As 2025 comes to a close, some of our Nexus contributors and experts have provided us with a look back on the year in cybersecurity, and their predictions for the next year within their industries and specialty areas. Today, Don C. Weber, principal consultant and founder of Cutaway Security LLC, reflects on the speed of AI-enabled cyberattacks, and predicts 2026 will bring the emergence of the ICS script kiddie.
Throughout 2025, AI-enabled automation made industrial cyberattacks faster, not necessarily smarter. Attack timelines compressed between initial access, movement, and impact, while the same automation lowered the barrier to entry for less sophisticated threat actors.
Anthropic's disruption of sophisticated cybercriminal operations demonstrated how artificial intelligence (AI) agents now autonomously execute reconnaissance, exploitation, and data exfiltration at unprecedented speed. Traditional assumptions about the relationship between threat actor sophistication and attack complexity no longer hold when AI can provide instant expertise.
Claroty Team82's analysis of nearly one million OT devices confirmed this troubling trend. The research found that 40% of organizations have assets insecurely connected to the internet, while 12% of industrial organizations had OT assets communicating with malicious domains. This demonstrates that adversaries are succeeding through awareness of exposed assets rather than through sophistication.
Claroty's research revealed that 32% of organizations admit to directly connecting cyber-physical systems to the internet via exposed open ports. Even more concerning, 55% have four or more remote access tools deployed in OT environments, with 33% having six or more. This creates excessive risk and operational burdens.
In 2026, this emergence of the "ICS Script Kiddie" enabled by AI will become a strategic liability for critical infrastructure. Organizations must commit more personnel with both OT and IT experience to addressing the foundational SANS Five ICS Cybersecurity Critical Controls. Automation is amplifying reconnaissance, privilege escalation, and OT-protocol misuse while simultaneously enabling actors with minimal ICS knowledge to affect industrial systems.
Defenders are losing time even though the core indicators remain unchanged. Organizations that stay ahead of both AI-augmented attackers and growing regulatory scrutiny are those that commit increased operational expenditure (OPEX) funding to staff explicitly focused on implementing and maintaining these controls. This work must begin with secure remote access, the most exploited vector into operational environments. Organizations must reinforce capabilities through quarterly tabletop exercises designed to pressure-test defenses against rapid-fire, automated intrusion scenarios conducted by adversaries who may have no genuine understanding of the systems they're attacking.
Don C. Weber is the Principal Consultant and Founder at Cutaway Security, LLC, an information security consulting company. Don's previous experiences include large-scale incident response efforts for organizations with international assets and interests, the certification and accreditation of classified federal and military systems, assessment and penetration testing of worldwide commercial assets, and, as a Navy contractor, the management of a team of distributed security professionals responsible for the security of mission-critical Navy assets.