Nation-state actors have shifted focus. For years, critical infrastructure attacks were rare, high-profile events. Today, they are routine — and the targeting of operational technology (OT) environments is accelerating.
This article breaks down the top threats we're tracking in 2026 and what industrial organizations can do right now.
The Shift Toward OT Targeting
OT environments — SCADA systems, PLCs, DCS, and industrial control networks — were historically air-gapped and isolated. That's no longer the case. The convergence of IT and OT networks, driven by efficiency and remote monitoring needs, has dramatically expanded the attack surface.
In the past 18 months, our team has responded to incidents across:
- Energy and utilities (power generation, water treatment)
- Oil and gas (upstream and downstream)
- Manufacturing (automotive, pharmaceutical, food & beverage)
- Transportation infrastructure
Top Attack Vectors in 2026
1. Living-off-the-Land in OT
Attackers are increasingly using native OT protocols (Modbus, DNP3, OPC-UA) to blend in with normal traffic. Traditional IT security tools do not parse these protocols, so they raise no alerts when the protocols are abused.
What to do: Deploy passive OT-aware monitoring that understands industrial protocols and can baseline normal behavior.
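As an added example (not from the article or any vendor's product), here is a minimal Python sketch of the baselining idea: it parses Modbus/TCP request headers, learns which client/server/unit/function-code tuples are normal during a learning window, and then flags anything new, rating write function codes higher than reads. The hosts, addresses and frames are constructed for the demo.

```python
import struct

# Function codes that change process state (writes); a new source issuing these is most urgent.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def build_request(tid, unit, function, data):
    """Build a Modbus/TCP request: MBAP header (tid, proto=0, length, unit) followed by the PDU."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(payload):
    """Parse the MBAP header and function code; reject frames that are not well-formed Modbus."""
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])  # struct.error if too short
    if proto != 0 or length != len(payload) - 6 or len(payload) < 8:
        raise ValueError("malformed Modbus/TCP frame")
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}

class ModbusBaseline:
    """Learn (client, server, unit, function) tuples, then alert on anything outside that set."""
    def __init__(self):
        self.seen = set()
        self.learning = True

    def observe(self, src, dst, payload):
        """Return None while learning or for known traffic; otherwise return an alert string."""
        pdu = parse_modbus_tcp(payload)
        key = (src, dst, pdu["unit"], pdu["function"])
        if self.learning:
            self.seen.add(key)
            return None
        if key in self.seen:
            return None
        sev = "HIGH" if pdu["function"] in WRITE_FUNCTIONS else "LOW"
        return f"{sev}: {src} -> {dst} unit {pdu['unit']} fc {pdu['function']} not in baseline"

def run_demo():
    """Constructed traffic: an HMI polls, an engineering workstation writes, then a jump host that never spoke Modbus before issues a multi-register write."""
    hmi, ews, jump, plc = "10.1.1.10", "10.1.1.11", "10.1.1.50", "10.1.2.20"
    mon = ModbusBaseline()
    read_regs = build_request(1, 1, 3, struct.pack(">HH", 0, 10))  # fc3 read holding registers
    write_one = build_request(2, 1, 6, struct.pack(">HH", 40, 1))  # fc6 write single register
    for src, frame in ((hmi, read_regs), (ews, write_one)):
        mon.observe(src, plc, frame)
    mon.learning = False
    write_many = build_request(3, 1, 16, struct.pack(">HHB", 40, 2, 4) + b"\x00\x01\x00\x02")
    read_coils = build_request(4, 1, 1, struct.pack(">HH", 0, 8))  # fc1, new for the HMI
    events = ((hmi, read_regs), (jump, write_many), (hmi, read_coils))
    return [a for a in (mon.observe(s, plc, f) for s, f in events) if a]
```

In a real deployment the learning set would be populated from a span port or tap over days of production traffic and reviewed by operators before enforcement, since a write from a new host is only an anomaly if it is not a planned change.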
2. Remote Access Exploitation
VPNs and remote access tools deployed during COVID-era expansions were never properly hardened. We're still finding unpatched Fortinet, Pulse Secure, and Citrix vulnerabilities being actively exploited to reach OT jump servers.
What to do: Audit all remote access paths into your OT environment. Implement MFA and dedicated OT remote access solutions with session recording.
3. Supply Chain and Vendor Access
Third-party vendors with remote access to PLCs and HMIs represent one of the highest-risk entry points. The 2021 Oldsmar water treatment incident began with a compromised vendor credential.
What to do: Implement vendor access controls, time-limited sessions, and audit logging for all third-party OT access.
4. Ransomware Targeting Historians and HMIs
Ransomware groups have learned that encrypting historian servers and HMIs is more disruptive — and therefore more profitable — than targeting corporate IT. Production stops, and the pressure to pay is intense.
What to do: Ensure OT systems have offline, immutable backups. Test restoration procedures regularly.
The IEC 62443 Framework
If you're not already aligning to IEC 62443, now is the time. The standard provides a structured approach to OT security through Security Zones and Conduits, with Security Level (SL) requirements that map directly to your risk profile.
Key elements to prioritize:
- Zone and Conduit modeling — define clear security boundaries
- Security Level Target (SL-T) vs. Security Level Capability (SL-C) gap analysis — understand where you are vs. where you need to be
- Supply chain requirements — extend security requirements to vendors and integrators
Immediate Actions
- Passive network discovery — know what's on your OT network before attackers do
- Patch what you can — start with internet-facing and remote access infrastructure
- Segment IT from OT — if there's a flat network, this is your highest priority
- Develop an OT IR plan — before you need it, not during an incident
- Train your operations team — security awareness for OT operators is often overlooked
Ready to assess your OT security posture? Our team specializes in non-disruptive OT assessments that give you a clear picture of your risk without touching production systems. Contact us to get started.