My favorite OT security vendor threat / incident report was released last week: The Waterfall / ICS Strive 2026 OT Cyber Threat Report. It’s my favorite because of their criteria of “cyber incidents causing physical impacts” and because they include the data on each incident so you can analyze it yourself.

If you want a TL;DR: The number of publicly revealed cyber incidents causing physical impacts in 2025 remained very small and largely unchanged from the number and impact in 2022 – 2024.

More detailed comments and analysis:

  1. Huge credit to Waterfall / ICS STRIVE for leading the report by acknowledging the number of incidents in 2025 decreased by 25% from 2024. It’s rare, even for this report, to not lead with a stat written to be picked up and hyped by the media and many OT security conference presentations.
  2. They couldn’t resist a hype stat in the 2nd paragraph. “Nation-state and hacktivist attacks doubled.” The raw numbers were 7 in 2024 and 14 in 2025. Very small and very small. They also could have written nation-state attacks decreased by 50% (from 6 to 3). To be fair they have lumped these two threat agent categories together in past reports. The hacktivist attacks increased 11-fold (from 1 to 11). It’s all small numbers so percentages aren’t useful for analysis.
  3. The 2025 Report hype line was on the number of sites impacted, “2024 saw a 146% increase in sites suffering physical impairment of operations because of cyber attack.” This was largely due to three incidents hitting 600, 200, and 156 sites, and this stat was the lede in many articles on the report and threat over the last year. The number of sites impacted is not in the 2026 report. Hmm. It’s a good decision to omit this stat regardless of the reason.
  4. 23 of the 57 incidents in 2025 were ransomware, on IT or OT, that affected Operatons. This is down from 45 ransomware caused incidents in 2024. This decrease in ransomware caused incidents largely accounts for the overall decrease in the 2025 data.

The (subliminal?) choice of the iceberg graphic on the cover page was interesting and not mentioned in the text. The report does acknowledge there are more incidents that are not made public, and it doesn’t attempt to characterize the percentage.

Thanks to Waterfall and ICS STRIVE for continuing to put out this report, particularly the data set in Appendix A.

The post Number Of Cyber Incidents With A Physical Impact Down In 2025 appeared first on Dale Peterson: ICS Security Catalyst.