Organizations with comprehensive OT visibility detect and contain OT ransomware incidents in an average of 5 days, compared to the industry-wide average of 42 days.

The average dwell time for ransomware in OT environments is 42 days.

KAMACITE conducted sustained reconnaissance of U.S. industrial devices from March through July 2025.

The number of ransomware groups targeting industrial organizations increased 49% year-over-year to 119 groups, collectively impacting 3,300 organizations globally.

87% of CIOs say AI agents are already embedded in critical operations.

Attacks using OT protocols surge by 84%, led by Modbus (57%), Ethernet/IP (22%), and BACnet (8%).

Transportation and shipping ranked second in detections by Trellix, accounting for 27.6% of all threats detected from April 1 to September 30, 2025.

Manufacturing represented 41.5% of all Trellix detections of threats targeting operational technology from April 1 to September 30, 2025.

The utilities, energy/oil and gas, and aerospace and defense industries combined accounted for 21.5% of all detections by Trellix between April 1 to September 30, 2025.

PowerShell was the primary attack vector with 96,061 detections by Trellix, followed by Cobalt Strike with 85,986 detections targeting the IT-to-OT boundary.

The average time from vulnerability disclosure to patch deployment in operational technology environments exceeds 180 days, compared to 30 days for traditional IT systems.

There were 333 ransomware attacks detected by Trellix specifically targeting critical infrastructure sectors from April 1 to September 30, 2025.