ENISA Threat Landscape 2025: Critical OT Security Risks Every Business Must Address

The cybersecurity landscape has reached a critical juncture in 2025, with operational technology (OT) attacks and industrial cyber risks escalating to unprecedented levels. The European Union Agency for Cybersecurity (ENISA) has released its comprehensive Threat Landscape 2025 report, revealing alarming trends that demand immediate attention from organizations across all sectors. 

The Rising Tide of OT Attacks: 18.2% of All Cyber Threats 

According to ENISA's analysis of nearly 4,900 cybersecurity incidents, operational technology threats now represent 18.2% of all identified threat categories, marking a significant shift toward targeting industrial and critical systems. This surge reflects the growing exposure of traditionally isolated industrial networks as they become increasingly connected to broader IT infrastructure. ENISA Threat Landscape 2025 

Manufacturing Under Siege: A 59.3% Cybercrime Target Rate 

The manufacturing sector has become a prime target for cybercriminals, with 59.3% of attacks being cybercriminal in nature. The report identifies several concerning trends: 

• Ransomware dominance: Akira (48.7%), Qilin (20.5%), and FOG (10.3%) emerged as the most deployed ransomware strains against manufacturing targets 

• High-profile incidents: BlackBasta ransomware caused prolonged IT and website disruptions at German consumer electronics maker Medion AG in November 2024 

• Supply chain focus: 94% of impacted manufacturing organizations were linked to defense and automotive sectors, highlighting the strategic nature of these attacks 

New Malware Specifically Designed for Industrial Control Systems 

Perhaps most concerning is the emergence of specialized industrial control system (ICS) malware. In June 2025, the Infrastructure Destruction Squad (IDS) developed VoltRuptor, a sophisticated ICS-specific malware offering: 

• Advanced multi-protocol support 

• Cross-platform operations capability 

• Enhanced persistence and anti-forensics features 

• Availability for purchase on the dark web, democratizing advanced OT attack capabilities 

The group successfully compromised an Italian smart building automation company on June 30, 2025, demonstrating the real-world viability of these specialized tools. 

Hacktivist Groups Target Critical Infrastructure 

The report identifies Z-PENTEST-ALLIANCE as the leading hacktivist group targeting EU critical infrastructure, with a particular focus on energy systems. Their activities include: 

• Targeting Internet-accessible OT management interfaces across energy and water management sectors 

• Geographic concentration: Italy emerged as the most frequently targeted EU member state, followed by Czechia, France, and Spain 

• Psychological warfare: Sharing videos of operators tampering with OT systems to amplify threat perception 

• Potential state connections: Alleged association with Russia-nexus intrusion group Sandworm 

The Convergence of Multiple Threat Vectors 

Ransomware Evolution: 82 Variants and Growing 

The ransomware landscape has become increasingly sophisticated, with 82 distinct ransomware variants observed during the reporting period. Key developments include: 

• Akira leading with 11.6% of all ransomware deployments 

• 68.6% of intrusions leading to data breaches often sold on cybercriminal forums 

• Decentralized operations in response to law enforcement actions 

• Aggressive extortion tactics exploiting regulatory compliance fears 

AI-Powered Threat Acceleration 

By early 2025, over 80% of social engineering attacks leveraged artificial intelligence, representing a fundamental shift in attack methodology. This includes: 

• AI-generated phishing campaigns at massive scale 

• Synthetic media creation for deepfake attacks 

• Automated reconnaissance and supply chain attack research 

• Malicious AI systems like Xanthorox AI and FraudGPT 

Supply Chain Vulnerabilities: 10.6% of Threats 

Supply chain attacks now constitute 10.6% of all threats, with attackers leveraging indirect pathways through third-party providers. Notable examples include: 

• Operation Digital Eye: Targeting professional IT providers in Southern Europe to infiltrate supply chains 

• Browser extension compromises: Multiple Chrome extensions related to AI and VPN services were compromised in late 2024 

• Open-source repository attacks: Malicious npm packages deployed through GitHub repositories 

Economic Impact: Billions in Losses 

The financial impact of these cyber threats has reached staggering proportions: 

• Manufacturing disruptions from ransomware attacks resulted in prolonged business continuity issues across multiple organizations 

Sector-Specific Risk Profiles 

The report reveals clear targeting patterns across industries: 

• Transport: 7.5% - particularly maritime and logistics operations 

• Digital infrastructure and services: 4.8% 

• Manufacturing: 2.9% - though with disproportionately high impact 

Geographic Vulnerability Hotspots 

Certain EU countries face elevated risk levels: 

• Germany leads ransomware targets at 23.4% 

• Italy: 11.33% - also the most targeted for OT attacks by hacktivists 

• Spain: 9.8% 

• France: 9.5% 

• Belgium: 3.7% 

Countries supporting Ukraine's supply chain (Poland, Czechia, Romania) face particular scrutiny from threat actors. 

Critical Vulnerabilities Exploited at Scale 

The report documents over 42,595 new vulnerabilities disclosed during the period (a 27% increase), with critical vulnerabilities weaponized within days of disclosure. Commonly exploited systems include: 

• NetScaler ADC (CVE-2023-3519) 

• Palo Alto Networks PAN-OS (CVE-2024-3400 with 10.0 CVSS score) 

• Sophos Firewall (CVE-2022-3236) 

• Fortinet, Ivanti, Cisco IOS XE, TeamCity vulnerabilities 

Defending Against the New Threat Landscape 

Organizations must adopt a multi-layered approach to address these evolving threats: 

Immediate Priority Actions 

• OT Network Segmentation: Isolate industrial control systems from IT networks 

• Vulnerability Management: Implement rapid patching processes for critical vulnerabilities 

• Supply Chain Security: Vet third-party providers and monitor software dependencies 

• Employee Training: Counter AI-powered social engineering with enhanced awareness programs 

Advanced Defense Strategies 

• Zero Trust Architecture: Assume breach and verify all network access 

• Threat Intelligence Integration: Leverage real-time threat feeds for proactive defense 

• Incident Response Planning: Develop specific procedures for OT environment incidents 

• Continuous Monitoring: Deploy security tools across both IT and OT environments 

The Path Forward: Building Cyber Resilience 

The ENISA Threat Landscape 2025 report makes clear that cybersecurity is no longer just an IT concern—it's a business continuity imperative. With operational technology attacks representing nearly one-fifth of all cyber threats and new specialized malware targeting industrial systems, organizations must evolve their security postures rapidly. 

The convergence of state-aligned actors, cybercriminals, and hacktivists using increasingly sophisticated tools powered by artificial intelligence creates a threat environment unlike any we've seen before. Organizations that fail to adapt their cybersecurity strategies to address these realities face not just data breaches, but potential operational shutdowns, supply chain disruptions, and significant financial losses. 

As we navigate this challenging landscape, partnering with experienced cybersecurity professionals who understand both traditional IT security and the unique requirements of OT environments becomes not just advisable—but essential for survival in the digital age.