Skeleton Crews, Full-Scale Attacks: The Holiday OT Security Gap

When Security Staffing Drops, Attackers Strike

Picture this: December 24th. Your IT security lead is celebrating the holidays with family, most of your team is on reduced coverage, and a junior technician notices something strange on the network. By the time they realize it's ransomware, the attack has already spread to critical systems.

Why Holidays Became Hunting Season for Ransomware

According to the 2024 Semperis Ransomware Holiday Risk Report, 86% of ransomware attacks occur on weekends or holidays. This timing isn't coincidental. The FBI and Department of Homeland Security have specifically warned that attackers view holiday weekends as "attractive timeframes" for intrusion.

The math is brutal. Cybereason research found that 44% of organizations reduce security staff by up to 70% on weekends and holidays, while one-fifth operate skeleton crews cutting staff by 90%. Even organizations with 24/7 Security Operations Centers deliberately scale back, with Semperis reporting that 85% of these facilities reduce staffing by up to 50% during holiday periods.

Dragos tracking shows that 70% of operational technology encryption attacks occur between 6 p.m. and 8 a.m., with 30% of encryptions beginning specifically on weekends. Attackers aren't opportunistic. They're strategic, waiting for the precise moment when detection is slowest and response capability is weakest.

The 2024 Surge That Caught Industrial Sectors Off Guard

The numbers from 2024 tell a stark story. According to Fortinet's State of OT and Cybersecurity Report, 73% of organizations experienced intrusions impacting operational technology systems, up dramatically from 49% in 2023. That's not gradual growth. That's an acceleration.

Dragos documented an 87% increase in ransomware attacks on industrial organizations in 2024, with manufacturing accounting for 69% of all attacks. The firm tracked 1,693 industrial organizations that had sensitive data exposed on ransomware leak sites, with attacks averaging 34 industrial organizations per week in the first half of the year, then more than doubling during the second half.

Real incidents throughout 2024 demonstrated the pattern. Supply chain software firm Blue Yonder was hit with ransomware over Thanksgiving weekend, affecting Starbucks and UK supermarkets. California hospital systems were taken offline the same holiday weekend. Toronto's transit system saw driver communication systems shut down over Halloween weekend in 2021.

And on Christmas morning itself, security professional Umair Mazhar described in an IBM Think interview how his company experienced a ransomware attack while systems were less closely monitored. The attacker exploited an unpatched vulnerability, attempting to encrypt critical data that required immediate response.

Manufacturing Downtime Costs: $1.9 Million Per Day

When attackers succeed during holidays, the financial impact compounds quickly. Comparitech research analyzing 858 manufacturing ransomware attacks found that downtime averages $1.9 million per day. IBM's Cost of a Data Breach Report notes industrial sector downtime can cost up to $125,000 per hour.

The average manufacturing ransomware attack causes 11 to 12 days of downtime. At $1.9 million per day, that's more than $20 million in downtime costs alone. According to Dragos incident response data, 75% of ransomware incidents caused partial operational technology shutdowns, while 25% resulted in complete production halts.

This is precisely why holidays are so dangerous. As one cybersecurity analysis noted, getting the response team "out of bed at 3 a.m. on a Saturday won't be easy." When every hour costs six figures and your incident response coordinator is on a plane to visit family, containment becomes exponentially harder.

Cybereason found that 36% of ransomware victims believed their attacks succeeded specifically because they had no contingency plan and limited staff available during the incident.

Testing Your Defenses When You Control the Timing

The difference between disaster and successful defense often comes down to one factor: preparation. CYPFER documented a case where a manufacturing company faced a New Year's ransomware attack but had conducted a tabletop exercise earlier that year, specifically including holiday skeleton crew scenarios. When the real attack occurred, the team knew exactly how to respond, contained the ransomware within hours and restored from clean backups before customers even noticed.

This is where operational technology red team assessments prove their value. Unlike traditional penetration tests that focus on finding technical vulnerabilities, red team exercises test your people, processes and technology together under realistic attack conditions. As noted by OT security firms like NVISO and SimSpace, red team operations simulate attacks based on adversary tactics, helping organizations assess prevention, detection and response capabilities while identifying improvement areas that traditional assessments miss.

Red team assessments for OT environments require specialized expertise. Bureau Veritas Cybersecurity emphasizes that red teaming in the OT domain differs significantly from IT-focused exercises, requiring careful planning to ensure continued operation and safety. Attacks in operational technology could lead to catastrophic events, making safety paramount during assessments.

These exercises can specifically test holiday scenarios: How does your reduced-staff SOC detect lateral movement? Can your on-call team contain an attack when key decision-makers are traveling? Do your backup systems work when the person who knows how to operate them is celebrating with family? Dragos found that 65% of sites assessed had insecure remote access conditions, including default credentials and unpatched VPNs, weaknesses in exactly the remote access paths skeleton crews rely on during holidays.
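One concrete control that addresses the questions above is to make the alerting pipeline aware of its own coverage gaps: an alert that lands at 3 a.m. on Christmas should not sit in a Monday triage queue. The following is an added illustration, not code from the article or from any of the vendors it cites. The staffed hours, holiday list, on-call roster, and the four sample alerts are all constructed for the example; a real deployment would read them from the organization's shift calendar and paging system.

```python
"""Reduced-coverage escalation check (illustrative, constructed values).

Classifies each alert by the staffing window it lands in (staffed hours,
night, weekend, holiday) and raises its escalation tier accordingly, then
flags holidays where a page would go out but nobody is rostered. That last
check is the kind of gap a holiday tabletop exercise is meant to surface.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, List, Optional

# Constructed staffing model: full coverage 08:00-18:00 local on weekdays.
STAFFED_START = time(8, 0)
STAFFED_END = time(18, 0)

# Constructed holiday list; not taken from the article.
HOLIDAYS = {
    date(2025, 11, 27), date(2025, 11, 28),   # Thanksgiving weekend
    date(2025, 12, 24), date(2025, 12, 25),   # Christmas
    date(2026, 1, 1),                         # New Year's Day
}

# Hypothetical holiday on-call roster. None means nobody is assigned.
# Dates not listed fall back to the normal rotation.
ON_CALL: Dict[date, Optional[str]] = {
    date(2025, 12, 24): "oncall-ot@example.internal",
    date(2025, 12, 25): None,
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
# Tiers to bump per window: the thinner the coverage, the faster a human
# must see the alert.
BUMP = {"staffed": 0, "night": 1, "weekend": 1, "holiday": 2}


@dataclass
class Alert:
    ts: datetime
    source: str
    summary: str
    base_severity: str  # "low" | "medium" | "high"


def coverage_window(ts: datetime) -> str:
    """Return 'holiday', 'weekend', 'night' or 'staffed' for a timestamp."""
    if ts.date() in HOLIDAYS:
        return "holiday"
    if ts.weekday() >= 5:          # Saturday=5, Sunday=6
        return "weekend"
    if not (STAFFED_START <= ts.time() < STAFFED_END):
        return "night"
    return "staffed"


def escalation_tier(alert: Alert) -> str:
    """Map severity plus coverage window to 'queue', 'page' or 'page-and-bridge'."""
    rank = SEVERITY_RANK[alert.base_severity] + BUMP[coverage_window(alert.ts)]
    if rank >= 3:
        return "page-and-bridge"   # page on-call and open an incident bridge
    if rank >= 2:
        return "page"
    return "queue"


def on_call_gap(alert: Alert) -> bool:
    """True when the alert needs a page but nobody is rostered for that date."""
    if escalation_tier(alert) == "queue":
        return False
    return ON_CALL.get(alert.ts.date(), "default-rotation") is None


def triage(alerts: List[Alert]) -> List[dict]:
    """Annotate each alert with its window, tier and whether a roster gap exists."""
    return [
        {
            "summary": a.summary,
            "window": coverage_window(a.ts),
            "tier": escalation_tier(a),
            "roster_gap": on_call_gap(a),
        }
        for a in alerts
    ]


# Constructed sample alerts; hostnames and sources are placeholders.
SAMPLE_ALERTS = [
    Alert(datetime(2025, 12, 24, 3, 10), "edr",
          "SMB lateral movement HMI-07 -> FS-02", "medium"),
    Alert(datetime(2025, 12, 25, 9, 0), "vpn",
          "Vendor VPN login using default credential", "high"),
    Alert(datetime(2025, 12, 2, 10, 0), "siem",
          "Burst of failed logins on jump host", "low"),
    Alert(datetime(2025, 12, 6, 14, 0), "edr",
          "New service installed on engineering workstation", "medium"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Running the block shows the Christmas Eve lateral-movement alert promoted to page-and-bridge, the Christmas Day VPN alert flagged as a roster gap because no one is assigned that day, and the Tuesday-morning alert left in the ordinary queue. Reviewing the roster-gap rows before the holiday is a cheap dry run of the "who actually answers the page" question that a full red team exercise later tests end to end.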

Q1 2026: Test Your Defenses Before Next Holiday Season

CISA and the FBI have issued specific warnings about ransomware targeting during holidays, pointing to incidents like the Colonial Pipeline attack over Mother's Day weekend 2021 as evidence of the pattern. The agencies explicitly state that "malicious cyber actors aren't making the same holiday plans as you" and recommend that critical infrastructure partners examine their cybersecurity posture in the run-up to holidays and weekends.

The question facing every plant manager, CISO and critical infrastructure operator is straightforward: Will you test your holiday defenses before attackers do, or will you be the next December 24th logistics company story?

Q1 2026 represents the ideal window for red team assessments. Conduct the exercise now, identify the gaps in your skeleton crew response capabilities, and implement fixes before next Thanksgiving, Christmas and New Year's. Organizations that invest extensively in security AI and automation see breach costs $1.88 million lower than those that don't, according to IBM research. Proactive preparation separated the manufacturing company that stopped the New Year's attack from the logistics company that spent weeks recovering on Christmas.

Red team assessments should be conducted at least annually or after significant system changes. Make this the year you discover your vulnerabilities on your own terms, not when ransomware encrypts your production line at 3 a.m. on Christmas morning.

Ready to Test Your Holiday Defenses?

⚠️ December 24th at 3 AM

Your security lead is with family. Skeleton crew staffing. Junior technician spots something strange. By the time they realize it's ransomware, critical systems are encrypted. This isn't hypothetical—it's the reality attackers exploit every holiday season.

The Holiday Attack Pattern

Real numbers from 2024 that industrial operators can't ignore

- 86% of ransomware attacks occur on weekends or holidays
- Up to 70% security staff reduction during holidays at 44% of organizations
- 70% of OT encryption attacks happen between 6 PM and 8 AM
- $1.9M average downtime cost per day for manufacturing

Why Attackers Wait for Holidays

The strategic advantages criminals exploit:

Skeleton Crews

Reduced staffing creates detection gaps. 44% of organizations reduce security staff by up to 70% during holidays. Even 24/7 SOCs cut staffing by up to 50%. With fewer eyes on alerts, attackers have hours or days of undetected access to spread laterally through networks.

Delayed Response

Getting teams mobilized takes hours longer. Your incident response coordinator is on a plane. Senior engineers are traveling. Getting the response team "out of bed at 3 AM on a Saturday won't be easy." Every delay costs up to $125,000 per hour in manufacturing downtime.

Junior Staff Confusion

Less experienced teams miss critical signs. Senior security staff take holidays. Junior technicians staffing skeleton crews may not recognize sophisticated attack patterns, lateral movement, or early ransomware indicators. By the time they escalate, encryption has already begun.

No Contingency Plans

36% of victims had no holiday response plan. Cybereason found that 36% of ransomware victims believed their attacks succeeded because they had no contingency plan and limited staff available. Without documented holiday response procedures, skeleton crews improvise under pressure.

Insecure Remote Access

65% of sites have vulnerable VPNs. Dragos found 65% of assessed sites had insecure remote access conditions, including default credentials and unpatched VPNs. During holidays, remote access usage spikes as skeleton crews work from home, and attackers exploit these exact weaknesses.

2024: The Year Holidays Turned Deadly


🦃 Blue Yonder: Thanksgiving Weekend

Target: Supply chain software firm Blue Yonder

Timing: Thanksgiving weekend 2024

Impact: Starbucks and UK supermarkets affected. Supply chain coordination disrupted during one of the busiest retail weekends of the year. Attackers knew staffing would be minimal and response would be delayed.

Lesson: Third-party software providers become high-value targets during holidays because their downtime cascades to dozens of customer organizations simultaneously.

🏥 California Hospitals: Thanksgiving Weekend

Target: Multiple California hospital systems

Timing: Thanksgiving weekend 2024

Impact: Critical healthcare systems taken offline during holiday weekend. Patient care delayed. Emergency rooms diverted. Skeleton IT crews struggled to contain the spread while medical staff dealt with holiday patient surge.

Lesson: Healthcare facilities operate 24/7 but security staffing still drops on holidays. Attackers exploited the gap between operational necessity and security coverage.

🎄 Christmas Morning Attack: IBM Case

Target: Enterprise organization (described by security professional Umair Mazhar)

Timing: Christmas morning

Impact: Attacker exploited an unpatched vulnerability while systems were less closely monitored. Attempted to encrypt critical data. Required immediate response while most staff were celebrating with family.

Lesson: Unpatched vulnerabilities that might be caught quickly on normal business days remain exposed for hours or days during holiday skeleton crew operations. Attackers time their strikes for maximum vulnerability windows.

🎃 Toronto Transit: Halloween Weekend

Target: Toronto's transit system

Timing: Halloween weekend 2021

Impact: Driver communication systems shut down over holiday weekend. Transit operations disrupted. Public safety compromised. Skeleton IT crews worked through the holiday weekend to restore systems.

Lesson: Critical infrastructure remains operationally essential during holidays but security staffing drops. Attackers target this gap between operational necessity and defensive capability.

The 2024 Industrial Attack Acceleration

Not gradual growth—exponential surge

- 73% of organizations experienced OT intrusions (up from 49% in 2023)
- 87% increase in ransomware attacks on industrial organizations
- 69% of attacks targeted the manufacturing sector specifically
- 1,693 industrial organizations exposed on ransomware leak sites in 2024

Test Your Holiday Defenses Now

Q1 2026: The ideal window to prepare before next holiday season

🎯 Test Skeleton Crew Scenarios

Red team assessments simulate attacks when your reduced-staff SOC is operating. Can your on-call team detect lateral movement? Do backup systems work when the expert is on vacation?

🔍 Find Insecure Remote Access

Dragos found 65% of sites have default credentials and unpatched VPNs. Red teams identify these vulnerabilities before attackers exploit them during high remote access periods.

📋 Build Holiday Contingency Plans

36% of victims had no contingency plan. Red team exercises create documented response procedures that skeleton crews can follow under pressure without improvising.

⏱️ Implement Fixes Before Holidays

Conduct assessments in Q1 2026. Identify gaps. Implement fixes. Test again. Be ready before Thanksgiving, Christmas, and New Year's when attackers strike most.

💰 Reduce Breach Costs

Organizations investing in security AI and automation see breach costs $1.88 million lower. Proactive preparation separates successful defense from weeks-long recovery.

🛡️ Annual Assessment Requirement

Red team assessments should be conducted at least annually or after significant system changes. Discover vulnerabilities on your terms, not at 3 AM on Christmas.
