Dragos’s 2026 OT cybersecurity year-in-review establishes a threat picture that should concern practitioners across every industrial sector. The headline numbers — 26 tracked OT-specific threat groups, a 24-day median from vulnerability disclosure to public exploit, 26% of advisories offering no patch — reflect structural conditions that are getting harder, not easier, to defend against. Three new groups tracked for the first time in 2025/26 demonstrate that OT-targeted intrusion activity is expanding rather than contracting despite increased law enforcement attention on ransomware.

New Threat Groups: AZURITE, PYROXENE, SYLVANITE

Dragos designated three new OT-specific threat activity groups in 2025:

AZURITE operates with a profile consistent with Chinese state-sponsored activity. Dragos assesses this group as targeting energy and manufacturing sectors across Europe and North America, with specific interest in OT asset discovery and network mapping — a pattern characteristic of pre-positioning for future disruptive operations rather than immediate impact. The tradecraft emphasises stealthy long-term access over rapid effect.

PYROXENE has been linked to activity targeting the petrochemical sector and industrial chemical manufacturing. The group’s technical profile includes exploitation of engineering workstation access as the bridge into OT networks — a consistent pattern in which compromise of historian servers and HMI workstations provides the pivot from IT into process control networks.

SYLVANITE is a financially motivated actor specifically targeting OT-connected organisations for ransomware deployment. The designation reflects increasing ransomware affiliate activity that reaches OT systems either deliberately or incidentally, contrasting with the IT-only impact that characterised earlier ransomware-in-OT incidents.

The addition of these three groups brings Dragos’s tracked set to 26 groups with OT-specific capabilities or demonstrated OT targeting — a significant increase from the 18 groups tracked three years ago.

The Exploit Timeline Problem

The 24-day median from vulnerability disclosure to public exploit is the most operationally significant finding for defenders who rely on patch-based risk management. In OT environments, where patching windows are constrained by production schedules and vendor-approved maintenance procedures, 24 days is often shorter than the time required to schedule, approve, and execute a controlled patching window — let alone test for operational impact.

Two additional Dragos findings compound the problem:

26% of advisories have no available patch. For more than a quarter of disclosed OT vulnerabilities, there is no vendor-provided fix. Mitigations — network segmentation, access controls, protocol filtering — are the only available control. Organisations without compensating controls are permanently exposed to a significant fraction of the OT vulnerability surface.

25% of advisories contain incorrect CVSS scores. CVSS scoring of OT vulnerabilities systematically underestimates severity because the scoring methodology doesn’t fully account for OT-specific impact: a vulnerability that might score a CVSS 6.5 in an IT context (limited impact, low attack complexity) may represent a critical risk in an OT context if exploitation can cause physical process disruption or safety system failure. Relying on CVSS scores alone for OT prioritisation is therefore unreliable.

The April 2026 joint advisory regarding Iranian-cluster targeting of Rockwell PLCs illustrates the point. CVE-2021-22681 — an authentication bypass in Rockwell Studio 5000 Logix Designer — was disclosed in 2021. By 2026, Iranian-affiliated actors were using it in active operations against government, water, and energy targets, exploiting the gap between disclosure and OT patching timelines.

The Visibility Crisis: Fewer Than 10% Monitored

The most challenging structural finding is network visibility. Fewer than 10% of OT networks globally have active monitoring in place. Without visibility, defenders cannot detect lateral movement into OT zones, cannot identify anomalous protocol commands targeting PLCs, and cannot reconstruct intrusion timelines during incident response.

This creates an asymmetry that threat actors exploit: they operate in environments where detection is statistically unlikely and persistence can be maintained for months or years without disruption. Volt Typhoon’s documented multi-year pre-positioning in US critical infrastructure OT networks is the most prominent example, but the same conditions apply across the installed base.

The OPSWAT finding that every confirmed OT breach in the 2024-2026 period had a file-based component in its attack chain points to one achievable near-term improvement: file transfer controls into OT environments. Every USB device, engineering laptop, and remote access session that can introduce files into an OT network is a potential initial access vector. Controlling and scanning file transfers — even without full network monitoring — closes a specific, demonstrated attack path.

Rockwell Exploitation: The April 2026 Case Study

The April 2026 joint advisory from six US agencies is worth examining in detail because it shows how threat actors operationalise known vulnerabilities against real OT targets. The Iranian-affiliated cluster used Rockwell’s legitimate engineering software — specifically Studio 5000 Logix Designer — to access PLC project files on internet-facing systems and modify ladder logic.

The attack pattern:

  1. Internet scanning to identify exposed Rockwell FactoryTalk and PLC interfaces
  2. Authentication using CVE-2021-22681 (authentication bypass) or brute force against default/weak credentials
  3. Use of legitimate engineering tools (not malware) to access and modify PLC configurations
  4. Operator display manipulation to show false readings alongside actual parameter changes

The use of legitimate software rather than custom malware defeats signature-based detection entirely. Detecting this attack requires either blocking unauthorised use of engineering software (application control policies) or detecting anomalous PLC configuration changes (OT-specific monitoring that baselines normal ladder logic modification patterns).

Practical Guidance for Practitioners

Prioritise visibility in high-risk zones first. Full OT network monitoring requires time and budget. Start with the highest-consequence zones: control networks connected to physical processes with safety implications (electrical distribution, chemical dosing, pressure regulation). Passive network monitoring tools that don’t require active scanning — Claroty, Dragos, Nozomi — can be deployed without touching production traffic.

Treat engineering workstations as the attack path. They sit in both IT and OT networks and run both office software and OT-specific tooling. Compromise an engineering workstation and you have direct access to PLC programming interfaces. These systems require the same rigorous patching, application control, and monitoring as any IT asset — and the same discipline around USB and removable media.

Rebaseline CVSS scores for your environment. Dragos’s finding that 25% of OT advisories have incorrect CVSS scores means your vulnerability management programme needs OT-specific context applied at triage. A vulnerability that allows modification of PLC setpoints in an energy environment is critical regardless of CVSS score.

Document your patching timeline reality. If your OT environment requires 90 days between a patch release and deployment, document that formally, establish the compensating controls in place for that window, and track them explicitly. The 24-day exploit window means most OT vulnerabilities will be weaponised before you can patch — compensating controls need to be your primary response mechanism, not your fallback.

Tags
DragosOT threat landscapeICS securitythreat groupsAZURITEPYROXENESYLVANITEvisibilityCVE2026SCADARockwell