The New Era of ICS Threats: From Network Access to Control-Loop Mapping

For years, the primary concern of industrial cybersecurity has been the initial breach, the moment an adversary gains a foothold in a network. In early 2026, however, the industry must confront a more dangerous reality. According to Dragos’ 2026 OT Cybersecurity Year in Review report, a critical line was crossed in 2025: adversaries have moved beyond simple prepositioning for future attacks to actively mapping control loops.

This shift represents the removal of the last practical barrier between having digital access and being able to cause physical consequences. This technical milestone changes the defensive requirements for critical infrastructure and makes the "Intellectual Property of Operations" the new primary target.

The Technical Shift: Moving to Stage 2 Operational Readiness

The cybersecurity community often discusses the ICS Cyber Kill Chain, which differentiates between Stage 1 (Intrusion/Access) and Stage 2 (ICS Attack/Execution). Historically, most observed threat activity remained in Stage 1: gaining access, harvesting credentials, and then lying dormant.

The 2026 findings reveal that multiple threat groups, including newly identified actors, are now systematically operating at the threshold of Stage 2. They are no longer just looking for data; they are learning how your physical processes function.

Why Control-Loop Mapping is Different

A control loop is the fundamental building block of industrial automation, consisting of sensors, controllers (PLCs), and actuators that maintain a physical state (like pressure or temperature). To disrupt a process without triggering an automatic safety shutdown, an attacker needs a "manual" for your specific facility.

Adversaries are now actively exfiltrating the components of this manual:

  • Engineering workstation (EWS) intelligence: Targeting the hosts that configure PLCs and HMIs to understand the logic governing the process.

  • Alarm data and configuration files: Learning what the operator sees and, more importantly, what the system is programmed to ignore.

  • Stopping conditions: Specifically investigating the parameters that would trigger a process to halt, allowing them to engineer "stealth" disruptions that bypass safety thresholds.

The Rise of the Paired Model and Handoff Tactics

The speed at which these operations move has been significantly increased by a "division of labor" among threat actors. Dragos documents a paired model where specialized initial access providers rapidly weaponize edge device vulnerabilities and then "hand off" the compromised environment to Stage 2 adversaries.

This industrialization of the attack chain means that the dwell time (the window of time a defender has to detect an intrusion before it transitions into a physical threat) is shrinking. When an access provider hands over a "ready-to-use" connection to an actor capable of direct PLC manipulation, the time from compromise to operational readiness is measured in days rather than weeks.

The Strategic Risk: Theft of Operational Intelligence

For decision-makers, the risk is no longer just "theft of intellectual property" in the traditional sense of trade secrets or designs. We are seeing the theft of Operational Intelligence.

Adversaries like AZURITE have demonstrated a specific interest in exfiltrating project files, network diagrams, and employee operator information. This data is used to develop highly targeted and sophisticated ICS-capable malware tailored to a specific environment. In essence, the attacker is using your own engineering documentation to build the weapon that will eventually target you.

This activity is often geopolitically motivated, designed to ensure that if a conflict arises, the path to causing loss of view or loss of control in critical utility sectors is already mapped and tested.

Contextualizing Defense in a Post-Mapping Era

If the adversary is focused on the control loop, the defender must be as well. Traditional network-only security is insufficient because it cannot "see" the manipulation of process logic or the exfiltration of PLC configuration files.

  • Visibility beyond the perimeter: Dragos estimates that fewer than 10% of OT networks worldwide currently have the internal network visibility and monitoring required to detect this type of mapping activity. Without recording transient OT telemetry, you cannot investigate what you cannot see.

  • Defensible architecture: Segmentation between IT and OT is no longer merely a best practice; it is a structural necessity. Adversaries are leveraging compromised edge devices and SOHO routers as pivot points to reach engineering workstations.

  • Monitoring internal traffic: Because mapping relies on lateral movement between Level 3 operations systems and Level 2 supervisory control, monitoring internal communication paths is critical for detecting the anomalous protocol usage (such as SOCKS tunnels) that these actors use to stage data.
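As an added example (not code from the page, from Dragos, or from any vendor product), the following Python script applies a baseline of expected cross-zone services to constructed flow records and flags the patterns the three bullets above describe: a non-baselined protocol such as SOCKS crossing between Level 3 and Level 2, a controller being addressed by a host that is not a known engineering workstation, a large outbound transfer out of the supervisory zone, and an endpoint outside the documented zones. The zone addressing, the service baseline, the engineering-host list, the byte threshold and the sample flow lines are all assumptions constructed for illustration.

```python
"""
Cross-zone flow review for a Purdue-style OT network.

Added example; the zone layout, baseline and flow lines are constructed,
not taken from the page. Each flow line is tab-separated:
src_ip, dst_ip, dst_port, service, bytes_sent.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical zone layout: Level 3 site operations, Level 2 supervisory
# control (EWS/HMI), Level 1 basic control (PLCs). Addresses are constructed.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "L3_operations": ipaddress.ip_network("10.3.0.0/16"),
    "L2_supervisory": ipaddress.ip_network("10.2.0.0/16"),
    "L1_control": ipaddress.ip_network("10.1.0.0/16"),
}

# Expected services per (src_zone, dst_zone). Any other cross-zone
# service is reviewed. This is the documented baseline most sites lack.
BASELINE: Dict[Tuple[str, str], Set[str]] = {
    ("L3_operations", "L2_supervisory"): {"opcua", "https"},
    ("L2_supervisory", "L3_operations"): {"https"},
    ("L2_supervisory", "L1_control"): {"modbus", "s7comm"},
}

# Only these Level 2 hosts should speak ICS protocols to controllers.
ENGINEERING_HOSTS: Set[str] = {"10.2.0.10", "10.2.0.11"}

# One flow moving this many bytes out of Level 2 is unusual enough to
# review as possible staging of project files or configurations.
LARGE_OUTBOUND_BYTES = 50_000_000


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    service: str
    detail: str


def zone_of(ip: str) -> Optional[str]:
    """Return the zone an address belongs to, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> dict:
    """Parse one tab-separated flow line into a dict."""
    src, dst, dport, service, sent = line.rstrip("\n").split("\t")
    return {"src": src, "dst": dst, "dport": int(dport),
            "service": service, "bytes_sent": int(sent)}


def evaluate(flow: dict) -> List[Alert]:
    """Apply the review rules to one flow and return the alerts it raises."""
    alerts: List[Alert] = []
    src, dst, svc = flow["src"], flow["dst"], flow["service"]
    sz, dz = zone_of(src), zone_of(dst)

    # A host outside every documented zone (e.g. traffic pivoted through an
    # edge or SOHO device) cannot be baselined, so it is always reviewed.
    if sz is None or dz is None:
        alerts.append(Alert("unmapped-host", src, dst, svc,
                            "endpoint outside the documented OT zones"))
        return alerts

    # Cross-zone traffic must use a service the baseline expects on that path.
    if sz != dz and svc not in BASELINE.get((sz, dz), set()):
        alerts.append(Alert("cross-zone-protocol", src, dst, svc,
                            f"{svc} on port {flow['dport']} not baselined for {sz} -> {dz}"))

    # Even over an allowed protocol, only engineering hosts may reach controllers.
    if dz == "L1_control" and src not in ENGINEERING_HOSTS:
        alerts.append(Alert("unexpected-controller-access", src, dst, svc,
                            "source is not a known engineering workstation or HMI"))

    # Large outbound transfers from the supervisory zone merit a look.
    if sz == "L2_supervisory" and flow["bytes_sent"] >= LARGE_OUTBOUND_BYTES:
        alerts.append(Alert("large-outbound-from-L2", src, dst, svc,
                            f"{flow['bytes_sent']} bytes sent in one flow"))
    return alerts


def analyze(lines: Iterable[str]) -> List[Alert]:
    """Run every flow line through the rules and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        if line.strip():
            alerts.extend(evaluate(parse_flow(line)))
    return alerts


# Constructed sample flows, not real telemetry.
SAMPLE_FLOWS = [
    "10.3.0.5\t10.2.0.10\t4840\topcua\t12000",      # operations host polling the EWS: baselined
    "10.2.0.10\t10.1.0.20\t502\tmodbus\t800",       # EWS to PLC over Modbus: expected
    "10.3.0.77\t10.2.0.10\t1080\tsocks\t400",       # SOCKS from Level 3 into the EWS
    "10.2.0.10\t10.3.0.77\t1080\tsocks\t92000000",  # large transfer back through that tunnel
    "10.2.0.44\t10.1.0.20\t102\ts7comm\t1500",      # allowed protocol, but not an engineering host
    "192.168.50.9\t10.2.0.10\t3389\trdp\t5000",     # source outside every documented zone
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(f"[{a.rule}] {a.src} -> {a.dst} ({a.service}): {a.detail}")
```

Run against the constructed sample, the two baselined flows produce nothing and the remaining four produce five alerts (the SOCKS flow leaving Level 2 trips both the protocol rule and the volume rule). The design point is that the rules need no signature for any particular tool: they only compare observed internal traffic against a written-down expectation of which zones talk to which over what, which is exactly the visibility the bullets above say most OT networks do not yet record.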
Engineering Out the Advantage

The shift toward control-loop mapping is a clear signal that adversaries are preparing to act, not just to collect. The window for reactive cybersecurity is closing. To survive in the 2026 threat landscape, organizations must move away from simply guarding the "gate" and start protecting the "logic" of their operations.

By establishing comprehensive OT visibility and implementing hardware-enforced network isolation, organizations can break the attack chain at the reconnaissance phase, before an adversary has the chance to learn your processes better than your own engineers.

Contact our expert team today to conduct an audit and ensure your control loops remain under your exclusive control.