Scary datapoints re network visibility in Dragos annual report on OT cyberattacks
2026-2-23 03:40:54 Author: www.reddit.com

OT cyber attacks are an unknown unknown. We don't know what we don't know because (per the annual Dragos report) only 5-10 percent of even regulated critical infrastructure has the pre-incident visibility into OT network traffic to do root cause analysis or post-incident forensics and identify cyber attacks.
But the lead for my OT Today story, and the really scary thing, is that ransomware gangs have finally figured out how to get to and disable OT/ICS systems.
Headline: They don't need any special skills. Bog standard identity abuse will get them access. They don't even need to pivot through a (hopefully segmented) enterprise IT network, because there are servers and desktops that provide direct access to OT systems. If they were foreign cyber warriors intent on developing the capability to destroy the system physically, they would begin exfiltrating system configuration files.
But by and large the ransomware IABs attacking industrial organizations are greedy, sadistic and mid-skilled at best (see Scattered Lapsus ShinyHunters). They are after a quick profit and, ignorant as they might be, they do know that deploying common or garden ransomware on virtual or desktop machines remotely managing OT/ICS equipment will affect their victims' bottom line much more readily than an email server.
The future is The Com in every OT network.


Article source: https://www.reddit.com/r/netsec/comments/1rc6t3w/scary_datapoints_re_network_visibility_in_dragos/