Top Highlights
- Cyber breaches with physical impacts decreased by 25% in 2025, primarily due to ransomware activity dropping temporarily, but nation-state and hacktivist attacks doubled, mainly targeting critical infrastructure.
- Ransomware remains the leading threat, responsible for most attacks from 2019 to 2025, with many ‘Unknown’ incidents also linked to it, indicating a persistent cyber risk.
- High-profile incidents like Jaguar Land Rover and Collins Aerospace highlight the severe costs and operational disruptions caused by cyberattacks on industrial systems, emphasizing the need for stronger defenses.
- The report underscores that traditional software protections are insufficient for safety-critical environments, advocating for hardware-enforced, deterministic controls to address evolving cybersecurity threats in industrial settings.
Key Challenge
The Waterfall Threat Report 2026 reveals a complex landscape of cyber threats targeting heavy industry and critical infrastructure worldwide. In 2025, publicly recorded cyber breaches resulting in physical consequences decreased by 25%—from 76 incidents in 2024 to 57—mainly due to temporary declines in ransomware activity, which historically has been the dominant threat. However, this apparent drop is misleading because the report indicates that cyberattacks by nation-states and hacktivists doubled in 2025 compared to the previous year, mainly targeting sectors like oil and gas, water, and power, with Russia, the US, and Germany experiencing the highest impact. These adversaries, especially nation-states, increasingly operate with sophisticated tools and organized structures, blurring traditional distinctions with hacktivist groups that often support state objectives. As a result, the report warns that the threat will likely escalate again in 2026 or 2027, emphasizing that cyberattacks often lead to tangible physical damage, such as manufacturing shutdowns, flight disruptions, and maritime incidents, which pose serious risks to public safety and economic stability. The report stresses that, while organizations have made progress, many continue to rely heavily on software-based protections that are inherently vulnerable, advocating for stronger, hardware-enforced defenses and more resilient cybersecurity strategies to effectively mitigate these evolving threats.
Furthermore, the report discusses the causes behind these incidents. Most are attributed to ransomware, which damages OT systems directly or indirectly by causing shutdowns or cascading failures through dependencies on compromised IT systems. It also notes a troubling decline in publicly available attack details, making it difficult to understand or prevent future breaches. Critical infrastructure sectors, especially those relying on distributed and cloud-based systems, remain particularly exposed. The report also highlights that current defenses are often inadequate because they lack deterministic hardware-based protections, which are crucial for safety-critical environments. To address these vulnerabilities, the report urges organizations to question how long they can tolerate adversaries controlling critical processes, prioritize the identification of security gaps, and shift from software-only protections toward more robust, hardware-enforced measures. This approach aims to prevent “design failures” in cybersecurity, ensuring that infrastructure remains resilient even as threat actors grow more sophisticated and organized.
What’s at Stake?
The Waterfall Threat Report 2026 reveals that the apparent slowdown in ransomware attacks might hide a more concerning trend: a shift toward sophisticated nation-state attacks targeting critical infrastructure. This shift means your business could face increased risks from advanced threats designed to cause widespread disruption or damage. Unlike typical ransomware, these state-sponsored attacks aim to undermine essential systems, such as energy, transportation, or health services, which your operations may rely on. If targeted, your business could suffer not just data loss but also operational shutdowns, financial loss, and reputational damage. Moreover, such attacks are often highly coordinated and difficult to detect, making preparedness crucial. Therefore, regardless of your industry size or scope, it’s vital to recognize that even a slow ransomware environment may be masking a grave threat—one that can significantly impact your business’s stability and security if left unaddressed.
Possible Next Steps
Timely remediation matters all the more as threat actors shift tactics and targets, often using apparent slowdowns in attacks like ransomware as cover while they prepare larger, more strategic strikes.
Detection Enhancement
Invest in advanced monitoring tools that can quickly identify signs of intrusion or anomalous activity within critical infrastructure systems.
Incident Response
Develop and regularly update comprehensive incident response plans tailored to infrastructure-specific threats, ensuring rapid mobilization when an attack is detected.
Threat Intelligence
Leverage current threat intelligence to stay ahead of emerging nation-state tactics, enabling proactive defense measures.
Vulnerability Management
Conduct frequent vulnerability assessments, prioritizing patching and remediation of known weaknesses in critical systems.
Access Controls
Implement strict identity and access management policies, including multi-factor authentication, to restrict unauthorized access.
Employee Training
Provide ongoing cybersecurity awareness training to staff, emphasizing the importance of recognizing and reporting suspicious activity.
Network Segmentation
Segment networks to contain breaches and prevent lateral movement across critical infrastructure components.
Regular Backups
Maintain secure, up-to-date backups of essential data and systems to facilitate swift recovery post-incident.
Policy Development
Establish clear cybersecurity policies aligned with national standards to ensure a proactive, consistent approach to threat mitigation.
Collaboration
Engage in information sharing and collaboration with government agencies, industry peers, and security communities to stay informed of threat developments and best practices.
