Technology thesis · Cybersecurity
High conviction · Emerging
OT/ICS security
OT/ICS security has become a regulatory-mandate-driven category as NIS2, the TSA pipeline directives and CIRCIA reporting force hardening cycles, and the resulting demand carries through 2027 at a 13-14% CAGR.
Position maintained continuously · last reviewed Jun 3, 2026
The thesis
Volt Typhoon-class persistent OT access is the new baseline threat
The 2025-2026 threat landscape has crystallised around state-sponsored, OT-specialised actors whose objective is persistent access rather than immediate disruption. Dragos's 2026 Year in Review identified VOLTZITE (technical overlaps with the Chinese Volt Typhoon actor that CISA has flagged as actively targeting US critical infrastructure for persistent access in OT environments), AZURITE (overlaps with Flax Typhoon) and PYROXENE (deploying destructive wiper malware in the US, Western Europe and the Middle East). The progression seen across multiple 2024-2025 incidents runs from reconnaissance to credential harvesting to network mapping to demonstrated impact capability, without immediate destructive action - the pre-positioning playbook. The defensive baseline has therefore shifted from 'detect intrusion' to 'assume pre-positioned access and detect operational behaviour': the actor already holds valid credentials, so what gives it away is a host doing something it has never done before, not a signature on the way in. That is what Dragos's threat-intelligence-first platform and Nozomi's behavioural-analytics architecture are built for. Ransomware against industrial organisations surged 49% YoY in 2025 (3,300 organisations) on top of state-sponsored activity; the two streams are converging on the same target list.
State of the art (2026)
The pure-play OT-security tier consolidated in 2026. Mitsubishi Electric completed its ~$1bn acquisition of Nozomi Networks on 28 January 2026, folding the third-ranked dedicated vendor into an industrial OEM rather than an IT-security platform - evidence that the OT moat is being bought by automation incumbents, not absorbed by Microsoft or CrowdStrike. Claroty raised a $150m Series F at a $3bn valuation on 22 January 2026; Dragos remains independent for now (last priced near $1.7bn). Dragos's 2026 Year in Review tracked 119 ransomware groups hitting industrial firms (up from 80), 3,300 affected organisations, and named VOLTZITE pivoting from Sierra Wireless gateways into US midstream pipeline workstations. The defensive frame has shifted from intrusion detection to assuming pre-positioned access.
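What 'assume pre-positioned access and detect operational behaviour' means at the packet level, as an added illustration for the two sections above; this is not part of the thesis and is not the code of Dragos, Nozomi or any other vendor named here. A known-good window teaches a detector which (source, destination, operation) triples are normal for the plant; later flows are scored against that baseline and against an IEC 62443-style zone/conduit policy, so an actor that already holds valid credentials still stands out the moment it does something operationally new - a remote-access gateway opening a session to an engineering workstation (the gateway-to-workstation pivot pattern described above), or a workstation issuing a Modbus write to a PLC it has never written to. Every host address, zone, policy entry, flow record and Modbus frame below is constructed for the example; the Modbus/TCP header layout and function codes 3, 6 and 16 are the real protocol's.

```python
"""Behavioural baselining of OT flows (added illustration, constructed data)."""
from collections import Counter
from dataclasses import dataclass
import struct

# Constructed asset inventory: host -> zone. A real deployment takes this from
# the asset-discovery layer; the addresses are private ranges chosen here.
ZONES = {
    "10.10.1.10": "scada_server",
    "10.10.1.20": "eng_workstation",
    "10.10.2.5": "plc",
    "10.10.2.6": "plc",
    "192.168.50.1": "remote_gateway",  # cellular/VPN gateway, internet facing
}

# Constructed conduit policy: (src_zone, dst_zone) -> permitted operations.
CONDUITS = {
    ("scada_server", "plc"): {"modbus/read_holding"},
    ("eng_workstation", "plc"): {"modbus/read_holding", "modbus/write_single",
                                 "modbus/write_multiple"},
    ("remote_gateway", "scada_server"): {"https"},
}

# Operations that change process state; a first-ever occurrence rates high.
WRITE_OPS = {"modbus/write_single", "modbus/write_multiple"}

# Modbus function code -> label (subset; unknown codes are still labelled).
MODBUS_FC = {3: "modbus/read_holding", 6: "modbus/write_single",
             16: "modbus/write_multiple"}


def modbus_op(frame: bytes) -> str:
    """Label a Modbus/TCP frame by function code.

    MBAP header: transaction id (2), protocol id (2, must be 0), length (2,
    counts unit id + PDU), unit id (1). The PDU then opens with the function
    code. Malformed frames get a label instead of an exception so one bad
    packet cannot stall the pipeline.
    """
    if len(frame) < 8:
        return "modbus/malformed"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return "modbus/malformed"
    fc = frame[7]
    return MODBUS_FC.get(fc, f"modbus/fc{fc}")


@dataclass(frozen=True)
class Flow:
    ts: int   # epoch seconds (constructed)
    src: str
    dst: str
    op: str   # operation label, e.g. from modbus_op()


def learn_baseline(flows):
    """Count each (src, dst, op) triple observed in the known-good window."""
    return Counter((f.src, f.dst, f.op) for f in flows)


def score_flow(flow: Flow, baseline: Counter):
    """Return (severity, rule, detail) findings for one flow."""
    findings = []
    src_zone = ZONES.get(flow.src, "unknown")
    dst_zone = ZONES.get(flow.dst, "unknown")
    if flow.op not in CONDUITS.get((src_zone, dst_zone), set()):
        findings.append(("high", "conduit_violation",
                         f"{src_zone}->{dst_zone} {flow.op} not in policy"))
    if (flow.src, flow.dst, flow.op) not in baseline:
        # An unseen write, or anything sourced from the remote-access edge,
        # is what a pre-positioned actor looks like when it finally moves.
        sev = "high" if flow.op in WRITE_OPS or src_zone == "remote_gateway" else "medium"
        findings.append((sev, "new_behaviour",
                         f"{flow.src}->{flow.dst} {flow.op} never seen in baseline"))
    return findings


def analyse(training, live):
    """Score live flows against the baseline; return (flow, findings) for hits."""
    baseline = learn_baseline(training)
    return [(f, score_flow(f, baseline)) for f in live if score_flow(f, baseline)]


# Constructed frames: read 10 holding registers; write 2 registers (FC 16).
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
WRITE_FRAME = bytes.fromhex("0002 0000 000b 01 10 0000 0002 04 0001 0002".replace(" ", ""))

TRAINING = [
    *(Flow(t, "10.10.1.10", "10.10.2.5", modbus_op(READ_FRAME)) for t in range(0, 600, 5)),
    *(Flow(t, "10.10.1.10", "10.10.2.6", modbus_op(READ_FRAME)) for t in range(0, 600, 5)),
    Flow(300, "10.10.1.20", "10.10.2.5", modbus_op(WRITE_FRAME)),  # commissioning write
    Flow(310, "192.168.50.1", "10.10.1.10", "https"),             # vendor remote session
]

LIVE = [
    Flow(1000, "10.10.1.10", "10.10.2.5", modbus_op(READ_FRAME)),   # routine polling
    Flow(1005, "192.168.50.1", "10.10.1.20", "rdp"),                # gateway -> engineering ws
    Flow(1010, "10.10.1.20", "10.10.2.6", modbus_op(WRITE_FRAME)),  # first ever write to PLC .6
    Flow(1015, "10.10.1.20", "10.10.2.5", modbus_op(WRITE_FRAME)),  # matches commissioning
]

if __name__ == "__main__":
    for flow, findings in analyse(TRAINING, LIVE):
        for sev, rule, detail in findings:
            print(f"[{sev}] {rule}: {detail} (t={flow.ts})")
```

Two of the four live flows alert: the gateway-to-workstation RDP session trips both the conduit policy and the baseline, and the workstation's first write to the second PLC is allowed by policy but has never happened, which is exactly the case a pure allow-list would miss. The routine poll and the write that matches the commissioning pattern stay silent. The design point is that the baseline is keyed on operation, not just on host pair: a read-only relationship that starts carrying writes is a new behaviour even though the two hosts have talked for years.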
Dedicated OT-vendor moat vs IT-cybersecurity convergence is the structural question
Three dedicated vendors anchor the OT-native commercial layer: Dragos (threat-intelligence-first, with a US-government and energy-sector centre of gravity), Claroty (broad asset visibility and vulnerability management across cloud and on-prem) and Nozomi Networks (AI-driven asset intelligence and behavioural analytics). Their moats are protocol depth, OT-specific threat intel, and the audit-trail integration that insurers and regulators have built their requirements around. By mid-2026 the moat-vs-convergence question is resolving along a third path: rather than IT-security platforms absorbing the category, industrial and services incumbents are buying the OT-native specialists. Mitsubishi Electric completed its acquisition of Nozomi on 28 January 2026 (operated as an independent subsidiary, having passed $100m revenue); Accenture announced a majority stake in Dragos, together with runZero and NetRise, on 18 June 2026 (~$4.175bn, closing Q3 2026). Claroty raised a $150m Series F at a ~$3bn valuation in January 2026 and is now the largest independent pure-play. From the IT-cybersecurity side, Microsoft Defender for IoT/OT, CrowdStrike Falcon for XIoT, Palo Alto Networks Industrial OT Security, Cisco (Cyber Vision plus Splunk analytics) and Tenable OT Security continue to converge by bundling OT modules into broader platform contracts. The live question is whether the bought-in OT-native depth keeps its protocol and threat-intel edge inside a larger parent, or erodes into a platform sub-module.
Twin regulatory mandates (EU NIS2 + CRA, US TSA + CISA) define the 2026-2027 spend cycle
The single largest demand-side driver for OT/ICS security spending through 2027 is regulatory mandate, not threat perception. The EU NIS2 Directive (applicable from 18 October 2024) widened compliance scope to thousands of medium-sized industrial firms, with a 24-hour early-warning and 72-hour incident-notification deadline and penalties for essential entities of up to EUR 10 million or 2% of worldwide turnover, whichever is higher. The EU Cyber Resilience Act (CRA) entered into force on 10 December 2024 and applies to machine manufacturers, system integrators and technology vendors simultaneously from the supply side, covering the product lifecycle from design through end-of-support. Together the two instruments create the first regulatory regime that hits the OT/ICS market from both the buy side (operators) and the supply side (vendors and integrators). In the US, the TSA Pipeline Security Directives, the Water Cybersecurity Rule and CISA's CIRCIA framework put incident reporting to CISA on fixed clocks (under CIRCIA, 72 hours for covered incidents and 24 hours for ransom payments once its implementing rule applies), and the TSA directives additionally require operators to maintain an approved cybersecurity implementation plan. NIST SP 800-82 Revision 3 sets out the segmentation and zero-trust expectations those regimes are audited against. The implication: budgets that were previously discretionary and risk-based are now mandate-driven and audit-driven.