Dragos released its 2025 OT Cybersecurity Year in Review — Frontlines IR Edition synthesising findings from industrial incident response engagements. Key statistics: 81% of engagements identified no meaningful IT/OT network segmentation, with operational networks reachable directly from enterprise IT; initial access via internet-exposed remote access tools (internet-facing HMI, unprotected VPN termination, or engineering workstation RDP) was the dominant entry vector in 62% of cases; and 34% of confirmed OT intrusions progressed to the operational process level before detection. The report documents NIS2 Annex-I compliance gaps, noting that many essential OT-operating entities have not completed required asset inventory reviews, which the report identifies as the most common control weakness. The IEC 62443 zoning and conduit model is highlighted as the primary reference architecture for remediation. Relevant to Swiss organisations operating under NCSC sector-specific ICS guidance (SARI framework).
notableannual-reportdiscovered 2026-05-04 05:00 UTC
Dragos's 8th annual OT industrial-IR retrospective (covered 2026-05-08) is the week's most directly actionable annual-report reference for Swiss / EU CI operators reading after the Polish water OT attribution: Dragos's blog announcement records that 65 percent of sites assessed had insecure remote-access conditions, including default credentials, unpatched VPNs, and exposed RDP sessions, and that many organisations believe they have proper IT/OT network segmentation while routine penetration tests reveal hidden connections. The report's NIS2 Annex-I compliance discussion directly contextualises the ABW 2025 Annual Report observation (§ 4) that the five Polish water-treatment facilities fell below the NIS2 essential-entity threshold and that legislative action is being considered to extend NIS2 obligations to critical-function entities regardless of headcount. The IEC 62443 zoning and conduit model is the recommended remediation reference architecture; the Swiss NCSC sector-specific ICS guidance (SARI framework) is the equivalent CH-side baseline. The defender lesson from the Dragos AI-assisted water utility attack item (2026-05-07) lands in the same line: AI tooling is progressively reducing the technical bar for OT-targeting attacks; prevention-only OT security strategies are inadequate as primary defences (daily 2026-05-08, daily 2026-05-07 — AI-assisted ICS attack).