
2026 and beyond: Urgent need for integrated cybersecurity strategies in evolving industrial landscape - Industrial Cyber



DECEMBER 14, 2025

Industrial cybersecurity is entering a more exposed and strategic phase defined by hard lessons from 2025. Organizations spent the year facing a harsh reality: reactive defenses and siloed IT and OT teams are no longer sufficient against a threat landscape that is evolving rapidly and penetrating further into industrial environments. Cybersecurity strategies must address this reality by integrating more robust risk management frameworks, strengthening interdepartmental collaboration, and adopting a proactive security posture.

Industrial incident analysts report that adversaries now spend more time inside networks before being detected, and increasingly exploit the limited visibility in legacy OT infrastructure. Operational risk assessments consistently identify the same weaknesses: partial asset inventories, poorly managed remote access, and monitoring that does not reach deep enough into industrial processes.

Nation-state hackers have stepped up that pressure. Industry intelligence and government-sponsored analysis indicate a growing trend of state-related reconnaissance against energy, manufacturing, water, and transportation. These operations are rarely about immediate disruption. Instead, they concentrate on mapping environments, maintaining persistence, and generating future options for leverage, raising the risk of delayed detection and fragmented responses across industrial operations.

The Fortinet 2025 Operational Technology Security Report disclosed that half of OT organizations fell victim to breaches last year even as they advanced their programs, and that higher maturity was linked to better results. Analysts also reported growing cultural divisions between IT and OT teams, with only a handful of organizations feeling well prepared for new kinds of threats, even as the cost of downtime rose. Alongside this, nation-state actors and advanced threats began targeting industrial systems more aggressively. Forecasts such as the Google Cybersecurity Forecast 2026 indicate that state-sponsored campaigns are targeting exposed OT assets and supply chains, forcing defenders to raise their game beyond conventional perimeter controls.

The advancing threat landscape has made zero trust a boardroom topic, but it still bumps against industrial reality. Legacy OT devices and an ‘uptime first’ culture make identity-centric access a hard sell, even as frameworks like ISA/IEC 62443 gain traction. Balancing the pace of digitization against risk remains difficult. As PwC notes, IT/OT convergence increases exposure and demands integrated defenses. Recognizing that such convergence is especially critical in industries where attacks on OT systems controlling energy grids and water supplies can disrupt essential services and pose significant public safety risks, PwC said that emerging threats to OT environments include espionage-motivated cyber campaigns, ransomware targeting production systems, and attacks exploiting IT and OT vulnerabilities. In 2026, integrated cybersecurity approaches that converge governance, visibility, and operational risk will enable resilient industrial operations.

What 2025 taught industrial security leaders about cybersecurity strategies

Industrial Cyber asked industrial security experts how they expect AI-driven agents, advanced analytics, quantum computing, digital twins, and autonomous operations to reshape both the threat surface and the defensive playbook for critical systems. They also weighed in on the lessons from 2025 that should shape a more resilient posture in 2026.

“As industrial environments embed AI-driven analytics and autonomous decision logic, the threat surface shifts upward from devices to decisions,” Jonathon Gordon, directing analyst at Takepoint Research, told Industrial Cyber. “Attackers no longer need direct control of PLCs if they can influence AI models, data pipelines, identities, or optimization logic that guide operations. At the same time, AI and advanced analytics can strengthen defense by improving detection, prioritization, and response, but only when grounded in an operational context.”

Gordon highlighted that the key lesson from 2025 is that ambition alone is not enough. “The most resilient organizations used AI to support execution by securing access pathways, tightening identity and change control, and validating resilience through measurable outcomes. In 2026, AI will matter most where it reduces exposure and improves operational decisions, not where it simply adds complexity.”

Robert Huber, chief security officer, head of research, and president of Tenable Public Sector, told Industrial Cyber that AI-driven agents, advanced analytics, and autonomous operations are expanding both capability and risk in industrial environments. “The biggest shift isn’t new attack techniques but the speed and scale with which attackers can now discover misconfigurations, weak identities, and exposed data. As we saw in 2025, AI is being embedded into CRM, HR, and collaboration platforms without undergoing proper review, effectively creating ‘digital employees’ with unclear access rights. If these systems can see emails, files, or operational data, they immediately enlarge the attack surface.”

Defensively, Huber said organizations are using the same technologies for higher-fidelity detection, faster triage, and automated containment. But autonomous actions carry their own dangers. “For example, a misconfigured rule can take down systems instantly, creating self-inflicted outages. Digital twins are emerging as a safer testbed for modelling attacks, validating segmentation, and rehearsing automated playbooks.” Going into 2026, he suggests treating AI tools as personas that require onboarding and access reviews. “Assume attacks will appear familiar but move faster. Utilise digital twins to rehearse automated responses, ensuring machine-speed actions don’t introduce new failure modes.”

AI and quantum computing are at the forefront as both transformative enablers and existential risks, but are frequently misunderstood or misrepresented where process control environments are concerned, Paul Veeneman, board secretary at InfraGard Member Alliance, told Industrial Cyber. “Most current industrial control systems remain deterministic, rule-driven, and intentionally conservative in design. They generally don’t require what is often implied in the marketing narratives. The true advantages are less about machines making independent or thoughtful decisions and more about how AI-driven analytics can illuminate what has always been there but is rarely seen at scale.”

“Rather than introducing intelligence into the control or process levels, a more valuable application of AI in operational environments lies in observation. Large language models and agentic systems excel at processing and correlating massive amounts of telemetry, logs, and events that would overwhelm traditional monitoring approaches,” according to Veeneman. “In environments where behavior is highly consistent and process variability is intentionally constrained, subtle deviations often signify misconfiguration, predictive failure, or indicators of compromise. Identifying those deviations in real time, across distributed assets and long-lived systems, is where AI can provide measurable value without undermining determinism or safety.”

He noted that this shift reframes the defensive paradigm: AI becomes an analytical extension of human expertise, augmenting the ability to detect abnormal patterns, correlate temporal events, and surface context-rich insights for operators and engineers. “In doing so, it strengthens the resilience of process environments while preserving the principles of safety, reliability, and productivity that have long defined industrial practice.”

Nation-state actors raise the stakes for OT security

As state-sponsored actors escalate their interest in critical infrastructure, the executives examine how the tactics, techniques, and procedures behind industrial cyberattacks are evolving, and outline how the industry is adjusting its defenses to brace for the next wave of threats. These developments are forcing organizations to rethink their cybersecurity strategies, shifting focus from perimeter defense toward persistence detection, identity governance, and operational resilience. Zero trust is increasingly viewed not as a technology choice but as a foundational element of modern cybersecurity strategies for industrial environments.

Gordon sees state-aligned actors becoming more patient and operationally informed, prioritizing persistent access over immediate disruption. “Tactics increasingly focus on identity abuse, remote connectivity, trusted third parties, and the seams between IT and OT rather than core control networks alone. The objective is optionality and positioning, not just impact.” In response, he said the industry is moving away from broad, passive visibility toward tighter control of high-impact actions. “Stronger segmentation, governance of privileged and third-party access, and detection aligned to engineering and operational behavior are now central to preparing for the next wave.”

“State-sponsored actors targeting critical infrastructure continue to rely on well-known intrusion techniques such as credential theft, phishing, exposed remote access, and supply-chain entry points, but with far greater automation and persistence,” Huber said. “Incidents in 2025 showed adversaries blending automated reconnaissance with human decision-making to probe for small gaps in identity, monitoring, and policy.” So far, Huber added, there has been nothing novel in the chemistry of the attacks. “The novelty lies in speed, scale, and the ability to execute attempts until something breaks. Attacks on Australian organizations earlier this year demonstrated that even with controls in place, weaknesses can be quickly exploited once attackers combine automation with targeted manual effort.”

“Asset and process owners, cybersecurity teams, and third-party vendors should accept that they are as likely to be attacked by state-sponsored or proxy actors as any other,” Veeneman said. “Accordingly, appropriate levels of protection are necessary, whether it is a ransomware gang or simply commoditized clones of existing attack methods. The modern tactics and techniques, including enterprise vectors, living-off-the-land, supply-chain compromise, authentication abuse, and exploitation of remote and third-party access, previously ‘signatures and calling cards,’ are now widely used regardless of threat group.”

He pointed out that a shift to defensible architecture provides quantifiable resilience regardless of who the attackers are. “There is rhyme and reason to the constant drumbeat of ‘asset identification, segmentation, least-privilege access, secure remote access, and clear safety boundaries.’” Veeneman noted that ensuring deterministic behavior, confirming configuration and operational trustworthiness, and identifying variance in processes or patterns all work irrespective of the threat, be it a well-funded nation-state, proxy, insider, or low-skilled threat actor. “Too much emphasis on attribution can lead to a lack of strategic insight and become a cognitive distraction.”

Zero trust meets industrial reality

The executives weigh in on whether zero trust principles can realistically be applied to legacy OT environments in 2026, and what it will take to make that shift real. They explore the technical and cultural changes needed to move from high-level intent to measurable resilience across industrial operations.

“The principles of zero trust are universal: never trust, always verify, enforce least privilege, and assume breach. The challenge in OT is not the principles, but the implementation. Industrial environments must operate within safety constraints, legacy systems, and complex vendor ecosystems where disruption is not an option,” Gordon said. “OT zero trust succeeds when it strengthens security without affecting uptime or safety.” In practice, he added, it is a pragmatic model that blends identity, segmentation, session oversight, and protocol control to remove implicit trust from both remote and local access. “Progress depends equally on technical controls and a cultural shift toward shared ownership between security and operations.”

Huber recognizes that zero trust in legacy OT is realistic only in a pragmatic form. “You can’t retrofit modern authentication into every 20-year-old PLC, but you can enforce identity-aware gateways, strict jump-host access, micro-segmentation and protocol allow-lists. These deliver the benefits of zero-trust without requiring intrusive changes to legacy assets.” Pointing out that zero trust must now also apply to non-human actors, Huber said that AI assistants inside email or analytics platforms function like employees with access to sensitive data. “If organizations don’t onboard and govern these digital employees the way they govern humans, zero trust collapses before it starts.”

“The cultural shift is as important as the technical one. Many leaders in early 2025 didn’t even know how AI had changed their environment,” Huber said. “Moving from concept to measurable resilience requires cross-team agreement, training operators and engineers on new AI-driven risks, and establishing shared KPIs, such as reduced shared accounts, monitored remote sessions, and approved use of AI-enabled apps.”

Traditional process control environments are based on open architecture design, operation, and protocols, Veeneman said, adding that these conflict with the principles of zero trust. “However, there are IT components that are deployed into process control environments, engineering workstations, SCADA servers, network firewalls, and switches. These predominantly IT components benefit from zero trust principles, defining which devices, users, and services are allowed to issue commands, read process values, or modify configurations, even when the protocols themselves lack native security.” He added that authenticated engineering workstations, policy-driven communication pathways, secure remote-access brokers, signed firmware, and real-time monitoring enforce strict boundaries while preserving interoperability, safety, and productivity.

Balancing innovation and risk in a hyperconnected OT world

The executives examine how industrial organizations are trying to balance fast-moving digital transformation, driven by automation, connectivity, and real-time data, with the rising regulatory, operational, and cyber-risk complexity that comes with it.

Gordon said that industrial organizations are increasingly treating digital transformation as a risk trade space rather than a one-way journey. “Automation, connectivity, and real-time data create value, but they also introduce dependency chains that amplify failure when not governed properly. Regulatory pressure is accelerating maturity, but compliance alone does not deliver resilience.” “The most effective organizations are pulling cybersecurity into design and procurement, aligning controls to operational criticality, and embedding evidence generation into normal engineering and operational workflows,” according to Gordon. “In 2026, balance comes from enabling transformation while preventing it from creating exposure that the operation cannot absorb.”

Huber said that organizations are racing to adopt automation, cloud services, and real-time analytics to improve productivity, but business units often enable AI features or introduce secondary apps without any form of security review. New icons can suddenly appear in email or collaboration tools, creating governance blind spots and increasing exposure. “The realistic path forward involves establishing a simple approval process for any new AI-enabled service or secondary tool, providing clear guidance on what employees can input into AI systems, monitoring actual usage to identify shadow AI before it becomes systemic, and conducting proof-of-concept testing that assesses both risk and productivity gains,” Huber said. “Regulators increasingly expect this level of discipline, and without it, organizations accumulate technical and compliance debt that ultimately overwhelms the benefits they were trying to achieve through transformation.”

“It is safe to say that digital transformation increases risk. Integration of systems and information has led to more gaps in access and exposed process environments,” Veeneman said. “In addition to the existing threat vectors from the enterprise, there has also been an increase in exposed systems. One such result, the exponential growth in the deployment of cellular networks and connectivity, the majority of which have limited or no boundary protection, leaving control systems exposed on the public Internet, which is clearly visible in OSINT tools, such as Shodan, ZoomEye, and Censys.”

Veeneman recognized that U.S. agencies, such as CISA, TSA, NERC, EPA, SEC, and FDA, have provided governance and directives. “While these efforts improve and support overall risk mitigation, the argument is made that these are largely IT-centric, with recommended frameworks conservatively having a 65% – 70% overlap, even those with a specific OT focus.” He added that the onus then falls to engineering, operations, and information technology teams to work collaboratively to fill the gaps at the process and field levels. “The silver lining is that most threat vectors stem from the IT-centric enterprise networks and integrations, which these frameworks are geared towards, helping to reduce enterprise risk to operations.”

Unified cyber strategy becomes critical for 2026

As IT and OT convergence continues in 2026, the executives focus on the new approaches to governance, visibility, and risk quantification required to build unified cybersecurity strategies that maintain reliability and uptime.

Recognizing IT and OT convergence as fundamentally a governance challenge, Gordon pointed out that unified strategies require clear ownership of assets, identities, access, and change control across IT, OT, engineering, and third parties. “Visibility must evolve beyond inventory toward operational meaning, focusing on how systems are used and what happens when they fail.” He said that risk quantification also needs to be consequence-driven, grounded in safety, downtime, and recovery constraints rather than abstract scoring models. In 2026, resilient organizations will be those that reduce high-risk pathways, tightly control privileged actions, and govern convergence without compromising reliability or uptime.

“As IT and OT converge, traditional siloed governance models break down. Organizations need unified decision-making structures that cover IT, OT, safety, and AI,” Huber said. “Governance must explicitly treat AI agents and digital employees as identities with lifecycle management, not as background features.” He added that visibility must span assets, identities, data flows, and AI services across both IT and OT. Many organizations still lack the controls to identify what these systems can access or how they behave. This is a foundational problem that must be addressed before advanced controls can be effective.

“Risk quantification must shift from counting vulnerabilities to describing impacts in operational terms, such as uptime, safety, production quality, and regulatory exposure,” Huber noted. “Boards respond to scenarios where misconfigurations or AI-driven actions could halt operations or expose sensitive data, rather than focusing solely on raw technical metrics.” He further said that the organizations that succeed in 2026 will be those whose cybersecurity strategies unify governance, enforce identity discipline for both humans and machines, and measure cyber risk through the lens of operational continuity.

“‘Convergence’ continues to be a contested topic, but the realization is that convergence has been happening since the 1980s when analog signaling was encapsulated in a TCP wrapper, placed on a local area network, and transmitted between systems,” Veeneman said. “The degrees of integration have increased over decades, resulting in the challenges and risks that exist today.”

Anna Ribeiro, Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.
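To make the pragmatic OT zero trust model the executives describe concrete (identity-aware gateway, jump-host access for third parties, a protocol allow-list in front of a PLC that has no native authentication), here is an added example policy engine written for this page; it is not code from the article, Tenable, Takepoint or InfraGard. The host names, roles, PLC id, zone membership and policy rules are constructed assumptions; the Modbus function codes are the standard ones.

```python
# Added example, not from the Industrial Cyber article or any vendor named in it.
# A toy identity-aware gateway policy for Modbus/TCP requests to a legacy PLC:
# default deny, reads allowed from hosts in the PLC's zone, writes tied to role,
# location and change control, vendors only via the jump host with MFA.
# Host names, roles, PLC id, zone and rules below are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

# Standard Modbus function codes grouped by their effect on the process.
READ_FCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input regs
WRITE_FCS = {5, 6, 15, 16}     # write single or multiple coils / registers
DIAG_FCS = {8, 43}             # diagnostics / read device identification

# Constructed policy: which source hosts belong to each PLC's zone.
ZONES = {
    "PLC-LINE1": {"HMI-01", "EWS-01", "JUMP-01"},
}

@dataclass(frozen=True)
class Session:
    user: str
    role: str                            # "operator", "engineer" or "vendor"
    src_host: str
    dst_plc: str
    mfa: bool = False
    via_jump_host: bool = False
    change_ticket: Optional[str] = None  # approved change id, if any

def decide(s: Session, fc: int) -> tuple:
    """Return (allowed, reason) for one Modbus request; every allow is explicit."""
    zone = ZONES.get(s.dst_plc)
    if zone is None:
        return False, "unknown PLC, no policy: default deny"
    if s.src_host not in zone:
        return False, "source host outside the PLC zone"
    # Third parties never reach the PLC directly: jump host plus MFA, always.
    if s.role == "vendor" and not (s.via_jump_host and s.mfa):
        return False, "vendor access requires jump host and MFA"
    if fc in READ_FCS:
        return True, "read allowed from zone host"
    if fc in WRITE_FCS:
        if s.role == "operator" and s.src_host.startswith("HMI-"):
            return True, "operator setpoint write from HMI"
        if s.role in ("engineer", "vendor") and s.mfa and s.change_ticket:
            return True, f"write under change ticket {s.change_ticket}"
        return False, "write needs operator@HMI or MFA plus change ticket"
    if fc in DIAG_FCS:
        if s.role == "engineer":
            return True, "diagnostics by engineer"
        return False, "diagnostics restricted to engineers"
    return False, f"function code {fc} not on the allow-list"

def audit(requests) -> list:
    """Evaluate (session, fc) pairs; the log lines feed a monitored-session KPI."""
    lines = []
    for s, fc in requests:
        ok, why = decide(s, fc)
        verdict = "ALLOW" if ok else "DENY "
        lines.append(f"{verdict} {s.user}@{s.src_host} -> {s.dst_plc} fc={fc}: {why}")
    return lines

if __name__ == "__main__":
    hmi = Session("op1", "operator", "HMI-01", "PLC-LINE1")
    vendor = Session("acme", "vendor", "JUMP-01", "PLC-LINE1", mfa=True, via_jump_host=True)
    rogue = Session("x", "engineer", "LAPTOP-77", "PLC-LINE1", mfa=True, change_ticket="CHG-1")
    for line in audit([(hmi, 3), (hmi, 6), (vendor, 16), (rogue, 16)]):
        print(line)
```

The point of the toy is the shape of the decision, not the specific rules: each allow names the identity, location and change-control evidence it rests on, so a denied request is itself a measurable signal rather than a silent failure.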