2025 OT Security Incidents ‘Quieter, Yet Far Deeper’

2025 was marked by a series of real-world OT and infrastructure incidents across Europe and North America. A dam gate in Norway was remotely opened through a cyber intrusion; major European airports were paralysed by a third-party service compromise; and public-sector operational networks in Canada and Poland came under direct pressure.

Across these events, a clear pattern emerged. Rather than attacking OT systems head-on, adversaries increasingly targeted the operational perimeter — the supplier pathways, connected IT systems and external services surrounding OT. Once these outer layers failed, disruption quickly spread into core operations. 

Top 5 OT-Related Incidents of 2025

1. A cyber intrusion that triggered a physical command

In April 2025, the spillway gate at the Risevatnet Dam in Bremanger was remotely triggered following a confirmed cyber intrusion. No major flooding occurred, but the significance was unavoidable: a cyber operation reached the control layer of a critical asset and executed a physical action.

Confirmed findings included:

• The attacker gained access deep into the control environment.
• A spillway gate was activated, altering reservoir conditions.
• PST (Norway’s Police Security Service) formally confirmed it as a cyber attack.
• Analysts pointed to weak authentication and exposed operational pathways.

The incident demonstrated, perhaps more clearly than any other in 2025, how thin the barrier has become between attempted intrusions and real-world physical manipulation.

2. A public-service breach cascading into water-linked operations

Several Canadian municipalities experienced cyber incidents that disrupted systems tied to public services, including those supporting water operations. Online services were taken offline; internal systems were isolated; and emergency procedures were activated.

Key observations:

• Internal administrative systems were compromised.
• Digital public services were suspended and replaced with manual workflows.
• IT systems closely linked to water operations were isolated for safety.
• No pumps or valves were manipulated, but operational teams were forced into contingency mode.

The incident showed how rapidly an IT-side compromise can cascade into operational uncertainty. OT does not need to be touched directly for operations to be disrupted.

3. An IT-originated compromise causing OT production downtime

A widely reported incident affecting Land Rover once again highlighted the vulnerability of manufacturing operations. Although the intrusion began in IT systems, the operational impact was immediate:

• Production schedules were disrupted.
• Line availability and output were directly affected.
• Supplier or maintenance access routes were suspected in the intrusion path.
• OT systems absorbed the operational consequences, despite not being the initial target.

2025 reinforced an uncomfortable but well-established reality: IT compromise is now a reliable route to OT disruption.

4. An intrusion reaching the edge of operational control

Poland experienced repeated cyber activity targeting public-service and transport systems. In several cases, attackers gained access to systems adjacent to operational decision-making, causing delays and service interruptions.

Findings included:

• Access to public-sector systems tied to operational functions.
• Visible disruption to transport and administrative services.
• No verified manipulation of OT controllers.
• Forensic analysis indicated probing near the operational boundary layer.

This incident illustrated how narrow the gap between IT and OT has become — and how easily that boundary can be tested without breaching the control layer itself.

5. Operational-perimeter compromises disrupting OT-dependent services

2025 also saw multiple operational disruptions that did not originate in OT, but rapidly impacted OT-dependent services.

• European airport paralysis

A compromise of a third-party provider for check-in and boarding systems disrupted operations across Heathrow, Brussels and Berlin Brandenburg. Passengers were unable to complete check-in for several hours.

This revealed:

• • A single compromised operational service can halt multiple airports.
  • The direct target was the supply chain, not the airports themselves.
  • OT-reliant operations were paralysed without any OT compromise.

• Other sectors

The same pattern was observed across manufacturing, maritime logistics and energy:

• • Malware infections affecting engineering laptops and HMIs
  • Theft of supplier VPN credentials enabling internal access attempts
  • Disruption of maritime yard and port scheduling systems
  • Interference with monitoring and auxiliary systems in the energy sector

 Together, these incidents showed that attackers increasingly disrupt OT-dependent operations by striking the joints of the environment rather than the core.

• Additional Context: The Spain–Portugal Blackout

Though not cyber-related, the large-scale blackout across Spain and Portugal highlighted the fragility of essential infrastructure. Grid strain and operational weaknesses triggered widespread outages affecting transport, communications and public services.

The lesson was clear: when resilience is low, the distinction between cyber failure and operational failure becomes irrelevant. OT security cannot be separated from the resilience of the infrastructure that supports it.

What 2025’s Incidents Actually Reveal

Across all incidents, one conclusion stands out: Attackers did not change their tools — they changed their route.

• Compromise began at the operational perimeter.
• Supplier access paths and operational IT remained the weakest links.
• Small digital failures triggered large operational consequences.
• In some cases, like Bremanger, the control layer was actually reached.
• And when resilience was weak, as seen in the Iberian blackout, disruption became systemic regardless of cause.

The pattern is unmistakable: The greatest weaknesses in OT security now sit at the boundaries — where OT, IT and external services intersect.

If these boundary layers remain vulnerable, internal hardening alone cannot prevent operational failure.

The key question as we move into 2026

The events of 2025 were not dramatic in scale, but decisive in what they revealed about risk.

The opened spillway gate in Norway, the halted airports, the emergency procedures in Canada and Poland, and the Iberian blackout all point towards one unavoidable truth:

“We cannot secure OT if the systems around it remain exposed.”

This is where 2026’s OT security priorities must begin.