
OT/ICS Report from Dragos

Andrea Gillhuber,

Three new OT Attacker Groups identified

The new OT/ICS report from Dragos documents a growing number of specialized attacker groups and a significant increase in ransomware activity in industrial environments. Three new OT groups have been identified.


Dragos has published its "2026 OT/ICS Cybersecurity Report and Year in Review". The report analyzes global cyber threats against industrial control systems (ICS) and critical infrastructure in 2025.

According to the report, three new OT-specific attacker groups were identified: Sylvanite, Azurite and Pyroxene. Dragos is currently monitoring a total of 26 OT-related groups, eleven of which were active in 2025.

According to the report, Sylvanite acts as an initial access broker and exploits vulnerabilities in Ivanti systems, among others, to extract credentials from Active Directory. The group passes on access to Voltzite, which has technical overlaps with Volt Typhoon.

Azurite targets engineering workstations and exfiltrates operational data such as network diagrams and process information.

Pyroxene compromises supply chains and uses social engineering to move from IT into OT networks. In June 2025, the group deployed wiper malware against critical infrastructure in the context of a regional conflict.

Existing groups also expanded their activities. Electrum carried out several destructive operations in 2025, including attacks on eight Ukrainian internet service providers and on combined heat and power plants in Poland. There are technical overlaps with Sandworm. Electrum was supported by Kamacite, which specifically analyzed control circuits in US industrial plants, including HMIs, frequency converters and measurement modules.


Voltzite reached Stage 2 of the ICS cyber kill chain, according to Dragos. The group manipulated software on engineering workstations to extract configuration and alarm data, and compromised Sierra Wireless AirLink gateways in U.S. pipeline operations.

Industrial targets increasingly popular

Ransomware remains the biggest threat to industrial companies, according to the report. Dragos tracked a total of 119 active ransomware groups focusing on industrial targets in 2025, up from 80 in the previous year, an increase of 49%. Globally, 3300 organizations were affected, more than two-thirds of them from the manufacturing industry. The average dwell time in OT environments across the industry was 42 days.

"The threat landscape has reached a new level in 2025," explained Robert M. Lee, CEO and co-founder of Dragos. "Attackers are analyzing exactly how industrial control systems work, understanding where commands come from, how they spread and where physical impact can be triggered."

Dragos also sees shortcomings in vulnerability assessment: 25% of the 2025 ICS vulnerabilities recorded by ICS-CERT and in the National Vulnerability Database (NVD) had incorrect CVSS scores. 26% of the security advisories contained neither patches nor specific remediation measures. Dragos classifies only two percent of the ICS-relevant vulnerabilities as immediately critical in its own "Now, Next, Never" model.

During investigations into battery energy storage systems, Dragos identified authentication bypass and command injection vulnerabilities. More than 100 devices, including inverters with an output of around one megawatt, were freely accessible via the Internet.
