OT Security Market Set to Hit $58.94 Billion as Hospitals Get Hit
The OT security market is projected to reach $58.94 billion by 2031 as ransomware hits more hospitals and banks. Dragos, Claroty, and Nozomi are the names to watch.
On June 22, 2026, Tata Electronics confirmed a data breach involving more than 200,000 files allegedly stolen from its systems. The next morning, Bajaj Auto disclosed a ransomware attack on its own systems and those of its wholly owned technology unit. Two Indian giants, two disclosures, nine days apart. Both sit at the edge of the AI-driven buildout in Indian electronics and autos, and both are folded into a pattern of attacks on critical services that has been quietly tightening for two years.
That pattern is the less discussed side of the AI and automation boom. As factories, banks, and hospitals connect more of their operations to software, sensors, and remote access, the same connectivity that makes them efficient makes them exposed. The cybersecurity vendors who protect that operational layer rarely make AI headlines, and yet the global OT security market is on track to grow to $58.94 billion by 2031.
Three Strikes in Three Weeks
Bajaj Auto, the Indian automaker, filed a regulatory disclosure on June 23 stating that a ransomware attack had hit its systems and those of its wholly owned technology subsidiary, Bajaj Auto Technology Ltd (BATL), at around 8 am IST. The company notified the Indian Computer Emergency Response Team (CERT-In) under the provisions of the Information Technology Act, 2000, and said the measures taken had mitigated the impact. It did not say whether data had been taken, whether manufacturing was disrupted, or how long recovery would take.
Tata Electronics disclosed its incident a day earlier, on June 22, weeks after the breach was first detected. The company is a key supplier to Apple and Tesla and operates as one of the largest electronics manufacturing platforms in India, employing more than 75,000 people. The hacker group World Leaks posted what it claimed were more than 200,000 files (over 630GB) on a forum, including what TechCrunch’s review identified as Apple supplier specifications and Tesla manufacturing documents. A Tata Electronics spokesperson told TechCrunch the incident had “no impact on our operations across businesses, which remain unaffected.” The primary documents on each case are Bajaj Auto’s June 23 ransomware filing and Tata Electronics’ June 22 disclosure.
- June 23, 2026, Bajaj Auto: ransomware hit the parent company and BATL subsidiary at 8 am IST; CERT-In informed; extent of disruption not disclosed.
- June 22, 2026, Tata Electronics: confirmed cybersecurity incident detected “a few weeks” earlier; World Leaks claims 200,000+ files including alleged Apple and Tesla trade documents.
- February 2024, Romanian hospitals: ransomware on the Hipocrate Information System platform encrypted 25 hospitals and led to 75 more being disconnected as a precaution; attackers demanded 3.5 bitcoin (about $170,000); variant identified as Phobos family “Backmydata.”

A Market Quietly Repricing
The two Indian cases map onto a global pattern. Across sectors, ransomware groups have been concentrating on the entities with the lowest tolerance for downtime: hospitals that cannot cancel surgery, factories that cannot halt a line, banks that cannot pause payments, water and power utilities that cannot stop serving customers.
In 2025, 50 percent of all ransomware attacks targeted critical infrastructure, including manufacturing, healthcare, energy, transportation, and finance. The same year saw more than 420 million attacks on critical infrastructure globally, averaging roughly 13 attacks per second according to reporting from KnowBe4 cited by Anapaya. That volume reflects a wider shift: as industrial operators adopt smart sensors, industrial IoT platforms, and remote operational technologies, they are exposing legacy OT environments to attackers that were previously locked out by air gaps and on-premises controls. The defensive perimeter that used to be defined by physical separation is now defined by software segmentation, which is the work that the OT security vendors sell. Each of those sectors is also where any unplanned downtime carries the highest cost, which is the lever ransomware operators press hardest on.
The companies positioned to absorb the demand are a specific sub-segment of the cybersecurity market: vendors who sell into operational technology, industrial control systems, and supervisory control and data acquisition environments. Their work doesn’t show up in AI keynote slides or in chip roadmaps, but the OT security market they serve is on track to grow from $27.39 billion in 2026 to $58.94 billion by 2031 at a compound annual growth rate of 16.6 percent, per MarketsandMarkets. The forecast assumes continued digitization of industrial operations, rising ransomware targeting of production facilities and energy infrastructure, and regulatory pressure for stronger network segmentation across critical infrastructure. The vendor list MarketsandMarkets tracks across the same categories spans 40 named companies, from specialist pure-plays to enterprise security vendors that have extended into OT.
The trade runs beneath the AI cycle. As AI and automation expand the attack surface, the cybersecurity layer that protects industrial operations compounds in value, and investors who have priced AI exposure through chipmakers, hyperscalers, and application vendors have largely left this layer to industrial conglomerates, automation specialists, and pure-play cybersecurity firms. The same AI cycle that drives the offensive tooling, visible in OpenAI’s Daybreak cybersecurity initiative and in reporting on AI governance gaps already producing security incidents, is also driving the defensive demand.
What an OT Security Stack Looks Like
A stack of capabilities is what industrial buyers actually need from OT security, and the stack maps to how their systems fail: asset discovery, network segmentation, threat detection, incident response, and identity control. Detection and visibility sit on one lane; segmentation and enforcement sit on the other, and mature programs almost always deploy both. The two lanes work together rather than as a ranked list, with detection platforms telling operators what is on the network and what is behaving abnormally while segmentation tools decide what is allowed to talk to what. This is the shape of the market that most analysts and vendors now agree on.
Gartner’s 2025 Magic Quadrant for Cyber-Physical Systems Protection Platforms, the analyst category that covers most of this stack, named Claroty as the leader with the highest execution positioning, followed by Dragos, Nozomi Networks, and Armis. Tenable and Palo Alto Networks also appear in the rankings with OT-specific offerings. MarketsandMarkets publishes the broader OT security market sizing that sits over the same vendor list.
The wider roster runs from industrial incumbents that have added cybersecurity to their automation portfolios to specialist pure-plays and the broader enterprise security vendors that have extended into OT. The broader enterprise security vendors with named OT offerings include Cisco, Microsoft, Fortinet, Check Point, and Palo Alto Networks, per the MarketsandMarkets key players list. The specialist pure-plays include Claroty, Dragos, Nozomi Networks, and Armis, all four named Leaders in Gartner’s 2025 Magic Quadrant for Cyber-Physical Systems Protection Platforms. Industrial automation incumbents with cybersecurity in their portfolio include Honeywell, Siemens, Schneider Electric, and ABB.
The Demand Curve, in Numbers
The market sizing data is one way to see the demand. The incident data is another. Dragos, which tracks ransomware disclosures against industrial organizations through publicly disclosed victim data and ransomware groups’ data leak sites, recorded 1,020 ransomware incidents hitting industrial organizations worldwide in the first quarter of 2026 alone.
Manufacturing accounted for 62 percent of those victims, or 633 incidents. Engineering firms, system integrators, and industrial equipment suppliers added another 139 incidents, and transportation and logistics providers added 87.
The SANS 2025 State of ICS/OT Security Survey found that 22 percent of organizations had experienced a cybersecurity incident affecting their ICS or OT systems in the past year, and that 40 percent of those incidents caused operational disruption. Dragos estimates that OT cyber incidents put $329.5 billion per year at risk globally, of which $172.4 billion is attributable to business interruption. The macro picture is reinforced by the shape of the average OT network: Claroty research found that 55 percent of OT environments now contain four or more remote access tools, each one a potential entry point. MarketsandMarkets sizes the upside in the OT security market growth forecast to 2031.
| Vendor | Primary Strength | Analyst Recognition (2025) |
|---|---|---|
| Dragos | OT threat intelligence and incident response | Gartner MQ Leader (CPS Protection) |
| Claroty | CPS platform breadth, deep asset discovery | Gartner MQ Leader, highest execution |
| Nozomi Networks | OT/IoT visibility, AI-powered detection | Gartner MQ Leader (CPS); Forrester Wave Leader (IoT Security) |
| Armis | Agentless asset intelligence across device profiles | Gartner MQ Leader (CPS Protection) |
| Tenable | OT vulnerability management with IT/OT convergence | Gartner Peer Insights 4.9/5.0 (CPS) |
| Palo Alto Networks | Enterprise-scale OT network security | Gartner MQ Leader (Network Firewalls) |
The Attackers Are Pushing Harder
Ransomware targeting of industrial sectors has entered a sustained state in which adversaries focus on entities with the lowest tolerance for downtime.
A small set of high-volume ransomware-as-a-service brands now does most of the work in industrial ransomware, per Dragos’s Q1 2026 analysis. In Q1 2026, Qilin and Akira accounted for the highest volume of claims against industrial organizations, with The Gentleman, LockBit 5.0, and Play rounding out the top five. Qilin has held the top position among industrial-targeting groups since March 2025, after law enforcement disruption of LockBit and RansomHub displaced experienced affiliates into its ranks. The Gentleman alone jumped from 18 incidents claimed in Q4 2025 to 83 in Q1 2026, the sharpest acceleration Dragos tracked. The same report cites Mandiant data showing that adversaries targeted virtualization infrastructure in 43 percent of ransomware intrusions the firm responded to in 2025, up from 29 percent in 2024.
The Romanian incidents illustrate the same pressure in real time. In late December 2025, Complexul Energetic Oltenia, Romania’s largest coal-based power producer, disclosed a ransomware incident attributed to The Gentleman group that encrypted enterprise IT systems and temporarily took down corporate email, document management, and public-facing services. The same month, Romanian Waters, the national water management authority, was hit by a separate ransomware attack that locked staff out of approximately 1,000 computer systems; for context on the same country’s earlier hit, see the Romanian hospital IT platform attack.
The attackers do not need ICS-specific malware to produce operational damage. Dragos’s Q1 2026 report notes that ransomware deployed on Windows or Linux servers hosting enterprise applications that support OT functions is sufficient to disrupt engineering systems, production planning, and OT visibility. The convergence of IT and OT networks amplifies the operational impact, which is why an attack on a third-party IT platform in Romania in 2024 could cascade into 25 hospitals going offline even though the affected hospitals’ medical devices were never directly touched. The full Q1 2026 breakdown sits in Dragos’s industrial ransomware analysis.
The Risk That Could Reprice It All
For investors looking at the OT security thesis from the demand side, the growth story stops mattering the moment the protection fails. Bajaj Auto’s regulatory filing did not disclose the extent of the disruption, whether data had been taken, or how long recovery would take. The same filing said the measures taken had been successful in mitigating the impact.
Tata Electronics’ case is the harder one. The company told TechCrunch the incident had no impact on its operations, but Apple was reported to be investigating the alleged exposure of its supplier specifications, and a ransom demand was reportedly made. The 200,000+ files in the World Leaks posting, if authenticated, would represent a leak of customer IP from a single incident that the company itself said it had contained. The market will not know the answer on day one.
For the OT security trade to keep its trajectory, defenders have to close the gap with attackers. SANS’s survey found that only 22 percent of organizations had experienced an ICS or OT incident in the past year, but the same data shows that 40 percent of those incidents caused operational disruption. The size of that gap is what will determine whether the vendor side captures the full benefit of the next attack cycle.
The MarketsandMarkets forecast assumes the kind of regulatory and corporate spend acceleration that has been visible since 2024, an assumption the latest incident cluster from India has not contradicted. Whether the next two years deliver that acceleration or stall it is the open question for the thesis.
Frequently Asked Questions
What is OT cybersecurity?
Operational technology (OT) cybersecurity protects the hardware and software that monitors or controls physical processes: industrial control systems, supervisory control and data acquisition environments, programmable logic controllers, and connected sensors in factories, power plants, water systems, and hospitals. The OT security market is distinct from the IT security market because industrial systems run on legacy equipment that often cannot accept agents, tolerate downtime, or be re-architected into new network segments without operational disruption.
Who are the biggest OT cybersecurity vendors?
The clearest leaders in 2025 analyst coverage are Claroty, Dragos, Nozomi Networks, and Armis, all four named Leaders in Gartner’s Magic Quadrant for Cyber-Physical Systems Protection Platforms in 2025. Tenable and Palo Alto Networks also rank in the broader category through their OT-specific offerings. Other named vendors in the OT security market include Honeywell, Siemens, Schneider Electric, ABB, Fortinet, Cisco, Microsoft, Check Point, and Darktrace.
Why are hospitals, factories, and banks getting hit more often?
Two structural reasons. Industrial operators have connected more of their operations to software, sensors, and remote access tools as part of AI and automation rollouts, expanding the attack surface, and they have low tolerance for downtime, which makes them more likely to pay a ransom. Claroty research found that 55 percent of OT environments now contain four or more remote access tools, each one a potential entry point.
How big is the OT security market?
MarketsandMarkets projects the global OT security market to grow from $27.39 billion in 2026 to $58.94 billion by 2031, a 16.6 percent compound annual growth rate. The forecast assumes continued digitization of industrial operations, rising ransomware targeting of production facilities and energy infrastructure, and regulatory pressure for stronger network segmentation across critical infrastructure.
Is this a near-term trade or a multi-year opportunity?
Multi-year. Dragos recorded 1,020 ransomware incidents hitting industrial organizations in Q1 2026 alone, with manufacturing accounting for 62 percent of victims. The combination of rising incident volume and tightening industrial automation is what underpins the 16.6 percent CAGR forecast through 2031.
