SecurityWeek’s Cyber Insights 2026 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we explore securing industrial control systems and the strategies organizations are adopting to build long-term resilience.
The cybersecurity challenge for Industrial Control Systems (ICS) is they were designed in conditions of peace but now operate in a continuous war zone.
Bryson Bort, CEO and founder at SCYTHE, starts his conversations on ICS security with a joke: ‘How can you tell a computer is an ICS?… It’s at least 20 years old.’ The purpose is not to elicit laughter but to make people think. “Once the humor passes and the reality sets in, the scale of the problem – an entrenched ecosystem with the inertia of security challenges baked in for years – becomes apparent.”
The continuing problem for securing ICS
This is the biggest problem for ICS security. “Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle,” explains Tim Mackey, head of software supply chain risk strategy at Black Duck. “In effect, legacy best practices may not be up to the task of mitigating current threats; or worse – those that might be deployed in the coming years.”
ICS are vulnerable. This is exacerbated by the operators’ reluctance, if not inability, to take the systems off-line to patch any vulnerabilities. Dario Perfettibile, VP and GM of European operations at Kiteworks, expands, “ICS security problems will unfortunately persist in 2026 because the core challenge is both economic and operational. Critical infrastructure operators simply cannot accept downtime for comprehensive overhauls, and legacy systems with 20- to 30-year lifespans weren’t designed for today’s cyber threats.”
Mackey continues, “Attackers know that critical infrastructure providers are measured in their up-time or service availability; so, once a device is compromised, the attackers have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic.”
Industrial Control Systems were built for reliability and safety, not cybersecurity; and their weaknesses are persistent. “Many devices still rely on outdated protocols without authentication, flat network architectures, and long hardware lifecycles that make patching or replacement difficult,” says Jeff Macre, principal OT security solutions architect at Darktrace. “These challenges are compounded by limited visibility into assets and the operational risks of downtime, so the fundamental security problems in ICS environments will persist well into the future.”
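Macre’s point about protocols without authentication is easiest to see in the bytes. The following is an added illustration, not code from the article or from any vendor quoted in it: a minimal Modbus/TCP encoder and decoder following the public framing (a 7-byte MBAP header, then the PDU). The frame has fields for a transaction id, unit id, function code and data, and nothing else; a write request from the engineering workstation and one from an intruder on the same flat network are byte-for-byte identical. The `write_allowed` function shows the kind of compensating control that is left once the protocol itself cannot help: a source-address allowlist applied at the network layer. Host addresses and function-code coverage are assumptions for the example.

```python
"""Modbus/TCP frame encoder/decoder, added as an illustration (not code from
the article or from any vendor quoted in it).  Framing follows the public
Modbus/TCP layout: a 7-byte MBAP header (transaction id, protocol id,
length, unit id) followed by the PDU (function code + data).  Notice what is
absent: there is no field for a credential or signature."""
import struct

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
                   FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS}


def _frame(tid, unit, pdu):
    # MBAP: transaction id (2), protocol id (2, always 0 for Modbus),
    # length (2) = unit id byte + PDU bytes, unit id (1)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def encode_write_single_coil(tid, unit, address, on):
    # FC 0x05: coil address (2) + value (2): 0xFF00 = ON, 0x0000 = OFF
    return _frame(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_COIL,
                                         address, 0xFF00 if on else 0x0000))


def encode_read_holding_registers(tid, unit, address, count):
    # FC 0x03: starting address (2) + register count (2)
    return _frame(tid, unit, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS,
                                         address, count))


def decode(frame):
    """Return a dict describing the request; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, body = frame[7], frame[8:]
    rec = {"tid": tid, "unit": unit, "function": fc, "write": fc in WRITE_FUNCTIONS}
    if fc in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER):
        rec["address"], rec["value"] = struct.unpack(">HH", body[:4])
    elif fc == FC_READ_HOLDING_REGISTERS:
        rec["address"], rec["count"] = struct.unpack(">HH", body[:4])
    else:
        rec["data"] = body          # other function codes left undecoded here
    return rec


def write_allowed(src_ip, rec, engineering_hosts):
    """Compensating control applied at the network layer: because the protocol
    carries no identity, the only usable signal is the source address, so
    writes are permitted only from known engineering hosts (assumed set)."""
    return (not rec["write"]) or src_ip in engineering_hosts


if __name__ == "__main__":
    frame = encode_write_single_coil(tid=1, unit=17, address=0x0010, on=True)
    print(frame.hex())              # 00010000000611050010ff00
    req = decode(frame)
    print(req, write_allowed("10.0.9.9", req, {"10.0.1.5"}))
```

Run it and compare the hex dump with the field list: every byte is accounted for by addressing and payload. That is why the controls discussed later in this piece (segmentation, governed remote access, virtual patching) operate around the device rather than in it.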
This is the challenge for both industry and society – the critical industries we depend upon, themselves depend upon some of the most vulnerable computer systems.
Cyberattacks against ICS
Both nation states and cybercriminals target ICS: the former for political expediency and the latter for financial extortion. “The critical infrastructure (CI) has become a strategic target as nation states and criminal groups both understand its value and vulnerability,” comments Raed Albuliwi, CPO at Xona.
The need to keep ICS operational makes it more susceptible to ransomware from criminals, while taking down areas of the critical infrastructure can adversely affect public sentiment and disrupt society for political purposes. Elite nation state actors also breach and quietly occupy critical industries – a process known as pre-positioning – so they can neutralize the CI in rapid order either in response to, or preparation for, kinetic warfare.
Michael Freeman, head of threat intelligence at Armis, warns, “By 2026, more than a third of global energy and utilities infrastructure will have experienced cyber pre-positioning activity – quiet access, data collection, and operational mapping by both human and AI-assisted adversaries.”
Gary Schwartz, go-to-market lead at NetRise, adds, “State-aligned actors increasingly prioritize pre-positioning during periods of relative calm by infiltrating software supply chains that feed into network infrastructure. These footholds may appear benign today: simple reconnaissance, credential harvesting, mapping. But in a geopolitical crisis, the same access can be rapidly weaponized to disrupt industrial operations.”
The fusion of IT, OT and IoT exposes every sector of the CI to new attack vectors. “Attackers could weaponize ‘smart city’ systems or exploit minor IoT devices as entry points, and then laterally move into core operational networks to cause physical damage or service outages,” says Alex Mosher, president and CRO at Armis. “Agriculture, transportation, healthcare, and energy grids will face cyber sabotage designed to disrupt essential services rather than steal information.”
Joe Saunders, founder and CEO at RunSafe Security, notes that artificial intelligence (AI) is powered by vast amounts of electricity. “The surge in demand will bring renewed attention to the resilience of ICS and SCADA environments that power energy production, transmission, and data center operations.”
He continues, “Greater dependency on the energy grid and data centers gives adversaries more incentive to target industrial systems for both disruption and leverage, as the consequences of an attack will be much higher. Securing these environments will move from a technical challenge to a national security imperative.”
The ICS stakes can be very high. Consider, for example, the November 2025 announcement that the UK plans to build Small Modular Reactors (SMRs) in Wales. “The ICS systems in the SMRs will undoubtedly be computer controlled, and internet connected – massively increasing the threat landscape,” suggests Jeremy Epstein, security co-chair of the ACM US technology policy committee, and principal research scientist at Georgia Tech Research Institute.
“Nation-state adversaries and terrorists can be expected to be monitoring the progress of SMRs in the UK, US, and everywhere else, developing new types of attacks. And whatever gets installed will probably be there for 30-50 years, the lifecycle of a nuclear power plant.”

The current nation state situation will get worse. “Attacks will demonstrably increase as geopolitical tensions worsen. Russia’s Ukrainian power grid attacks and Chinese reconnaissance of U.S. water systems establish ICS as legitimate targets,” comments Perfettibile.
“Geopolitical conflicts are fueling a surge in OT/ICS attacks,” adds Vikesh Khanna, CTO and co-founder at Ambient.ai. “State-sponsored actors and hacktivists target critical infrastructure for disruption, as seen in DDoS campaigns, ransomware, and even physical sabotage attempts. This convergence of cyberwarfare and geopolitics heightens risks.”
Macre adds, “We’re already seeing more OT‑focused malware and ransomware linked to geopolitical conflict. For example, VoltRuptor is a sophisticated ICS/SCADA malware developed by the Infrastructure Destruction Squad, featuring multi-protocol support, persistence, and anti-forensics capabilities. It has been deployed in attacks against critical infrastructure and is sold on dark web forums. Analysts believe it is aligned with state-sponsored campaigns targeting countries that aren’t either pro-Russia or China, making it a significant geopolitical cyber threat.”
Bort believes, “Ransomware will continue to increase. The asymmetric advantages of these kinds of cyberattacks will continue to increase.” It is often difficult to attribute ransomware accurately to criminals, state actors or a mix of the two, since disruption can be a by-product of criminal activity or the very purpose of a state actor. Cyble reported it observed ‘a staggering 5,967 (ransomware) attacks globally in 2025’, with many of these targeting critical industries.
Andrew Lintell, GM for EMEA at Claroty, adds, “With 12% of OT devices expected to carry known exploitable vulnerabilities (KEVs) and 7% linked to ransomware campaigns, industrial cybersecurity will need to be treated as a continuous operational priority.”
ICS is the nut caught between the jaws of cybercriminals and state actors, and it will increasingly be squeezed and cracked in the coming years.
ICS in 2026 and beyond
The overriding belief is that ICS will seek and require greater resilience in 2026, although Trevor Dearing, director of critical infrastructure at Illumio, stresses the need to go further into ‘anti-fragility’, “Aiming not just to withstand attacks, but to emerge stronger from them… It’s not just about recovery, it’s about adaptation, learning, and improvement.”
Since the primary cause of ICS problems is the longevity of the hardware, the most obvious solution would be to rip it out and replace it with modern, more secure systems. Replacement may happen gradually over time, but it is not considered a short-term solution.
“Many ICS assets are designed for 10‑ to 20‑year lifecycles, and replacing them outright is rarely cost‑effective. The equipment itself is expensive, and new components often have interoperability challenges with existing systems. Mixing old and new technologies can introduce more risk than it solves,” explains Macre.
Khanna comments, “Practical and financial hurdles like downtime, compatibility, and high costs (often millions per site) slow progress, particularly when factoring in physical retrofits.”
Saunders adds, “The economic and operational barriers to replacement are simply too high. Gradual modernization will happen over time, but resilience has to start now, with cybersecurity that protects existing assets while the industry transitions.”
As a result, improvements to security will need to co-exist with aging hardware. “Industrial systems and critical infrastructure are entering a new era of hybrid automation. Modern controllers, robots, and automation software are making real-time decisions alongside decades-old, legacy equipment,” says Anusha Iyer, Founder and CEO at Corsha.
Modern security must be added to ICS hardware without interfering with its operational priorities. This will most likely be achieved by layering modern security controls over the existing equipment, assisted by artificial intelligence for a degree of automation, with a focus on introducing zero trust principles.
“Automation provides a great opportunity for enterprises to optimize and gain efficiencies but also adds complexity and risk. Taking an identity-centric approach to controlling connections and managing risk creates a shared foundation for visibility, trust, and governance across digital and operational domains,” continues Iyer.

Understanding and reducing the identity attack surface should be a critical concern for every organization, says James Maude, field CTO at BeyondTrust. “Organizations need to think about how to securely manage privileged access into their critical environments. Ensuring that employees, vendors, and 3rd parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real time monitoring and controls to audit and terminate access in the event of identity compromise.”
Brian Reed, CMO at Corsha, says “Automated machine identity with continuous authentication establishes that control layer in a way that is simple to deploy, simple to manage, and easy to scale as systems grow.”
Identity management is key to any zero trust approach. “The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage,” continues Maude.
The identity security debt accumulated by many organizations represents a greater risk than any other area, since it only takes one attacker logging in with the right identity for all to be lost, given the available paths to privilege.
Schwartz comments on the growing adoption of OT-aware zero trust. “Carnegie Mellon’s Software Engineering Institute, Emerson, and Control Engineering have all published guidance showing how zero trust can be adapted to ICS using authenticated engineering actions, granular segmentation, and tightly governed remote access. This reflects the reality that supply-chain compromise is often inevitable, so access must be constrained even for trusted components.”
He adds that SBOMs and vendor transparency are becoming essential. “Supply-chain failures like Log4Shell and XZ Utils demonstrated that operators need visibility into what’s inside their controllers and software stacks. None of these approaches solve everything, but collectively they move ICS toward a more verifiable, trustworthy ecosystem that’s harder to compromise at the source and easier to defend in practice.”
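What “visibility into what’s inside their controllers” looks like in practice is an SBOM matched against an advisory feed. The block below is an added example, not code from the article or from NetRise: it parses a constructed CycloneDX-style SBOM fragment and checks each component against a small illustrative feed. The two feed entries name the real advisories the text alludes to (CVE-2021-44228 for Log4Shell, CVE-2024-3094 for the XZ Utils backdoor), but the version ranges are simplified for the example and are not an authoritative source; the SBOM contents, the `range`/`exact` feed shape and the `parse_version` rules are assumptions.

```python
"""Added example, not from the article: match a constructed CycloneDX-style
SBOM against a small, illustrative advisory feed.  The advisory ids are real
but the affected-version ranges are simplified for the example and must not
be used as an authoritative feed."""
import json

# Constructed SBOM fragment (CycloneDX 1.x JSON shape: a "components" list with
# name, version and package URL).  Not a real device's bill of materials.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "xz", "version": "5.6.1", "purl": "pkg:generic/xz@5.6.1"},
        {"name": "xz", "version": "5.4.6", "purl": "pkg:generic/xz@5.4.6"},
        {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
    ],
})

# Illustrative feed (assumed shape).  "range" is (min inclusive, max exclusive);
# "exact" lists specific affected versions.
ADVISORIES = [
    {"id": "CVE-2021-44228", "name": "log4j-core",
     "range": ("2.0", "2.15.0")},   # simplified: fixed backports on older branches not modelled
    {"id": "CVE-2024-3094", "name": "xz", "exact": ["5.6.0", "5.6.1"]},
]


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); a trailing pre-release tag such as '-beta9' is dropped."""
    parts = []
    for piece in v.split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, advisory):
    if "exact" in advisory:
        return version in advisory["exact"]
    lo, hi = advisory["range"]
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def match_sbom(sbom_json, advisories):
    """Return (component name, version, advisory id) for every hit, in SBOM order."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for hit in match_sbom(SBOM_JSON, ADVISORIES):
        print("%s %s affected by %s" % hit)
```

The useful property for an operator is that the check runs against a document the vendor supplies, before the firmware reaches the plant; a device that ships no SBOM cannot be checked this way, which is the transparency gap Schwartz is describing.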
Segmentation is an important part of the path to resiliency through zero trust. Agnidipta Sarkar, chief evangelist at ColorTokens, has two recommendations for resilience. The first is microsegmentation. It prevents an attacker from using lateral movement to reach the ‘ICS islands of excellence’. The second is to prevent credential misuse “by using cryptographic passwordless authentication. Both approaches are fundamental to adopting zero trust for cyber resilience,” he suggests.
Carlos Buenano, CTO for operational technology at Armis, believes that CTEM will become the operational center of gravity. “A few years ago, CTEM (continuous threat exposure management) was just another Gartner acronym. In 2026, it’s the organizing principle for any serious OT security program.”
He explains, “CTEM represents a shift from periodic vulnerability management to continuous, risk-based exposure assessment and management across hardware, firmware, network paths, and even supply-chain dependencies. But the key difference this year is context. We’re no longer prioritizing based on CVSS scores alone. Instead, we’re aligning exposures with what actually matters; the physical process, the human safety implications, and the potential operational impact.”
AI is increasingly used to add speed and efficiency to security controls. Agentic AI offers enormous potential for autonomous action in the future, but the extent to which it can safely be introduced into the ICS environment is unclear, and adoption is likely to be slow. It has, however, already arrived within ICS physical security.
“A key innovation is agentic physical security for proactive threat prevention,” comments Ambient.ai’s Khanna. Such platforms can leverage AI agents to monitor physical spaces in real-time, detecting anomalies such as unauthorized access attempts or suspicious behavior near ICS assets.
AI-driven anomaly detection is another recommended use of AI. “It could detect anomalies like unauthorized access attempts or suspicious behavior near ICS assets,” suggests Khanna. “This integrates seamlessly with ICS for holistic monitoring, combining computer vision with access control systems to verify identities and prevent breaches before they escalate. Adaptive protections using ML for real-time encryption and threat response are game-changers, especially when layered with physical barriers and AI-verified access.”
Darktrace’s Macre adds, “Passive anomaly detection is safe for fragile ICS networks, and AI can take it further by learning what ‘normal’ looks like for each unique environment. That means fewer false positives and more actionable insights – which is critical for teams who are drowning in ‘noise’. When paired with autonomous response, organizations can stop threats in real time, while still keeping humans in the loop when needed.”
However, NetRise’s Schwartz warns, “Its value is often overstated. It can highlight unusual network traffic, suspicious engineering actions, or deviations in process behavior, providing a spotlight on activity that operators might otherwise miss. But anomaly detection only sees what happens after a compromise manifests on the network. It does little to address the deeper software supply-chain risks that now dominate ICS intrusions.”
He continues, “Real resilience comes from combining behavioral monitoring with pre-deployment assurance: examining the code that runs on devices, validating its integrity, and governing how updates are introduced into the environment. In other words, anomaly detection watches the symptoms; supply-chain analysis addresses the cause.”
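Macre’s “passive anomaly detection is safe for fragile ICS networks” and Schwartz’s “anomaly detection watches the symptoms” can both be seen in one small detector. The block below is an added example, not code from the article, Darktrace or NetRise: it learns a per-peer baseline from Modbus conversation metadata (which peers talk to which unit, which function codes they use, which registers they write) and then reports deviations in a later window. It never sends anything to a controller; it only reads records. The CSV lines, host addresses and field layout are constructed for the example.

```python
"""Added example, not from the article: a passive baseline-and-deviate detector
over Modbus conversation metadata.  It never sends a packet to the PLC; it
only reads records already extracted from a span port (here, constructed CSV
lines).  Fields: timestamp, src, dst, unit id, function code, starting address."""
from collections import defaultdict

WRITE_FUNCTIONS = {5, 6, 15, 16}        # write coil(s) / register(s)

# Constructed training window: engineering workstation 10.0.1.5 polls PLC
# 10.0.2.20 and occasionally writes setpoint register 100.
TRAINING = """\
2026-01-05T08:00:01,10.0.1.5,10.0.2.20,1,3,0
2026-01-05T08:00:02,10.0.1.5,10.0.2.20,1,3,0
2026-01-05T08:00:03,10.0.1.5,10.0.2.20,1,6,100
2026-01-05T08:00:04,10.0.1.5,10.0.2.20,1,3,0
2026-01-05T08:00:05,10.0.1.5,10.0.2.20,1,6,100
"""

# Constructed monitoring window: one normal write, one write to a register
# never written before, one read from a host never seen before.
MONITORING = """\
2026-01-06T08:00:01,10.0.1.5,10.0.2.20,1,6,100
2026-01-06T08:00:02,10.0.1.5,10.0.2.20,1,6,250
2026-01-06T08:00:03,10.0.3.77,10.0.2.20,1,3,0
"""


def parse(text):
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, unit, fc, addr = line.split(",")
        records.append({"ts": ts, "src": src, "dst": dst, "unit": int(unit),
                        "function": int(fc), "address": int(addr)})
    return records


def learn_baseline(records):
    """Per (src, dst, unit): the function codes seen and the addresses written."""
    baseline = defaultdict(lambda: {"functions": set(), "write_targets": set()})
    for r in records:
        key = (r["src"], r["dst"], r["unit"])
        baseline[key]["functions"].add(r["function"])
        if r["function"] in WRITE_FUNCTIONS:
            baseline[key]["write_targets"].add(r["address"])
    return dict(baseline)


def detect(baseline, records):
    """Return (record, reason) for every deviation; traffic matching the
    baseline yields nothing, even if the source host is itself compromised."""
    findings = []
    for r in records:
        key = (r["src"], r["dst"], r["unit"])
        if key not in baseline:
            findings.append((r, "new peer talking to this unit"))
        elif r["function"] not in baseline[key]["functions"]:
            findings.append((r, "function code never seen for this peer"))
        elif r["function"] in WRITE_FUNCTIONS and r["address"] not in baseline[key]["write_targets"]:
            findings.append((r, "write to an address outside the baseline"))
    return findings


if __name__ == "__main__":
    base = learn_baseline(parse(TRAINING))
    for rec, why in detect(base, parse(MONITORING)):
        print(rec["ts"], rec["src"], "fc", rec["function"], "addr", rec["address"], "->", why)
```

The first monitoring record, a write to register 100 from the usual workstation, produces no finding. That is the limitation Schwartz points at: a compromised engineering host, or backdoored controller code issuing normal-looking writes, passes a behavioral baseline untouched, so the supply-chain checks have to happen before deployment.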
SCYTHE’s Bort also warns, “The inclusion of AI, or any security tooling, increases risk: think about it, how exactly do these tools work? Most of them depend on internet connectivity for execution or the updates needed to be current. That connectivity increases risk because it increases direct surface area.”
But before resilience and recovery can be realized, ICS environments will need two things in 2026. The first will be a more complete and detailed inventory of components across the cyber-physical systems (CPS) estate. Christian Terlecki, Director of Federal at Armis, says, “In 2026, Agencies will need continuous CPS discovery and purpose-aware risk scoring. That means the ability to identify controllers, medical devices, industrial controllers, and edge appliances and to understand not just that a device exists, but what its operational role is, where its interconnections lead, and what safe remediation looks like.”
In many federal contexts, he continues, “safe remediation won’t be an automatic patch; it will be a compensating micro-segmentation rule, compensating control or a virtual patch applied at the network layer, and the CPS program must support those options with clear, actionable steps.”
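Buenano’s “no longer prioritizing based on CVSS scores alone” and Terlecki’s “purpose-aware risk scoring” with non-patch remediation options describe the same computation from two sides. The block below is an added example, not code from Armis or any other vendor in the article: it scores a constructed inventory by CVSS, known-exploited status, process role and reachability, prints the resulting ranking beside the CVSS-only ranking, and chooses a remediation that respects the outage calendar. The weights, the role and exposure categories, and the four assets are assumptions for the example; a real program would take role and exposure from the discovery inventory and the process hazard analysis.

```python
"""Added example, not code from Armis or any other vendor quoted in the
article: a context-weighted exposure score for OT assets, ranked next to the
CVSS-only ranking, plus a 'safe remediation' chooser.  Weights and assets are
illustrative assumptions."""

# Illustrative weights (assumption): what the asset does for the physical
# process, and how reachable it is.
ROLE_WEIGHT = {"safety-instrumented": 1.0, "process-control": 0.8,
               "hmi": 0.6, "historian": 0.3}
EXPOSURE_WEIGHT = {"internet": 1.0, "it-network": 0.7,
                   "ot-network": 0.4, "isolated": 0.1}

# Constructed inventory records (not from any real site).
ASSETS = [
    {"id": "hist-1", "role": "historian", "cvss": 9.8, "kev": False,
     "exposure": "it-network", "patch_available": True, "next_outage_days": 7},
    {"id": "sis-plc-1", "role": "safety-instrumented", "cvss": 7.5, "kev": True,
     "exposure": "ot-network", "patch_available": False, "next_outage_days": 400},
    {"id": "hmi-1", "role": "hmi", "cvss": 8.8, "kev": True,
     "exposure": "it-network", "patch_available": False, "next_outage_days": 90},
    {"id": "pump-plc-2", "role": "process-control", "cvss": 5.3, "kev": False,
     "exposure": "isolated", "patch_available": True, "next_outage_days": 200},
]


def exposure_score(asset):
    """CVSS scaled to 0..1, boosted if on a known-exploited list, then weighted
    by process role and reachability."""
    score = asset["cvss"] / 10.0
    if asset["kev"]:
        score *= 1.3
    score *= ROLE_WEIGHT[asset["role"]] * EXPOSURE_WEIGHT[asset["exposure"]]
    return round(score, 3)


def rank(assets, key):
    """Asset ids, highest priority first."""
    return [a["id"] for a in sorted(assets, key=key, reverse=True)]


def safe_remediation(asset):
    """Patching is rarely the first option on a running plant; pick the least
    disruptive control that still reduces the exposure."""
    if asset["patch_available"] and asset["next_outage_days"] <= 30:
        return "patch at next scheduled outage"
    if asset["exposure"] in ("internet", "it-network"):
        return "virtual patch / segmentation rule at the network layer"
    if asset["role"] == "safety-instrumented":
        return "restrict engineering access to the SIS, monitor, defer patch to lifecycle review"
    return "compensating monitoring; reassess at next outage"


if __name__ == "__main__":
    print("CVSS-only :", rank(ASSETS, key=lambda a: a["cvss"]))
    print("Contextual:", rank(ASSETS, key=exposure_score))
    for a in ASSETS:
        print(a["id"], exposure_score(a), "->", safe_remediation(a))
```

The historian with the 9.8 tops the CVSS-only list and drops to third once role and exposure are applied, while the HMI and the safety PLC with known-exploited flaws move up; and only one of the four gets a plain “patch” answer, because only one has both a fix and an outage window inside a month.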

Sam Maesschalck, lead OT cyber security engineer at Immersive, suggests the second new requirement: “In 2026, the industry will also face increasing pressure to grow and upskill the OT security workforce. Organizations will prioritize hands-on training, scenario-based exercises, and cross-discipline capability building between IT and OT teams. Those that mature fastest will be the ones investing in continuous education, realistic OT lab environments, and workforce development programs rather than relying solely on tools and external consultancies.”
So, how do we defend today’s systems? “Through a continually evolving set of defenses, monitoring systems, and responses,” suggests Epstein. “What works in 2025 will certainly not be good enough in 2030, as the threats will continue to advance, and the systems will continue to evolve adding new attack surfaces.”
Will AI be the silver bullet? “No,” he continues. “But it can be part of a solution, going beyond anomaly detection. The protection for the water system for Springfield Ohio will be different from the one from Springfield Virginia and all of the dozens of other Springfields around the country – not even including The Simpsons’ hometown. Upgrades to address security will be different for each Springfield, and AI systems addressing security will need to be customized for each one.”
In the end, he adds, “It’s hard to be a serious cybersecurity expert without being a pessimist. In nearly 40 years in the field, I’ve seen some things get better (for example, we’re much better at building software than we were), but the threats have evolved more rapidly. ICS needs more attention in the form of industry, government, and academic R&D to build and adapt technologies to address rapidly evolving threats.”
Learn More at SecurityWeek’s ICS Cybersecurity Conference
Related: CISA Warns of ScadaBR Vulnerability After Hacktivist ICS Attack
Related: Canada Says Hackers Tampered With ICS at Water Facility, Oil and Gas Firm
Related: NIST Publishes Guide for Protecting ICS Against USB-Borne Threats
Related: Iranian Hackers’ Preferred ICS Targets Left Open Amid Fresh US Attack Warning