In the past year, ransomware attacks against industrial organizations have increased 87%, according to industrial cybersecurity consultant Dragos. The company adds that 75% of those events disrupted operations.

According to the firm’s 2025 OT Security Financial Risk Report, the rise in ransomware attacks illustrates a broader increase in threat intensity.

“All sectors face increasing OT cyber risk,” the report states. “While the rise isn’t always year-over-year, the overall likelihood has grown steadily over the past decade. This trend is shaped by multiple factors—including (insurance) policy and coverage changes, evolving regulations, global events, and shifting attacker incentives.”

Those attackers include cyber criminals, hacktivists and government adversaries, Dragon says. The firm adds that many hacking groups are developing or already using malware that is specifically designed to target industrial control systems.

Companies in North America and Europe have the highest likelihood of being attacked, Dragon assesses. The consultant and software provider adds that companies generally face greater risk as their revenue increases.

To reach these conclusion, Dragos conducted simulations based on a decade of breach and insurance claims data analyzed by the Marsh McLennan Cyber Risk Intelligence Center, which Dragon describes one of the world’s largest repositories of cyber risk data.

For companies in the oil and gas sector, there is a 0.66% chance each year of an insurable loss resulting from cyber events affecting OT networks. For the oil and gas extraction subsector, that number drops to 0.56%.

Because the report is partly for insurers, it initially estimates the financial impact of cybersecurity incidents in terms of global business insurance claims. On average, $12.7 billion is at risk each year, the report finds. Expand the estimate’s scope to include cybersecurity incidents that do not lead to a claim, and the cost can rise to as much as $31.1 billion.

Dragos says much of the financial risk associated with breaches comes not from the direct effects of the breech but from indirect effects, such as damage to equipment that the operational system supports or the downtime associated with companies shutting down connected systems.

“The model estimates that not only are indirect costs more likely—impacting roughly 70% of the breaches that affect OT—but they also incur a steeper cost curve over time,” Dragos comments. “While direct breach costs are typically bound by predictable remediation costs, indirect costs tend to be ‘blank check’ losses incurred due to business interruption and long-term fallout.”

Limiting Risk

To help companies prioritize investments in cybersecurity, Dragos analyzed Marsh’s historical data and its simulations to evaluate how much the five critical controls outlined by the Sans Institute reduce the likelihood and severity of an incident. Dragos says it chose these controls because they “stand as the leading framework for building cyber-resilient OT infrastructure.”

The five critical controls are:

• Incident response planning, which involves developing strategies for detecting, responding to and recovering from cyber incidents;
• Defensible architectures, meaning systems designed to minimize attack surfaces, limit the effects of compromises and streamline monitoring and response efforts;
• ICS network visibility and monitoring, or the ability to watch network traffic and device behavior in real time;
• Secure remote access, which aims to ensure that only authorized users access the system; and
• Risk-based vulnerability management, which entails prioritizing patch deployment and other security efforts based on how much the breaches a vulnerability enables would impact the organization, as well as how likely threat actors are to target that vulnerability.

In the oil and gas extraction subsector, the report indicates that all five strategies reduce risk by at least 14%. Defensible architecture has the biggest impact at 21.32%, followed by ICS network visibility and monitoring at 20.44%. Secure remote access (15.71%), risk-based vulnerability management (14.38%) and incident response planning (14.24%) round out the list.

For the oil and gas industry overall, incident response planning jumps from the last spot to the top position with a 25.99% risk reduction. Defensible architectures follow at 21.99%, with network monitoring delivering 20.31%, risk-based vulnerability management contributing 18.90% and secure remote access providing 15.12%.

Because many of these controls relate to and reinforce each other, Dragos says it is difficult to predict their exact effect or the cumulative impact of deploying them in tandem. “However, the individual percentages remain valuable, as they confirm that each control delivers measurable risk reduction,” it says.

Maximizing that risk reduction requires commitment, Drago emphasizes. “Deploying, implementing, and operationalizing cybersecurity controls is an ongoing process—not a onetime effort,” it states. “The quality of deployment and the effectiveness in how controls are operationalized are critical factors not modeled here and remain difficult to quantify. Still, the reality is clear: continued investment is essential to sustain and maximize risk reduction over time.”

The full 2025 OT Security Financial Risk Report includes Dragos’ recommendations for next steps, which provide more detail on each of the five critical security controls. The report also offers risk estimates for four other sectors (manufacturing; utilities; building automation and warehousing; construction; and healthcare/hospitality), and context for why Dragos created the report.

“Executives are increasingly accountable for managing cyber risks, but many still lack a clear line of sight into OT environments,” comments Robert M. Lee, chief executive officer and co-founder of Dragos. “This report fills a critical gap by translating OT security into measurable financial risk and assessing controls aimed at mitigating that risk.”