OT and ICS Security Strategies for CISOs to Protect Critical Infrastructure
Industrial organisations are facing unprecedented pressure as cyber adversaries increasingly set their sights on operational technology (OT) and industrial control systems (ICS).
The past year saw a significant surge in ransomware attacks, newly disclosed vulnerabilities and wider exposure of critical infrastructure environments.
OT security provider Dragos said it observed 3300 industrial organisations hit by ransomware in 2025, compared with 1693 in 2024. The firm recorded a total of 119 ransomware groups targeting industrial organisations in 2025, a 49% increase from the 80 tracked the year before.
Additionally, security vendor Cyble found that disclosed vulnerabilities in ICS doubled in 2025, with 2451 flaws observed, up from 1690 in 2024.
This rise in reported ICS vulnerabilities is partly due to a growth in exploitation by cyber threat actors, who increasingly scour for security gaps in human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems.
Cyble’s findings showed manufacturing and healthcare – both heavily dependent on ICS systems – as the leading ransomware targets, while Dragos’ telemetry data ranked manufacturing and transportation as the most targeted industries.
Hacking groups known for targeting ICS and OT systems specifically include all types of adversaries:
- Nation-state and state-aligned groups like Kamacite and Electrum, two groups associated with Russian interests and allegedly responsible for Ukraine’s 2015 and 2016 power outages, and Azurite, a newly-identified Chinese-aligned group that overlaps with Flax Typhoon (aka Ethereal Panda)
- Ransomware gangs like Clop
- Hacktivist groups like Z-Pentest, Dark Engine (aka Infrastructure Destruction Squad) and Sector 16
Security vendors are not the only ones observing heightened cyber threats to industrial systems.
The UK’s National Cyber Security Centre (NCSC) issued an alert to CNI providers, urging them to act now to protect against “severe” cyber threats.
The alert came in February 2026, following coordinated cyber-attacks which targeted Poland’s energy infrastructure with malware in December.
Recommended Security Implementations for OT Organisations
In a recent interview with Infosecurity Magazine, Darren Curley, CTO at National Gas, shared valuable insights on securing OT and safeguarding Critical National Infrastructure (CNI).
Curley emphasised the importance of simplifying security architectures, aligning IT and OT strategies and fostering collaboration between CTOs, CISOs and security teams.
Simplify Security Architectures
At National Gas, Curley told Infosecurity he has chosen to simplify the security tech stack used in the organisation and standardise approaches across enterprise IT, OT systems and CNI infrastructure.
His recommendations to other CISOs and CTOs included:
- Consolidating security tools: avoid tool sprawl by standardising on a core set of vendors
- Unifying security policies: apply consistent security controls across IT, OT and CNI domains (e.g. same firewall rules, but with OT-specific adaptations)
- Reducing supply chain risks by limiting third-party software dependencies to minimise attack surfaces
- Adopting a "white room" approach in which you restrict external devices in OT environments to prevent insider threats (e.g. no USB drives, strict device whitelisting)
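The "white room" rule above (no unapproved external devices, strict device whitelisting) is easiest to reason about as a default-deny allowlist. The following Python is an added example written for this page, not code from National Gas or the article: the vendor/product IDs and serial numbers are constructed, and the comment about enforcing the decision through the Linux USB `authorized` sysfs attribute describes one assumed deployment, not a step the article gives.

```python
"""Default-deny USB device allowlist for an OT engineering workstation.

Added example, not from the article. The policy is: a device is authorised
only if it matches an explicit allowlist entry, and removable storage is
only ever accepted when pinned to an individual serial number. On a Linux
host the 'deny' decision would be enforced by writing 0 to
/sys/bus/usb/devices/<dev>/authorized from a udev rule (assumed deployment).
"""
from dataclasses import dataclass

HID_CLASS = 0x03           # USB interface class: keyboards, mice
MASS_STORAGE_CLASS = 0x08  # USB interface class: removable storage
ANY_SERIAL = "*"           # allowlist wildcard: any serial of this model


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: tuple  # interface classes the device exposes


# Constructed allowlist (all IDs are made up for this example):
#  - an approved keyboard model, any serial
#  - one approved removable drive, pinned to its serial number
ALLOWLIST = (
    (0x1A2B, 0x0001, ANY_SERIAL),
    (0x3C4D, 0x0100, "OT-DRIVE-000123"),
)


def is_allowed(dev, allowlist=ALLOWLIST):
    """Default deny: True only on an explicit allowlist match.

    A wildcard-serial entry never authorises mass storage, so a device that
    reuses an approved keyboard's IDs but also exposes a storage interface
    is refused rather than inheriting the keyboard's approval.
    """
    for vid, pid, serial in allowlist:
        if (vid, pid) != (dev.vendor_id, dev.product_id):
            continue
        if serial != ANY_SERIAL and serial != dev.serial:
            continue
        if serial == ANY_SERIAL and MASS_STORAGE_CLASS in dev.interface_classes:
            return False
        return True
    return False


def evaluate(devices, allowlist=ALLOWLIST):
    """Return an audit log with one 'allow'/'deny' line per device, in order."""
    log = []
    for dev in devices:
        decision = "allow" if is_allowed(dev, allowlist) else "deny"
        classes = ",".join(f"{c:02x}" for c in dev.interface_classes)
        log.append(
            f"{decision} usb {dev.vendor_id:04x}:{dev.product_id:04x} "
            f"serial={dev.serial} classes={classes}"
        )
    return log


# Constructed plug-in events, with the decision the policy should reach.
SAMPLE_DEVICES = (
    UsbDevice(0x1A2B, 0x0001, "KB-77", (HID_CLASS,)),                    # approved keyboard: allow
    UsbDevice(0x3C4D, 0x0100, "OT-DRIVE-000123", (MASS_STORAGE_CLASS,)),  # approved drive: allow
    UsbDevice(0x3C4D, 0x0100, "OT-DRIVE-000999", (MASS_STORAGE_CLASS,)),  # same model, other serial: deny
    UsbDevice(0x1A2B, 0x0001, "KB-78", (HID_CLASS, MASS_STORAGE_CLASS)),  # keyboard IDs plus storage: deny
    UsbDevice(0x9999, 0x0002, "PHONE-1", (0x06,)),                        # unknown device: deny
)

if __name__ == "__main__":
    for line in evaluate(SAMPLE_DEVICES):
        print(line)
```

The audit log is the part worth keeping: every denied plug-in event on an OT workstation is a signal the SOC should see, whether it is an engineer's personal phone or a storage device that was never approved.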
Upskill the Workforce
The approach of simplifying the tech stack may add friction between the CTO and other cybersecurity functions, like the CISO or the members of the security operations centre (SOC), Curley admitted.
“Sometimes, one person is used to a certain technology stack, but another one believes it doesn't fall in with our strategy,” he said.
However, he explained that this issue could easily be solved by encouraging collaboration, upskilling people and retraining the workforce on new technologies.
His recommendations to other CISOs and CTOs included:
- Breaking down silos: ensure CISOs, CTOs, SOC analysts and OT engineers collaborate on security decisions (e.g. joint architecture reviews)
- Encouraging cross-training (e.g. IT security teams learning OT basics, OT teams learning cyber hygiene)
Have a Specific Response Plan for Critical Assets (and Test it Regularly)
Compliance for CNI organisations is vital, for instance adherence to the NCSC’s Cyber Assessment Framework (CAF), a collection of best practice security advice for CNI firms that was last updated in August 2025.
His recommendations to other CISOs and CTOs included:
- Following the NCSC’s CAF or any equivalent framework (e.g. NIST Cybersecurity Framework 2.0)
- Prioritising CAF’s Objective D, which is aimed at minimising incident impact
- Developing playbooks to recover critical assets
Enhance Threat Intelligence and Proactive Defence
Cybersecurity and technology leaders at industrial organisations, and especially at CNI entities, ought to follow current events, monitoring evolving geopolitical tensions and potential nation-state threats.
“At National Gas, we've got a team of people whose specific job is to stay up to date with current threats. We also work with Mandiant and rely on them to help map the threats to our company using the MITRE ATT&CK framework,” Curley said.
His recommendations to other CISOs and CTOs included:
- Monitoring geopolitical threats: dedicate a threat monitoring team and subscribe to government and industry-specific threat feeds (e.g. information-sharing analysis centres, or ISACs)
- Implementing continuous vulnerability scanning
Conclusion
As cyber threats to OT and ICS environments continue to escalate, CISOs must take proactive, strategic steps to safeguard critical infrastructure.
By simplifying security architectures, strengthening workforce skills, aligning IT and OT practices and investing in robust threat intelligence, industrial organisations can build the resilience needed to withstand today’s rapidly evolving attack landscape.
Those who elevate OT security today will be best positioned to withstand tomorrow’s evolving industrial cyber threats.