Cyber threats to industrial systems are no longer theoretical, and they no longer stay behind the scenes. A report from cybersecurity firm Dragos shows attackers moving past basic reconnaissance to map entire industrial control systems rather than isolated devices, with the intent to disrupt operations. Rather than acting alone, threat groups are coordinating across an ecosystem of specialized actors to understand how industrial systems actually run.
Dragos CEO and Co-Founder Robert M. Lee warns:
“Adversaries are mapping how control systems work, understanding where commands originate, how they propagate, and where physical effects can be induced. We’re seeing the ecosystem evolve with specialized threat groups systematically building access pathways for more capable adversaries to reach OT environments.”
For organizations that run critical infrastructure, that shift raises the stakes for customer experience, because when operations falter, customers feel it immediately through outages, delays, and service instability. The risk to customer trust makes cybersecurity an increasingly visible part of the customer experience, where service continuity and confidence hinge on how well organizations protect the systems customers rely on every day.
Cyber Risk Is No Longer Isolated From Operations or Customers
The Dragos 2026 OT/ICS Cybersecurity Report and Year in Review identified three new threat groups targeting critical infrastructure globally, and described adversaries working out how commands flow, where failures cascade, and how physical effects can be triggered.
Groups like KAMACITE spent months systematically mapping control loops across U.S. infrastructure, while ELECTRUM pushed further into decentralized energy systems in Poland, targeting combined heat and power facilities and renewable energy management platforms. That kind of activity blurs the line between cyber risk and customer-facing disruption.
The three new threat groups, all focused on operational technology (OT), are:
- SYLVANITE, acting as an initial access broker, handing off footholds to more advanced actors
- AZURITE, focused on long-term access and theft of operational data like network diagrams and alarm configurations
- PYROXENE, leveraging supply chain compromises and social engineering to move from IT into OT environments
Dragos now tracks 26 OT threat groups globally, 11 of which were active in 2025.
Ransomware continues to hit customer experience directly. Dragos reported a 49 percent year-over-year increase, to 119, in the number of ransomware groups reaching into OT environments, affecting roughly 3,300 industrial organizations worldwide. Ransomware attacks on industrial organizations increased by 64 percent year over year, and manufacturing accounted for more than two-thirds of the victims.
Many of these incidents are still misclassified as IT-only problems, even when engineering workstations and HMIs (human-machine interfaces, the systems operators use to run the process) are involved. Treating them as IT incidents defers the OT-specific recovery work, which stretches outages and delays a recovery that customers notice immediately.
Industry-wide, ransomware sat in OT environments for an average of 42 days before detection, although organizations with strong OT visibility cut that down to five.
That gap translates directly to customer trust. Faster detection means fewer service interruptions, clearer communication and a better chance to keep customers informed instead of surprised.
Attackers Threaten Service Reliability and Trust
One of the clearest signals of how far attackers have progressed centers on VOLTZITE, which Dragos elevated to Stage 2 of the ICS Cyber Kill Chain, the stage at which an adversary has moved beyond gaining access and is developing and testing the capability to attack the industrial process itself. The group was observed extracting configuration files and alarm data from engineering workstations and analyzing which operational conditions would trigger shutdowns.
As Lee put it: “The threat landscape in 2025 reached a new level of maturity. Adversaries are mapping how control systems work, understanding where commands originate, how they propagate, and where physical effects can be induced.”
“Meanwhile, ransomware groups are causing more operational disruption and multi-day outages that require OT-specific recovery. Yet industrial organizations significantly underestimate the reach of ransomware into OT environments because they think it’s ‘just IT.’”
The gap between IT and customer experience is closing as outages spread beyond plant floors and into customer relationships. The fallout from cyberattacks can involve missed deliveries, delayed services and inconsistent communications, which CX teams are left to manage in real time.
As a result, IT security, OT operations, and CX leaders are increasingly operating on the same front line, where incident response decisions shape customer trust as much as technical recovery. Treating ransomware as an internal IT problem no longer holds when customers experience the disruption. Lee warned:
“The gaps that remain are serious. Establishing comprehensive OT visibility now is critical. If organizations cannot monitor their systems today, they’ll find that future adoption of technologies like AI, battery storage, and distributed energy resources creates exponentially greater blind spots.”
For CX teams, this reinforces a growing reality that customer trust depends on operational resilience just as much as frontline service.
The report also calls out the quieter risk posed by poor vulnerability data. Dragos found that 25 percent of ICS-CERT and NVD vulnerabilities had incorrect CVSS scores and more than a quarter of advisories offered no vendor patch or mitigation. Only 2 percent of vulnerabilities actually required immediate action under Dragos’ risk-based model.
That matters because overreacting can be just as disruptive as underreacting. Unnecessary shutdowns, rushed patches and poorly planned maintenance all create customer friction.
Protecting trust starts well before a customer notices a problem. It means investing in OT visibility, understanding which risks matter and shortening the distance between detection and response.