In the Netflix thriller Leave the World Behind, a massive cyberattack plunges the U.S. into a complete electrical and technological blackout. While the scope and scale of the fictional attack are improbable, research suggests real-world malicious hackers are increasingly interested in causing physical harm.
Cyberattacks with physical impact are still rare, with just 57 globally in 2025, according to Waterfall Security Solutions, a cybersecurity vendor headquartered in Rosh Ha'Ayin, Israel. But that might not always be the case, given a disturbing trend recently noted by Washington-based cybersecurity vendor Dragos.
Once inside an operational technology environment, Dragos researchers revealed in the company's "2026 OT/ICS Cybersecurity Report," attackers are no longer just conducting reconnaissance, as has long been the norm in OT intrusions. Multiple threat groups, independently and across geopolitical alignments, are now actively mapping control loops and learning how to disrupt physical processes. Their documented activities include accessing and manipulating engineering workstations and exfiltrating configuration files, alarm data and operational intelligence.
"This is the removal of the last practical barrier between having access and being able to cause physical consequences," the Dragos researchers wrote. "It indicates that the teams behind these operations are being told to prepare to act, not just to maintain options."
A perfect storm
Analysts said the shift in attacker behavior is troubling but unsurprising, given the confluence of geopolitical tensions, widely available technical documentation, the democratization of attack toolkits and a decreasing price point for experimentation.
The good news: Organized cybercrime groups typically have little interest in accessing OT and industrial control systems (ICSes) to cause physical harm, said Forrester analyst Paddy Harrington. Rather, they want to make money, and hurting innocent people is inherently bad for business.
"Blowing up a pipeline or an oil rig or taking down an operating room in healthcare -- because you can actually do that if you compromise the systems enough -- leaves a bad taste in everyone's mouth," Harrington said. "You're no longer this Robin Hood figure for taking down Jaguar Land Rover. You hurt people."
In other words, there is a vast difference between run-of-the-mill cybercriminals and Netflix-style cyberterrorists. Even nation-state threat actors are likely constrained by the principle of mutually assured destruction, knowing that a targeted nation could respond in kind.
The bad news: Generative AI could empower a host of attackers with diverse personal or political motives and an appetite for destruction. Capabilities that were once largely limited to well-funded nation-state groups are now broadly accessible, said Gartner analyst Katell Thielemann.
"My concern is that in the age of AI, where technical drawings and process manuals can be ingested at will from public sources, we may not just be dealing with attackers 'being told to prepare to act,'" per the Dragos report, Thielemann said. "Hacktivists or anyone determined enough, with any kind of motive, can learn about these control loops."
Harrington noted that larger attack groups are already using open source models to build their own LLMs focused specifically on cyberattacks. "They can map out -- based on previous OT attacks, vulnerabilities and exploits -- exactly what they need to do," he said. "That, plus the whole geopolitical situation, is driving things faster than I think we've ever seen before."
What OT threats mean for enterprise CISOs
Most organizations have cyber-physical systems, whether they recognize it or not.
"This is not just about OT/ICS in water utilities or process manufacturing," Thielemann warned. Rather, any environment where digital assets interact with the physical world, such as a typical office building, data center or warehouse, could become a target.
Yet, even as threat actors seek to gain physical control of OT environments, enterprises remain largely ill-equipped to defend against them.
"If attackers are learning about control loops, so should CISOs," Thielemann said. "If they are still defending with an IT-centric mindset and have not yet realized that their remit includes cyber-physical systems that need completely different security governance and tooling, they need to catch up -- fast."
If attackers are learning about control loops, so should CISOs.
Katell Thielemann Analyst, Gartner
Harrington agreed, suggesting CISOs start by identifying entry points into their OT environments -- edge devices, cloud connections, internet connections and internal IT/OT cross-connections -- and eliminating any that aren't operationally necessary. Then, he said, drop a firewall across each remaining connection to block threats that might enter the environment from third-party service providers, OEMs or IT.
"Start doing something," Harrington urged. "So many OT environments don't have much of anything. All they're doing is asset discovery and relying on what they think is an air gap, which hasn't existed in the vast majority of environments for a long time."
Harrington admitted he worries about worst-case-scenario cyberattacks on critical infrastructure, the stuff of nightmares and Netflix films. But he also finds the growing push to improve OT security encouraging.
"I'm just hoping it's fast enough."
Alissa Irei is senior site editor of Informa TechTarget Security.
