Waterfall’s recently released ICS Strive 2026 OT Cyber Threat Report counts a relatively small (and declining) number of cyberattacks with “physical consequences.” That figure sits awkwardly alongside other research pointing to growing threats, particularly from nation-states and from agentic AI-driven attacks. If anything, the indications are that the industrial sector is increasingly under attack.
The easiest explanation is that Waterfall uses a narrow definition of incidents with physical consequences, one that skews towards the catastrophic end of the spectrum: incidents where the physical impact was undeniable and publicly admitted. The report itself states that the “incident database and numbers in this report regarding breaches and outages are certain to be an underestimate.”
Disclaimer aside, it is worth examining what might be called the Iceberg Syndrome: the significant underreporting of OT cyber breaches, with only the most visible incidents ever surfacing. Why does this matter? Because a threat that goes unreported gets underestimated, and underestimating it leads to complacency and weaker cyber defenses.
There is no single explanation for the underreporting; it is a combination of several factors.
The Disincentives to Disclose
Let’s start with when and why companies report an OT cyberattack. All things considered, there are few positive incentives for a company to publicly disclose a cyber breach. Beyond the immediate risk of reputational damage and loss of customer trust, coming forward may invite litigation or regulatory scrutiny with no obvious benefit. There are also operational reasons to stay quiet: a company may not want the attacker to learn that the intrusion has been identified, and a detailed disclosure can inadvertently hand future attackers a “roadmap” to the environment. The net effect is that the organization is punished for its transparency.
The Reporting Gap: 1 in 3
How significant is underreporting? There is no single “true” answer, but the UK National Cyber Security Centre (NCSC) has indicated that among Operators of Essential Services (water, energy, transport, etc.), which are legally required to report significant incidents, only about 1 in 3 actually did so.
Part of the reason is that to be “reportable,” an incident must meet high thresholds, such as a specified number of casualties or a total loss of service for a set duration. Consequences that fall beneath those thresholds are classed as “minor” disruptions and never trigger a report, so the regulator’s figures capture only the incidents at the top of the iceberg.
Regulatory Shields and Legal Advice
Regulatory frameworks such as NIS2 and NERC CIP can, in practice, limit public reporting rather than expand it. Waterfall notes that some mandatory reporting frameworks provide a “shield of anonymity,” ensuring that information about specific targeted organizations is not made public. Furthermore, because of the potential for heavy fines and legal exposure, corporate lawyers often advise against reporting unless a strict threshold (such as a material impact on share price or a clear breach of a specific safety metric) is undeniably met.
Structural Drivers: The Visibility Crisis
Finally, there are structural drivers of the reporting gap. The technical complexity of OT environments often leads to the misclassification of incidents. Security Operations Centers (SOCs) frequently lack the process knowledge to recognize that an unexplained operational anomaly is the result of a cyber intrusion. Telemetry showing unusual asset behavior gets logged as an IT glitch or a maintenance issue rather than as adversary activity, so the incident never enters the cyber record, let alone a public report.
Where does SIGA fit in?
While the industry grapples with reporting thresholds and legal shields, SIGA provides a technical “ground truth” that does not depend on anyone choosing to disclose. Most OT security tools rely on network traffic or PLC logs, data sources that an attacker who has compromised the control system can spoof or blind. SIGA instead operates out-of-band, monitoring the raw electrical signals at Level 0 (the sensors and actuators). Because those signals are captured independently of the control network and the PLC, compromising the control logic does not change what SIGA sees: it identifies the physical consequences of an attack even when the PLC has been manipulated to show operators a “normal” status. (Field wiring and transmitters remain exposed to physical tampering, so the out-of-band channel should itself be protected and cross-checked like any other sensor.) This independent view of the physical process lets SIGA classify operational anomalies as cyber-physical events immediately, providing the forensic evidence needed to close the visibility gap between the SOC and the plant floor.
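The two preceding sections describe the technique in prose: capture the Level 0 signal independently of the PLC, compare it with the value the PLC reports to the operator, and treat sustained disagreement as a cyber-physical event rather than a maintenance ticket. The following is an added illustration of that cross-check, written for this article; it is not SIGA’s code, data model or algorithm. The tag names, engineering-unit ranges, tolerance and the sample series are all constructed, and the 4–20 mA loop conversion assumes a standard linear transmitter.

```python
"""Constructed example: cross-check the value a PLC/HMI reports for a tag against
an independently measured Level 0 signal (the 4-20 mA loop current), and flag
sustained disagreement as a cyber-physical event rather than an "IT glitch".

Not SIGA's code or data model; tag names, ranges and samples are made up.
"""
from dataclasses import dataclass

# Engineering-unit span per tag (assumed): a 0-10 bar pressure transmitter and a
# 0-100 % valve position transmitter, both wired as 4-20 mA loops.
TAG_RANGES = {"PT-101": (0.0, 10.0), "ZT-201": (0.0, 100.0)}


def ma_to_eu(ma: float, lo: float, hi: float) -> float:
    """Convert loop current to engineering units. Currents outside 3.8-20.5 mA
    are treated as a loop fault (open/shorted wiring, failed transmitter)."""
    if not 3.8 <= ma <= 20.5:
        raise ValueError(f"loop fault: {ma} mA")
    return lo + (ma - 4.0) / 16.0 * (hi - lo)


@dataclass(frozen=True)
class Sample:
    t: int           # sample time (s)
    tag: str
    reported: float  # value the PLC/HMI shows the operator
    loop_ma: float   # current measured out-of-band on the field loop


def detect_divergence(samples, tolerance_pct=5.0, min_consecutive=3):
    """Return (tag, start_t, end_t, kind) findings.

    "reported_vs_physical" opens when |reported - physical| exceeds tolerance_pct
    of the tag's span for min_consecutive samples in a row; a single noisy sample
    does not trigger. "loop_fault" marks an out-of-range current on its own.
    """
    findings = []
    by_tag = {}
    for s in samples:
        by_tag.setdefault(s.tag, []).append(s)

    for tag, series in by_tag.items():
        lo, hi = TAG_RANGES[tag]
        run = []  # consecutive divergent samples for this tag

        def flush(tag=tag, run=run):
            if len(run) >= min_consecutive:
                findings.append((tag, run[0].t, run[-1].t, "reported_vs_physical"))
            run.clear()

        for s in sorted(series, key=lambda x: x.t):
            try:
                physical = ma_to_eu(s.loop_ma, lo, hi)
            except ValueError:
                flush()
                findings.append((tag, s.t, s.t, "loop_fault"))
                continue
            if abs(s.reported - physical) / (hi - lo) * 100.0 > tolerance_pct:
                run.append(s)
            else:
                flush()
        flush()
    return findings


def triage(findings):
    """Route each finding: sustained reported/physical disagreement is a
    cyber-physical event for the IR queue; a loop fault goes to maintenance."""
    queues = {"incident_response": [], "maintenance": []}
    for f in findings:
        key = "incident_response" if f[3] == "reported_vs_physical" else "maintenance"
        queues[key].append(f)
    return queues


# Constructed samples. PT-101: the HMI keeps showing 5.0 bar (12.0 mA) while the
# measured loop current climbs to 17.6 mA (8.5 bar) from t=4 onward, the signature
# of control logic altered to display a "normal" value. ZT-201 tracks correctly,
# with one transient spike at t=7 (ignored) and one loop fault at t=5.
SAMPLES = [Sample(t, "PT-101", 5.0, 12.0 if t < 4 else 17.6) for t in range(10)] + [
    Sample(t, "ZT-201", 50.0, {5: 2.0, 7: 14.0}.get(t, 12.1)) for t in range(10)
]

if __name__ == "__main__":
    for finding in detect_divergence(SAMPLES):
        print(finding)
    print(triage(detect_divergence(SAMPLES)))
```

The point of the `min_consecutive` guard is the misclassification problem raised above: a single out-of-tolerance sample is indistinguishable from loop noise, whereas a reading that stays pinned at "normal" for several seconds while the physical signal moves away from it is not a maintenance issue. Routing the two cases to different queues is what keeps the cyber-physical event from being closed as an IT glitch.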
Summary and Conclusion
There is little incentive (and, in fact, massive disincentives) for organizations to be transparent about the threats they face. The relatively small numbers in consequence-based reports are a distorted view of reality, created by high legal thresholds, fear of litigation, and a fundamental gap in how IT teams interpret physical machine behavior.
To counter this “Iceberg Syndrome,” organizations must move beyond reliance on public disclosure statistics and deploy defenses like SIGA that are grounded in the physics of the operation itself, evidence that exists whether or not anyone chooses to report.