This article attempts to frame the question after my back and forth with Robert M. Lee last Friday.
Question: How many cyber attacks are resulting in non-trivial consequence events in OT / Operations?
Stipulation 1: Ransomware and other causes of outages on IT cyber assets (outside the OT security perimeter) are the largest cause of outages that impair Operations' ability to deliver the product or service. Reducing the impact when this occurs should be a priority for Operations.
Stipulation 2: OT that is accessible by anyone on the Internet, OT that can be found by Shodan or similar scans, is at great risk and has led to numerous, mostly small-scale, outages and other impacts. Removing this accessibility should be prioritized.
Revised Question: How many cyber attacks, not including ransomware on IT or Internet accessible OT, are resulting in non-trivial consequence events in OT / Operations?
Public Data Answer … A Very Small Number
Public data includes regulatory reporting requirements, verified media reports, and industry / vendor reporting.
The answer for every year to date is a very small number. The best data I’ve seen is the annual Waterfall / ICSSTRIVE report. This report tracks public information on “cyber attacks with physical consequences”. There were 76 cyber attacks with physical consequences in 2024 (the 2025 report). 10 of the 76 cyber attacks were not the result of ransomware or other incidents on IT impacting OT. Many of those 10 are small water utilities directly connected to the Internet. This data supports the Very Small Number answer.
Another data source for US public companies is their Form 8-K filings (Item 1.05), required when a cyber incident has had a material impact. This data supports the Very Small Number answer.
Many security vendors with access to additional private data put out annual reports of cyber attack activity and related happenings from the previous year. Let’s consider two recent Dragos reports, since the back and forth last Friday was with Rob:
This report focuses on the increased number and capabilities of threat actors, and is very light on incidents and metrics outside of ransomware and Internet-accessible OT (that info was good and helpful). Some attacks in Ukraine would meet the OT / Operations criteria, an attack on Moscow utility sensors would meet the OT / Operations criteria, and Voltzite was exfiltrating OT information from IT. I’d consider this very little given the huge population of OT systems around the world.
Key Quote: “Ransomware compromises accounted for the majority of cases that Dragos responded to, with 25 percent resulting in a complete shutdown of an OT site, and 75 percent resulting in at least some disruption to operations.”
Key Quote: “Dragos did not find signs of an adversary exfiltrating data from OT environments”
This is an excellent report. A careful reading leads to two conclusions: 1) ransomware on IT and Internet-connected OT is the cause of almost all OT / Operations incidents, and 2) Dragos believes the threat actors are growing in number and skill, and that direct cyber attacks on OT are likely to increase in the future.
2025 OT Security Financial Risk Report
The key quote is in the methodology: “For this report, historical data about cyber breaches from 2014 through 2024 where OT was involved or directly related was examined. Due to relative forensic scarcity in OT reporting, a parallel analysis was also performed to investigate the financial damage from additional incidents in that timeframe that indicated the potential for OT impacts.”
The study created a model based on real and potential incidents and iterated it 1,000 times. I’m a huge fan of metrics and efforts like this, and we have to admit that the data from 2014 to 2024 don’t support the numbers in this report. The report assumes an increased threat and impact.
I don’t scour through every vendor report because the data to answer the revised question would typically be in the executive summary and highlighted in the media if it existed. Still, I probably have missed some data and would appreciate you highlighting any you’ve come across in the highlights that would answer the revised question.
I’m certain there are a number of OT/Operations incidents that have occurred and remained private. Which leads us to the Private Data Answer.
Private Data Answer … Low to Moderate and Most Importantly Growing
Rob correctly stated that I don’t have the access to OT cyber incident data that he and his team have. I’ve noted this in many articles as well. It’s likely that Dragos and Mandiant have the best information on cyber incidents that have caused a non-trivial impact on OT / Operations. They are the two companies most frequently called when there is a cyber incident that has concern related to OT. Their information is likely better than even government organizations.
OT detection vendors, governments, large consulting practices, and large ICS vendors have non-public information as well, and many of them issue reports.
Without exception those with the best information speak in dire terms about the current and growing threat to OT from cyber attacks. Most, but not all, also state or imply that the number of OT targeted cyber incidents is increasing and is no longer small.
There is a conflict of interest in most issuers of reports. If you are selling umbrellas, you want to tell people it’s going to rain. That being said, if there’s threat and incident inflation I don’t think it’s to sell more products or services in most cases.
More likely it is a dedication to the mission and the day-to-day environment. Looking back at how I felt while at NSA, I get this. When your mission statement is “safeguarding civilization” (the Dragos mission statement), and you don’t want to fail, it’s going to make you hyper vigilant.
Solution
The crux of the problem is that the public data says one thing and the people with access to the most information say something else. What OT cyber incident information should an asset owner use when making a risk decision?
Why Does This Matter – HILF Diversion
You’re going to address Internet-accessible OT and the impact of ransomware on IT on your ability to function in Operations. Attacks related to these two items are not low-frequency events.
However, if direct attacks on OT are rare, then you are in the High Impact Low Frequency (HILF) case. Once the basic security controls are in place, spending resources to further reduce your frequency (likelihood) is not going to have much of an impact on risk. You should spend your risk reduction resources on reducing the impact if the low-frequency event happens.
If it is not low frequency, as asserted by those with the best data, then spending money to further reduce likelihood may be warranted.
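As an added illustration, not from the article or from any vendor report, here is a toy expected-loss model of the HILF argument in the two paragraphs above. Every number in it is a constructed assumption: a frequent, moderate IT-ransomware outage scenario, a severe direct-on-OT attack scenario, and two spend options. The likelihood option halves only the direct-OT probability (the OT-specific hardening beyond basics); the impact option (manual operations, tested recovery) is assumed to halve the loss from every outage, whichever side it starts on. The Monte Carlo function mirrors the "iterate the model N times" approach of the financial risk report and should land on the same number as the closed form.

```python
"""
Added example (not from the article): a toy expected-loss model for the
HILF argument. All probabilities and dollar figures are constructed
assumptions for illustration, not figures from any report.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Scenario:
    name: str
    p_per_year: float   # annual probability the scenario occurs (assumption)
    impact: float       # loss in $M when it occurs (assumption)


def baseline_scenarios(p_direct_ot):
    """Two independent outage scenarios for one site; only the direct-OT
    probability is varied, since that is the disputed number."""
    return [
        Scenario("it_ransomware_outage", 0.10, 2.0),      # frequent, moderate
        Scenario("direct_ot_attack", p_direct_ot, 10.0),  # rare?, severe
    ]


def expected_annual_loss(scenarios):
    """Closed-form annualized loss expectancy: sum of probability x impact."""
    return sum(s.p_per_year * s.impact for s in scenarios)


def apply_controls(scenarios, likelihood_factor=1.0, impact_factor=1.0, only=None):
    """Return scenarios with likelihood and/or impact scaled. `only` limits
    the change to named scenarios (OT hardening touches only direct-OT
    attacks); with only=None the control applies to every scenario (the
    assumption made here for impact-reduction measures such as manual
    operations and tested recovery)."""
    out = []
    for s in scenarios:
        if only is None or s.name in only:
            out.append(Scenario(s.name, s.p_per_year * likelihood_factor,
                                s.impact * impact_factor))
        else:
            out.append(s)
    return out


def compare_options(p_direct_ot):
    """Expected annual loss avoided by each spend option under a given belief
    about how often direct attacks on OT occur."""
    base = baseline_scenarios(p_direct_ot)
    baseline = expected_annual_loss(base)
    opt_likelihood = apply_controls(base, likelihood_factor=0.5, only={"direct_ot_attack"})
    opt_impact = apply_controls(base, impact_factor=0.5)
    return {
        "baseline": baseline,
        "avoided_by_likelihood_reduction": baseline - expected_annual_loss(opt_likelihood),
        "avoided_by_impact_reduction": baseline - expected_annual_loss(opt_impact),
    }


def simulate_annual_loss(scenarios, years=200_000, seed=7):
    """Monte Carlo estimate of the same quantity: draw each scenario as a
    Bernoulli trial per simulated year and average the loss."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        for s in scenarios:
            if rng.random() < s.p_per_year:
                total += s.impact
    return total / years


if __name__ == "__main__":
    for label, p in [("public-data belief", 0.005), ("private-data belief", 0.05)]:
        r = compare_options(p)
        print(f"{label}: p={p:.3f}/yr  baseline ALE ${r['baseline']:.3f}M  "
              f"likelihood spend avoids ${r['avoided_by_likelihood_reduction']:.3f}M  "
              f"impact spend avoids ${r['avoided_by_impact_reduction']:.3f}M")
```

With the public-data frequency (0.5 %/yr) the impact option avoids five times as much expected loss as the likelihood option; at the higher private-data frequency (5 %/yr) the gap narrows to 1.4x. The model does not decide the question, it shows that the answer hinges on the frequency input, which is exactly the number the public and private data disagree on.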
After this long article, the solution is simple. Those with the best data, the private data, should share summary data that answers the question.
We can’t expect these organizations to provide the sensitive details, but the overall data in categories would be very helpful and answer the question. How much you can categorize the data is based on the volume of the data. For example, if you only have 20 total incidents then breaking it down by sector is of lesser value.
Here is what I would suggest:
The data set would combine public and private incident information. Unfortunately no two data sets would be the same since each organization would have their own private incident information.
Top Level:
Total Number of Incidents With Physical Consequences (the Waterfall ICSSTRIVE criteria)
Second Level:
Categorize Each Incident By Cause As:
1. Cyber Incident On IT Causing Physical Consequences
2. Cyber Incident On OT Causing Physical Consequences Due To Internet Connection
3. Cyber Incident On OT Causing Physical Consequences Not Due To Internet Connection
Categorize Each Incident By Consequence As:
- High Consequence
- Medium Consequence
- Low Consequence
This would then help people like me and most asset owners without access to the private information. The key number to look at would be the count for the third cause category, Cyber Incident On OT Causing Physical Consequences Not Due To Internet Connection, and the breakdown of consequence level within that count.
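As an added example (not part of the article), the tally below turns a list of incident records into the top-level and second-level numbers proposed above, pulls out the key number with its consequence breakdown, and withholds a sector split until the volume is large enough for it to mean anything. The incident records are constructed to exercise the code and are not real incidents; the 20-incident threshold is an assumption taken from the article's own example.

```python
"""
Added example, not from the article: tally a constructed incident list into
the top-level and second-level categories proposed above. The records are
made up to exercise the code and are not real incidents.
"""
from collections import Counter

# Cause categories in the order listed above; the third is the key number.
CAUSES = (
    "Cyber Incident On IT Causing Physical Consequences",
    "Cyber Incident On OT Causing Physical Consequences Due To Internet Connection",
    "Cyber Incident On OT Causing Physical Consequences Not Due To Internet Connection",
)
KEY_CAUSE = CAUSES[2]
CONSEQUENCES = ("High", "Medium", "Low")

# Constructed sample records (hypothetical). A real data set would hold one
# record per incident with physical consequences, public or private.
SAMPLE_INCIDENTS = [
    {"id": "inc-01", "cause": CAUSES[0], "consequence": "Medium", "sector": "manufacturing"},
    {"id": "inc-02", "cause": CAUSES[0], "consequence": "Low", "sector": "food"},
    {"id": "inc-03", "cause": CAUSES[0], "consequence": "High", "sector": "manufacturing"},
    {"id": "inc-04", "cause": CAUSES[1], "consequence": "Low", "sector": "water"},
    {"id": "inc-05", "cause": CAUSES[1], "consequence": "Low", "sector": "water"},
    {"id": "inc-06", "cause": CAUSES[2], "consequence": "High", "sector": "electric"},
    {"id": "inc-07", "cause": CAUSES[2], "consequence": "Medium", "sector": "water"},
    {"id": "inc-08", "cause": CAUSES[0], "consequence": "Low", "sector": "logistics"},
]


def validate(incident):
    """Reject records outside the agreed categories so that counts published
    by different organizations stay comparable."""
    if incident.get("cause") not in CAUSES:
        raise ValueError(f"{incident.get('id')}: unknown cause {incident.get('cause')!r}")
    if incident.get("consequence") not in CONSEQUENCES:
        raise ValueError(
            f"{incident.get('id')}: unknown consequence {incident.get('consequence')!r}")


def summarize(incidents, min_for_sector_breakdown=20):
    """Top level: total incidents with physical consequences.
    Second level: counts by cause and by consequence, plus the consequence
    breakdown for the key cause. A sector split is only emitted once the
    volume reaches the (assumed) threshold."""
    for inc in incidents:
        validate(inc)
    by_cause = Counter(inc["cause"] for inc in incidents)
    by_consequence = Counter(inc["consequence"] for inc in incidents)
    key = Counter(inc["consequence"] for inc in incidents if inc["cause"] == KEY_CAUSE)
    summary = {
        "total_with_physical_consequences": len(incidents),
        "by_cause": {c: by_cause.get(c, 0) for c in CAUSES},
        "by_consequence": {c: by_consequence.get(c, 0) for c in CONSEQUENCES},
        "key_number": by_cause.get(KEY_CAUSE, 0),
        "key_number_by_consequence": {c: key.get(c, 0) for c in CONSEQUENCES},
        "by_sector": None,  # too few incidents for a meaningful split
    }
    if len(incidents) >= min_for_sector_breakdown:
        summary["by_sector"] = dict(Counter(inc["sector"] for inc in incidents))
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_INCIDENTS), indent=2))
```

On the eight constructed records the key number is 2 (one High, one Medium), and the sector split is suppressed because the total is below the threshold; three copies of the list would cross it and the split would appear.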