1. Executive Summary
Operational technology has become a central element of enterprise risk, national security, and operational resilience.
Energy systems, water utilities, manufacturing facilities, distribution networks, and industrial control environments face increasing attention from both nation-state and criminal threat actors. The significance of these campaigns extends beyond technical compromise. Adversaries recognize OT disruption as a means of creating operational, economic, regulatory, and public safety consequences.
A successful intrusion into an OT environment can interrupt production, reduce visibility into industrial processes, disrupt energy or water delivery, affect critical operations, damage equipment, and trigger safety-related incidents. OT/ICS security therefore represents a business continuity and resilience priority as much as a cybersecurity concern.
Threat intelligence continues to highlight the scale of the challenge. IBM X-Force reported manufacturing accounted for 27.7% of all cybersecurity incidents investigated in 2025, making it the most targeted industry for the fifth consecutive year. The finding reflects sustained adversary interest in environments where cyber intrusions can translate directly into operational disruption and financial impact. ¹
IBM’s OT threat research also found that 15% of organizations studied experienced breaches affecting OT infrastructure, with an average cost of $4.56 million per OT-affecting breach. ²
The vulnerability landscape reinforces the risk. IBM X-Force tracked 670 OT-relevant vulnerabilities disclosed in H1 2025, with 49% rated Critical or High and 21% of critical vulnerabilities already having public exploit code available at disclosure. ²
This whitepaper argues that OT/ICS security in 2026 must move beyond compliance checklists and reactive remediation. The new priority is verified operational resilience: knowing which assets are exposed, which identities can reach critical systems, which vulnerabilities are actively exploitable, and how quickly the organization can detect, contain, and recover from an industrial cyber event.
2. OT/ICS Risk in 2026: From Cyber Incident to Operational Disruption
The OT/ICS threat landscape has shifted as adversaries place greater emphasis on industrial environments and the operational consequences associated with them.
In traditional IT environments, compromise is typically measured through data loss, service disruption, financial fraud, or regulatory exposure. In OT environments, consequences extend into the physical world. Production interruptions, loss of control-system visibility, process instability, equipment damage, safety incidents, and disruption across interconnected services can all result from a successful intrusion.
This reality is particularly significant for energy, water, and manufacturing organizations. These sectors operate under uptime requirements that often conflict with conventional security practices. System patching may require operational downtime. Legacy assets frequently lack support for modern security controls. Engineering workstations depend on specialized software and configurations. Vendor connectivity remains operationally necessary yet difficult to govern consistently. Network segmentation strategies may be well designed but prove difficult to maintain under operational and incident-response conditions.
As a result, adversaries do not require advanced capabilities across every stage of an attack. A single exposed edge device, unpatched asset, compromised credential, overprivileged account, or poorly governed connection between IT and OT environments may provide sufficient access to achieve operational objectives.
Evidence from 2025 and early 2026 demonstrates the practical nature of this risk. Public-facing application exploitation, exposed industrial assets, identity-based compromise, and rapid lateral movement continue to shape the threat environment confronting industrial organizations. The challenge is not theoretical. It is operational.
3. Manufacturing as the Primary Target Zone
Manufacturing remains the clearest example of how cyber risk becomes operational risk.
The sector’s exposure is structural. Manufacturers typically operate both enterprise IT and OT environments. They also depend on production availability, supply-chain timing, plant-floor reliability, and continuous process visibility. Any disruption can quickly translate into revenue loss, contractual penalties, customer delays, or safety concerns.
Unlike many purely digital organizations, manufacturers cannot simply isolate every affected system without operational trade-offs. A decision to shut down production may be necessary during a cyber incident, but that decision carries immediate financial consequences. This is one reason attackers continue to target manufacturing: the pressure to restore operations quickly increases the leverage of extortion, disruption, and operational blackmail.
IBM’s OT threat research underlines the financial exposure. Across a study of 6,485+ organizations, 15% reported incidents that affected OT networks, and 23% of those OT-affecting incidents caused actual damage to OT systems. The average cost of an OT-affecting breach reached $4.56 million, compared with the global average breach cost of $4.44 million. ²
These figures show why manufacturing security cannot be treated as a standard IT risk program. Industrial cyber defense must be built around the realities of production continuity, equipment protection, plant-floor recovery, and business interruption.
4. Nation-State Activity: Persistence, Pre-Positioning, and Strategic Access
The most important change in the OT/ICS threat environment is not simply the number of attacks. It is the intent behind them.
Nation-state actors are increasingly interested in persistent access to critical infrastructure. Microsoft’s critical infrastructure analysis, published in March 2026, warned that threat operators are establishing low-visibility access in critical environments where IT/OT visibility is often incomplete. ³
This activity should be understood as pre-positioning. In other words, adversaries are not always seeking immediate disruption. They may be building access that can be activated later during geopolitical tension, military conflict, sanctions escalation, or broader strategic confrontation.
CrowdStrike’s 2026 Global Threat Report adds further context to the nation-state threat picture. The report found that China-nexus activity increased 38% year over year in 2025. It also reported that 67% of vulnerabilities exploited by China-nexus actors provided initial access, while 40% targeted internet-facing edge devices. ⁴
The activity is not limited to China-nexus actors. CrowdStrike also observed that Russia-nexus FANCY BEAR deployed LLM-enabled malware known as LAMEHUG to automate reconnaissance, while DPRK-nexus incidents increased by more than 130% in 2025, with FAMOUS CHOLLIMA activity more than doubling. ⁴
For OT/ICS leaders, the strategic implication is clear: critical infrastructure operators are not only defending against opportunistic cybercrime. They are defending against adversaries that may view industrial access as leverage in a future crisis.
5. Criminal Threat Actors and the Industrial Extortion Economy
The criminal threat to OT/ICS environments is intensifying because ransomware and extortion groups have learned the value of operational pressure.
IBM X-Force reported 109 distinct extortion groups operating in 2025, up from 73 in 2024, representing a 49% increase. ⁵
This fragmentation of the extortion ecosystem creates a more unpredictable threat environment. Smaller groups may operate with less discipline, more opportunism, and a higher willingness to target exposed organizations quickly.
Manufacturing remains especially attractive for extortion because downtime is expensive. A plant that cannot produce, ship, or operate safely faces immediate business consequences. Attackers understand that even an IT-layer compromise can pressure leadership into urgent recovery decisions if production systems must be paused as a precaution.
This is why the line between IT compromise and OT impact is becoming less meaningful. An attacker may never directly manipulate a PLC or SCADA system, yet the organization may still halt production because it cannot trust its systems, data flows, credentials, or network environment.
Criminal groups are also adopting techniques once associated primarily with nation-state actors. IBM X-Force and CrowdStrike have both noted the blurring line between strategic and financially motivated operations. Criminal actors now exploit edge devices, target identity infrastructure, move quickly across networks, and use industrial disruption as leverage.
Figure 1: OT/ICS Threat Landscape — Key Statistics, 2025–2026
Metric | Value | Timeline |
Manufacturing share of X-Force incidents | 27.7% | Full Year 2025 |
Organizations with OT-affecting breach | 15% | Mar 2024–Feb 2025 |
OT breaches causing equipment damage | 23% | Mar 2024–Feb 2025 |
Average cost of OT-affecting breach | $4.56 million | Mar 2024–Feb 2025 |
OT vulnerabilities disclosed H1 2025 | 670 | H1 2025 |
OT vulnerabilities rated Critical or High | 49% | H1 2025 |
Critical OT vulnerabilities with public exploit code | 21% | H1 2025 |
China-nexus activity increase YoY | 38% | Full Year 2025 |
DPRK-nexus incident increase YoY | 130%+ | Full Year 2025 |
Active ransomware groups in 2025 | 109, up from 73 in 2024 | Full Year 2025 |
Sources: IBM X-Force, CrowdStrike, and Cyber Tech Intelligence Analysis.
6. The Three Exposure Paths Driving OT/ICS Compromise
OT/ICS compromise in 2026 is being driven by three recurring exposure paths: internet-facing systems, IT/OT convergence, and weak configuration control. These areas appear repeatedly across IBM X-Force, Microsoft, CrowdStrike, and CISA reporting.
6.1 Internet-Facing Edge and Industrial Assets
Internet-facing devices remain one of the most reliable entry points into industrial environments.
IBM X-Force documented a 44% year-over-year increase in attacks beginning with public-facing application exploitation in 2025. ⁵
The growth was linked to missing authentication controls and AI-enabled vulnerability discovery.
The exposure problem is also visible in industrial asset data. A 40% rise in internet-exposed ICS devices was documented between 2024 and 2025. CISA’s ICS advisory program also published more than 500 ICS advisories for the first time in a single year in 2025, with 82% rated High or Critical severity. ⁶
For OT environments, these numbers are especially concerning because patching and remediation are rarely straightforward. Uptime requirements, vendor dependencies, safety validation, and production constraints can delay fixes. This means exposed systems often remain vulnerable for longer than equivalent IT assets.
6.2 IT/OT Convergence and Identity-Based Access
The convergence of IT and OT has created a new identity-driven pathway into industrial environments.
Microsoft Threat Intelligence reported that cloud and hybrid incidents increased 26% in early 2025 as identity, automation, and remote management converged inside cloud control planes. ³
The same analysis found that more than 97% of identity-based attacks in critical infrastructure environments targeted password-based authentication, including password spraying and brute-force techniques. ³
This is particularly dangerous for OT because industrial systems were not designed around modern identity layers. A compromised account in a hybrid environment may provide access to remote management tools, engineering resources, vendor portals, documentation, or systems that support operational processes.
IBM X-Force’s OT analysis also documented how adversaries exploit trusted IT/OT bridges, unsecured field devices, and maintenance laptops to reach process control networks and safety systems.
The lesson is clear: identity compromise in IT can become operational exposure in OT.
6.3 Default Credentials and Misconfiguration
Default credentials remain one of the most persistent and preventable weaknesses in OT environments.
CISA’s February 2026 alert on the Poland energy sector incident showed how attackers used default credentials to pivot from internet-facing edge devices to HMIs and RTUs. The attackers destroyed data on HMIs, corrupted system firmware, and caused loss of view and control between facilities and distribution system operators.
IBM X-Force Red penetration testing engagements in 2025 also identified misconfigured access controls as the most common entry point across all engagements.
Microsoft’s critical infrastructure analysis similarly noted that many intrusions begin with preventable exposure, including internet-facing VPNs left enabled too long, contractor identities that outlive project timelines, and dormant privileged accounts that provide low-effort entry points.
This is not a sophisticated failure. It is a governance failure. Default credentials, unmanaged remote access, dormant accounts, and misconfigured controls continue to create avoidable pathways into high-impact environments.
Figure 2: Primary OT/ICS Attack Surfaces, 2025–2026
Attack Surface | Key Finding | Timeline |
Internet-Facing Devices | 44% increase in public-facing application exploitation YoY | Full Year 2025 |
Internet-Facing Devices | 40% rise in internet-exposed ICS devices | 2024–2025 |
Internet-Facing Devices | 18% of CI intrusions from web-facing assets; 12% from exposed remote services | Early 2025 |
IT/OT Convergence | Cloud and hybrid incidents increased 26% | Early 2025 |
IT/OT Convergence | 97%+ of identity attacks targeted password-based authentication | 2025 |
Default Credentials | Default credentials used to pivot from edge devices to HMIs and RTUs | December 2025 |
Default Credentials | Misconfigured access controls were the most common pen-test entry point | Full Year 2025 |
Sources: IBM X-Force, Microsoft, CISA, and Cyber Tech Intelligence Analysis.
7. 2025 Incident Lessons for Industrial Operators
The 2025 incident landscape showed that OT/ICS risk is not confined to theoretical scenarios. Real-world events demonstrated how exposed systems, weak credentials, and IT/OT dependencies can translate into industrial disruption.
7.1 Poland Energy Sector Attack
On 29 December 2025, threat actors targeted OT and ICS infrastructure across multiple facilities in Poland’s energy sector, including renewable energy generation facilities, a Combined Heat & Power plant, and a manufacturing-sector facility.
CISA’s February 2026 advisory outlined a chain of activity that reflected several known OT risk patterns: vulnerable internet-facing edge devices, default passwords, lateral movement toward HMI and RTU systems, wiper malware deployment, HMI data destruction, OT firmware corruption, and loss of view and control between facilities and distribution system operators.
Attribution assessments varied. CERT Polska attributed the attack to Berserk Bear, while ESET and Dragos attributed it to Sandworm with medium confidence.
The operational lesson is more important than the attribution debate. The attack demonstrated that exposed edge systems, default credentials, and OT lateral movement can create real physical-world consequences in energy environments.
7.2 Nucor Production Disruption
In May 2025, Nucor halted production after a cyberattack resulted in unauthorized access to internal IT environments. IBM X-Force cited the incident as evidence of the operational dependency between IT and OT.
The significance of the Nucor incident is that a cyber event does not need to directly compromise industrial control systems to affect production. If leadership cannot trust the integrity of IT systems, credentials, communications, or operational dependencies, production may be paused as a precaution.
For manufacturers, this creates a difficult reality. An IT compromise can produce OT consequences even when OT systems are not the direct initial target.
8. Five-Pillar Framework for OT/ICS Resilience
A mature OT/ICS security strategy in 2026 should be built around resilience, not only prevention. The following five pillars align with the attack surfaces and incident patterns documented by IBM X-Force, Microsoft, CISA, and CrowdStrike.
Pillar 1: Hyper-Prioritized Patch Management
OT patching must be risk-driven because industrial systems cannot always be updated immediately. Organizations should use the CISA Known Exploited Vulnerabilities catalog, OT-specific threat intelligence, vendor advisories, and active exploitation data to prioritize remediation.
When patching must be delayed, compensating controls should include segmentation, application allowlisting, restricted access, vendor-access controls, and anomaly monitoring.
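The prioritization logic this pillar describes, as an added illustration rather than the whitepaper's own tooling: each finding is scored on KEV membership, public exploit code, internet exposure, severity and asset consequence, and any finding whose next maintenance window misses its tier deadline is marked deferred and carries the compensating controls listed above. The KEV set, CVE IDs, assets and deadline thresholds are constructed placeholders.

```python
"""Risk-driven OT patch prioritization (added illustration, constructed data)."""
from dataclasses import dataclass

# Constructed stand-in for the CISA Known Exploited Vulnerabilities catalog.
KEV_CATALOG = {"CVE-0000-0001", "CVE-0000-0003"}

# Assumed maximum days a finding in each tier may wait for a patch before it
# is treated as deferred and must carry compensating controls.
TIER_DEADLINE_DAYS = {"immediate": 7, "next-window": 30, "scheduled": 90}


@dataclass(frozen=True)
class OtVuln:
    cve: str
    asset: str
    asset_class: str        # "edge", "hmi", "rtu", "plc", "ews", "historian"
    cvss: float
    internet_exposed: bool
    public_exploit: bool
    patch_window_days: int  # days until the next window in which patching is possible


def score(v: OtVuln, kev: set) -> int:
    """Weighted score: active exploitation and exposure outrank raw CVSS."""
    s = 0
    if v.cve in kev:
        s += 40
    if v.public_exploit:
        s += 20
    if v.internet_exposed:
        s += 25
    if v.cvss >= 9.0:
        s += 15
    elif v.cvss >= 7.0:
        s += 10
    if v.asset_class in ("plc", "rtu", "hmi"):
        s += 10  # compromise means loss of view or control
    return s


def tier(s: int) -> str:
    if s >= 60:
        return "immediate"
    if s >= 35:
        return "next-window"
    return "scheduled"


def compensating_controls(v: OtVuln) -> list:
    """Controls to apply while the patch waits, drawn from the text's list."""
    controls = ["segment the asset and restrict access to engineering hosts",
                "enable anomaly monitoring on the asset's network segment"]
    if v.internet_exposed:
        controls.insert(0, "remove direct internet exposure; route through governed vendor access")
    if v.asset_class in ("hmi", "ews"):
        controls.append("enforce application allowlisting")
    return controls


def prioritize(vulns: list, kev: set) -> list:
    """Rank findings; flag those whose window misses the tier deadline as deferred."""
    result = []
    for v in sorted(vulns, key=lambda x: score(x, kev), reverse=True):
        s = score(v, kev)
        t = tier(s)
        deferred = v.patch_window_days > TIER_DEADLINE_DAYS[t]
        result.append({
            "cve": v.cve, "asset": v.asset, "score": s, "tier": t,
            "deferred": deferred,
            "controls": compensating_controls(v) if deferred else [],
        })
    return result


# Constructed sample inventory.
SAMPLE = [
    OtVuln("CVE-0000-0001", "edge-fw-01", "edge", 9.8, True, True, 14),
    OtVuln("CVE-0000-0002", "hist-01", "historian", 7.5, False, False, 45),
    OtVuln("CVE-0000-0003", "rtu-substation-3", "rtu", 8.1, False, True, 120),
    OtVuln("CVE-0000-0004", "ews-02", "ews", 5.3, False, False, 20),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, KEV_CATALOG):
        print(row)
```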
Pillar 2: Sector-Specific Threat Mapping
OT security programs need to reflect sector-specific adversary behavior.
Energy, water, and manufacturing organizations face different operational dependencies and threat profiles. Generic frameworks are useful, but they must be mapped to sector-relevant techniques, assets, and consequences.
MITRE ATT&CK for ICS, E-ISAC, Water-ISAC, and MFG-ISAC can help security teams align controls to the adversaries most likely to target their environment. Microsoft’s critical infrastructure analysis also recommends identifying the most likely attack paths to critical assets and continuously mitigating them.
Pillar 3: Identity Hardening Across IT and OT
Identity is now one of the most important controls for OT security.
Microsoft’s readiness framework emphasizes phishing-resistant MFA, removal of standing privilege, elimination of legacy authentication, and stronger governance for contractor and service identities.
In OT environments, identity hardening must also include default credential remediation on HMIs, RTUs, internet-facing edge devices, engineering workstations, and remote access systems. This directly addresses the pathway exploited in the Poland energy-sector attack.
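An identity exposure audit covering the checks this pillar and Section 6.3 name, as an added illustration rather than the whitepaper's own tooling: vendor-default credentials on OT devices, privileged accounts without phishing-resistant MFA, legacy authentication left enabled, contractor identities past their project end, and dormant privileged accounts. The account inventory, dates and the 90-day dormancy threshold are constructed assumptions.

```python
"""Identity exposure audit across IT and OT (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90  # assumed threshold for treating a privileged account as dormant
OT_DEVICE_CLASSES = {"hmi", "rtu", "edge", "ews", "remote-access"}
PHISHING_RESISTANT = {"fido2", "certificate"}  # SMS and push are not phishing-resistant


@dataclass(frozen=True)
class Account:
    name: str
    system: str
    system_class: str             # "hmi", "rtu", "edge", "ews", "remote-access", "ad", "cloud"
    privileged: bool
    default_credential: bool      # still on the vendor-shipped credential
    mfa_method: Optional[str]     # None, "sms", "push", "fido2", "certificate"
    legacy_auth: bool             # legacy protocol (no MFA possible) still enabled
    contractor_end: Optional[date]
    last_login: Optional[date]


def audit(accounts: list, today: date) -> list:
    """Return (account, finding, severity) triples; an empty list means clean."""
    findings = []
    for a in accounts:
        if a.default_credential and a.system_class in OT_DEVICE_CLASSES:
            findings.append((a.name, "vendor default credential on OT device", "critical"))
        if a.privileged and a.mfa_method not in PHISHING_RESISTANT:
            findings.append((a.name, "privileged account lacks phishing-resistant MFA", "high"))
        if a.legacy_auth:
            findings.append((a.name, "legacy authentication enabled", "high"))
        if a.contractor_end is not None and a.contractor_end < today:
            findings.append((a.name, "contractor identity outlived its project", "high"))
        if a.privileged and (a.last_login is None or (today - a.last_login).days > DORMANT_DAYS):
            findings.append((a.name, "dormant privileged account", "medium"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by severity for reporting."""
    counts = {}
    for _, _, sev in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample inventory and audit date.
TODAY = date(2026, 4, 1)
SAMPLE = [
    Account("admin", "hmi-line-2", "hmi", True, True, None, False, None, date(2026, 3, 1)),
    Account("svc-vendor-remote", "vpn-gw", "remote-access", True, False, "push", False,
            date(2025, 12, 31), date(2025, 11, 15)),
    Account("ops-engineer", "corp-ad", "ad", False, False, "fido2", True, None, date(2026, 3, 30)),
    Account("plant-it-admin", "cloud-tenant", "cloud", True, False, "certificate", False,
            None, date(2026, 3, 28)),
]

if __name__ == "__main__":
    results = audit(SAMPLE, TODAY)
    for name, finding, severity in results:
        print(f"{severity:8} {name:20} {finding}")
    print(summarize(results))
```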
Pillar 4: Layered Network Defense and IT/OT Segmentation
Segmentation remains essential because an IT compromise can become an OT risk.
Industrial organizations should maintain a clear separation between enterprise IT, operational networks, engineering environments, vendor access pathways, and safety systems. Firewalls, DMZs, unidirectional gateways, and tightly governed remote access can reduce the blast radius of compromise.
Passive deep packet inspection and OT-aware behavioral anomaly detection can also help identify suspicious activity without disrupting industrial processes.
Pillar 5: Adversary-Emulation Testing and Board-Level Governance
Industrial resilience cannot be proven by policy alone. It must be tested.
Organizations should conduct adversary-emulation exercises based on realistic scenarios, including Sandworm-style grid disruption, Volt Typhoon-style living-off-the-land persistence, ransomware-driven production pressure, and credential-led OT access.
IBM X-Force and Microsoft both frame OT security as a C-level issue requiring executive sponsorship, operational ownership, and board visibility.
Figure 3: Five-Pillar OT/ICS Defense Framework, 2026
Pillar | Primary Control | Addresses | Priority |
Patch Management | CISA KEV-prioritized remediation; compensating controls where patching is delayed | Edge device exploitation; unpatched CVEs | Immediate |
Sector Threat Mapping | MITRE ATT&CK for ICS; sector ISAC intelligence integration | Adversary-specific TTPs; sector-relevant vulnerabilities | 30 days |
Identity Hardening | Phishing-resistant MFA; default credential remediation; contractor account governance | Identity-based intrusion; IT/OT lateral movement | Immediate |
Network Segmentation | IT/OT segregation; DMZs; unidirectional gateways; passive DPI for OT protocols | Lateral movement containment; blast-radius reduction | 60–90 days |
Adversary-Emulation Testing | Red-team exercises modeled on Sandworm, Volt Typhoon, and ransomware scenarios | Operational readiness; detection gaps; response effectiveness | 90–180 days |
Sources: IBM X-Force, Microsoft, and Cyber Tech Intelligence Analysis.
9. Regulation, Governance, and Executive Accountability
OT security is increasingly moving from voluntary guidance toward enforceable expectations.
Critical infrastructure cybersecurity is treated as a national security priority in the United States National Cybersecurity Strategy. Under the Cyber Incident Reporting for Critical Infrastructure Act, covered entities are required to report qualifying cyber incidents.
In Europe, the NIS2 Directive raises baseline cybersecurity expectations for essential entities. Canada is also advancing more prescriptive requirements through Bill C-8.
Microsoft’s critical infrastructure threat analysis states that regulatory direction across jurisdictions is moving toward mandatory continuous posture monitoring, documented incident response capability, and enforceable minimum security standards for OT environments.
For executive leadership, this means OT cybersecurity should not be managed as an isolated technical workstream. It should be tied to enterprise risk, compliance, resilience, capital planning, safety, operational continuity, and incident reporting.
Organizations that align OT security programs with NIST CSF 2.0, IEC 62443, and NERC CIP can reduce duplication across regulatory, operational, and security requirements. The goal is not to satisfy one framework in isolation. The goal is to build a defensible operating model that can withstand both cyber incidents and regulatory scrutiny.
10. The Financial Case for OT/ICS Security Investment
The financial case for OT/ICS investment is no longer difficult to make.
IBM X-Force found that OT-affecting breaches cost an average of $4.56 million during the March 2024 to February 2025 study period, compared with a global average breach cost of $4.44 million. ²
For organizations where downtime affects production, energy delivery, water operations, or industrial safety, the true business impact may extend well beyond the direct breach-cost figure.
The speed of modern intrusion further strengthens the investment case. CrowdStrike’s 2026 Global Threat Report found that the average eCrime breakout time fell to 29 minutes in 2025, with the fastest observed breakout at 27 seconds. In one observed intrusion, data exfiltration began within four minutes of initial access. ⁴
These timelines are incompatible with manual, slow-moving detection and response. OT environments that rely on delayed alert review, fragmented logging, and informal escalation may not contain adversaries quickly enough to prevent operational impact.
The business case is therefore not limited to avoiding breach cost. It is about reducing downtime exposure, improving recovery confidence, protecting physical operations, and ensuring that leadership can make informed decisions under pressure.
Figure 4: Financial Case for OT/ICS Security Investment, 2024–2026
Metric | Value | Timeline |
Average cost of OT-affecting breach | $4.56 million | Mar 2024–Feb 2025 |
Global average breach cost | $4.44 million | Mar 2024–Feb 2025 |
OT breaches causing equipment damage | 23% of OT-affecting incidents | Mar 2024–Feb 2025 |
Manufacturing share of all X-Force incidents | 27.7%, fifth consecutive year at top | Full Year 2025 |
Average eCrime breakout time | 29 minutes | Full Year 2025 |
Fastest observed breakout time | 27 seconds | Full Year 2025 |
Data exfiltration after initial access | Within 4 minutes, observed intrusion | Full Year 2025 |
Active ransomware groups targeting the industry | 109 distinct groups | Full Year 2025 |
Sources: IBM X-Force, CrowdStrike, and Cyber Tech Intelligence Analysis.
11. Key Data Summary
Statistic | Value | Timeline |
Manufacturing share of X-Force incidents | 27.7% | Full Year 2025 |
Organizations with OT-affecting breach | 15% | Mar 2024–Feb 2025 |
OT breaches causing equipment damage | 23% | Mar 2024–Feb 2025 |
Average OT breach cost | $4.56 million | Mar 2024–Feb 2025 |
OT vulnerabilities H1 2025 | 670 | H1 2025 |
OT vulnerabilities rated Critical/High | 49% | H1 2025 |
Critical OT vulnerabilities with public exploit code | 21% | H1 2025 |
Increase in public-facing app exploitation | 44% YoY | Full Year 2025 |
Internet-exposed ICS devices increase | 40% | 2024–2025 |
Cloud and hybrid incidents increase | 26% | Early 2025 |
Identity attacks targeting password authentication | 97%+ | 2025 |
CI intrusions from web-facing assets | 18% | Early 2025 |
China-nexus activity increase YoY | 38% | Full Year 2025 |
DPRK-nexus incident increase YoY | 130%+ | Full Year 2025 |
Active ransomware groups in 2025 | 109 | Full Year 2025 |
Average eCrime breakout time | 29 minutes | Full Year 2025 |
Destructive campaign increase | 87% | Early 2025 |
Sources: IBM X-Force, Microsoft, CrowdStrike, CISA, and Cyber Tech Intelligence Analysis.
12. Conclusion
OT/ICS security in 2026 is defined by convergence: convergence of IT and OT systems, convergence of nation-state and criminal tradecraft, convergence of cyber incidents and physical-world consequences, and convergence of regulatory accountability with operational resilience.
The evidence is consistent across leading threat intelligence sources. Manufacturing remains the most targeted industry. OT-affecting breaches carry higher-than-average costs. Public-facing applications and exposed ICS devices continue to expand the attack surface. Identity-based attacks dominate critical infrastructure intrusion patterns. Nation-state activity is increasing, while criminal groups are becoming faster and more industrially focused.
The Poland energy-sector attack and the Nucor production disruption illustrate two sides of the same problem. In one case, exposed OT pathways and default credentials enabled direct operational impact. In the other, the IT compromise created enough risk to halt production. Both show that industrial resilience now depends on more than securing the plant floor alone.
The organizations best positioned for 2026 will be those that treat OT security as a continuous operational discipline. They will know which assets are exposed, which vulnerabilities matter most, which identities can reach critical systems, and how quickly they can respond when an intrusion begins.
Compliance will remain important, but it is not enough. The real standard is operational readiness under adversary pressure.
13. References
1. IBM Think (2026). Why Manufacturing Companies Are Most Vulnerable to Hacking. Published April 2026.
2. IBM X-Force (2025). The Operational Technology Threat Landscape: Insights from IBM X-Force. Published November 2025.
3. Microsoft Security Insider (2026). The Threat to Critical Infrastructure Has Changed. Has Your Readiness? Published 31 March 2026.
4. CrowdStrike (2026). 2026 CrowdStrike Global Threat Report: AI Accelerates Adversaries and Reshapes the Attack Surface. Published 24 February 2026.
5. IBM X-Force (2026). 2026 X-Force Threat Intelligence Index: Making the Case for Securing Identities, AI-Enhanced Detection and Proactive Risk Management. Published 25 February 2026.
6. Infosecurity Magazine (2026). Industrial Control System Vulnerabilities Hit Record Highs. Published 19 February 2026.