The Ghost of Christmas Future: How Red Team Assessments Reveal Tomorrow's OT Threats Today
Three Ghosts Show You Past Attacks, Present Adversaries, and Future Threats You Can Still Prevent
FBI Director Christopher Wray didn't mince words when he called Volt Typhoon "the defining threat of our generation." The Chinese state-sponsored group has been lurking inside U.S. critical infrastructure networks for at least five years, pre-positioning for attacks that could cripple power grids, water systems and transportation networks during a future crisis.
A Christmas Carol for Industrial Security
In Charles Dickens' "A Christmas Carol," Ebenezer Scrooge needed three ghosts to show him past mistakes, present reality and a grim future he could still prevent. Industrial facility managers face a similar reckoning. The ghost of Christmas past arrived in 2024 with a surge of attacks. The ghost of Christmas present haunts 2025 with sophisticated adversaries already inside networks. And the ghost of Christmas future? That's what red team assessments are designed to show you—revealing the 2026 threats waiting just around the corner.
The Ghost of Christmas Past: 2024's Wake-Up Calls
Last year delivered harsh lessons about operational technology vulnerabilities. Dragos documented 1,693 ransomware attacks targeting industrial organizations in 2024, an 87% increase over 2023. Manufacturing bore the brunt with more than 50% of observed victims. But the real story isn't just volume. According to Dragos' 2025 OT/ICS Cybersecurity Report, 75% of these ransomware incidents led to partial OT shutdowns, while 25% caused full operational shutdowns.
The emergence of purpose-built industrial malware made 2024 particularly ominous. FrostyGoop, the ninth known ICS malware family, disrupted heating to more than 600 apartment buildings in Ukraine during sub-zero temperatures in January 2024. Dragos' investigation revealed 46,000 internet-exposed ICS devices worldwide vulnerable to similar Modbus-based attacks. A month later, pro-Ukrainian hacktivists deployed Fuxnet malware against Moscow's municipal infrastructure, demonstrating how readily available these specialized tools have become.
The pattern continued throughout the year. CyberArmyofRussia_Reborn launched a series of attacks against U.S. facilities, posting videos showing manipulation of HMI devices at water treatment plants in Indiana and New Jersey and an oil and gas facility in Texas. Nearly three-quarters of organizations experienced some level of OT intrusion in 2024, with the average cost of industrial data breaches jumping by $830,000 per incident.
The Ghost of Christmas Present: 2025's Invisible Adversaries
While defenders scrambled to respond to visible attacks, nation-state actors were playing a longer game. CISA's joint cybersecurity advisory confirms that Volt Typhoon has maintained access in U.S. critical infrastructure for at least five years, targeting communications, energy, transportation and water systems across the continental U.S., territories and Guam. The group's goal isn't espionage. According to U.S. government assessments, they're pre-positioning to disrupt critical communications between the U.S. and Asia during a potential future conflict, specifically to slow military mobilization following a Chinese invasion of Taiwan.
Volt Typhoon exemplifies a sophisticated adversary. Microsoft Security notes the group "goes to great lengths to avoid detection," relying on living-off-the-land techniques using native Windows tools and valid credentials. Dragos tracks 23 threat groups worldwide targeting industrial systems, with nine actively engaged in OT operations during 2024. The Iranian-linked BAUXITE achieved Stage 2 ICS Cyber Kill Chain impacts through what Dragos describes as "trivial compromises" of exposed devices, affecting victims across the U.S., Europe, Australia and the Middle East.
Enter the red team. In November 2024, CISA released results from a red team assessment of a U.S. critical infrastructure organization that revealed exactly what these nation-state actors are looking for. The red team found a path to compromise both the domain controller and the Human Machine Interface dashboard serving as the gateway to operational technology. They didn't even need sophisticated tools. The organization had cleartext passwords in home shares, private keys without password protection and insufficient network segmentation allowing free movement across domains.
Here's the unsettling part: CISA noted the organization had "insufficient technical controls to prevent and detect malicious activity" and that leadership "underestimated the business risk of known attack vectors." The organization relied heavily on endpoint detection without adequate network-layer protections. Sound familiar?
The Ghost of Christmas Future: What 2026 Holds
The prediction Gartner made in 2021 has arrived. They warned that by 2025, cyber attackers would weaponize OT environments to successfully harm or kill humans. We're living in that timeline now as 2025 draws to a close, watching the focus shift from business interruption to physical harm. Global information security spending reached $212 billion this year, a 15% increase driven by these heightened threats. The question isn't whether OT attacks will cause casualties. It's when.
Looking ahead to 2026 and beyond, the threat landscape grows more complex. By 2027, according to Gartner analysis, 17% of total cyberattacks will involve generative AI, giving adversaries powerful new tools for large-scale social engineering. By 2028, Gartner predicts 30% of organizations will abandon Zero Trust initiatives due to poor implementation and unclear value, creating security gaps attackers will eagerly exploit. And by 2029, geopolitics will directly drive security strategy as organizations tailor threat models for scenarios where downtime means safety failures or loss of life.
This is where red team assessments become your guide to Christmas yet to come. They don't just find vulnerabilities—they chain them together the way adversaries would, test detection capabilities under realistic conditions and expose blind spots in monitoring that most organizations don't know exist. The value lies in discovering and fixing weaknesses before attackers weaponize them, as the November 2024 CISA assessment clearly demonstrates.
Your Choice: Proactive Vision or Reactive Crisis
Scrooge got to change his future after seeing what awaited him. Industrial facility managers have the same opportunity. The threats aren't theoretical anymore. Nation-state actors are already inside critical infrastructure networks. Industrial-specific malware is proliferating. And the 2025 warnings about weaponized OT causing physical harm? We're living them right now as this year ends.
Red team assessments serve as your ghost of Christmas future, showing you the 2026 attack paths adversaries will exploit before they do. The CISA assessment from November 2024 demonstrates exactly what these exercises reveal: the cleartext passwords you didn't know existed, the network segmentation gaps allowing lateral movement, the HMI access points waiting to be discovered. Organizations that conduct regular red team assessments identify and fix these issues before attackers weaponize them.
McKinsey's Organizational Cyber Maturity Survey confirms that organizations with mature cybersecurity practices, including regular red team assessments, experience fewer breach incidents and maintain better incident response capabilities. The assessments validate your ability to detect and respond to attacks in real time, using the same tactics, techniques and procedures that groups like Volt Typhoon employ.
The choice is simple but urgent. You can wait for your own Christmas Carol moment, scrambling to respond after an incident reveals gaps you should have known about. Or you can be proactive, using red team assessments to see next year's threats today and fix them while you still have time. The ghosts are showing you the future. The question is whether you're ready to look.
The Three Ghosts of Industrial Security
Past mistakes, present dangers, and future threats you can still prevent
Ghost of Christmas Past
1,693 ransomware attacks on industrial organizations (87% increase)
FrostyGoop malware disrupted heating to 600+ apartment buildings
46,000 ICS devices exposed worldwide to Modbus attacks
75% of incidents caused partial OT shutdowns
$830,000 average cost increase per breach
Ghost of Christmas Present
Volt Typhoon inside U.S. infrastructure for 5+ years
23 threat groups actively targeting industrial systems
CISA red team found cleartext passwords, no segmentation
Living-off-the-land techniques bypass traditional defenses
Pre-positioning attacks for future conflicts already in place
Ghost of Christmas Future
2026: OT attacks designed to harm/kill humans
2027: 17% of attacks will use generative AI
2028: 30% abandon Zero Trust, creating gaps
2029: Geopolitics drives security as downtime = casualties
$212B global security spending (15% increase)
The Ghost of Christmas Past: 2024 By The Numbers
Last year's attacks revealed vulnerabilities attackers still exploit today
The Ghost of Christmas Present: Meet Your Adversaries
🇨🇳 Volt Typhoon
Origin: Chinese state-sponsored
Dwell Time: 5+ years inside U.S. infrastructure
Targets: Communications, energy, transportation, water systems
Goal: Pre-positioning to disrupt U.S.-Asia communications during Taiwan conflict
Tactics: Living-off-the-land with native Windows tools, valid credentials, extreme stealth
FBI Assessment: "The defining threat of our generation"
🇮🇷 BAUXITE
Origin: Iranian-linked threat group
Activity: Stage 2 ICS Cyber Kill Chain impacts achieved
Targets: U.S., Europe, Australia, Middle East industrial systems
Method: "Trivial compromises" of internet-exposed devices
Significance: Demonstrates how easily exposed OT devices become attack vectors
Dragos Assessment: One of 9 groups actively engaged in OT operations
🇷🇺 CyberArmyofRussia_Reborn
Origin: Pro-Russian hacktivist group
2024 Activity: Series of attacks against U.S. critical infrastructure
Targets: Water treatment plants (Indiana, New Jersey), oil/gas facilities (Texas)
Tactics: Direct HMI device manipulation with video proof-of-concept
Significance: Public demonstrations lower barrier to entry for other attackers
Impact: Shows how easily industrial controls can be manipulated remotely
🦠 FrostyGoop Operators
Origin: Unknown (suspected state-sponsored)
Malware: FrostyGoop - 9th known ICS-specific malware family
January 2024 Attack: Disrupted heating to 600+ apartment buildings in Ukraine during sub-zero temperatures
Vulnerability: 46,000 ICS devices worldwide exposed to similar Modbus-based attacks
Significance: Purpose-built industrial malware becoming more accessible
Threat: Weaponized OT attacks causing physical harm to civilians
What CISA's Red Team Found in November 2024
Real assessment of U.S. critical infrastructure organization
🔓 Cleartext Passwords
Passwords stored in plaintext in home shares. Red team gained domain controller access through credentials that should never have been readable.
🔑 Unprotected Private Keys
Private keys stored without password protection. Critical authentication mechanisms left wide open for lateral movement.
🚧 No Network Segmentation
Insufficient segmentation allowed free movement across domains. Once inside, red team accessed both IT and OT environments.
🖥️ HMI Gateway Compromise
Red team compromised the Human Machine Interface dashboard—the gateway to operational technology control systems.
⚠️ Underestimated Business Risk
CISA found leadership "underestimated the business risk of known attack vectors." Awareness gap = security gap.
👁️ Insufficient Detection
Organization relied on endpoint detection alone without network-layer protections. Red team moved laterally undetected.
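The "private keys without password protection" finding above is one a defender can check mechanically across home shares. This is an added example, not CISA's or the assessed organization's tooling: it classifies PEM-style private keys by whether they carry a passphrase (the PKCS#8 header type, the legacy Proc-Type header, or the ciphername field of the openssh-key-v1 container) and walks a directory tree to list unprotected ones. The inputs in the test are constructed headers, not real keys.

```python
import base64
import os
import re
import sys
MAGIC = b"openssh-key-v1\x00"   # first field of the openssh-key-v1 container


def key_status(data: bytes):
    """Return (kind, passphrase_protected) for a PEM-style private key, or None if not a key."""
    text = data.decode("latin-1")
    m = re.search(r"-----BEGIN ([A-Z0-9 ]*?)PRIVATE KEY-----", text)
    if not m:
        return None
    kind = m.group(1).strip() or "PKCS8"
    if kind in ("ENCRYPTED", "PKCS8"):   # PKCS#8: the header alone says whether it is wrapped
        return ("PKCS8", kind == "ENCRYPTED")
    if kind == "OPENSSH":                 # openssh-key-v1: magic, then a length-prefixed ciphername
        body = text[m.end():].split("-----END")[0]
        try:
            blob = base64.b64decode("".join(body.split()))
            n = int.from_bytes(blob[len(MAGIC):len(MAGIC) + 4], "big")
            cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        except ValueError:
            return ("OPENSSH", False)     # unparseable: cannot prove protection, so flag it
        ok = blob.startswith(MAGIC) and len(cipher) == n > 0
        return ("OPENSSH", ok and cipher != b"none")
    return (kind, "Proc-Type: 4,ENCRYPTED" in text)   # legacy RSA/EC/DSA PEM


def scan_files(files):
    """files: iterable of (path, bytes); return sorted (path, kind) for keys lacking a passphrase."""
    hits = []
    for path, data in files:
        status = key_status(data)
        if status and not status[1]:
            hits.append((path, status[0]))
    return sorted(hits)


def read_tree(root, limit=65536):
    """Yield (path, leading bytes) for every readable file under a share or home directory."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read(limit)
            except OSError:
                continue


if __name__ == "__main__":
    for path, kind in scan_files(read_tree(sys.argv[1])):
        print(f"UNPROTECTED {kind} key: {path}")
```

Run it against a mounted home share to get the same list a red team would assemble; an unparseable OpenSSH blob is reported as unprotected on purpose, since the script cannot prove otherwise.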
How Red Team Assessments Reveal Tomorrow's Threats
Chain Vulnerabilities
Find attack paths before adversaries do
Red teams don't just find individual vulnerabilities—they chain them together the way real adversaries would. CISA's assessment showed how cleartext passwords + weak segmentation = full domain compromise.
Test Detection
Validate monitoring under realistic conditions
Red teams use the same tactics as Volt Typhoon: living-off-the-land techniques, valid credentials, stealthy lateral movement. Can your SOC detect nation-state adversaries when they're not setting off alarms?
Expose Blind Spots
Discover monitoring gaps you didn't know existed
Organizations often rely on endpoint detection without network-layer protections. Red teams reveal these blind spots—the places where attackers move undetected between compromised systems.
Fix Before Weaponization
Discover and patch before attackers exploit
The November 2024 CISA assessment gave that organization a chance to fix cleartext passwords, segment networks, and protect HMI access before real attackers found the same paths. That's the value.
Validate Response
Test incident response under pressure
McKinsey confirms organizations with regular red team assessments maintain better incident response capabilities. You validate your ability to detect and respond in real time using adversary tactics.
Mature Security Posture
Organizations with red teams have fewer breaches
McKinsey's Organizational Cyber Maturity Survey shows organizations with mature cybersecurity practices including red teams experience fewer breach incidents. Proactive testing = fewer successful attacks.
The Ghost of Christmas Future: 2026-2029 Predictions
Gartner's timeline of coming threats
