From Network Breach to Physical Consequence
Industrial cybersecurity crossed a threshold in 2025. Adversaries are no longer satisfied with encrypting files or stealing data — they are learning how factories, pipelines, and water treatment plants actually work.
According to the Dragos 2026 OT Cybersecurity Year in Review, Dragos now tracks 26 OT-focused threat groups globally, with 11 active during 2025. Three of those groups — SYLVANITE, AZURITE, and PYROXENE — were newly identified during the reporting period and represent a qualitative shift in adversary sophistication: they are not simply exploiting known vulnerabilities, they are learning the process logic of industrial systems before striking.
This distinction is operationally critical. A threat actor who has mapped the relationship between a sensor, a controller, and a physical actuator can cause targeted physical damage — a pipeline overpressure, a motor burnout, a water treatment dosing error — without ever touching a business IT system. The attack surface has moved from the server room to the shop floor.
The Numbers Behind the Shift
Ransomware impacting industrial organisations surged 49% year-on-year in 2025, affecting 3,300 organisations globally. The Dragos report identifies 119 ransomware groups capable of affecting operational environments — up from 80 in 2024 — with manufacturing absorbing over two-thirds of all ransomware victims in the industrial sector.
Three threat-group profiles from the 2026 report illustrate the breadth of the new threat landscape:
KAMACITE systematically mapped U.S. infrastructure control loops, targeting human-machine interfaces (HMIs), variable frequency drives, and remote gateways to understand exactly how commands originate, travel through a network, and affect physical systems. The group also expanded operations into European supply chains.

SYLVANITE operates as an access broker: it rapidly exploits internet-facing vulnerabilities in products from Ivanti, F5, SAP, and ConnectWise to establish footholds, then hands that access to more capable groups.

PYROXENE conducts supply chain compromises targeting the aviation, aerospace, defence, and maritime sectors, positioning itself inside vendor networks so that a single compromise reaches multiple asset owners.
One data point in the Dragos report is particularly revealing: organisations with strong OT-specific visibility contained incidents in 5 days on average, versus the 42-day industry average for those without it. Visibility is not a nice-to-have; it shortens containment by roughly eight times.
Why Control Loop Mapping Changes the Risk Equation
Traditional OT security thinking assumed that disruption required direct access to a programmable logic controller (PLC) or a distributed control system (DCS). The 2026 Dragos findings invalidate that assumption.
According to the SANS Institute’s analysis of the Dragos report, “OT disruption often occurs without touching controllers.” Adversaries have learned that virtualisation platforms, identity systems, and engineering workstation software — which sit adjacent to the control plane — are sufficient to cause operational outages. VOLTZITE, a more established group tracked in the same report, manipulated engineering workstation software and compromised Sierra Wireless gateways inside U.S. pipeline networks — without ever writing a rogue command to a PLC.
The control loop mapping activity documented for KAMACITE goes further. By systematically harvesting alarm thresholds, safety system activation conditions, sensor-controller relationships, and operator shift information, an adversary constructs a digital replica of the physical process. That replica can then be used to time an attack for maximum physical impact — targeting a turbine during a peak-load cycle, or manipulating a safety interlock to prevent an emergency shutdown.
What Industrial Security Teams Should Do About It
1. Audit Every Internet-Facing OT Asset This Quarter
SYLVANITE’s success depends on organisations leaving Ivanti, F5, SAP NetWeaver, and ConnectWise products exposed to the internet without current patches. Under the access-broker model a single unpatched gateway can be sold on to several groups, so one missed patch becomes several intrusions. Conduct an authenticated scan of all internet-reachable assets in the OT/IT DMZ. Any device that has not been patched within the last 60 days should be treated as potentially compromised until verified: check for unexpected accounts, web shells, and outbound connections, not just the patch level. Use network segmentation so that even a compromised DMZ asset cannot reach the process control network directly, and verify the rule set with a connectivity test from the DMZ side rather than trusting the firewall policy document.
2. Deploy OT-Specific Network Visibility Before Year-End
The 5-day versus 42-day containment gap is largely attributable to passive OT visibility tools (such as the Dragos Platform, Forescout, or Nozomi Networks) that baseline normal process communications and alert on anomalous command sequences. Business IT security tools do not close this gap: a SIEM has no parser for Modbus, DNP3, or EtherNet/IP, and an EDR agent cannot be installed on a PLC, so neither can detect HMI enumeration or control loop reconnaissance. Organisations without a dedicated OT monitoring layer are flying blind. Budget this for H2 2026 if it is not already in place.
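As an added illustration of what such a tool does under the hood (example code written for this article, not the Dragos, Forescout, or Nozomi product and not from the report), the Python below parses Modbus/TCP requests, learns during a baseline window which master talks to which PLC unit with which function codes and register ranges, and then raises alerts for a peer absent from the baseline, a write function code that master never used, a write outside the baselined register range, and a sweep across unit IDs of the kind used for device enumeration. All hosts, addresses, and frames are constructed, and the enumeration threshold is an assumption.

```python
"""Passive Modbus/TCP baseline detector (added example, constructed traffic).

Learn normal master -> PLC traffic, then alert on: a peer absent from the
baseline, a write function code the master never used, a read or write
outside the baselined address range, and a sweep across unit IDs.
"""
import struct
from collections import defaultdict

READ_FCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding regs / input regs
WRITE_FCS = {5, 6, 15, 16}     # write single coil / single reg / multiple coils / multiple regs
ENUM_THRESHOLD = 4             # assumption: distinct unit IDs from one source before alerting


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the MBAP header and the address/quantity fields of the common PDUs."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    rec = {"tid": tid, "unit": unit, "fc": fc, "addr": None, "count": 0}
    if fc in READ_FCS or fc in (15, 16):           # start address + quantity
        rec["addr"], rec["count"] = struct.unpack(">HH", payload[8:12])
    elif fc in (5, 6):                             # address + single value
        rec["addr"], rec["count"] = struct.unpack(">H", payload[8:10])[0], 1
    return rec


def build_frame(tid, unit, fc, addr, qty_or_value, data=b""):
    """Build a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = struct.pack(">BHH", fc, addr, qty_or_value) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class ModbusBaseline:
    def __init__(self):
        self.addrs = defaultdict(lambda: defaultdict(set))  # (src, dst) -> fc -> addresses
        self.units = defaultdict(set)                       # (src, dst) -> unit IDs seen
        self.probed = defaultdict(set)                      # src -> unit IDs touched in detection
        self.new_peers = set()                              # peers already alerted on

    def learn(self, src, dst, rec):
        key = (src, dst)
        self.units[key].add(rec["unit"])
        if rec["addr"] is not None:
            self.addrs[key][rec["fc"]].update(range(rec["addr"], rec["addr"] + rec["count"]))

    def check(self, src, dst, rec):
        key, fc, alerts = (src, dst), rec["fc"], []
        self.probed[src].add(rec["unit"])
        if len(self.probed[src]) == ENUM_THRESHOLD:        # fires once per source
            alerts.append(f"UNIT_ENUMERATION {src} probed {ENUM_THRESHOLD} distinct unit IDs")
        if key not in self.units:                           # host never seen talking to this PLC
            if key not in self.new_peers:
                self.new_peers.add(key)
                alerts.append(f"NEW_PEER {src}->{dst} speaks Modbus but is absent from baseline")
            return alerts
        known = self.addrs[key]
        if fc not in known:
            tag = "NEW_WRITE_FC" if fc in WRITE_FCS else "NEW_FC"
            alerts.append(f"{tag} {src}->{dst} fc={fc} never seen from this master")
        elif rec["addr"] is not None:
            outside = sorted(set(range(rec["addr"], rec["addr"] + rec["count"])) - known[fc])
            if outside:
                alerts.append(f"OUT_OF_BASELINE_ADDR {src}->{dst} fc={fc} addrs={outside}")
        if rec["unit"] not in self.units[key]:
            alerts.append(f"NEW_UNIT_ID {src}->{dst} unit={rec['unit']}")
        return alerts


HMI, EWS, PLC, ROGUE = "10.1.1.10", "10.1.1.50", "10.1.2.20", "10.1.1.99"   # constructed hosts


def run_demo():
    bl = ModbusBaseline()
    # baseline window: the HMI polls holding registers 0-9 and writes setpoint register 40 on unit 1
    for tid in range(3):
        bl.learn(HMI, PLC, parse_modbus_tcp(build_frame(tid, 1, 3, 0, 10)))
    bl.learn(HMI, PLC, parse_modbus_tcp(build_frame(3, 1, 6, 40, 1200)))
    # detection window, constructed
    traffic = [
        (HMI, PLC, build_frame(10, 1, 3, 0, 10)),                              # normal poll
        (HMI, PLC, build_frame(11, 1, 6, 41, 1500)),                           # write to a register never written
        (HMI, PLC, build_frame(12, 1, 16, 100, 2, b"\x04\x00\x01\x00\x02")),   # write FC the HMI never used
        (EWS, PLC, build_frame(13, 1, 3, 0, 10)),                              # engineering workstation not baselined
    ] + [(ROGUE, PLC, build_frame(20 + u, u, 3, 0, 1)) for u in range(1, 5)]  # unit-ID sweep
    alerts = []
    for src, dst, frame in traffic:
        alerts.extend(bl.check(src, dst, parse_modbus_tcp(frame)))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run as a script it prints the five alerts produced by the constructed traffic. A production sensor would read the same frames from a SPAN port or TAP rather than hand-built bytes, and would baseline over days rather than four requests, but the logic is the same: the anomaly is not an exploit, it is a command the process has never needed before.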
3. Inventory Engineering Workstations and Limit Remote Access
AZURITE and PYROXENE both target engineering workstations because they are the authoritative source of configuration files, network diagrams, alarm thresholds, and GIS data — exactly the control loop intelligence that advanced adversaries seek. Every engineering workstation should be inventoried, patched on a fixed cycle, and accessible only through a hardened jump server with multi-factor authentication. Remote access sessions should be recorded and anomalous off-hours connections should trigger immediate alerts.
4. Extend Third-Party Risk Management to System Integrators
The Dragos report explicitly flags engineering firms, system integrators, and managed service providers as priority targets — one compromised integrator gives an adversary access to dozens of asset owners. Require all third parties with remote or on-site access to OT environments to complete an annual OT security assessment, demonstrate network segmentation between customer environments, and notify you within 24 hours of any security incident on their own infrastructure. The same supply chain logic that brought PYROXENE into aerospace and defence networks applies to any sector that relies on external commissioning or maintenance.
5. Run an Annual Control Loop Documentation Audit
If an adversary is trying to map your control loops, the asymmetry of knowledge matters: they need months to reconstruct what your own engineers already know, or should know. Commission an annual review that documents, for each critical process unit: the sensor-controller-actuator chain, the safety interlock logic, the alarm thresholds, and the manual override procedures. Store this documentation in an air-gapped system with an integrity check, so the copy you compare against cannot itself have been altered. Any deviation between the live configuration and the documented baseline that is not backed by a change record should be treated as an indicator of compromise; during an active incident it is a priority lead.
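The audit step above is easier to act on if the documentation is machine-readable. The Python below is an added example (not from the Dragos report and not any vendor's tool) of how the archived baseline can be sealed with an HMAC so that a tampered copy is rejected before it is trusted, and how a live configuration snapshot is diffed against it with deviations ranked: a disabled interlock is critical, a raised trip point or a re-pointed actuator is high, an undocumented loop is medium. The process unit, loop tags, thresholds, and key are all constructed placeholders.

```python
"""Sealed control-loop baseline and deviation check (added example, constructed data).

The documented sensor -> controller -> actuator chain, alarm thresholds and
interlock state for one process unit are stored with an HMAC so a tampered
archive copy is detected, then a live configuration snapshot is diffed against it.
"""
import hashlib
import hmac
import json

BASELINE_KEY = b"placeholder-key-held-only-on-the-air-gapped-archive"   # assumption

BASELINE = {   # constructed documentation for one process unit
    "unit": "pump-station-3",
    "loops": {
        "PIC-301": {"sensor": "PT-301", "controller": "PLC-3:FB12", "actuator": "PCV-301",
                    "alarm_hi": 85.0, "alarm_hihi": 92.0, "interlock_enabled": True,
                    "override": "local HOA switch, logged by shift supervisor"},
        "FIC-302": {"sensor": "FT-302", "controller": "PLC-3:FB14", "actuator": "FCV-302",
                    "alarm_hi": 400.0, "alarm_hihi": 450.0, "interlock_enabled": True,
                    "override": "manual bypass valve FV-302A"},
    },
}

CHAIN_FIELDS = ("sensor", "controller", "actuator")
THRESHOLD_FIELDS = ("alarm_hi", "alarm_hihi")


def canonical(doc: dict) -> bytes:
    """Deterministic serialisation so the same document always hashes the same way."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def seal(doc: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag; the key never leaves the air-gapped archive."""
    return {"doc": doc, "tag": hmac.new(key, canonical(doc), hashlib.sha256).hexdigest()}


def verify(sealed: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(sealed["doc"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def diff_loops(baseline: dict, live: dict) -> list:
    """Return (severity, loop, detail) for every way the live config departs from the baseline."""
    findings = []
    base_loops, live_loops = baseline["loops"], live["loops"]
    for name in sorted(set(base_loops) | set(live_loops)):
        bs, lv = base_loops.get(name), live_loops.get(name)
        if bs is None:
            findings.append(("MEDIUM", name, "loop present in live config but undocumented"))
            continue
        if lv is None:
            findings.append(("MEDIUM", name, "documented loop missing from live config"))
            continue
        if bs["interlock_enabled"] and not lv.get("interlock_enabled", False):
            findings.append(("CRITICAL", name, "safety interlock disabled"))
        for f in CHAIN_FIELDS:                       # loop re-pointed to another device
            if lv.get(f) != bs[f]:
                findings.append(("HIGH", name, f"{f} changed {bs[f]} -> {lv.get(f)}"))
        for f in THRESHOLD_FIELDS:
            if f not in lv:
                findings.append(("MEDIUM", name, f"{f} missing from live config"))
            elif lv[f] != bs[f]:                     # a raised limit suppresses the alarm
                sev = "HIGH" if lv[f] > bs[f] else "MEDIUM"
                findings.append((sev, name, f"{f} changed {bs[f]} -> {lv[f]}"))
    return findings


def run_demo() -> tuple:
    sealed = seal(BASELINE, BASELINE_KEY)
    live = json.loads(json.dumps(BASELINE))          # constructed live snapshot: copy, then tamper
    live["loops"]["PIC-301"]["alarm_hihi"] = 110.0     # trip point raised past the documented limit
    live["loops"]["PIC-301"]["interlock_enabled"] = False
    live["loops"]["FIC-302"]["actuator"] = "FCV-302B"  # loop now drives a different valve
    live["loops"]["TIC-999"] = {"sensor": "TT-999", "controller": "PLC-3:FB99", "actuator": "TCV-999",
                                "alarm_hi": 1.0, "alarm_hihi": 2.0, "interlock_enabled": False, "override": ""}
    tampered = json.loads(json.dumps(sealed))          # adversary also edits the archived baseline
    tampered["doc"]["loops"]["PIC-301"]["alarm_hihi"] = 110.0
    return verify(sealed, BASELINE_KEY), verify(tampered, BASELINE_KEY), diff_loops(sealed["doc"], live)


if __name__ == "__main__":
    ok, tampered_ok, findings = run_demo()
    print("baseline integrity:", ok, "| tampered copy accepted:", tampered_ok)
    for sev, loop, detail in findings:
        print(f"{sev:8} {loop:8} {detail}")
```

The integrity tag matters because the baseline is the thing an adversary who has mapped your loops would most like to edit: if the archived trip point already reads 110, the comparison finds nothing. Keying the tag to a secret that exists only on the air-gapped system keeps the comparison honest even if the engineering network is fully compromised.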
The Bigger Picture: OT Risk Is Now Board-Level Risk
The 2026 Dragos data captures something that quarterly threat bulletins rarely state plainly: the convergence of IT and OT networks, driven by cloud connectivity, remote monitoring, and digital twin adoption, has eliminated the “air gap advantage” that industrial operators relied upon for decades.
With 119 ransomware groups now capable of affecting operational environments, and three newly identified groups specifically focused on understanding the physical consequences of a cyberattack, the risk profile for industrial operators has shifted from “we might get encrypted” to “we could lose physical control of a process.” Insurance carriers and regulators are catching up: the EU’s NIS2 Directive brings energy, water, transport, and manufacturing operators into scope as essential or important entities, and the U.S. TSA pipeline security directives mandate OT-specific incident response planning.
The organisations that will navigate this environment well are those that treat OT security not as an IT sub-problem, but as a discipline in its own right — with its own visibility tools, its own incident response playbooks, and its own board-level reporting cadence. The 5-day containment benchmark is achievable. The 42-day average is not a technology limitation: it is an investment decision waiting to be made.
Frequently Asked Questions
What makes the Dragos 2026 OT report different from previous years?
The 2025 reporting period marks the first time Dragos has documented adversaries systematically mapping industrial control loops — the sensor-controller-actuator relationships that govern physical processes — rather than simply exploiting network access for data theft or ransomware deployment. This shift from IT-focused intrusion to OT-process intelligence gathering represents a qualitative escalation in adversary capability and intent.
Which industries are most at risk from the 2025 OT threat surge?
Manufacturing absorbed over two-thirds of all industrial ransomware victims in 2025. Energy (electric utilities and pipelines), water and wastewater utilities, and the aerospace/defence supply chain also face elevated risk based on the threat-group profiles documented in the Dragos 2026 report, particularly from KAMACITE (energy/infrastructure), AZURITE (manufacturing and defence), and PYROXENE (aviation and maritime).
What is the single most important control for OT environments in 2026?
The Dragos data points to OT-specific network visibility as the highest-leverage control: organisations with dedicated OT monitoring contained incidents in 5 days versus the 42-day industry average. Passive monitoring tools that understand industrial protocols (Modbus, DNP3, EtherNet/IP) are the foundation. Without that visibility layer, no amount of patching or policy writing will close the detection gap.
Sources & Further Reading
- Dragos 2026 OT Cybersecurity Report: Key Findings — Kiteworks
- Dragos Releases 2026 OT/ICS Cybersecurity Report — Manufacturing Management
- Top Takeaways from the Dragos OT Cybersecurity Report 2026 — SANS Institute
- Dragos OT Cybersecurity Year in Review — BusinessWire
- Dragos Releases 2026 OT/ICS Cybersecurity Report — Manufacturing Management UK