The 2025 OT Cyber Threat Report

19 May 2025

The 2025 OT Cyber Threat Report: What It Tells Us (and What It Doesn’t See)

Why the shift toward process-oriented OT security is no longer optional

The context: The 2025 OT Cyber Threat Report, published by Waterfall Security and ICS STRIVE, compiles incidents from 2024 that had physical consequences for operational technology systems. These are not theoretical scenarios; they are documented disruptions where cyberattacks led to real-world outcomes: shutdowns, damaged equipment, lost revenue, and national security concerns.

This year’s data confirms what process-oriented defenders have long suspected: the gap between cyber visibility and physical reality is widening. And the only way to close it is by monitoring what’s actually happening at Level 0.

The data: Physical consequences are rising faster than we think

While the number of attacks rose only slightly (76 in 2024 vs. 72 in 2023), the scale of impact expanded dramatically:

  • 1,015 sites experienced physical disruption in 2024, up from 412 the year prior. A 146% increase.
  • Nation-state attacks with physical consequences tripled, driven by escalating campaigns tied to China, Russia, and Iran.
  • Three new ICS-specific malware strains were discovered in 2024. This is half the number discovered over the previous 14 years combined.

Where the threat is coming from

The report classifies most attacks as either ransomware (87%) or nation-state operations. But notably:

  • Only 13% of attacks directly touched OT systems.
  • Nearly 90% caused physical impact indirectly, often via compromised IT systems or dependencies on cloud-based services.

This aligns with two known weak points:

  1. Flat networks, where IT and OT are poorly segmented.
  2. Process dependencies on IT infrastructure (e.g., billing, scheduling, control logic hosted in the cloud).

The blind spot: What the report can’t measure

The report focuses on publicly disclosed incidents with confirmed physical outcomes. It does not (and cannot) track:

  • Silent failures where control systems were compromised but didn’t result in visible damage.
  • Process manipulation that goes undetected because operators have no way to verify if control signals match physical execution.
  • False confidence in normal operations that stems from looking only at network traffic or logs, while Level 0 data remains unseen.

This is where traditional OT detection models fall short. If a company’s security stack doesn’t include direct visibility into process-level data (pressure, flow, voltage, actuation), it is relying on inference. And inference is not protection.

Why this matters: Level 0 is the only source of truth

The report provides a conservative picture: one that undercounts the scale of the threat. It does, however, make a powerful argument for change:

  • Software-based protections are not enough. Most attacks either evade detection (e.g., “living off the land” tactics like Volt Typhoon) or exploit IT-to-OT dependencies.
  • Detection must be grounded in physics. Level 0 signals (unfiltered electrical measurements) cannot be spoofed, rerouted, or suppressed by an attacker.
  • True segmentation means functional isolation, not just firewalls. The ability to detect unauthorized change must exist on the process side, not just the network side.

The authors call for hardened, deterministic protections. But without continuous monitoring of Level 0 behavior, you cannot verify whether those protections are working.
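As an added example (not from the report, Waterfall Security or ICS STRIVE), here is a minimal version of the cross-check described above: the state a PLC or HMI reports as commanded is compared with an independently measured Level 0 signal, and any disagreement that outlasts the actuator's normal settling time is flagged. The current threshold, settling time and sample series are constructed assumptions.

```python
"""Cross-check commanded actuator state against an independent Level 0
measurement (motor current). Added example; all values are constructed."""
from dataclasses import dataclass


@dataclass
class Sample:
    t: float            # seconds since start of the window
    commanded_on: bool  # state the PLC/HMI reports as commanded
    current_a: float    # independently measured motor current (amps)


def physical_state(current_a: float, on_threshold_a: float = 2.0) -> bool:
    """Infer 'pump running' from the measured current, not from the PLC."""
    return current_a >= on_threshold_a


def find_mismatches(samples, settle_s: float = 3.0, on_threshold_a: float = 2.0):
    """Return (start_t, end_t, commanded_on) for each interval in which the
    physical state disagreed with the commanded state for longer than
    settle_s. Short disagreements are treated as normal start/stop transients."""
    mismatches, start = [], None
    for s in samples:
        agree = physical_state(s.current_a, on_threshold_a) == s.commanded_on
        if not agree and start is None:
            start = s                       # disagreement begins
        elif agree and start is not None:
            if s.t - start.t > settle_s:    # outlasted the settling time
                mismatches.append((start.t, s.t, start.commanded_on))
            start = None
    if start is not None and samples[-1].t - start.t > settle_s:
        mismatches.append((start.t, samples[-1].t, start.commanded_on))
    return mismatches


# Constructed 1 Hz series: a normal start transient (t=0..1), then from t=10
# the HMI still shows the pump commanded ON while the motor draws no current.
SAMPLES = [Sample(t, on, a) for t, on, a in [
    (0, True, 0.0), (1, True, 0.8), (2, True, 3.2), (3, True, 3.1),
    (4, True, 3.0), (5, True, 3.1), (6, True, 3.0), (7, True, 2.9),
    (8, True, 3.0), (9, True, 3.1),
    (10, True, 0.1), (11, True, 0.0), (12, True, 0.0), (13, True, 0.1),
    (14, True, 0.0), (15, True, 0.0),
    (16, False, 0.0), (17, False, 0.0),
]]

if __name__ == "__main__":
    for start_t, end_t, cmd in find_mismatches(SAMPLES):
        print(f"mismatch {start_t}s-{end_t}s: commanded_on={cmd}, physical state differs")
```

The 2 s start-up transient is ignored; the 6 s interval from t=10 is reported because the measured current contradicts what the control layer claims.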

Notable Examples of OT Cyber Incidents in 2025

Oil & Gas: RECOPE (Costa Rica) – A ransomware attack on Costa Rica’s state energy company forced the operator to switch to manual operations, disrupting cargo handling at land and sea terminals due to safety concerns.

Building Automation: Johnson Controls (USA) – A ransomware attack disrupted operations across Johnson Controls and its subsidiaries, including York and Tyco, impacting federal building security systems and prompting a DHS investigation.

Power: Fortum Oyj (Finland) – Finland’s largest power company reported persistent daily cyber intrusion attempts and drone sightings over critical infrastructure sites, indicating hybrid surveillance and intrusion tactics by likely nation-state actors.

Water: Tipton Municipal Utilities (USA) – A Russian-linked threat group (CARR/Sandworm) claimed to have remotely mis-operated a water treatment HMI; the utility remained operational but confirmed the breach occurred.

Bottom line

The 2025 report makes clear that OT-targeted attacks are becoming more frequent, more scalable, and more advanced. But it also reinforces something the report doesn’t directly measure: attackers are succeeding not just because they break in, but because defenders don’t have visibility into what happens next.

If security architecture can’t see the physical process, it can’t protect it.
