Key Takeaways
- Operational Technology (OT) systems are increasingly targeted as IT/OT convergence expands the attack surface.
- In the 12‑month period ending March 2025, industrial organisations suffered 2,073 ransomware attacks, an average of 29.6% of all ransomware activity each month.
- Capital‑goods manufacturers were the most affected, accounting for 1,192 of the total incidents, especially in the machinery (442 attacks) and construction & engineering (394 attacks) sub‑sectors.
- OT disruptions can halt production, interrupt essential services, and threaten public safety, moving the risk beyond mere data loss.
- Experts warn that many organisations still prioritise IT security while underestimating OT exposure, leaving them vulnerable to operational, regulatory, and safety consequences.
- Regulatory frameworks such as the UK’s Network and Information Systems (NIS) Regulations, the Cybersecurity Act, and sector‑specific guidance now explicitly require cyber‑risk management across both IT and OT environments.
- Effective OT risk management demands treating OT with the same rigor as IT, including proportionate technical controls, organisational measures, incident‑reporting protocols, and supply‑chain security.
Overview of OT and IT/OT Convergence
Operational Technology (OT) encompasses the hardware and software that monitor, control, and interact directly with physical processes—think of programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and distributed control systems (DCS) that keep factories, power plants, water treatment facilities, and transportation networks running. Over the past few years, the line between OT and traditional Information Technology (IT) has blurred as organisations pursue IT/OT convergence to gain real‑time analytics, predictive maintenance, and streamlined operations. This convergence integrates data‑management platforms, cloud services, and corporate networks with the once‑isolated OT layer, creating a unified but also expanded attack surface. While convergence delivers operational efficiencies, it also exposes legacy OT components—often designed without modern security considerations—to the same threats that plague IT environments, such as ransomware, credential theft, and lateral movement by adversaries seeking to maximise impact.
Ransomware Attack Statistics for Industrial Sector
According to analysis from global cybersecurity firm NCC Group covering the 12‑month window from March 2024 to March 2025, industrial organisations were the most targeted sector for ransomware, experiencing 2,073 confirmed attacks. This figure translates to an average of 29.6% of all ransomware activity observed each month, consistently topping the threat landscape throughout the period. The sheer volume underscores a strategic shift by threat actors: rather than focusing solely on data exfiltration or financial extortion in typical IT settings, attackers are increasingly seeking to cripple OT‑dependent operations where downtime can translate directly into halted production lines, stalled supply chains, and potential threats to public safety. The concentration of attacks in this sector highlights both the high value of disrupting industrial processes and the perceived likelihood of success given historic underinvestment in OT security.
Impact of OT Disruptions
When ransomware successfully encrypts or disables OT assets, the consequences extend far beyond the loss of corporate data. Production lines can grind to a halt, leading to immediate revenue loss and downstream effects on customers who rely on just‑in‑time deliveries. Essential services—such as electricity generation, water purification, or gas distribution—may be interrupted, jeopardising public health and safety. In extreme cases, compromised safety‑instrumented systems could fail to prevent hazardous conditions, putting workers and nearby communities at risk. Moreover, the reputational damage from a prolonged outage can erode stakeholder trust, trigger regulatory investigations, and invite costly litigation. Thus, OT‑centric cyber incidents constitute a blend of business continuity, national resilience, and public‑safety concerns that demand a holistic risk‑management approach.
Sector‑Specific Vulnerabilities: Capital Goods
Within the broader industrial umbrella, capital‑goods organisations—those that design, manufacture, and supply machinery, equipment, and infrastructure—bore the brunt of the ransomware wave, accounting for 1,192 of the 2,073 attacks observed. Breaking this down further, the machinery sub‑sector endured 442 incidents, while construction and engineering firms faced 394 attacks. These sub‑sectors are particularly reliant on OT for precision manufacturing, automated assembly lines, and heavy‑equipment control, making them attractive targets for adversaries seeking maximum operational disruption. The high attack frequency also reflects the complex, often heterogeneous OT environments found in capital‑goods facilities, where legacy systems coexist with newer, network‑enabled devices, creating numerous potential entry points for ransomware payloads.
Expert Perspectives on OT Risk Underestimation
Ray Robinson, OT Director at NCC Group, emphasised a common shortcoming in organisational cyber‑strategy: “Many organisations continue to prioritise IT security while underestimating the exposure of their operational environments.” He noted that when OT systems are disrupted, the impact transcends data loss—production can halt, essential services can be curtailed, and, in certain scenarios, lives can be endangered. Katarina Sommer, Global Head of Government Affairs and Analyst Relations at NCC Group, echoed this sentiment, warning that regulators now view OT as squarely within the scope of cyber‑resilience obligations, especially when those systems underpin essential services or public safety. She cautioned that focusing compliance efforts solely on IT leaves organisations exposed to operational, regulatory, and safety repercussions, urging a parity of effort between IT and OT risk management.
Regulatory Landscape: NIS, Cybersecurity Act, Guidance
The rising tide of OT‑focused attacks has prompted regulators to tighten expectations. In the United Kingdom, the Network and Information Systems (NIS) Regulations mandate that operators of essential services implement proportionate technical and organisational measures to manage cyber risk across both IT and OT domains. Complementing this, the Cybersecurity Act and a series of updated sector‑specific guidance documents reinforce requirements around OT governance, incident reporting, resilience planning, and supply‑chain security. These frameworks collectively shift the paradigm from voluntary best practice to enforceable obligation, requiring organisations to conduct regular risk assessments, maintain asset inventories, segment networks, apply patch management where feasible, and develop tested response plans that address OT‑specific scenarios such as process‑shutdown or safety‑system failure.
Conclusion and Recommendations
The data presented by NCC Group makes clear that OT environments are no longer peripheral concerns but central battlegrounds in the cyber‑threat landscape. IT/OT convergence, while delivering operational benefits, has amplified the attack surface, making industrial organisations—especially capital‑goods manufacturers—prime targets for ransomware that can halt production, disrupt supply chains, and endanger public safety. To mitigate these risks, organisations must elevate OT security to the same strategic level as IT: conduct comprehensive OT risk assessments, enforce strict network segmentation, maintain up‑to‑date inventories of legacy and modern devices, invest in monitoring tools capable of detecting anomalous OT behaviour, and ensure incident‑response plans include OT‑specific playbooks. Aligning these measures with regulatory expectations under NIS, the Cybersecurity Act, and sector guidance will not only reduce the likelihood of successful attacks but also bolster national resilience and protect the safety of communities that depend on uninterrupted industrial operations.

