
5 hard OT Cybersecurity lessons 2025 taught us (And What to Do About Them)


Prayukth KV

7. November 2025


Congratulations, we have made it to November and 3I/ATLAS hasn’t done anything that has triggered our planetary defenses. Though it is changing colors and doing some remarkable stuff, the interstellar traveller hasn’t shown us any probes or rovers yet. So there’s nothing to worry about yet, or so we can assume.

As we head into the final stretch of 2025, it’s time for a quick health check. If 2024 was the year we started talking openly about OT security, 2025 was the year it hit home, and we still have a full month to go.

Remember the plain vanilla theoretical threats that we were all warned about at conferences? They are not theoretical anymore. This year, the gloves more or less came off. We watched attackers move with alarming speed, manipulating employee behaviour to turn simple IT network breaches into real-world, physical disruptions.

So what is the biggest lesson we have learnt from 2025? If I have to summarize it, it comes down to two broad lessons:

  • You need to know what’s happening in your OT networks (including what your assets are up to), and

  • Employee awareness of OT security is no longer a ritualistic need.

The surprising bit is that malware sophistication hasn’t risen to extraordinary levels this year (unlike 2024, where we had AI-coded malware and variants being introduced faster than gamma ray emissions coming from a neutron star). However, there were many own goals scored thanks to a few security misses. We need to know what they are and act to address them so that we are ready for 2026.

Let's be real. Let's go deep. Here are the five biggest lessons we’ve all had to learn this year.

Before the dive, don’t forget to read our previous blog on Why NERC CIP-015-1 for Internal Network Security is a must-have for ICS Defense here.

The IT/OT firewall is a fable and a leaky sieve.

For years, we operated with a simple (and downright dangerous) assumption: secure the IT network, and the OT network, with its legacy systems and PLCs, will take care of itself.

2025 lesson: That wall has long dissolved, just like a highly volatile substance sublimes on ignition. Attackers are not bothering to find a rare zero-day exploit for a three-decade-old controller. Why would they? They just phish an employee, or pull credentials for the VPN out of a shared vault, and then pivot from the billing system (IT) right into the plant-floor HMI (OT).

This year's reports, including the latest from Shieldworkz, confirmed our worst fears: most of the OT-related incidents originated in the IT environment.

  • Case in point: Threat groups are actively exploiting IT-centric remote access tools, like standard corporate VPNs, as their primary entry point (Source 1.1, 3.4). That VPN you set up for a third-party vendor? That's now your softest underbelly.

  • The takeaway: An IT breach is an OT breach. Your security posture is only as strong as the link between your corporate network and your control systems. Network segmentation isn't a suggestion; it's the most critical defense you have. You must assume they're already in the IT network and work to stop their lateral movement.

"Stage 2.5" Is here and they have access to the machinery

This one is a bit spooky. For the longest time, attackers who got into OT networks just did reconnaissance. They looked around, snatched some data and moved on.

2025 cybersecurity lesson: "Stage 2.5" attacks, where attackers take action to cause a physical consequence, are no longer rare. The goal has shifted from espionage to sabotage.

Physical disruptions are now rising faster, with threat actors trying to break things in a way that makes them difficult to recover.

  • The takeaway: Your detection plan cannot just look for malware. It must look for process anomalies. Why did that valve open, unscheduled, at 3 AM? Why is that motor running 20% over speed? You need visibility into the process itself, not just the network traffic.

Your infrastructure may be a geopolitical arena

If your organization is part of critical infrastructure (energy, water, food, transport), you are no longer just a financial target. You are a political one as well.

2025 cybersecurity lesson: Nation-states and politically motivated hacktivists are now constantly eyeing your OT environment, and it is not because they have something against you. The motive isn't ransom; it's to create fear, disruption, and psychological pressure.

  • Case in point: We saw it with a major breach where a threat group claimed to have tampered with a water treatment HMI. We saw it in attacks targeting PLCs at small water utilities and beyond. It doesn’t stop, and threat actors aren’t tiring now.

  • The takeaway: These aren't high-level, sophisticated attacks. They are often low-skill but high-impact, designed as a hybrid "psychological operation" to exert maximum pressure and possibly provoke an intervention from the government. They want you, and your customers, to constantly worry that the water isn't safe. Your BCP should now account for all types of politically motivated disruption scenarios, not just ransomware.

Your supply chain is your biggest attack surface

You can have the most secure network in the world, but it translates into nothing if your HVAC vendor, your food wholesaler, or your third-party support provider gets breached.

Cybersecurity lesson from 2025: The supply chain is, without a doubt, our weakest link. The World Economic Forum's 2025 Outlook named it the number one ecosystem cyber risk (Source 5.2). And we saw why.

  • The case in point: Some of the most crippling cyberattacks of the year originated in a supplier's systems.

  • The takeaway: "Trust but verify" is dead. The new model is Zero Trust. You need a Software Bill of Materials (SBOM) from your vendors. You need to enforce MFA on all third-party access. And you need to limit their access, contractually and technically, to only what is absolutely necessary.

It’s AI vs AI

We all knew AI would be big, but 2025 was the year it became a tangible force on both sides of the perimeter.

2025 cybersecurity lesson: Attackers are using AI to scale and to script better phishing attacks. But in OT, AI is a tool that needs a human to succeed.

  • The attack: ENISA reported a few months back that over 80 percent of social engineering attacks now leverage AI in some form. This means hyper-realistic, context-aware phishing emails and vishing (voice phishing) calls that are nearly impossible for a human to spot. The role of AI goes even further now, with threat actors using pattern-finding algorithms to identify vulnerable employees and the best time to launch a phishing attempt.

  • The defense: We are using AI to process the sheer volume of data needed for real-time anomaly detection. In fact, it's the "brain" that can spot that tiny, anomalous valve change in a sea of data. We can certainly work to extend the role of AI into building deterministic attack models that can be used to train employees and to declare ‘Red Alerts’ when cyber attacks are most probable.

  • The takeaway (and maybe the catch as well): You just cannot "unleash" an AI on a power grid, a refinery or even a gas pipeline. In an IT network, an AI-driven security tool can quarantine a laptop that acts weirdly on its own. If it's a false positive, no big deal; at most you may have to deal with a grumpy employee. In an OT network, however, an automated response to a false positive could mean shutting down an assembly line, a substation or a turbine. The 2025 lesson is that AI in OT must be a human-centric model. It should alert and advise a human operator and arm her with information, but the final "red button" decision must remain with a person who knows the physical process.
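To make the two points above concrete (watch the process, not just the packets, and advise a human rather than act), here is a small process-anomaly monitor added as an example; it is not code from Shieldworkz or the original post, and the tag names, operations window and rated speed are constructed assumptions.

```python
"""Advisory process-anomaly checks over constructed OT telemetry (example)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Optional

@dataclass(frozen=True)
class Reading:
    ts: datetime   # sample timestamp
    asset: str     # tag name, e.g. "valve_V101" (constructed)
    kind: str      # "valve" or "motor"
    value: float   # valve: 0.0 closed / 1.0 open; motor: measured RPM

# Constructed baseline (assumptions): valve operations are only scheduled in
# this window, and each motor has a nameplate speed; 20% over it is abnormal.
SCHEDULED_WINDOW = (time(8, 0), time(18, 0))
RATED_RPM = {"motor_M7": 1500.0}
OVERSPEED_RATIO = 1.2

def valve_anomaly(r: Reading) -> Optional[str]:
    """A valve opened outside the scheduled operations window (the 3 AM case)."""
    start, end = SCHEDULED_WINDOW
    if r.kind == "valve" and r.value == 1.0 and not (start <= r.ts.time() <= end):
        return f"{r.asset} opened at {r.ts:%H:%M}, outside scheduled window"
    return None

def motor_anomaly(r: Reading) -> Optional[str]:
    """A motor running at or above OVERSPEED_RATIO times its rated speed."""
    rated = RATED_RPM.get(r.asset)
    if r.kind == "motor" and rated and r.value >= rated * OVERSPEED_RATIO:
        return f"{r.asset} running {round((r.value / rated - 1) * 100)}% over rated speed"
    return None

CHECKS: list[Callable[[Reading], Optional[str]]] = [valve_anomaly, motor_anomaly]

def advise(readings: list[Reading]) -> list[dict]:
    """Return advisory alerts for the operator. Deliberately issues no
    commands to the process: the 'red button' stays with a human."""
    alerts = []
    for r in readings:
        for check in CHECKS:
            msg = check(r)
            if msg:
                alerts.append({"ts": r.ts.isoformat(), "asset": r.asset,
                               "advice": msg, "action": "operator review required"})
    return alerts

def sample_readings() -> list[Reading]:
    """Constructed telemetry: two normal samples and two anomalies."""
    d = datetime(2025, 11, 7)
    return [Reading(d.replace(hour=3), "valve_V101", "valve", 1.0),
            Reading(d.replace(hour=9, minute=30), "valve_V101", "valve", 1.0),
            Reading(d.replace(hour=3, minute=5), "motor_M7", "motor", 1850.0),
            Reading(d.replace(hour=3, minute=6), "motor_M7", "motor", 1500.0)]
```

Running `advise(sample_readings())` yields two alerts, one per anomaly, each tagged for operator review and none carrying a control action.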

Our job for 2026: Move from security to resilience

So, what's the one big takeaway from 2025?

Sustainable resilience is mandatory.

You may not be able to build an impenetrable fortress overnight. You could face a breach from an improbable source. Your supplier will have an incident. But with defense-in-depth and zero trust coupled with actionable employee awareness, you will be able to detect and suppress attacks quickly.

It's about visibility (knowing they're in, fast), segmentation (stopping them from getting to the crown jewels), and resilience (having a plan to get the plant back online safely and quickly).

We have had our wake-up call multiple times. Now the real work begins.

Planning your next OT risk assessment? Talk to us.

Interest in augmenting your incident response? We have something for you.
