2026 Dragos OT Report: Foreign Adversaries Inside Utility Networks + How to Protect Your OT Environment In this Off The Wire episode, Anthony and Tanner break down the 2026 Dragos OT report, describing it as sobering and highlighting claims that foreign adversaries are already embedded in U.S. utility networks. They discuss how these actors differ from typical fast-moving ransomware by staying hidden, mapping OT environments, studying SCADA points, alarms, configuration files, and normal process behavior, with detection potentially taking days even in best cases. The conversation covers attacker specialization and handoffs between teams for initial access, reconnaissance, and exploitation, sometimes involving transactions between groups. They highlight the gap between vulnerability disclosure, patch availability, and exploitation (reported as ~24 days), and emphasize the need for mitigation beyond patching. Visibility is a major theme: only 46% reportedly have OT monitoring, with average detection cited as ~5 days with monitoring versus ~42 days without, often only discovered after something breaks. They discuss why OT is hard to secure (limited logging, fragile legacy systems, insecure protocols like Telnet/LDAP, flat networks, and weak IT/OT separation) and why monitoring helps detect anomalies and insecure traffic. The episode also addresses third-party and remote-access risk, including targeting of engineering firms and edge devices, exploitation of cellular router devices, and the growing reliance on stolen credentials and valid logins (including MFA fatigue), citing a stat that 73% of breaches involve stolen credentials. They note a reported 49% increase in ransomware groups affecting OT, 119 groups targeting OT, and over 3,300 impacted OT environments, with many OT incidents misclassified as IT-only. The hosts recommend focusing on fundamentals: an OT incident response plan, asset inventory, behavior-based monitoring, tight restrictions on remote access, and unique credentials supported by password managers. They announce a five-episode miniseries springboarding from this overview, with upcoming episodes on OT monitoring/visibility, securing users via a secure browser approach, improving email defenses against phishing, and revisiting third-party remote access. 00:00 Dragos 2026 OT Report: Why This One Hits Different 01:24 Adversaries Already Inside: Quiet Recon in Utility OT Networks 02:59 Specialized Attack Teams & Access Handoffs (Initial Access → Recon → Exploit) 05:07 Patch Lag vs Exploit Speed: Why Mitigation Matters in OT 06:24 Visibility Gap: OT Monitoring Stats and Detection Time Reality 07:49 Why OT Monitoring Works: Protocols, Anomalies, and Holistic Context 09:56 Third-Party Remote Access: Vendors, VPNs, Edge Devices, and Cellular Routers 13:07 Valid Credentials Are the New Exploit: Detecting “Legit” Logins 17:06 Ransomware Moves Into OT: Scale, Misclassification, and Rising Risk 18:56 Old Problems Still Breaking OT: Flat Networks, Legacy Protocols, No Segmentation 22:15 Disruption Is the Goal: OT Security Fundamentals to Focus On Now 25:58 Mini-Series Preview + Final Takeaways (Stolen Credentials, Next Episodes) 29:01 Wrap-Up and What’s Next: OT Monitoring & Visibility Episode Teaser
