
Google Cybersecurity Forecast 2026 warns ICS, OT risks escalating from cybercrime, nation-state attacks - Industrial Cyber

Source: Industrial Cyber (archived Mar 16, 2026)



November 07, 2025

Google security leaders highlighted in the Cybersecurity Forecast 2026 report that cybercrime will remain the foremost disruptive threat to ICS (industrial control systems) and OT (operational technology) environments. The report predicts that AI-enabled attacks will shift from rare occurrences to standard practice, reshaping the cyber threat landscape. Ransomware, data theft, and multifaceted extortion are expected to continue as the most financially damaging forms of cybercrime worldwide, driven both by the frequency of incidents and by the cascading economic effects on suppliers, customers, and communities beyond the initial targets.

“We expect to see ransomware operations specifically designed to impact critical enterprise software (such as ERP systems), severely disrupting the supply chain of data essential for OT operations,” Google’s Cybersecurity Forecast 2026 report stated. “This vector is effective because compromising the business layer cripples the industrial environment, forcing quick payments. Meanwhile, poor hygiene, like insecure remote access, will continue to allow common Windows malware to breach OT networks.”

The report also recognized that targeted nation-state attacks, though less frequent, will remain highly sophisticated and tied directly to specific geopolitical conflicts.

Defenders will have to prioritize network segmentation to rigorously isolate OT from the IT network, preventing ransomware from pivoting from the enterprise side. All remote access must be secured with multi-factor authentication (MFA) and least-privilege principles to block entry via compromised credentials. To ensure recovery, organizations should implement immutable, offline backups of both industrial configurations and critical enterprise data, such as ERP logs, and monitor the network paths that connect critical IT and OT systems.

The Cybersecurity Forecast 2026 reported that in 2026 and beyond, Russia’s cyber operations are expected to undergo a strategic shift, moving past a singular focus on short-term tactical support for the conflict in Ukraine to prioritize long-term global strategic goals. “While sustained cyber espionage targeting the Ukrainian government and defense sectors will remain a priority—likely seeking critical intelligence for kinetic operations or political developments such as potential peace talks—the apparatus’ focus will widen.”

It added that the steady pace of cyber espionage in Europe and North America in 2025, alongside renewed use of novel and creative TTPs (tactics, techniques and procedures), suggests a transition towards long-term development of advanced cyber capabilities, intelligence collection to support Russia’s global political and economic interests, and obtaining strategic footholds within international critical infrastructure environments. Despite a decline in disruptive and destructive cyberattacks since 2022, organizations must remain vigilant against this threat in 2026. The report assessed that pro-Russia hacktivist groups will continue to pose a substantial and unpredictable threat, notably to OT environments, as demonstrated by an April 2025 compromise of a Norwegian dam.

Moving to China, the Cybersecurity Forecast 2026 assessed that in 2026, the volume of China-nexus cyber operations is expected to continue surpassing that of other nations. “This sustained, high-pace threat activity will continue to support China’s longstanding strategic interests of maintaining internal stability and strengthening its political and economic influence globally. China’s cyber threat apparatus is expected to not only maintain its current high volume, but it will also prioritize the ability to conduct stealthy operations and field novel capabilities in the coming year,” it added.

The report anticipates that China-nexus cyber espionage TTPs will continue to focus on maximizing operational scale and success, with some threat actors also working to minimize opportunities for detection. China-nexus threat actors will continue to aggressively target edge devices, which typically lack endpoint detection and response solutions, and exploit zero-day vulnerabilities. They will also target third-party providers, since compromising one trusted partner may enable access to many downstream organizations, and abuse of legitimate partner connections makes the resulting malicious access challenging to identify. The Cybersecurity Forecast 2026 report flagged the semiconductor sector as one area of particular interest for these operations, where competition, U.S. export restrictions, and increased demand related to AI adoption may result in espionage, underscoring the importance of a layered approach to network defense.

Google evaluated that the escalating regional tensions, exemplified by the Gaza conflict and the exchange of strikes between Iran, Israel, and the U.S. in 2025, will continue to fuel increased cyber espionage, disruptive attacks, and information operations (IO) targeting Israel and its allies. “We anticipate Iranian cyber capabilities will continue to be resilient, multifaceted, and semi-deniable, deliberately blurring the lines between espionage, disruption, hacktivism, and financially motivated activity. This integrated approach allows the same actors and access to be leveraged for different missions, complicating defense and attribution for adversaries.”

Additionally, it anticipates the risk of wiper deployment to remain elevated, building on the aggressive tactics observed since October 2023. The Cybersecurity Forecast 2026 report cautioned that Iran-aligned IO will remain critical for galvanizing support around Middle East conflicts, sowing discord in target countries, and influencing elections. “This activity will rely heavily on inauthentic, news-focused websites to seed political content aligned with Tehran’s interests. The use of AI-generated content and the amplification of narratives through clusters of inauthentic social media personas, with an increased focus on platforms like Telegram, will accelerate.”

Moreover, the ability to rapidly pivot pre-positioned influence infrastructure, as demonstrated by shifts in messaging after the April 2025 Pahalgam terror attack, confirms their agility in leveraging emerging global stressors. The report expects the core objectives to remain fixed, including continued monitoring of regime critics, intelligence gathering against entities and individuals linked to Iranian or regional politics, and the targeting of technologies that could support the military.

When it comes to North Korea’s cyber threat apparatus, the Cybersecurity Forecast 2026 report identified that it is expected to sustain its primary objectives of revenue generation and traditional cyber espionage against perceived adversaries, primarily the U.S. and South Korea, in 2026. “North Korean cyber threat actors will escalate their highly successful and lucrative operations against cryptocurrency organizations and users,” the report added. “The tactics observed in 2025, which included the largest recorded cryptocurrency heist valued at approximately $1.5 billion, provide a clear indication of their focus on high-yield, financially motivated attacks. We anticipate that North Korean actors will intensify their technical innovation. This includes tactics such as convincing targets to execute malicious code, and conducting extensive internal reconnaissance of cloud environments to locate and steal high-value assets.”

The Google report estimated that North Korean IT worker activity is projected to continue its expansion globally (notably in Europe), adapting to and attempting to circumvent increased law enforcement pressure and growing awareness in the U.S. “This global diversification is a direct reaction to the successful disruption of ‘laptop farms’ in the U.S. that were enabling remote access and obfuscating the workers’ true locations.”

Furthermore, the risk associated with North Korean IT worker activity will continue to extend beyond simple salary earnings. One objective will be direct financial gain through the abuse of employer network access, specifically targeting and stealing cryptocurrency from crypto-focused organizations. Additionally, workers will continue to leverage their employment access for strategic espionage, as shown by the theft of sensitive data from a defense contractor developing AI technology.

In conclusion, the Cybersecurity Forecast 2026 report observed that 2026 will usher in a new era of AI and security, both for adversaries and defenders. “While threat actors will leverage AI to escalate the speed, scope, and effectiveness of attacks, defenders will also harness AI agents to supercharge security operations and enhance analyst capabilities,” the report said. “However, this transformation introduces new challenges, such as ‘Shadow Agent’ risks, and the need for evolving identity and access management.”

Alongside this, financially motivated operations, particularly ransomware and data theft extortion, will remain a dominant and disruptive force. “Geopolitically, nation-state activity from Russia, China, Iran, and North Korea will continue to pose significant and evolving threats, driven by distinct strategic interests and employing diverse cyber tactics.”

To navigate this complex and rapidly evolving environment, the Google report calls upon organizations to prioritize proactive, multi-layered defense strategies, invest in AI governance, and continuously adapt their security postures to safeguard against emerging threats and ensure operational resilience.

Anna Ribeiro, Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.