OT attacks shift from recon to physical control, raising stakes

<p>In the Netflix thriller <i>Leave the World Behind</i>, a massive cyberattack plunges the U.S. into a complete electrical and technological blackout. While the scope and scale of the fictional attack are improbable, research suggests real-world malicious hackers are increasingly interested in causing physical harm.</p>
<p>Cyberattacks with physical impact are still rare, with just 57 globally in 2025, according to Waterfall Security Solutions, a cybersecurity vendor headquartered in Rosh Ha’Ayin, Israel. But that might not always be the case, given a disturbing trend recently noted by Washington-based cybersecurity vendor Dragos.</p>
<p>Once inside an operational technology environment, Dragos researchers revealed in the company’s “2026 OT/ICS Cybersecurity Report,” attackers are no longer just conducting reconnaissance, as has long been the norm in <a href="https://www.techtarget.com/searchsecurity/tip/Top-OT-threats-and-security-challenges">OT intrusions</a>. Multiple threat groups, independently and across geopolitical alignments, are now actively mapping control loops and learning how to disrupt physical processes. Their documented activities include accessing and manipulating engineering workstations and exfiltrating configuration files, alarm data and operational intelligence.</p>
<p>“This is the removal of the last practical barrier between having access and being able to cause physical consequences,” the Dragos researchers <a target="_blank" href="https://www.dragos.com/ot-cybersecurity-year-in-review" rel="noopener">wrote</a>. “It indicates that the teams behind these operations are being told to prepare to act, not just to maintain options.”</p>
<section class="section main-article-chapter" data-menu-title="A perfect storm">
<h2 class="section-title"><i class="icon" data-icon="1"></i>A perfect storm</h2>
<p>Analysts said the shift in attacker behavior is troubling but unsurprising, given the confluence of <a target="_blank" href="https://www.darkreading.com/cybersecurity-operations/geopolitics-ai-cybersecurity-insights-rsac-2026" rel="noopener">geopolitical tensions</a>, widely available technical documentation, the democratization of attack toolkits and a decreasing price point for experimentation.</p>
<p>The good news: Organized cybercrime groups typically have little interest in accessing OT and <a href="https://www.techtarget.com/searchsecurity/tip/Top-10-ICS-cybersecurity-threats-and-challenges">industrial control systems</a> (ICSes) to cause physical harm, said Forrester analyst Paddy Harrington. Rather, they want to make money, and hurting innocent people is inherently bad for business.</p>
<p>“Blowing up a pipeline or an oil rig or taking down an operating room in healthcare — because you can actually do that if you compromise the systems enough — leaves a bad taste in everyone’s mouth,” Harrington said. “You’re no longer this Robin Hood figure for taking down Jaguar Land Rover. You hurt people.”</p>
<p>In other words, there is a vast difference between run-of-the-mill cybercriminals and Netflix-style cyberterrorists. Even nation-state threat actors are likely constrained by the principle of mutually assured destruction, knowing that a targeted nation could respond in kind.</p>
<p>The bad news: <a href="https://www.techtarget.com/searchsecurity/feature/AI-powered-attacks-What-CISOSs-need-to-know-now">Generative AI could empower a host of attackers</a> with diverse personal or political motives and an appetite for destruction. Capabilities that were once largely limited to well-funded nation-state groups are now broadly accessible, said Gartner analyst Katell Thielemann.</p>
<p>“My concern is that in the age of AI, where technical drawings and process manuals can be ingested at will from public sources, we may not just be dealing with attackers ‘being told to prepare to act,’” per the Dragos report, Thielemann said. “Hacktivists or anyone determined enough, with any kind of motive, can learn about these control loops.”</p>
<p>Harrington noted that larger attack groups are already using open source models to build their own <a target="_blank" href="https://blog.talosintelligence.com/cybercriminal-abuse-of-large-language-models/" rel="noopener">LLMs focused specifically on cyberattacks</a>. “They can map out — based on previous OT attacks, vulnerabilities and exploits — exactly what they need to do,” he said. “That, plus the whole geopolitical situation, is driving things faster than I think we’ve ever seen before.”</p>
</section>
<section class="section main-article-chapter" data-menu-title="What OT threats mean for enterprise CISOs">
<h2 class="section-title"><i class="icon" data-icon="1"></i>What OT threats mean for enterprise CISOs</h2>
[…]
</section>

This article has been indexed from Search Security Resources and Information from TechTarget