The volume of major operational technology (OT) security incidents declined in 2025, marking the first reduction in seven years. Security metrics rarely show a downward trend without significant changes in the scene, making this anomaly an important data point for evaluating industrial defense strategies.
Historically, the number of OT incidents resulting in physical consequences for affected organizations has consistently grown, rising from a few isolated events prior to 2019 to 76 recorded incidents in 2024. According to the newly published annual report from Waterfall Security Solutions, 2025 deviated from this pattern. The organization identified 57 physically impactful OT incidents over the year, a 25% decrease that brings the total below both 2024 and 2023 levels.
Understanding the drivers behind this shift helps security teams anticipate future trends and focus their resources effectively.
Factors influencing the decline
Researchers propose three primary hypotheses for the reduction in public OT incidents last year.
The first suggests that improved security practices are successfully protecting critical systems and giving defenders an edge. While difficult to measure comprehensively, this theory contrasts with the nature of some incidents that still occurred. For example, in January 2025, an unauthorized individual in Italy gained access to a system that allowed them to alter the routes of oil tankers and transport ships in the Mediterranean Sea. Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, notes that threat actors frequently access exposed human-machine interfaces (HMIs) using default or compromised credentials. As a foundational protective measure, he strongly recommends that organizations ensure all HMIs are removed from the public internet.
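The two controls Ginter recommends (no HMI reachable from the public internet, and no HMI still running vendor default credentials) can be expressed as a repeatable check over an asset inventory. The script below is an added example, not code from Waterfall Security Solutions or from the article. It assumes a constructed CSV inventory with the columns shown, treats only RFC1918, loopback and link-local addresses as internal, and uses documentation addresses (203.0.113.0/24) as stand-ins for public IPs in the sample data.

```python
"""Audit an OT service inventory for HMIs exposed to the internet.

Added example with a constructed inventory format. Each row describes one
listening service: the asset name, its role, the address it is reachable at,
the port, and an inventory flag saying whether vendor default credentials
are still in place.
"""
import csv
import io
import ipaddress

# Networks that count as "internal" for this check. Anything else is treated
# as reachable from the public internet. Documentation ranges such as
# 203.0.113.0/24 are deliberately NOT listed so they can stand in for public
# addresses in the constructed sample below.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample inventory (not real assets or addresses).
SAMPLE_INVENTORY = """\
asset,role,address,port,default_creds
pump-station-hmi-1,hmi,203.0.113.10,5900,yes
pump-station-hmi-2,hmi,10.20.0.15,443,yes
plc-intake-3,plc,10.20.0.30,502,no
site-hmi-3,hmi,10.20.0.16,80,no
"""


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the internal networks above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_inventory(text: str) -> list[dict]:
    """Parse the constructed CSV format into a list of service records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset": row["asset"].strip(),
            "role": row["role"].strip().lower(),
            "address": row["address"].strip(),
            "port": int(row["port"]),
            "default_creds": row["default_creds"].strip().lower() in ("yes", "true", "1"),
        })
    return rows


def audit(services: list[dict]) -> list[dict]:
    """Return one finding per HMI that violates either recommendation.

    Severity: an internet-reachable HMI is 'high', and 'critical' if it also
    still has default credentials; an internal HMI with default credentials
    is 'medium'. Non-HMI services are out of scope for this check.
    """
    findings = []
    for s in services:
        if s["role"] != "hmi":
            continue
        endpoint = f'{s["address"]}:{s["port"]}'
        if not is_internal(s["address"]):
            findings.append({
                "asset": s["asset"],
                "endpoint": endpoint,
                "severity": "critical" if s["default_creds"] else "high",
                "issue": "HMI reachable from the public internet",
            })
        elif s["default_creds"]:
            findings.append({
                "asset": s["asset"],
                "endpoint": endpoint,
                "severity": "medium",
                "issue": "HMI still using vendor default credentials",
            })
    return findings


if __name__ == "__main__":
    for f in audit(parse_inventory(SAMPLE_INVENTORY)):
        print(f'{f["severity"]:8} {f["asset"]:22} {f["endpoint"]:20} {f["issue"]}')
```

On the sample inventory the check reports two findings: the first HMI is both internet-reachable and on default credentials (critical), the second is internal but still on default credentials (medium); the PLC is skipped and the third HMI is clean. Feeding it a real export means replacing SAMPLE_INVENTORY with the organization's own inventory in the same column layout.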
A second hypothesis points to a decrease in public reporting. While many jurisdictions have implemented stricter disclosure regulations in recent years, these rules do not universally apply to all regions experiencing frequent OT incidents. Furthermore, aggregated reporting in sectors like European critical infrastructure often anonymizes the data before it reaches the public. Legal liabilities also play a role. Following cases where organizations faced legal action over initial incident disclosures (such as Marquis initiating a lawsuit against its firewall vendor SonicWall in early 2025 for allegedly underestimating an incident's impact), legal counsel frequently advises companies to limit public details strictly to what the law mandates.
The most prominent theory links the decline to a temporary reduction in ransomware events, which drove the majority of major OT incidents in the early 2020s. Law enforcement actions in the United States and Russia recently disrupted the incentive structures and operations of major ransomware groups, providing a temporary reprieve for OT environments. However, Ginter anticipates that this ecosystem is stabilizing. As new entities step in to provide the necessary technical infrastructure, organizations should prepare for activity to normalize in 2026.
Technical complexity and event severity
Beyond frequency, the technical complexity of public OT incidents in 2025 was generally lower than in previous years. While 2024 saw the discovery of multiple new OT-specific malware strains (demonstrating a capacity to write custom code that implements the protocols of programmable logic controllers (PLCs) and remote terminal units), 2025 lacked similar novel developments. Threat actors primarily relied on established methods and general IT-focused tools rather than specialized industrial protocols.
Exceptions to this lower technical complexity were observed in geopolitical contexts, such as the ongoing Russia-Ukraine conflict. Additionally, unconfirmed reports suggested sophisticated knowledge of anti-aircraft systems was leveraged against facilities in Iran and Venezuela in 2025, though reliable public details remain limited.
Despite the drop in volume and technical novelty, the severity of the incidents that did occur remained high. The security event affecting Jaguar Land Rover, for instance, resulted in an estimated $1 billion in direct losses and a $2.5 billion impact on the broader United Kingdom economy.
Additionally, politically motivated threat actors demonstrated continued interest in critical infrastructure. In one instance, unauthorized parties gained widespread access to Poland's solar and wind infrastructure. While they rendered an undisclosed number of automation devices inoperable, the event did not ultimately disrupt power delivery.
Overall, while incidents with physical consequences dropped 25%, the report found that targeting of critical infrastructure without physical disruption doubled over the same period. The data indicates that while the total number of physical disruptions decreased last year, the underlying risk to operational technology remains significant, requiring sustained, proactive defense.