Infrastructure Attacks With Physical Consequences Down 25%

Operational technology (OT) at industrial and critical infrastructure sites seems to have been benefitting from a lull in ransomware, and hackers' relative ignorance of OT systems.

Nate Nelson, Contributing Writer
March 26, 2026

Image source: Javier Soto Vazquez via Alamy Stock Photo

The volume of major operational technology (OT) cyber incidents dropped off in 2025, for the first time in seven years.

Rare is it in cybersecurity that any figure or metric goes down. More often than not, any kind of threat, anywhere, is rising. Only occasionally does the cybersecurity industry, ardent law enforcement, or some geopolitical development cut so deeply that some category of cyber threat declines, let alone one so significant as major OT attacks.

Since 2019, the number of OT cyberattacks that caused some sort of physical consequence for victims has been one of those statistics that's only ever gone one way. In the whole of 2018 — and every year before then — there were only a few. Then there were dozens. By 2024, there were 76 in one year.

2025 seems to have bucked the trend, though. In its newly published annual report on the subject, Waterfall Security Solutions identified just 57 physically impactful OT attacks — a figure significantly lower than 2024 and 2023, and even below 2022.

Which raises two questions: Why? And will it continue?

Why Are OT Cyberattacks Falling Off in Volume?

Waterfall proposed three hypotheses for why OT attacks fell last year.

One is that improved cybersecurity protections are giving defenders an edge. This theory isn't so easy to measure, nor is it terribly convincing when one reads about some of the attacks that did make it through.
For instance, in January 2025, a teenager in Italy happened upon a system that allowed him to change the routes of oil tankers and transport ships in the Mediterranean Sea. "Some of the attackers found exposed human-machine interfaces (HMIs) on Shodan or something, and logged into the wretched things with default passwords or stolen passwords and caused physical consequences," recalls Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, speaking with Dark Reading. He pleads with the organizations that manage these systems: "People, take your HMIs off the Internet. This is basic stuff."

A second possible explanation is that fewer breaches are being reported nowadays in the public square.

This theory runs counter to conventional wisdom. For a long time, even large, publicly traded companies used to get away with concealing and lying about data breaches. In recent years, more and more countries have been imposing breach reporting regulations that force companies to promptly cop to their cyber failures out in the open. But this Western-centric trend doesn't cover a lot of the countries where OT attacks are most frequent. And in some countries, especially in Europe, organizations involved in critical infrastructure must report their breaches to their governments, but when that information reaches the public, it's often anonymized and aggregated.

Could It Just Be About Ransomware?

An even more compelling theory for the 25% drop is that there are simply fewer ransomware attacks, the cause of most major OT attacks in the 2020s. In recent years, law enforcement action in the United States, and, surprisingly, in Russia, has caused a lull in the ransomware scene, disrupting incentive structures and splitting up major groups. As a result, OT has benefitted.

If this hypothesis is to be believed, it doesn't bode well for 2026.

"My prediction going forward is that these factors are stabilizing, if not self-correcting. The ransomware ecosystem, as far as we can tell, is back. It's settled down. The holes that were left in the ecosystem from law enforcement, now other people are providing those technologies," Ginter says.

The barrier to confirming this hypothesis, unfortunately, is that less information about cyberattacks has been surfacing in public lately. "We used to be able to figure [the details of any given attack] out from the data in the public record. This time around there just isn't the data to produce any sort of meaningful statistics," Ginter says, having put together enough annual reports to observe the trend over time.

"I would argue that the problem is lawsuits," he adds. Companies face all kinds of legal risks when they're breached; doubly so when they proffer initial findings, then later have to correct the record. In February 2025, for instance, a company called Marquis sued its firewall vendor, SonicWall, for having underestimated the impact of its breach upon initial analysis. Faced with stories like these, Ginter thinks, "the lawyers are saying, 'We could get sued if we expose a detail that is incorrect. So expose as few details as you can. Give what the law demands and no more.'"

Other OTSEC Trends: Sophistication Is Low, Severity Is High

OT attacks weren't only less frequent in 2025 — they were also less technically impressive, on the whole.

"I would not call the attacks in the public record in 2025 OT-sophisticated," Ginter says. "In the previous year, 2024, there were three brand new kinds of malware: OT-specific malware were discovered, and some of them used. And so that betrays a certain level of sophistication.
If you're clever enough to write the protocols, write the code to implement the protocols that can talk to the programmable logic controllers (PLCs), and the remote terminal units and the other industrial devices, that shows a degree of sophistication on the OT side. This time around, we did not see any new malware. We didn't even see a lot of old OT malware being used," Ginter explains.

There were some incidents that required significant OT know-how, though, such as those surrounding the Russia-Ukraine conflict. And, Ginter notes, "There are rumors recently that the American military has used their presumably sophisticated knowledge in Venezuela, and in Iran, to counteract anti-aircraft systems when their bombs were dropped on the nuclear facilities in 2025," but little reliable detail has been released to the public.

Although OT attacks were rarer and less technically interesting in 2025, many of those that did break through managed to be severe. The Jaguar Land Rover attack last summer, for example, is estimated to have caused a billion dollars in losses to the company, and around $2.5 billion to the United Kingdom economy, making it one of the most expensive cyber incidents in history.

On the nation-state front, Russian threat actors recently gained widespread access to Poland's solar and wind infrastructure, bricking an undisclosed number of automation devices but not actually causing a disruption to power flow. In fact, despite that 25% global drop off in attacks with physical consequences, Waterfall found that nation-state and hacktivist attacks without physical consequences doubled last year, and that most of those attacks targeted critical infrastructure.

"The numbers are down," Ginter warns, "but it does not seem to me like the severity is down."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and scriptwriter.
He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.