Last year proved to be quite the year for the operational technology (OT) and industrial control systems (ICS) risk and threat landscape. An analysis of ENISA's 2025 Threat Landscape found that 4,875 cybersecurity incidents occurred between July 2024 and June 2025, and incidents involving operational technology accounted for 18.2% of recorded cases.
With major disruptive OT/ICS news stories in 2025 involving Jaguar Land Rover, Nucor Corp., and the Lake Risevatnet Dam attack, security experts expect these trends to continue, and possibly intensify, in ways that demand immediate strategic responses from industrial cybersecurity leaders.
Here's how experts say the prevalent trends from last year will shape the year to come:
State-aligned threat actors spent much of 2025 methodically positioning themselves within critical infrastructure. For instance, the VOLTZITE threat group—linked to China's Volt Typhoon operations—compromised small-office routers at electric utilities and telecommunications providers, establishing operational relay networks while exfiltrating geographic information system data, OT network diagrams, and operational instructions.
In 2026, security researchers predict this reconnaissance will transition into operational deployment. "These aren't reconnaissance operations—they're preparation for destructive attacks in the context of a major crisis or conflict," FBI Director Christopher Wray testified at the House Select Committee on the Chinese Communist Party, elevating concerns from cybersecurity to national security imperatives.
Cameron Lee, CEO at sheet metal machinery manufacturer Accurl, said operators will further sharpen their software bills of materials (SBOMs) and use more signed firmware to better combat nation-state-backed and other APTs. "Resilience over prevention," Lee said.
On the manufacturing floor, he advises organizations to put machine segments in their own zones and always use VPNs; to use brokered, time-boxed vendor access with MFA and session recording; to keep golden images for PLCs and drives; and to test laser/CNC controls and keep them offline. He also recommends baselining Modbus/EtherNet/IP traffic and alerting on programming writes outside maintenance windows. "The plants that win will control identities and practice restores," Lee said.
The persistence of conflicts in Ukraine, Middle East tensions, and US-China strategic competition virtually ensures that OT/ICS networks will remain strategic targets for intelligence collection and pre-positioning throughout 2026. ENISA assesses that state-aligned intrusion sets will continue blending espionage, supply-chain access, and information operations, increasingly leveraging compromised infrastructure to mask their activities.
Ransomware operations surged in 2025, according to GuidePoint Security's GRIT 2026 Ransomware and Cyber Threat Report, which recorded a 58% year-over-year increase in ransomware victims. And the manufacturing industry was the heaviest hit, accounting for 14% of attacks, with the technology (9%) and retail/wholesale (7%) industries coming in distant second and third place.
"The GRIT 2026 Ransomware and Cyber Threat Report shows the most active year for ransomware we've ever recorded," said Jason Baker, lead threat analyst at GuidePoint Security. GuidePoint expects 2026 to be another big year for ransomware, finding December 2025 to be the most active month for identified ransomware victims, with 814 successful attacks, which is a 42% year-over-year increase.
The trend toward directly targeting OT networks—rather than merely disrupting IT systems that indirectly impact operations—poses escalating risk in 2026. As ransomware operators gain familiarity with industrial protocols and control systems, experts predict the emergence of malware specifically designed to manipulate industrial processes rather than simply encrypting data.
ENISA assesses that, despite law enforcement successes disrupting primary ransomware operations, displaced or disrupted Ransomware-as-a-Service (RaaS) brands will be promptly replaced by emerging programs. The criminal marketplace will continue formalizing around specialized skills to further scale campaigns, with notable integration of AI, IoT targeting, and large-scale vulnerability exploitation.
Ransomware operators are likely to respond to law enforcement pressure by further decentralizing operations, adopting more aggressive extortion tactics beyond encryption—including operational disruption threats and regulatory compliance blackmail—and capitalizing on victim organizations' operational pressures to maximize ransom payments. The manufacturing sector's vulnerability, where production downtime directly impacts revenue, makes it particularly susceptible to these coercive tactics.
Combined with adversaries' proven willingness to cause physical damage for strategic objectives, this evolution threatens the safety systems and protective measures that prevent industrial accidents. Organizations should expect ransomware groups to weaponize their understanding of industrial processes, potentially causing safety incidents alongside operational disruptions.
While AI remained mostly a defensive tool in 2025, threat actors began experimenting with AI-enhanced phishing campaigns and reconnaissance automation. Fortinet's Threat Landscape Report documented that AI-powered cybercrime began scaling rapidly, with adversaries harnessing AI to make attacks more effective and difficult to detect. Organizations responded by increasing threat intelligence adoption to 49% in 2025, up significantly from 2024, with AI-powered services delivering OT-specific threat data and vulnerability context.
ENISA predicts that AI will accelerate cycles of offensive innovation, enabling rapid campaign development and more effective deception techniques. Deepfake voice and video technologies could allow social engineering attacks that bypass traditional verification mechanisms. At the same time, AI-powered reconnaissance could identify optimal attack paths through complex industrial networks far more efficiently than human operators.
The defensive application of AI will prove critical for organizations attempting to maintain parity with adversaries. Claroty identifies AI/ML as key components of forward-looking cyber-physical systems security programs, with organizations leveraging these technologies for improved threat detection, response, recovery, and predictive analysis of emerging threats. AI can analyze sensor data and network traffic to rapidly detect anomalies, including zero-day vulnerabilities not yet disclosed to vendors, predict likely attack paths, identify risky configurations, and prioritize remediation of flaws most likely to be exploited.
This creates an all-too-familiar arms race dynamic in which defensive AI implementations must continuously evolve to maintain effectiveness against adaptive adversaries. Organizations that fail to integrate AI-powered defensive capabilities in 2026 will find themselves at a severe disadvantage against adversaries who have weaponized these technologies.
Michael Farnum, an advisory CISO and enterprise technology officer at Trace3 and founder/president at CYBR.SEC.CON said that, given the less-than-optimal state of security of these systems, isolation from the Internet is the best way to stop the attacks. "If that's not possible, and sometimes there are business needs that will almost always trump these decisions, then important functional zones should be isolated/segmented within the OT environment. Essentially, control your blast radius," he said.
Despite decades of security guidance recommending network isolation, industrial assets remained systematically exposed throughout 2025. Claroty's analysis of nearly one million OT devices found that 40% of organizations had devices containing known, actively exploited vulnerabilities that were insecurely connected to the Internet. More alarmingly, 7% of devices harbored vulnerabilities linked to ransomware campaigns, with 31% of organizations having such critically exposed assets online.
This fundamental security gap shows no signs of improvement throughout 2026. The systematic exploitation of remote access vulnerabilities by threat groups demonstrates that internet-exposed industrial assets will remain primary attack vectors. CISA's December 2025 release of Cybersecurity Performance Goals 2.0 established baseline expectations for critical infrastructure remote access security, but implementation timelines extend well into 2026 and beyond.
Adversaries will continue to leverage scanning platforms such as Shodan and Censys to systematically identify exposed VPN gateways, firewalls, PLCs, HMIs, and engineering workstations. The BAUXITE threat group's targeting of internet-exposed Unitronics PLCs using default credentials demonstrated that even unsophisticated attack methods succeed when fundamental security hygiene remains inadequate.
Organizations should expect intensified targeting of remote access infrastructure in 2026, particularly as hybrid work arrangements persist and vendor remote support remains operationally necessary. Virtual private networks providing OT access will face accelerated exploitation of newly disclosed vulnerabilities, as VOLTZITE's rapid weaponization of Ivanti Connect Secure zero-days demonstrated the speed with which sophisticated adversaries exploit newly disclosed flaws.
Third-party and supply chain vulnerabilities accounted for a significant share of identified security issues in industrial environments. Claroty's survey revealed that 46% of organizations experienced breaches due to third-party access in the preceding 12 months, with 54% discovering security gaps in vendor contracts only after incidents occurred. The complexity of modern ICS deployments, which integrate components from dozens of vendors with varying security maturity, creates cascading risk, where a single compromised supplier provides adversaries with access to numerous downstream organizations.
Such supply chain risks will intensify in 2026 as geopolitical tensions drive organizations to reconsider the geographic location of their suppliers. Claroty reported that geopolitical uncertainties and economic policy changes caused 67% of surveyed organizations to rethink their supply chain geography to mitigate cyber-physical systems risks, creating transition vulnerabilities as new vendor relationships are established.
Targeting vendors themselves will compound this risk. A joint NSA/FBI/CISA advisory documented a two-year campaign targeting logistics, defense, and technology companies supplying Ukraine, where adversaries compromised over 10,000 surveillance cameras near critical transportation points to gather intelligence. Organizations should assume that their vendors are under active attack and implement appropriate defensive measures.
The regulatory landscape will further complicate supply chain management. European organizations face phased compliance deadlines for the Cyber Resilience Act and NIS2 directive, with implementation timelines varying by member state. These requirements may drive global improvements in vendor security practices as manufacturers align with the most stringent applicable regulations, but transition periods create uncertainty and potential compliance gaps.
Ralph Rodriguez, president of identity verification and authentication provider Daon, said most field equipment can't be patched quickly or at all due to numerous legacy issues. The practical 2026 pattern is segmentation and allow-listing that travels with the process: micro-perimeters at cell/zone, DPI firewalls that understand ICS protocols, command allow-lists for write operations, and one-way paths where possible.
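As an added example (not from the article or from any vendor quoted in it), the following Python sketches the two controls described above: Lee's alerting on programming writes outside maintenance windows and Rodriguez's command allow-list for write operations. It parses Modbus/TCP requests, flags write function codes from sources not on the allow-list, and flags allowed writes that arrive outside the window. The addresses, the window, and the sample frames are constructed assumptions.

```python
import struct
from datetime import datetime, time

# Modbus function codes that change controller state (write/program operations).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
# Assumed allow-list: the engineering workstation may write to PLC units 1 and 2 only.
WRITE_ALLOWLIST = {"10.1.20.5": {1, 2}}
# Assumed nightly maintenance window during which programming writes are expected.
MAINTENANCE_WINDOW = (time(22, 0), time(23, 59, 59))

def parse_mbap(frame: bytes) -> dict:
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; the length field counts unit id + function + data.
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    return {"tid": tid, "unit": unit, "function": frame[7]}

def evaluate(src_ip: str, ts: datetime, frame: bytes):
    """Return None for baseline traffic, or an alert string for a write that breaks policy."""
    msg = parse_mbap(frame)
    fc = msg["function"]
    if fc not in WRITE_FUNCTIONS:
        return None  # reads are normal polling traffic and are not alerted here
    what = f"{src_ip} -> unit {msg['unit']} ({WRITE_FUNCTIONS[fc]})"
    if msg["unit"] not in WRITE_ALLOWLIST.get(src_ip, set()):
        return f"ALERT unauthorised write: {what}"
    start, end = MAINTENANCE_WINDOW
    if not (start <= ts.time() <= end):
        return f"ALERT write outside maintenance window: {what} at {ts:%H:%M}"
    return None

# Constructed sample traffic: (source, timestamp, raw Modbus/TCP request bytes).
SAMPLES = [
    ("10.1.30.7", datetime(2026, 3, 2, 14, 5), bytes.fromhex("00010000000601030000000a")),   # HMI read (FC3)
    ("10.1.20.5", datetime(2026, 3, 2, 22, 30), bytes.fromhex("0002000000060106001000ff")),  # EWS write (FC6), in window
    ("10.1.20.5", datetime(2026, 3, 2, 14, 6), bytes.fromhex("0003000000060106001000ff")),   # EWS write (FC6), daytime
    ("10.1.30.7", datetime(2026, 3, 2, 14, 7), bytes.fromhex("0004000000090110001000010200ff")),  # HMI write (FC16)
]

def scan(samples=SAMPLES) -> list:
    """Run the policy over captured requests and return the alerts raised, in order."""
    return [a for src, ts, frame in samples if (a := evaluate(src, ts, frame))]
```

In a real deployment the same logic would sit on a span port or in a protocol-aware firewall, with the baseline of expected sources and units learned from observed traffic rather than hard-coded.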
Organizations should implement stringent security requirements in vendor contracts, conduct security assessments before onboarding new suppliers, monitor ongoing supplier security posture, and maintain contingency plans for rapid disconnection from suppliers when compromise indicators emerge.
Organizations implementing comprehensive security programs demonstrated measurably superior outcomes in 2025 that validate the path forward for 2026. Fortinet's research found that organizations at maturity Level 4 reported zero intrusions 65% of the time, versus only 46% for Level 0-2 organizations. More dramatically, organizations deploying unified security solutions across IT and OT environments achieved a 93% reduction in cyber incidents.
The SANS ICS Five Critical Controls framework provides the foundations. Given that 70% of vulnerabilities reside deep within networks on devices that are often difficult to patch, organizations should focus remediation efforts on the highest-risk exposures.
Critical elements for 2026 include maintaining offline backups of engineering workstation software and controller configurations, implementing multi-factor authentication for all remote access, deploying protocol-aware deep packet inspection that understands industrial communications, and conducting annual attack surface analyses to identify inadvertently exposed devices.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.