OT Incident Response: The hard-earned and learned lessons of 2025

One of the biggest truths that the year 2025 has revealed is that Operational Technology (OT) environments are no longer secondary targets. As critical infrastructure and manufacturing deploy true IT/OT convergence, the kinetic consequences of a cyberattack will turn into more frequent, more disruptive, and more severe episodes. While specific details of every single incident are often kept under wraps, the trends from major breaches in sectors like aviation, manufacturing, and supply chain tell a clear story.

The primary lesson of 2025 is that an incident in your IT network could simply be a pre-incident for your OT environment.

Explore our previous blog post on securing Sub Stations here.

Major cyber incident trends from 2025

The most impactful cyber events in the OT space in 2025 reveal an unambiguous focus by adversaries on exploiting a few key weaknesses (in human behavior and in networks):

Pivot to disruption

Adversaries have now stopped focusing solely on encrypting and sale of data and pivoted to actions that ensure maximum operational disruption for a prolonged period of time. For instance, a major grocery wholesaler experienced a crippling attack that shut down electronic ordering and delivery systems, causing immediate, real-world shortages. While threat actors were known to follow a scorched earth policy, now they are focusing on ensuring maximum disruption across all dimensions including operations, incident recovery, data and reputation loss and supply chain disruption.

• Attacks targeting manufacturing systems (that are often running older, unpatched software or even systems that are new but have been unpatched for fear of operational disruption) caused physical production lines to grind to a halt, forcing manual operations and leading to significant revenue loss. The attacker's goal was not just to extract a ransom payment but the guaranteed cessation of business. The idea is that such disruptions help attackers shorten future post-cyberattack ransom extraction cycles by ramping up the fear factor.

Exploiting the IT-to-OT Jump

We have read many times that 90% of attacks that led to a physical impact on OT systems began by compromising (in some instances) the less-hardened IT network. A simple vulnerability in a critical business application or a single weak remote access credential offered the threat actor the necessary foothold to pivot into the plant floor.

• Incidents in the power and water utilities segment often started with a breach in an enterprise network, with the threat vector moving laterally through flat or poorly segmented networks to access human-machine interfaces (HMIs) or supervisory control and data acquisition (SCADA) systems.

The compounding impact on supply chains

Attackers constantly targeted soft-belly vendors and third-party contractors to get "trusted access" to downstream critical infrastructure. If I had a nickel for everytime this happened, I would had a few 100s of bitcoins by now. A single compromise at a software or hardware vendor could easily cascade into dozens of compromised OT environments. The question to be asked is: who is ensuring supply chain security?

• Breaches in vendor-managed remote access tools or compromised components embedded with malware in the supply chain were reported, giving nation-state actors and organized crime a silent, long-term foothold within highly secure facilities. You will be surprised to know how easy it is to enter secure supply chains (we will park that for another day)

Now lets go right to the core theme of this post.

OT Incident Response lessons for 2026

To make 2026 a more secure year, we must translate these hard-won lessons into immediate, actionable changes in our OT security programs.

Focus on visibility, especially at Level 0/1/2

You cannot defend what you cannot see. The most mature organizations in 2025 demonstrated that full visibility is key to rapid response.

• Learning: Traditional monitoring (network logs, firewalls) is insufficient. Defenders need visibility down to the physical process layer (Purdue Model Levels 0 and 1). This involves monitoring I/O points, control logic, and physical state changes to detect malicious manipulation before it causes damage.

• Action for 2026: Deploy OT-specific Asset Inventory and Network Monitoring tools such as Shieldworkz that understand industrial protocols and can detect anomalies in controller behavior (e.g., unauthorized code changes or physical process variables deviating from baseline).

Enforce the Zero Trust principle of functional isolation

The failure of simple firewalls to prevent IT-to-OT lateral movement was a recurring theme. True Network Segmentation is non-negotiable.

• Learning: A single firewall between IT and OT is not sufficient. Implement micro-segmentation within the OT network (e.g., isolating HMIs from controllers, and critical zones from less critical ones) to contain a breach immediately upon detection.

• Action for 2026: Treat all connections, internal or external, with a Zero Trust mindset. Strictly limit remote access, enforce multi-factor authentication (MFA) everywhere, and use secure gateways or data diodes for strictly unidirectional communication where possible.

Elevate and integrate Incident Response planning

In 2025, delays in remediation (sometimes stretching into weeks or months) were often caused by confusion over roles and decision-making authority between IT, OT, and engineering teams.

• Learning: Clarity of command is essential in an OT incident. The person with the authority to shut down a production line to ensure physical safety needs to be identified before the attack.

• Action for 2026: Conduct quarterly, scenario-based tabletop exercises that include both IT and OT personnel, focusing on decision points like when to isolate systems or switch to manual operations. Clearly document and assign ICS/OT-specific incident response roles.

Harden the supply chain and enforce accountability

External connections proved to be the easiest route in. This attack vector will only become more prevalent with the rise of AI-driven supply chain attacks.

• Learning: Trusting a vendor's security posture was never an option. Security must be managed exclusively by the asset owner.

• Action for 2026: Implement strict auditing and least-privilege access for all third-party connections. Mandate that vendors use your secure access platforms rather than their own. Insist on a Software Bill of Materials (SBOM) for all industrial software to quickly identify compromised components.

Few other important measures:

· Ensure security of data back-ups

· Employees should be made to undergo incident response tests that involve escalating scenarios 

· Maintenance windows should be tested for security aspects

Looking ahead towards 2026

As we ease into 2026, the convergence of AI-driven attacks, previously leaked data, lack of adequate employee attention and persistent geopolitical tension means the threats to OT environments will become frequent and more sophisticated. Beyond this imminent threat, enterprises must also be able to prove with evidence (audit trails) that they have been able to do everything possible to protect their systems from a breach to regulators.  

In the year 2026, OT security teams must expand focus to cover cyber resilience.

The path to a more secure 2026 involves three key commitments from your business. Engineering-focused asset and network visibility, aggressive network isolation, and leadership-driven incident preparedness. By integrating these lessons in your OT security strategy, you can ensure that future incidents remain within the realm of minor disruptions and not catastrophic failures.

Get a free consulting on OT security best practices from Shieldworkz.

Go from 0 to NIS2 compliant in 5 weeks.

See our best-in-class OT NDR solution in action