ctipilot.ch

Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition

annual-report · annual-report:dragos-2025-ot-frontlines

Coverage timeline: 2 appearances, first 2026-05-08 → last 2026-05-10
Briefs: 2 (2 distinct)
Sources cited: 5 (2 hosts)
Sections touched: 2 (research, weekly_summary)
Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     weekly_summary · Consolidated in weekly summary for week 2026-W19
  2. 2026-05-08 · CTI Daily Brief — 2026-05-08
     research · First and only treatment. 81% flat IT/OT architecture in IR engagements; 62% initial access via internet-exposed remote access; 34% intrusions reached operational process level; NIS2 compliance gaps identified. [SINGLE-SOURCE-OTHER]

Where this entity is cited

  • research: 1
  • weekly_summary: 1

Source distribution

  • dragos.com: 4 (80%)
  • securityweek.com: 1 (20%)

Related entities

Items in briefs about Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition (2)

Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Dragos's 8th annual OT industrial-IR retrospective (covered 2026-05-08) is the week's most directly actionable annual-report reference for Swiss / EU CI operators reading after the Polish water OT attribution: Dragos's blog announcement records that 65 percent of sites assessed had insecure remote-access conditions, including default credentials, unpatched VPNs, and exposed RDP sessions, and that many organisations believe they have proper IT/OT network segmentation while routine penetration tests reveal hidden connections. The report's NIS2 Annex-I compliance discussion directly contextualises the ABW 2025 Annual Report observation (§ 4) that the five Polish water-treatment facilities fell below the NIS2 essential-entity threshold and that legislative action is being considered to extend NIS2 obligations to critical-function entities regardless of headcount. The IEC 62443 zoning and conduit model is the recommended remediation reference architecture; the Swiss NCSC sector-specific ICS guidance (SARI framework) is the equivalent CH-side baseline. The defender lesson from the Dragos AI-assisted water utility attack item (2026-05-07) points the same way: AI tooling is progressively lowering the technical bar for OT-targeting attacks, so prevention-only OT security strategies are inadequate as primary defences (daily 2026-05-08, daily 2026-05-07 — AI-assisted ICS attack).

Dragos 2025 OT Cybersecurity Year in Review: 81% of IR engagements found flat IT/OT network architecture

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

Dragos released its 2025 OT Cybersecurity Year in Review — Frontlines IR Edition, synthesising findings from industrial incident response engagements. Key statistics: 81% of engagements identified no meaningful IT/OT network segmentation, with operational networks reachable directly from enterprise IT; initial access via internet-exposed remote access tools (internet-facing HMI, unprotected VPN termination, or engineering workstation RDP) was the dominant entry vector in 62% of cases; and 34% of confirmed OT intrusions progressed to the operational process level before detection. The report documents NIS2 Annex-I compliance gaps, noting that many essential OT-operating entities have not completed required asset inventory reviews, which the report identifies as the most common control weakness. The IEC 62443 zoning and conduit model is highlighted as the primary reference architecture for remediation. The findings are relevant to Swiss organisations operating under NCSC sector-specific ICS guidance (SARI framework).