Daily OT Security News: June 23, 2026
Today’s briefing highlights escalating OT-focused threats, market consolidation in OT cybersecurity, and a continued need to realign risk models away from IT-era assumptions. Analysts and government exercises emphasize preparedness for destructive attacks on physical processes, while vendors and service providers introduce OT-native AI and strategic combinations of capabilities intended to address coverage and visibility gaps.
ICS Exploit Pipeline Structurally Biased Toward Destruction, Not Data Theft
A Suzu Labs analysis of 464 ICS vendor CVEs disclosed in 2025 shows a pronounced tilt toward causing physical disruption: vulnerabilities affecting availability or integrity outnumber those targeting confidentiality by roughly 5:1. The study also documents a six-fold increase in access-enabling OT attack surface entries in CISA’s KEV catalog between 2021–22 and 2023–24, and highlights nation-state scanning by groups such as KAMACITE aimed at HMIs, drives, and metering modules to identify shutdown triggers. The report warns that organizations relying on IT-era, data-breach-centric risk models are underestimating exposure to physical-consequence scenarios and should adopt threat-informed, consequence-driven assessments.
Source: Suzu Labs
Dragos Launches EmberAI: OT-Native AI Built on World’s Largest OT Cybersecurity Dataset
Dragos announced EmberAI, an OT-native assistant leveraging the company’s Intelligence Fabric—claimed to include petabytes of OT telemetry, a decade of adversary tracking, and frontline incident response data. EmberAI accepts plain-language queries about assets, vulnerabilities, and network activity and returns OT-contextual answers grounded in real adversary data. The product is positioned to alleviate the OT skills shortage while keeping customer telemetry and models inside the customer environment, rather than sending data to external cloud models.
Source: Dragos
Accenture Acquires Dragos, RunZero, and NetRise in $4.175 Billion OT Security Deal
Accenture announced plans to acquire a majority stake in Dragos and full ownership of RunZero and NetRise in a transaction valued at approximately $4.175 billion, signaling significant consolidation in the OT cybersecurity market. The combined capabilities are intended to span monitoring, exposure assessment, device and firmware visibility, and software supply chain analysis, and will operate under the Dragos brand as an independent Accenture business after closing (expected Aug–Sep 2026). The deal underscores growing enterprise demand and a projected 16% CAGR in the OT security market through 2031.
Source: Consulting.us
OT Vulnerability Management Is Failing Critical Infrastructure, Experts Warn
Industry experts told Industrial Cyber that traditional vulnerability management practices—rooted in IT assumptions and CVSS-centric scoring—are inadequate for OT environments where medium-severity flaws can cause safety incidents or production shutdowns. Large operators routinely manage thousands of unpatched CVEs through risk-pooling rather than targeted remediation. Analysts recommend shifting to consequence-based risk models that account for asset role in safety hierarchies, exposed interfaces, and worst-credible physical outcomes, prioritizing investment on crown-jewel assets over blanket patch coverage.
Source: Industrial Cyber
DOE CESER Conducts Critical OT/ICS Security Exercises for Oil and Natural Gas Sector
The Department of Energy’s CESER announced a series of OT/ICS security exercises for the oil and natural gas sector to test emergency response and close gaps in operator security plans. CESER highlighted persistent nation-state pre-positioning and rising opportunistic threats against the subsector. Upcoming events include Clear Path XIV—which will examine cyber/physical impact on regional power ahead of the LA 2028 Olympics—and Liberty Eclipse, which offers live cyber and physical defensive training under simulated attack conditions.
Source: U.S. Department of Energy
Key takeaways: defenders must adopt consequence-driven risk models and prioritize visibility and remediation for crown-jewel OT assets; they should expect continued market consolidation, which may accelerate integrated detection, asset inventory, and firmware analysis capabilities; and operators should participate in government-led exercises and apply threat-informed controls to mitigate destructive, physically impactful attacks.