational disruption. A purpose-built managed file transfer platform with audit trails and DLP controls provides the governed channel that legacy tools cannot.

Account for the ecosystem model. Defending against initial access doesn’t eliminate risk when groups like SYLVANITE hand off footholds to more capable actors. Security strategies need to assume that compromise may already exist and focus on detecting lateral movement, privilege escalation, and access to operational data before it leads to impact. Zero-trust principles — least privilege, explicit verification, assume breach — apply equally to OT environments.

Close the misclassification gap. Incident response plans need OT expertise embedded from the start. When every incident is classified as “IT only,” organizations miss the operational implications until something in the process behaves abnormally. Detection and response teams need the context to recognize when IT compromise has OT consequences.

Plan for regulatory scrutiny. The operational data being targeted — engineering files, alarm configurations, operator information — triggers compliance obligations organizations may not have anticipated. Audit trails, breach notification capabilities, and evidence of “reasonable security” need to extend to OT environments, not just IT systems. Frameworks including NIST 800-53, NERC CIP, and ISA/IEC 62443 all require demonstrable controls over how operational data is accessed, transmitted, and protected.

The Dragos 2026 report documents a threat landscape where adversaries understand industrial operations at the process level and are using that knowledge to escalate from intrusion to attempted operational impact. The defensive implication is unambiguous: visibility, asset context, and ICS-aware detection are not optional.

Organizations that invest in these capabilities will detect threats before physical impact. Those that don’t will learn about compromise only when something in the process behaves abnormally — and by then, the damage may already be done.

To learn how Kiteworks can help, schedule a custom demo today.

Frequently Asked Questions

Managed file transfer and SFTP systems are high-value targets in OT environments for two compounding reasons: they aggregate sensitive operational data from multiple sources, and they frequently bridge otherwise-segregated network segments. Engineering project files, alarm configurations, vendor specifications, and quality control data all flow through these systems — meaning a single compromise provides access to concentrated repositories of operational intelligence and a pathway deeper into OT networks. Legacy SFTP deployments without audit logging, access controls, or anomaly detection are particularly exposed, and the Dragos report’s broader finding that file transfer infrastructure is systematically exploited underscores why governing these channels is foundational to OT data security.

IT/OT convergence creates a continuous flow of high-value operational data across the boundary between business and production networks: engineering designs shared with external suppliers, quality control data exchanged between global sites, vendor specifications for equipment maintenance, and configuration backups transferred to business systems. This data is valuable both for intellectual property theft and for operational attack preparation — adversaries who obtain engineering files and alarm thresholds understand a facility well enough to plan disruption without triggering detection. Protecting these exchanges requires governed file transfer channels with encryption, DLP controls, and immutable audit trails rather than legacy SFTP or email attachments that leave no forensic record.

Yes — and this is one of the most overlooked compliance dimensions in industrial security. Operator information routinely collected in OT environments — named individuals’ shift patterns, access histories, error records, safety incidents — constitutes personal data under GDPR and CCPA. Most industrial organizations don’t classify this as personally identifiable information and therefore haven’t inventoried or protected it accordingly. When a breach occurs — and the Dragos report documents hacktivist groups publishing credential dumps and activity logs — organizations discover they face breach notification obligations they hadn’t anticipated. Privacy impact assessments need to extend explicitly into OT environments to capture this exposure before a regulator does it for them.

Extended dwell time compounds both operational and regulatory exposure. On the compliance side, most major frameworks — GDPR, HIPAA for healthcare OT, and sector-specific mandates like NERC CIP — impose breach notification windows measured in hours or days, not weeks. A 42-day average detection time means organizations are routinely missing those windows, triggering notification violations on top of the underlying breach. It also means they cannot produce the forensic timelines regulators require: who accessed what data, when, and through which systems. Fewer than 10% of OT networks have the monitoring infrastructure needed to answer those questions — which means most organizations are carrying undisclosed compliance liability alongside their operational risk.

Industrial organizations operate under a layered compliance environment that most IT-focused security programs don’t fully address. NERC CIP applies to bulk electric system operators and mandates access controls, security monitoring, and audit logging for cyber assets affecting grid reliability. ISA/IEC 62443 provides the internationally recognized standard for industrial cybersecurity, requiring network segmentation, identity and access management, and documented security zones. NIST 800-53 and the NIST Cybersecurity Framework apply broadly, including to critical infrastructure operators. Where OT systems process personal data — operator records, healthcare manufacturing, water systems — GDPR and sector-specific privacy regulations apply as well. All of these frameworks share a common requirement: demonstrable controls, documented in audit trails, that extend to the OT environment itself — not just the IT network above it.
