Three new threat groups were identified in 2025 alone, and adversaries are now exploiting newly published VPN vulnerabilities within hours, not days. Initial access teams are systematically compromising remote access infrastructure to build pre-positioned footholds in industrial environments, while groups like Volt Typhoon conduct long-term reconnaissance to understand exactly how to disrupt operational processes at the most vulnerable moments.

Kai Thomsen draws on Dragos' ninth annual OT Threat Intelligence report and active incident response experience to trace how these attack paths evolve - and what defenders can do to detect them early and limit their impact.

This session will cover:

• How state-linked initial access groups exploit VPN vulnerabilities to reach OT;
• Why monitoring VPN session duration and access patterns is one of the most effective early-warning controls;
• What doing the security basics correctly looks like.