The OT Threat Landscape in 2026: What Every CNI Leader Needs to Know

Operational technology environments face unprecedented threats in 2026. With ransomware surging 49% year-on-year and three new ICS-focused threat groups identified, CNI organisations must rethink their OT security posture. We break down the latest data from Dragos, SANS, and Forescout to help security leaders prioritise.

March 23, 2026

The operational technology landscape is under unprecedented assault. Ransomware attacks on industrial organisations surged 49% year-on-year, affecting over 3,300 companies globally. Three new ICS-focused threat groups have emerged — SYLVANITE, PYROXENE, and AZURITE — each deliberately targeting critical national infrastructure sectors.

For UK organisations in energy, transport, and water, these aren't abstract statistics. They're direct operational risk.

The Scale of Incidents in OT

The SANS 2025 State of ICS/OT Cybersecurity Survey polled 330 organisations, predominantly from energy, manufacturing, and transport. The results are sobering.

One in five organisations reported a cybersecurity incident in the past 12 months. Of those, 40% experienced operational disruption. Nearly 20% took over a month to fully recover.

Most concerning: unauthorised external access caused half of all incidents. Yet only 13% of organisations have fully implemented advanced remote access controls. That gap between threat reality and defensive maturity is where the greatest risk lives.

Most Organisations Remain Foundational

The Forescout and Takepoint Research Global Industrial Cybersecurity Benchmark 2025 paints a broader picture. Across their survey, 64% of organisations classify their OT security maturity as foundational — meaning basic controls only, not proactive defence.

Supply chain threats and cybercriminal activity top the external risk list, cited by half of respondents. But internal maturity lags where it matters most.

Tool sprawl makes the problem worse. Fifty-seven percent of organisations use more than three OT visibility tools. Twenty-eight percent use more than five. This fragmentation makes it nearly impossible to maintain a coherent security posture or prioritise vulnerabilities effectively.

The Cloud and AI Wild Cards

Cloud adoption in ICS/OT environments is accelerating. The SANS/OPSWAT 2024 survey found 26% of organisations now use cloud-based services for ICS/OT — a 15% increase from the previous year.

Cloud brings scalability and remote management benefits, but it expands the attack surface in environments that were never designed for internet connectivity. And while threat actors increasingly leverage AI to enhance their tactics, only 10% of organisations are currently using AI in their ICS/OT security operations. That capability gap will widen unless organisations invest in both technology and the talent to operate it.

The Talent Crisis Underpins It All

Behind every statistic is a staffing problem. The SANS/OPSWAT survey found 51% of organisations lack staff with ICS/OT-specific certifications.

Only 56% have a dedicated ICS/OT incident response plan. Twenty-eight percent have none at all. These gaps exist not because security leaders don't care, but because recruiting and retaining OT security professionals is exceptionally difficult.

For CNI organisations, this is a critical bottleneck. The convergence of IT and OT networks means traditional IT security skills are insufficient. Organisations need professionals who understand both cyber threats and physical infrastructure, a combination that's rare and expensive to find.

What CNI Leaders Should Do Now

The data points to clear immediate priorities. First, conduct a realistic assessment of OT security maturity using frameworks like IEC 62443, moving beyond foundational controls toward proactive threat detection and response.

Second, address the remote access gap. With half of incidents originating from unauthorised external access, robust identity and access management for OT environments is critical. This isn't optional.

Third, invest in ICS/OT-specific talent. Recruit professionals with genuine operational technology experience. Don't redeploy IT security staff into OT roles and expect the same outcomes.

Fourth, consolidate visibility tools. Reducing tool sprawl improves both operational efficiency and your ability to distinguish genuine threats from noise.

The threat landscape will continue evolving. Organisations that close these gaps now will be significantly better positioned to protect the infrastructure that underpins national security and public services.

Laurence Connor
Operations Director, Foundations Search