Overview

Ransomware’s expansion into operational technology environments is no longer an emerging threat — it is an established operational pattern. In 2026, multiple manufacturing and energy operators have experienced ransomware events that either directly impacted OT systems or forced precautionary OT shutdowns to prevent lateral movement from compromised IT infrastructure.

The distinction matters: direct OT compromise (where ransomware executes on engineering workstations, historian servers, or SCADA systems) and precautionary IT-driven shutdowns (where operators manually disconnected OT networks to prevent spread) both result in the same operational outcome — production stops. From the attacker’s perspective, either path achieves leverage.

The IT/OT Convergence Problem

The reason ransomware has become an OT threat is structural. Over the past decade, the boundaries between enterprise IT and operational technology networks have eroded significantly. Remote monitoring, cloud-connected SCADA, VPN access for engineering contractors, and historian servers that bridge IT and OT networks all create pathways that were not present in traditional air-gapped environments.

The Purdue Model’s Level 2/Level 3 boundary — the demilitarised zone between control system networks and the enterprise — is often poorly enforced in practice. Security assessments consistently find uncontrolled data flows between historian servers and corporate networks, remote desktop access directly to engineering workstations, and flat network segments where IT and OT devices share the same VLAN.

When ransomware compromises an IT endpoint in these environments, lateral movement to OT-adjacent systems can take minutes. Ransomware affiliates operating in industrial environments in 2026 are aware of this — exfiltration tooling observed in OT incidents now routinely targets historian databases, PLC configuration backups, and HMI project files in addition to standard corporate data.

Attack Vector Profile: How OT Environments Are Being Reached

Remote access infrastructure. Engineering contractors typically connect to OT environments via VPN or remote desktop. Where these accounts use shared credentials, reused passwords, or lack MFA, they are compromise targets. Ransomware groups acquiring access through initial access brokers frequently obtain contractor credentials alongside corporate user accounts. The Colonial Pipeline model — where an unused VPN account with a reused credential was the entry point — remains relevant in 2026 incidents.

IT-OT data historian bridging. OSIsoft PI (now AVEVA PI), Honeywell Uniformance, and similar historian platforms sit at the boundary between control networks and enterprise IT. These systems are legitimate targets for ransomware both for the data they hold and as pivot points into lower-level OT segments. Historian servers that are domain-joined to the corporate Active Directory and also have direct connectivity to SCADA systems are a documented lateral movement path.

Engineering workstation exposure. Engineering workstations running ICS software (Siemens TIA Portal, Rockwell Studio 5000, Wonderware) frequently run outdated Windows versions because ICS software certification cycles are slow. A workstation running Windows 7 with a certified PLC programming environment is not unusual in manufacturing environments. These systems are rarely included in enterprise endpoint detection coverage.

Ransomware RDP propagation. Several 2026 ransomware families — including Akira, RansomHub, and Bavacai — include SMB and RDP network propagation capability. In flat OT/IT network segments, the ransomware encryptor itself can traverse into OT-adjacent network ranges without any explicit lateral movement action by the affiliate.

Confirmed 2026 Impact Patterns

Several patterns characterise OT-affecting ransomware incidents observed in H1 2026:

Automotive parts suppliers. JIT manufacturing operations with lean inventory buffers are disproportionately represented in 2026 ransomware victim lists. A 24-48 hour production halt in an automotive stamping or assembly plant directly impacts downstream OEM production lines, creating supply chain pressure that increases ransom payment incentives.

Regional water utilities. Water treatment operations running SCADA on Windows-based HMIs with RDP enabled for remote troubleshooting continue to present an accessible attack surface. Unlike energy operators with mature OT security programmes, smaller water utilities often lack dedicated OT security staff.

Discrete manufacturing. Precision machining, fabrication, and electronics manufacturing operators face a specific variant of the OT ransomware problem: CNC machine configuration files, CAM programmes, and toolpath libraries are frequently stored on network shares accessible from both engineering workstations and corporate PCs. Encryption of these files can halt production even without any encryptor reaching OT devices directly.

Defensive Controls for OT Operators

Network segmentation enforcement. The most impactful single control is enforcing the IT/OT boundary with stateful firewall inspection rather than relying on routing isolation alone. All traffic crossing from enterprise networks into the OT DMZ should be inspected and logged. Historian replication traffic is typically the only legitimate flow — everything else should be blocked and alerted.

Remote access consolidation. Replace ad-hoc VPN and RDP access for engineering contractors with a dedicated jump server in the OT DMZ. Apply MFA to all remote access paths. Maintain a current inventory of contractor accounts and disable accounts when access is no longer required — inactive contractor accounts are a common initial access vector.

Engineering workstation isolation. Engineering workstations with ICS software should not have internet access and should not be domain-joined to the corporate Active Directory unless the trust relationship is controlled at the firewall level. Where domain join is operationally necessary, ensure the workstations are in a separate OU with restricted GPO inheritance and cannot authenticate against domain controllers on the IT side.

OT-specific incident response planning. Operators need a pre-established decision tree for the IT/OT isolation decision during an active ransomware incident. The manual “disconnect OT” option is often exercised too late (after some OT systems are already encrypted) or triggered unnecessarily (shutting down production for IT incidents that never had OT reach). Document the specific triggers and authority chain for isolation decisions in advance.

Backup and recovery for OT configurations. PLC programmes, HMI project files, and historian configuration databases should be backed up to offline storage independent of the enterprise backup infrastructure. In incidents where enterprise backup systems are encrypted before OT systems, the absence of offline OT configuration backups significantly extends recovery time.

Canary files in engineering directories. Deploy honeypot files in shares containing CNC programmes, ICS project files, and engineering documents. A ransomware encryptor touching these files before production data triggers an alert that can interrupt the encryption process before significant OT data loss occurs.

Outlook

The convergence of IT and OT security risk is accelerating, not stabilising. The commercial pressure to connect OT systems for remote monitoring, predictive maintenance, and production analytics continues to create new pathways into industrial environments. Ransomware groups understand that production downtime creates payment pressure that data theft alone does not — and they are pricing their demands accordingly.

OT operators who have not conducted a network segmentation assessment in the past 18 months should prioritise this. The question is not whether ransomware can reach OT environments — it demonstrably can. The question is whether the pathways in your specific environment are known, controlled, and monitored.

Tags
ransomwareOTICSmanufacturingenergySCADAPurdue-modelIT-OT-convergenceRDPdouble-extortionnetwork-segmentationincident-response