OT Security in 2026: Preparing for Adversaries Who Plan Years Ahead
OT security in 2026 requires preparation for adversaries who plan years ahead. This report examines manufacturing risk, nation-state pre-positioning, hacktivist attacks, identity exposure, remote access weaknesses, and resilience priorities for protecting industrial environments and critical infrastructure.

THE OT RISK FRONTLINE REMAINS MANUFACTURING

OT risk is no longer confined to utilities, pipelines, or traditional critical infrastructure sectors. Manufacturing remains the frontline for industrial OT risks because it provides attackers with the mix that they are looking for: uptime dependence, criticality, legacy systems, and widespread third-party access.

IBM's X-Force Threat Intelligence Index 2025 reported that critical infrastructure organizations accounted for 70% of the attacks IBM X-Force responded to in 2024. Manufacturing was the most targeted industry for the fourth consecutive year, accounting for 26% of incidents.1

The implications of manufacturing cyber exposure extend far beyond the factory floor. Any compromise within an enterprise setting may lead to knock-on effects regarding logistics, supplier networks, production timelines, customer deliveries, and supply chain availability.

Ransomware continues to be a significant threat, though its approach has evolved. Attackers do not always need to encrypt systems when data theft, operational pressure, and extortion can create similar leverage. IBM’s reporting shows how cybercriminals increasingly exploit identity gaps, hybrid cloud complexity, and exposed access points rather than relying only on destructive malware.1

For enterprise security leaders, the manufacturing story is a warning about industrial dependency. OT risk is no longer isolated to the plant. It also impacts enterprise resilience, logistics, procurement, distribution, and executive risk management.

NATION-STATE ACTORS ARE NOW STARTING TO POSITION THEMSELVES FOR FUTURE ATTACKS

State-backed cyber operations are no longer limited to intelligence gathering and espionage.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other allied agencies have issued multiple alerts on China-sponsored threat actors using "living off the land" techniques, stolen credentials, network devices, and administrative access rights.2

Volt Typhoon remains the most strategically important example. U.S. agencies have assessed that the group’s activity is consistent with pre-positioning inside U.S. critical infrastructure networks to enable potential disruption during future geopolitical conflict.2

That distinction matters.

A criminal actor usually wants payment.
A state-backed actor may want leverage.
A pre-positioned actor is often seeking the ability to disrupt operations at a time of their choosing.

This makes the risk harder to measure using normal breach metrics. The immediate objective may not be data resale or ransomware deployment. It may be infrastructure mapping, credential collection, operating procedure discovery, network diagram theft, or lateral movement preparation.

The Littleton Electric Light and Water Department's case showed how serious that risk can become. Reporting indicated that Volt Typhoon-linked activity remained inside the Massachusetts utility environment for more than 300 days, with activity connected to operational intelligence collection.3

Salt Typhoon presents a related but distinct concern. U.S. and allied agencies have associated Salt Typhoon activity with telecommunications and other critical sectors, with reporting and advisories emphasizing surveillance, access persistence, and strategic intelligence value.4

Boards should understand the difference between these threat profiles. Salt Typhoon-style activity may create intelligence exposure. Volt Typhoon-style pre-positioning may create disruption potential. Both require stronger visibility across IT, OT, cloud, identity, and third-party access paths.

HACKTIVIST PRESSURE ON WATER, ENERGY, AND FOOD SYSTEMS

Nation-state actors are not the only industrial threat.

CISA, FBI, NSA, EPA, Department of Energy, and international partners have also warned that pro-Russia hacktivist groups are targeting U.S. and global critical infrastructure. Government advisories have identified several pro-Russia hacktivist collectives, including Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16, as active participants in campaigns targeting critical infrastructure.5

These campaigns are often described as opportunistic and lower in sophistication than advanced persistent threat operations. That does not make them harmless.

The advisory describes targeting of internet-accessible OT systems, including SCADA and human-machine interface environments, especially where VNC, weak passwords, default credentials, or poor exposure management create access opportunities.6

Sectors that are particularly susceptible when OT systems are exposed online through remote access include water and wastewater, energy, and food and agriculture.

In addition, CISA issued another warning in May 2025, noting that even unsophisticated cyber actors had been attacking internet-connected industrial control systems and SCADA devices in critical sectors.7

The message here could not be clearer: lack of sophistication doesn’t mean lack of impact.

A weakly protected HMI, remote access session, or exposed controller can still create operational disruption. In OT environments, even simple attacks can produce an outsized impact when systems are poorly segmented, weakly authenticated, or difficult to recover.

FIGURE 1: Priority OT/ICS Threat Profiles for Security Leaders in 2026

| Threat Category | Typical Objective | Common Access Path | Operational Risk |
|---|---|---|---|
| Nation-state pre-positioning | Future disruption capability | Living-off-the-land, credentials, edge devices | Strategic infrastructure risk |
| Telecom and infrastructure surveillance | Intelligence collection | Identity compromise and network persistence | Sensitive communications exposure |
| Ransomware groups | Payment and extortion | Credentials, phishing, exposed services | Downtime and production interruption |
| Pro-Russia hacktivists | Public disruption and propaganda | Internet-facing VNC, weak passwords, exposed OT | Localized service disruption |
| Criminal data theft groups | Monetization and leverage | SaaS, cloud, vendor accounts, infostealers | Extortion and supply chain exposure |

Sources: Cyber Tech Intelligence Analysis based on referenced reporting.

THE IDENTITY PROBLEM INSIDE INDUSTRIAL ENVIRONMENTS

Industrial cybersecurity is no longer only a segmentation problem. It is also an identity problem.

OT environments now depend on remote engineering access, vendor maintenance accounts, cloud-based monitoring, Industrial IoT platforms, centralized orchestration tools, and managed service connections. Each connection introduces identity risk.

IBM X-Force’s 2025 reporting shows how attackers increasingly exploit credentials and identity-based access. IBM reported that identity-based attacks represented 30% of total intrusions, while infostealers delivered via phishing emails rose 84% year over year. The same reporting highlighted growth in stolen credentials listed in dark web markets and the expanding role of infostealers as a pipeline for follow-on attacks.1

This matters inside OT because the identity surface often extends beyond the enterprise identity program.

Vendor accounts may sit outside normal access review.
Engineering workstations may use shared credentials.
Remote access may rely on legacy VPNs.
Service accounts may lack ownership.
Industrial systems may not support modern authentication.
Contractor access may remain active after work is complete.

Attackers understand these weaknesses.

A compromised vendor credential can become an OT entry path. A stolen engineer credential can become a maintenance window. A mismanaged remote access account can become long-term persistence.

Security leaders should therefore treat OT identity governance as a core control, not an IT-only function.

REGULATORY AND RESILIENCE PLANNING: WHAT CISA IS SIGNALING

CISA’s CI Fortify initiative, released in May 2026, signals a shift in expectations for critical infrastructure operators. The initiative is designed to help critical infrastructure entities continue delivering vital services during a crisis or conflict, even when systems are under attack.8

Two concepts stand out: isolation and recovery.

Isolation means preparing to operate when connections to third-party, business, or external technology networks are degraded or intentionally disconnected.

Recovery means restoring critical operations when control systems, supporting systems, or connected IT environments are compromised.

For security leaders, CI Fortify should be treated as more than guidance. It indicates the direction that regulatory expectations, board-level attention, cyber-insurance underwriting, and critical infrastructure procurement processes may take.

Indeed, CISA continues to stress critical infrastructure protection and resilience as a national security issue, with both sectoral reporting and CIRCIA implementation pushing organizations toward more timely incident reporting and operational preparedness.9

The investment environment reflects this urgency. Gartner forecasts worldwide end-user spending on information security to reach $213 billion in 2025 and rise 12.5% to $240 billion in 2026.10

Industrial and cyber-physical systems security is expected to remain a priority because organizations now recognize that cyber disruption can become operational disruption.

FIGURE 2: OT/ICS Risk Indicators for 2026

| Risk Area | Indicator | Why It Matters |
|---|---|---|
| Asset visibility | Unknown internet-connected OT devices | Unseen assets cannot be defended |
| Identity exposure | Vendor accounts without MFA | Remote access becomes an entry path |
| Network segmentation | Unrestricted IT-to-OT pathways | Enables lateral movement |
| Patch management | High-severity advisories remain open | Known vulnerabilities stay exploitable |
| Recovery readiness | No tested offline recovery plan | Outage duration increases |
| Threat intelligence | No mapping to actor TTPs | Detection remains generic |

Sources: Cyber Tech Intelligence Analysis based on referenced reporting.

WHAT SECURITY LEADERS SHOULD PRIORITIZE NOW

Five actions should move to the top of the OT/ICS security agenda.

1. Build an “as-operated” OT asset inventory

Security teams need an accurate view of what is actually connected, not only what is listed in procurement or engineering records.

That inventory should cover controllers, HMIs, engineering workstations, historians, jump servers, vendor connection points, remote access software, network appliances, IIoT devices, cloud-capable sensors, and OT systems interconnected with IT systems.

Visibility question number one is relatively simple: what do we have, how is it interconnected, and who has access to it?

2. Enforce MFA for all OT remote access

Remote engineering access, vendor maintenance, third-party support, and administrator access must require MFA wherever technically feasible.

This control should extend beyond employees to contractors, suppliers, integrators, and managed service providers.

IBM’s identity findings and CISA’s repeated advisories make the same point: valid credentials are now one of the most important industrial attack paths.1
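As an added example that is not part of this report, the following Python review applies the identity weaknesses listed earlier (vendor accounts outside access review, shared credentials, legacy VPNs, unowned service accounts, contractor access left active) together with the MFA requirement of this action to an exported account list. The account records, field names and the 90-day review interval are constructed for illustration and would be replaced by your own IAM export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 90   # constructed policy value: how stale a vendor access review may be

@dataclass
class AccessAccount:
    name: str
    kind: str                       # "employee", "vendor", "contractor" or "service"
    mfa: bool                       # MFA enforced on the remote access path
    shared: bool                    # credential known to more than one person
    owner: Optional[str]            # accountable owner, None if nobody is assigned
    access_path: str                # "legacy-vpn", "jump-host", "access-broker", ...
    engagement_end: Optional[date] = None      # contract end for vendors and contractors
    last_reviewed: Optional[date] = None       # last access review of this account

def review_account(acct: AccessAccount, today: date) -> list:
    """Return the identity weaknesses from the report that apply to one account."""
    findings = []
    if not acct.mfa:
        findings.append("no-mfa")                    # action 2: MFA for all OT remote access
    if acct.shared:
        findings.append("shared-credential")         # shared engineering workstation logins
    if acct.owner is None:
        findings.append("no-owner")                  # service account without ownership
    if acct.access_path == "legacy-vpn":
        findings.append("legacy-vpn")                # remote access relying on a legacy VPN
    if acct.kind in ("vendor", "contractor"):
        if acct.engagement_end is not None and acct.engagement_end < today:
            findings.append("active-after-engagement")   # access left on after the work ended
        if acct.last_reviewed is None or (today - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append("outside-access-review")     # vendor account not in normal review
    return findings

def review_all(accounts, today: date) -> dict:
    """Accounts with at least one finding, keyed by account name."""
    return {a.name: f for a in accounts if (f := review_account(a, today))}

# Constructed sample accounts, not real identity data
TODAY = date(2026, 6, 1)
SAMPLE = [
    AccessAccount("eng-maint-01", "employee", True, True, "plant-eng", "jump-host"),
    AccessAccount("vendor-drives", "vendor", False, False, "vendor-mgmt", "legacy-vpn",
                  engagement_end=date(2026, 2, 28), last_reviewed=date(2025, 11, 15)),
    AccessAccount("svc-historian", "service", True, False, None, "internal"),
    AccessAccount("integrator-sis", "contractor", True, False, "safety-lead", "access-broker",
                  engagement_end=date(2026, 12, 31), last_reviewed=date(2026, 4, 20)),
]
```

Running `review_all(SAMPLE, TODAY)` lists only the three accounts with findings; the contractor account with MFA, an owner and a recent review produces none.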

3. Review patching against high-risk OT advisories

Industrial patching is difficult, but long patch windows create predictable exposure.

Security teams should review open vulnerabilities against CISA advisories, known exploited vulnerabilities, exposed devices, and critical assets. Critical vulnerabilities affecting perimeter network devices, remote access infrastructure, firewalls, VPN appliances, and externally reachable OT networks need prompt action.

4. Test isolation and recovery procedures

CI Fortify makes resilience planning explicit. Organizations should know whether they can operate essential services without normal external connectivity, vendor access, or business network dependencies.8

This requires tabletop exercises, offline recovery testing, manual operating procedures, backup validation, and clear authority for emergency isolation.

5. Reduce IT-to-OT lateral movement paths

Segmentation remains one of the most important controls against both nation-state actors and ransomware groups.

Security teams should identify pathways from corporate IT into OT, including shared identity systems, file transfer paths, remote access tools, unmanaged VPNs, jump boxes, engineering laptops, and monitoring platforms.

The objective is not theoretical segmentation. It is operational containment.
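As an added example not taken from the report, the following Python code ties action 1 (the as-operated inventory) and action 5 (IT-to-OT pathways) together: it reconciles passively observed flows against the engineering inventory and reports the unknown assets, internet-connected OT devices and direct IT-to-OT sessions that Figure 2 lists as risk indicators. The inventory, flow records, zone names and the 10.0.0.0/8 address plan are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed address plan for the example: everything the site owns is in 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

Asset = namedtuple("Asset", "ip zone role")   # zone: "it" | "dmz" | "ot"; role: "plc", "hmi", "jump-host", ...
Flow = namedtuple("Flow", "src dst dport")    # one observed connection from passive monitoring

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def reconcile(inventory, flows):
    """Map observed flows onto three indicators from the report's risk table: unknown
    assets, internet-connected OT devices, and IT-to-OT pathways bypassing the jump host."""
    known = {a.ip: a for a in inventory}
    unknown, ot_internet, it_to_ot = set(), set(), set()
    for f in flows:
        src, dst = known.get(f.src), known.get(f.dst)
        # An internal address engineering never recorded: the "as-operated" inventory gap
        for ip, asset in ((f.src, src), (f.dst, dst)):
            if asset is None and is_internal(ip):
                unknown.add(ip)
        # An OT asset exchanging traffic with an address outside the site's own ranges
        if src and src.zone == "ot" and not is_internal(f.dst):
            ot_internet.add(src.ip)
        if dst and dst.zone == "ot" and not is_internal(f.src):
            ot_internet.add(dst.ip)
        # Only OT peers or the jump host may initiate sessions into the OT zone
        if src and dst and dst.zone == "ot" and src.zone != "ot" and src.role != "jump-host":
            it_to_ot.add((f.src, f.dst, f.dport))
    return {"unknown_asset": sorted(unknown),
            "ot_internet_connected": sorted(ot_internet),
            "it_to_ot_path": sorted(it_to_ot)}

# Constructed sample inventory and flow records, not real site data
INVENTORY = [Asset("10.10.1.20", "it", "workstation"), Asset("10.20.0.5", "dmz", "jump-host"),
             Asset("10.30.0.10", "ot", "plc"), Asset("10.30.0.11", "ot", "hmi")]
FLOWS = [Flow("10.10.1.20", "10.20.0.5", 3389),   # IT workstation -> jump host: expected
         Flow("10.20.0.5", "10.30.0.11", 5900),   # jump host -> HMI: expected
         Flow("10.10.1.20", "10.30.0.10", 502),   # IT workstation straight to the PLC
         Flow("10.30.0.11", "203.0.113.7", 443),  # HMI talking to an address outside the site
         Flow("10.30.0.99", "10.30.0.10", 502)]   # a device engineering never recorded

if __name__ == "__main__":
    for indicator, hits in reconcile(INVENTORY, FLOWS).items():
        print(f"{indicator}: {hits}")
```

The two expected flows through the jump host produce no findings; the other three each surface exactly one indicator.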

BOARD ASKS

Enterprise security leaders should take the following actions to the board or executive risk committee:

| Board Request | Purpose |
|---|---|
| Approve a 90-day OT asset discovery and passive monitoring initiative | Establish visibility into the real operating environment |
| Mandate MFA for all vendor and third-party OT access within 120 days | Reduce credential-based intrusion risk |
| Fund a CI Fortify tabletop and offline recovery exercise twice per year | Validate isolation and restoration readiness |
| Approve accelerated patch SLAs for high and critical OT advisories | Reduce exposure to known exploited vulnerabilities |
| Require quarterly reporting on OT identity, segmentation, and vendor access risk | Make OT resilience measurable |

These are not abstract investments. They are resilience controls tied directly to continuity, safety, production reliability, and regulatory readiness.

CONCLUSION

The OT and critical infrastructure threat landscape has moved into a more dangerous phase.

Manufacturing remains the most targeted industrial sector because disruption pressure creates leverage. State-backed actors are not only stealing data; they are pre-positioning for future disruption. Pro-Russia hacktivists are exploiting weakly protected water, energy, and food-sector systems. Credential abuse and remote access exposure are creating new pathways into environments that were once assumed to be isolated.

The strategic lesson is clear: OT security is now enterprise security.

Security leaders cannot treat industrial resilience as a separate engineering concern. It must sit beside business continuity, cyber risk, supply chain resilience, and crisis planning.

Gartner's projection of $240 billion in global information security spending by 2026 indicates that companies recognize the scale of investment it takes to make an impact.10

The better prepared companies will be those that move beyond awareness to operational readiness: full asset visibility, managed remote access, network segmentation, disaster recovery testing, and threat-based monitoring.

Resilience in the OT environment goes beyond just stopping the threat from being exploited.

It's about operating even after the point of no return.


REFERENCES

1. IBM. X-Force Threat Intelligence Index 2025. IBM Corporation, 2025.

2. Cybersecurity and Infrastructure Security Agency (CISA). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. CISA, 2024.

3. SecurityWeek. China's Volt Typhoon Hackers Dwelled in U.S. Electric Grid for 300 Days. SecurityWeek, 2024.

4. Cybersecurity and Infrastructure Security Agency (CISA). People's Republic of China State-Sponsored Cyber Actor Activity. CISA, 2025.

5. Cybersecurity and Infrastructure Security Agency (CISA). Opportunistic Pro-Russia Hacktivists Attack U.S. and Global Critical Infrastructure. CISA, 2025.

6. Cybersecurity and Infrastructure Security Agency (CISA). Pro-Russia Hacktivists Conduct Opportunistic Attacks Against U.S. and Global Critical Infrastructure. CISA, 2025.

7. Cybersecurity and Infrastructure Security Agency (CISA). Unsophisticated Cyber Actors Targeting Operational Technology. CISA, 2025.

8. Cybersecurity and Infrastructure Security Agency (CISA). CI Fortify: New Initiative to Fortify America's Critical Infrastructure. CISA, 2025.

9. Cybersecurity and Infrastructure Security Agency (CISA). Critical Infrastructure Security and Resilience. CISA, 2025.

10. Gartner. Worldwide End-User Spending on Information Security Forecast. Gartner, Inc., 2025.