IndustrialCyber

Waterfall Threat Report 2026 finds ransomware slowdown masks deeper shift toward nation-state attacks on critical infrastructure


The Waterfall Threat Report 2026 finds that publicly recorded cyber breaches with physical consequences across heavy industry and critical infrastructure fell by 25% to 57 incidents in 2025, down from 76 in 2024, largely due to temporary factors affecting ransomware activity. At the same time, nation-state and hacktivist attacks doubled, with the majority targeting critical infrastructure systems. 

The Waterfall report highlights several significant incidents, including a major production shutdown at Jaguar Land Rover described as the most costly in a decade, a disruption at Collins Aerospace where a crippled software system caused weeks of flight cancellations and delays, maritime incidents involving grounded and misdirected ships that underscored the need for independent verification of external inputs such as GPS signals, and a near-miss event involving Polish distributed generation that points to Russian nation-state activity targeting European critical infrastructure and raises concerns about the risk of ‘bricking’ control systems.

Cyber breaches with physical consequences increased markedly at the turn of the decade, according to the Waterfall Threat Report 2026, which adds that the single biggest reason for the step-function change was ransomware. The report found that ransomware criminal groups were the single type of adversary responsible for a clear majority of attacks in the years 2019 to 2024. The research team also concludes that in the years 2022 to 2025, the majority of ‘Unknown’ incidents are ransomware as well.

Typically, hacktivists mean to make a point with the victim and with the public, and so generally make public claims about their attacks, successful or not. No such claims were made for attacks in the ‘Unknown’ category. Also, nation-state attacks are still comparatively infrequent. For most ‘Unknown’ attacks, there are no details in the public record contradicting the ransomware theory.

Nation-state and hacktivist attacks doubled in 2025 over 2024, with 5 of the 14 attacks clearly linked to the kinetic conflict of the Russian invasion of Ukraine. This report tracks hacktivists and nation states together because, unlike many ransomware criminals, both hacktivists and nation states deliberately try to bring about physical consequences. In addition, distinguishing between hacktivists and nation states has become difficult.

In principle, hacktivists are amateurs. Hacktivists are not paid to carry out attacks, nor do they profit financially from such attacks. Hacktivists thus generally have neither the money to buy sophisticated attack tools nor the organization or infrastructure needed to build their own, and, again, have no organization that can coordinate the efforts of large numbers of attackers.

Nation-states are professional attackers, employed by armies, intelligence agencies and other government agencies. These adversaries generally have the money to buy powerful tools, have development teams able to create their own powerful attack tools, and have a strict organizational structure able to coordinate the activities of large numbers of attackers. These distinctions have blurred in recent years. Increasingly, hacktivist groups with limited organizations or budgets have at least the blessing, if not other support from nation states, when those hacktivists act to support nation-state goals and objectives in a physical/kinetic conflict.

Historically, the USA, Germany and Canada have rotated through the ‘top 3’ victim geographies. In part this is because these regions and economies are heavily automated and comparatively wealthy, and so host more targets, and more lucrative targets, for ransomware attacks. In part it is because these nations host the head offices of industrial businesses: when a cyber attack affects multiple geographies, this report records the impacted geography as the country hosting the head office of the affected business.

The Waterfall Threat Report 2026 identifies the U.S., Germany, and Russia as the top victim geographies in 2025, with Russia’s exposure driven largely by Ukrainian hacktivist and nation-state activity. Discrete manufacturing emerged as the most affected industry vertical. Critical infrastructure sectors experiencing breaches with physical consequences included oil and gas, water systems, power, metals and mining, and pharmaceutical manufacturing. The takeaway is clear. Risk is not confined by geography or sector. Organizations across industries should implement practical, resilient defenses to mitigate credible real-world impact.

Ransomware disrupts physical operations in four primary ways. It can directly compromise OT automation systems, forcing processes to halt or behave unpredictably. It can trigger precautionary shutdowns as operators take systems offline to contain potential damage. It can cripple IT systems that OT environments depend on, creating cascading operational failures. And it can impact external supply chains, where attacks on key suppliers or customers disrupt the continuity of industrial operations.

Waterfall Threat Report 2026 identified that incident reports are becoming far less detailed, making it increasingly difficult to determine how cyberattacks lead to physical consequences. The necessary information is often missing from the public record. Historically, these impacts have stemmed from precautionary shutdowns, dependencies between OT and IT systems, direct compromise of OT equipment, and disruptions across the supply chain.

To keep cyber sabotage from reaching OT networks, organizations need to harden security at every network connection. Preventing precautionary shutdowns requires stronger controls at the IT/OT boundary so operators can maintain confidence in the safety of critical processes even during a sophisticated IT compromise. Avoiding dependency-driven outages means clearly identifying where OT relies on IT systems and addressing those dependencies in cybersecurity planning. More broadly, strengthening OT security programs reduces the likelihood of direct targeting and limits the need for defensive shutdowns, while ensuring dependencies are understood and managed.
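The dependency-driven outages and cascading IT-to-OT failures described above are easiest to reason about once the dependencies are written down as a graph. The following is an added example, not code from the report or from Waterfall: it takes a constructed, hypothetical asset inventory (the system names and the "X depends on Y" edges are assumptions for illustration) and computes, for each IT system, which OT processes would have to stop if that system were compromised or taken offline for containment, and which OT processes can keep running through an IT outage.

```python
from collections import deque

# Constructed sample inventory (hypothetical names, not from the report).
# Each entry reads "X depends on Y1, Y2, ...".
DEPENDS_ON = {
    "paint_line":       ["mes", "plc_paint"],
    "body_shop":        ["mes", "plc_body"],
    "boiler_house":     ["plc_boiler"],
    "mes":              ["erp", "active_directory"],
    "erp":              ["active_directory", "corp_database"],
    "plc_paint":        [],
    "plc_body":         [],
    "plc_boiler":       [],
    "active_directory": [],
    "corp_database":    [],
}
OT_PROCESSES = {"paint_line", "body_shop", "boiler_house"}
IT_SYSTEMS = {"mes", "erp", "active_directory", "corp_database"}


def transitive_dependencies(depends_on, node):
    """Every system `node` relies on, directly or through intermediate systems."""
    seen, queue = set(), deque(depends_on.get(node, []))
    while queue:
        dep = queue.popleft()
        if dep not in seen:
            seen.add(dep)
            queue.extend(depends_on.get(dep, []))
    return seen


def it_dependencies_of_ot(depends_on, ot_processes, it_systems):
    """Map each OT process to the IT systems whose loss would stop it."""
    return {p: transitive_dependencies(depends_on, p) & it_systems
            for p in sorted(ot_processes)}


def blast_radius(depends_on, ot_processes, it_systems):
    """Map each IT system to the OT processes that halt if it is compromised or
    shut down as a precaution. This is the 'cascading failure' view."""
    return {s: {p for p in ot_processes if s in transitive_dependencies(depends_on, p)}
            for s in sorted(it_systems)}


def isolated_ot(depends_on, ot_processes, it_systems):
    """OT processes with no IT dependency: they can keep running during an IT
    compromise, which is what the IT/OT boundary controls are meant to preserve."""
    deps = it_dependencies_of_ot(depends_on, ot_processes, it_systems)
    return {p for p, d in deps.items() if not d}


if __name__ == "__main__":
    for system, halted in blast_radius(DEPENDS_ON, OT_PROCESSES, IT_SYSTEMS).items():
        print(f"loss of {system:17s} stops: {sorted(halted) or 'nothing on the OT side'}")
    print("runs through an IT outage:", sorted(isolated_ot(DEPENDS_ON, OT_PROCESSES, IT_SYSTEMS)))
```

On the constructed inventory, losing the corporate database stops both production lines even though nothing on the plant floor talks to it directly, because the MES depends on the ERP, which depends on the database; that indirect path is exactly the kind of dependency the report says must be identified and planned for. The boiler house, which depends only on its own PLC, is the one process that can continue during an IT-side containment shutdown.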

Incidents like the disruption at Jaguar Land Rover underscore the cost of getting this wrong. Executives are likely weighing whether stronger security could have prevented the disruption, accelerated recovery, or both. Cyberattacks are expensive, and where downtime is unacceptable, security investment needs to match that risk.

Highly distributed and cloud-based systems add another layer of exposure, to the point where compromise should be treated as inevitable. When critical operations depend on these systems, particularly those run by third parties, organizations should demand proof of rapid recovery capabilities or maintain well-rehearsed manual fallback procedures to sustain physical operations, even if those measures increase costs.

At the same time, GPS and other positioning systems are routinely jammed or spoofed in conflict zones, including waters near Russia, across Ukraine, and in the Red Sea region. Operators navigating these areas should assume positioning data may be unreliable and deploy compensating controls and fallback procedures. Finally, any internet-exposed elements within control systems represent an immediate risk and should be disconnected on an urgent basis to reduce exposure.
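One compensating control for unreliable positioning data is the independent verification of external inputs mentioned earlier in this article: cross-check each GPS fix against a position dead-reckoned from sensors that a spoofer cannot reach, such as the ship's log and gyrocompass. The following is an added example, not code from the report or from any vessel system; the sensor fields, the 500 m tolerance and the sample track (10 knots due east from 55N 10E with one fix displaced about 2.2 km north to mimic a spoofed position) are all constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
KNOT_MS = 0.514444  # metres per second in one knot


@dataclass
class Fix:
    """One navigation record: the GNSS fix plus two independent sensors (assumed names)."""
    t: float        # seconds since start of track
    lat: float      # GNSS latitude, degrees
    lon: float      # GNSS longitude, degrees
    sog_kn: float   # speed from the ship's log, independent of GNSS
    hdg_deg: float  # heading from the gyrocompass, independent of GNSS


def dead_reckon(lat, lon, hdg_deg, dist_m):
    """Advance a position by dist_m along hdg_deg (flat-earth step; fine over minutes)."""
    hdg = math.radians(hdg_deg)
    dlat = math.degrees(dist_m * math.cos(hdg) / EARTH_RADIUS_M)
    dlon = math.degrees(dist_m * math.sin(hdg) / (EARTH_RADIUS_M * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_track(fixes, max_residual_m=500.0):
    """Compare each GNSS fix with the position dead-reckoned from the last trusted fix.
    Returns (t, residual_m) for every fix that disagrees with log + gyro by more than
    max_residual_m. A rejected fix is replaced by the dead-reckoned estimate, so a
    spoofed position never becomes the baseline for the next comparison."""
    anomalies = []
    trusted = fixes[0]
    for cur in fixes[1:]:
        dist_m = trusted.sog_kn * KNOT_MS * (cur.t - trusted.t)
        dr_lat, dr_lon = dead_reckon(trusted.lat, trusted.lon, trusted.hdg_deg, dist_m)
        residual = haversine_m(dr_lat, dr_lon, cur.lat, cur.lon)
        if residual > max_residual_m:
            anomalies.append((cur.t, residual))
            trusted = Fix(cur.t, dr_lat, dr_lon, cur.sog_kn, cur.hdg_deg)
        else:
            trusted = cur
    return anomalies


def build_sample_track():
    """Constructed sample: 10 kn due east from 55N 10E, one fix per minute for 7 minutes,
    with the fix at t=360 s shifted 0.02 deg north (about 2.2 km) to mimic spoofing."""
    fixes = [Fix(0.0, 55.0, 10.0, 10.0, 90.0)]
    for i in range(1, 8):
        p = fixes[-1]
        lat, lon = dead_reckon(p.lat, p.lon, 90.0, 10.0 * KNOT_MS * 60.0)
        fixes.append(Fix(i * 60.0, lat, lon, 10.0, 90.0))
    f = fixes[6]
    fixes[6] = Fix(f.t, f.lat + 0.02, f.lon, f.sog_kn, f.hdg_deg)
    return fixes


if __name__ == "__main__":
    for t, residual in check_track(build_sample_track()):
        print(f"t={t:.0f}s: GNSS fix is {residual:.0f} m from dead-reckoned position, not trusted")
```

The design point is that the check only flags the displaced fix and then continues from the dead-reckoned position, so the fix after the spoofed one is judged against where the ship should be rather than against the false position. Tolerance and sensor choice would be set per vessel; the point of the example is that the fallback rests on inputs the spoofer does not control.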

The Waterfall Threat Report 2026 assesses that each of the reasons for ransomware attacks leveling out in 2025 reduces attacks by a roughly constant percentage, and notes that, in the absence of new reasons emerging or those percentages changing, ransomware attacks are expected to resume increasing in 2026-2027.

In its conclusion, the report argues that most OT networks today rely almost entirely on software-based protections, and software fails in predictable ways. If an exploit can take advantage of a vulnerability, it will produce the same result every time. Treating this as a probability issue misses the point. From an engineering safety perspective, cyberattacks are more accurately understood as design failures, not random equipment faults or human error.

The report points to initiatives such as the U.K.’s NCSC Cyber-Informed Engineering guidance and CISA’s secure remote access recommendations, which acknowledge the inherent limits of software defenses and call for deterministic, hardware-enforced protections. As industrial environments become more automated and interconnected, the risk profile shifts in ways that cannot be managed by software alone. The report makes a direct case for deploying so-called ‘unhackable’ deterministic controls alongside traditional cybersecurity measures, arguing that safety-critical environments cannot afford to rely on defenses that are, by design, fallible.

To move forward, defenders need to confront a set of hard questions. Detecting, responding to, and recovering from attacks all take time, and during that window adversaries may control part or all of an industrial automation environment. The first question is straightforward but uncomfortable: how long is it acceptable for an attacker to operate safety-critical or high-value physical processes?

The second question cuts to defensive effectiveness. Which credible attack scenarios and resulting consequences are not mitigated with high confidence under the current security posture, and are those residual risks acceptable in practice? The third question challenges a long-standing assumption. Given the capabilities of modern threat actors and the persistent reality of zero-day exploits, is it still reasonable to rely on software-only defenses to protect industrial operations?
