3 Threat Groups Started Targeting ICS/OT in 2025: Dragos
Industrial cybersecurity firm Dragos has published its 9th Year in Review OT/ICS Cybersecurity Report. (Originally reported by SecurityWeek.)
AI Analysis
Technical Summary
Dragos, an industrial cybersecurity firm, reports in its 9th annual Year in Review OT/ICS Cybersecurity Report that three threat groups began targeting Industrial Control Systems (ICS) and Operational Technology (OT) environments in 2025. ICS and OT systems run the physical processes behind critical infrastructure sectors such as electricity generation and distribution, manufacturing, water treatment, and transportation. These environments were traditionally air-gapped or otherwise isolated, but they are increasingly connected to corporate IT networks and, through remote-access and vendor links, to the internet, which expands the attack surface. The SecurityWeek summary on which this entry is based does not name the groups, describe their tactics, or list vulnerabilities they exploit; the Dragos report itself should be consulted for that detail. No specific exploit or CVE is associated with this entry, so the activity cannot be characterized here beyond the fact that ICS/OT networks are being targeted. The medium severity rating balances the potential for physical and operational impact against the lack of a specific exploit to defend against and the engineering effort that attacking a physical process genuinely requires. The trend reinforces the need for OT-specific controls: segmentation, protocol-aware monitoring, secure remote access, and an incident response plan that covers the process as well as the IT estate.
Potential Impact
Targeting of ICS/OT threatens European organizations that operate critical infrastructure and industrial processes. Possible impacts include disruption of essential services such as electricity, water, and manufacturing, with cascading effects on public safety, economic stability, and national security. Compromise of ICS/OT systems can cause operational downtime, physical damage to equipment, and safety incidents affecting workers and the public. For European operators the concern is heightened by the continent's interconnected grid and supply chains and the strategic weight of its energy and manufacturing sectors. Regulatory exposure adds to the cost of an incident: NIS2 imposes security and incident-reporting obligations on essential and important entities, and GDPR applies where an intrusion also touches personal data. The medium rating reflects that, absent a specific exploit and given the effort needed to produce process-level effects, widespread immediate impact is not indicated; the trend nonetheless warrants preparation so that early footholds are detected before they escalate.
Mitigation Recommendations
European organizations should apply a layered defense tailored to ICS/OT environments. Key measures:
1) Network segmentation: isolate ICS/OT from corporate IT and from direct internet access, for example with zones and conduits as defined in IEC 62443 or a Purdue-style industrial DMZ between levels 3 and 4, so that a compromised IT host cannot reach controllers directly and lateral movement is constrained.
2) OT-specific monitoring: deploy passive network monitoring that understands industrial protocols (Modbus, DNP3, S7comm, EtherNet/IP, OPC UA and others) and can flag state-changing operations from unexpected sources, newly appearing devices, and known threat indicators. Active scanning of controllers can crash them; prefer passive collection or test only on non-production equipment.
3) Threat intelligence sharing: exchange indicators and tactics with sector peers, ISACs and national cybersecurity centers to track emerging threat actor activity.
4) Risk assessment and testing: assess and penetration-test ICS/OT specifically, with rules of engagement that protect safety and availability (staged environments, maintenance windows, no unplanned writes to live controllers).
5) Incident response: extend IR plans to ICS/OT scenarios, including the ability to run the process manually or in a degraded mode, and rehearse them with operations staff.
6) Training: cover ICS/OT security practices and the social-engineering and credential-theft tactics that typically provide initial access from the IT side.
7) Access control: restrict access to ICS/OT interfaces to named roles, enforce multi-factor authentication on remote access and on the jump hosts into the OT network (many controllers and HMIs cannot enforce MFA themselves), and log every session.
8) Patching and firmware: apply updates where feasible, prioritizing internet-facing and remote-access components, and use compensating controls where a controller cannot be patched without a production outage.
These measures map closely onto the five ICS cybersecurity critical controls published by SANS and Dragos: ICS-specific incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management.
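To make the monitoring recommendation concrete, the following is an added example (not code from Dragos, SecurityWeek, or the original entry) of a protocol-aware allowlist check for Modbus/TCP. It parses the MBAP header and function code of each request and raises an alert when a state-changing function code (coil or register writes) arrives from a source host that is not on the per-controller write allowlist; controllers with no allowlist entry are treated as deny-by-default. The addresses (engineering workstation 10.10.20.5, PLC 10.10.30.10, unknown host 10.10.20.77) and the sample frames are constructed for illustration.

```python
"""Allowlist-based detection of Modbus/TCP write operations.

Added example; addresses, allowlist and frames are hypothetical.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes that change controller state.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Hypothetical policy: only the engineering workstation may write to this PLC.
# A controller absent from the map has no authorized writers at all.
WRITE_ALLOWLIST = {"10.10.30.10": {"10.10.20.5"}}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code of one request."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:  # protocol identifier is always 0 for Modbus
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(data) - 6:  # length covers unit id + function + payload
        raise ValueError(f"MBAP length {length} does not match frame size {len(data)}")
    return ModbusRequest(src, dst, tid, unit, data[7], data[8:])


def build_frame(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used here only to construct samples)."""
    return struct.pack(">HHHB", tid, 0, 2 + len(payload), unit) + bytes([function]) + payload


def evaluate(req: ModbusRequest) -> Optional[str]:
    """Return an alert line for a write from a non-allowlisted source, else None."""
    if req.function not in WRITE_FUNCTIONS:
        return None  # reads and diagnostics are not policed here
    if req.src in WRITE_ALLOWLIST.get(req.dst, set()):
        return None
    return (f"ALERT {req.src} -> {req.dst} unit {req.unit_id}: "
            f"{WRITE_FUNCTIONS[req.function]} (FC{req.function}) from non-allowlisted host")


# Constructed sample traffic, not captured from any real network.
SAMPLE_FRAMES = [
    # read holding registers from the engineering workstation: benign
    ("10.10.20.5", "10.10.30.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # write single register from the engineering workstation: allowed
    ("10.10.20.5", "10.10.30.10", build_frame(2, 1, 6, struct.pack(">HH", 100, 1234))),
    # write multiple registers from an unknown host: alert
    ("10.10.20.77", "10.10.30.10", build_frame(3, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
    # force a coil ON (0xFF00) from the same unknown host: alert
    ("10.10.20.77", "10.10.30.10", build_frame(4, 1, 5, struct.pack(">HH", 0, 0xFF00))),
]


def scan(frames=SAMPLE_FRAMES) -> list:
    """Run every frame through the parser and policy; malformed frames are reported too."""
    alerts = []
    for src, dst, data in frames:
        try:
            req = parse_modbus_tcp(src, dst, data)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src} -> {dst}: {exc}")
            continue
        verdict = evaluate(req)
        if verdict:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for line in scan():
        print(line)
```

In production the frames would come from a SPAN port or network tap feeding Zeek or a commercial OT monitoring platform rather than an inline list, and the allowlist would be learned during a baseline period and then locked so that any new writer, including a newly compromised engineering workstation, stands out. The same pattern applies to other industrial protocols once their state-changing operations are identified.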
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland, Spain
Threat ID: 69944da080d747be20aa71bd
Added to database: 2/17/2026, 11:14:40 AM
Last enriched: 2/17/2026, 11:14:54 AM
Last updated: 2/20/2026, 10:13:31 PM
Views: 49