Cyber Insights 2026: The Ongoing Fight to Secure Industrial Control Systems

  • What: SecurityWeek's Cyber Insights 2026 examines expert opinions on the evolution of cybersecurity in industrial control systems.
  • Impact: Organizations must rethink how they defend critical operations through resilience, visibility, and modern security strategies.

As nation-state actors, ransomware groups, and aging infrastructure collide, organizations must rethink how they defend critical operations through resilience, visibility, and modern security strategies.

By Kevin Townsend, February 17, 2026 (9:00 AM ET)

SecurityWeek’s Cyber Insights 2026 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we explore securing industrial control systems and the strategies organizations are adopting to build long-term resilience.

The cybersecurity challenge for Industrial Control Systems (ICS) is that they were designed in conditions of peace but now operate in a continuous war zone.

Bryson Bort, CEO and founder at SCYTHE, starts his conversations on ICS security with a joke: ‘How can you tell a computer is an ICS?… It’s at least 20 years old.’ The purpose is not to elicit laughter but to make people think. “Once the humor passes and the reality sets in, the scale of the problem – an entrenched ecosystem with the inertia of security challenges baked in for years – becomes apparent.”

The continuing problem for securing ICS

This is the biggest problem for ICS security. “Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle,” explains Tim Mackey, head of software supply chain risk strategy at Black Duck. “In effect, legacy best practices may not be up to the task of mitigating current threats; or worse – those that might be deployed in the coming years.”

ICS are vulnerable. This is exacerbated by the operators’ reluctance, if not inability, to take the systems off-line to patch any vulnerabilities.
Dario Perfettibile, VP and GM of European operations at Kiteworks, expands, “ICS security problems will unfortunately persist in 2026 because the core challenge is both economic and operational. Critical infrastructure operators simply cannot accept downtime for comprehensive overhauls, and legacy systems with 20- to 30-year lifespans weren’t designed for today’s cyber threats.”

Mackey continues, “Attackers know that critical infrastructure providers are measured in their up-time or service availability; so, once a device is compromised, the attackers have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic.”

Industrial Control Systems were built for reliability and safety, not cybersecurity; and their weaknesses are persistent. “Many devices still rely on outdated protocols without authentication, flat network architectures, and long hardware lifecycles that make patching or replacement difficult,” says Jeff Macre, principal OT security solutions architect at Darktrace. “These challenges are compounded by limited visibility into assets and the operational risks of downtime, so the fundamental security problems in ICS environments will persist well into the future.”

This is the challenge for both industry and society – the critical industries we depend upon, themselves depend upon some of the most vulnerable computer systems.

Cyberattacks against ICS

Both nation states and cybercriminals target ICS: the former for political expediency and the latter for financial extortion. “The critical infrastructure (CI) has become a strategic target as nation states and criminal groups both understand its value and vulnerability,” comments Raed Albuliwi, CPO at Xona.

The need to keep ICS operational makes it more susceptible to ransomware from criminals, while taking down areas of the critical infrastructure can adversely affect public sentiment and disrupt society for political purposes.
Elite nation state actors also breach and quietly occupy critical industries – a process known as pre-positioning – so they can neutralize the CI in rapid order either in response to, or preparation for, kinetic warfare.

Michael Freeman, head of threat intelligence at Armis, warns, “By 2026, more than a third of global energy and utilities infrastructure will have experienced cyber pre-positioning activity – quiet access, data collection, and operational mapping by both human and AI-assisted adversaries.”

Gary Schwartz, go-to-market lead at NetRise, adds, “State-aligned actors increasingly prioritize pre-positioning during periods of relative calm by infiltrating software supply chains that feed into network infrastructure. These footholds may appear benign today: simple reconnaissance, credential harvesting, mapping. But in a geopolitical crisis, the same access can be rapidly weaponized to disrupt industrial operations.”

The fusion of IT, OT and IoT exposes every sector of the CI to new attack vectors. “Attackers could weaponize ‘smart city’ systems or exploit minor IoT devices as entry points, and then laterally move into core operational networks to cause physical damage or service outages,” says Alex Mosher, president and CRO at Armis. “Agriculture, transportation, healthcare, and energy grids will face cyber sabotage designed to disrupt essential services rather than steal information.”

Joe Saunders, founder and CEO at RunSafe Security, notes that artificial intelligence (AI) is powered by vast amounts of electricity. “The surge in demand will bring renewed attention to the resilience of ICS and SCADA environments that power energy production, transmission, and data center operations.” He continues, “Greater dependency on the energy grid and data centers gives adversaries more incentive to target industrial systems for both disruption and leverage, as the consequences of an attack will be much higher. Securing these environments will move from a technical challenge to a national security imperative.”

The ICS stakes can be very high. Consider, for example, the November 2025 announcement that the UK plans to build Small Modular Reactors (SMRs) in Wales. “The ICS systems in the SMRs will undoubtedly be computer controlled, and internet connected – massively increasing the threat landscape,” suggests Jeremy Epstein, security co-chair of the ACM US technology policy committee, and principal research scientist at Georgia Tech Research Institute. “Nation-state adversaries and terrorists can be expected to be monitoring the progress of SMRs in the UK, US, and everywhere else, developing new types of attacks. And whatever gets installed will probably be there for 30-50 years, the lifecycle of a nuclear power plant.”

The current nation state situation will get worse. “Attacks will demonstrably increase as geopolitical tensions worsen. Russia’s Ukrainian power grid attacks and Chinese reconnaissance of U.S. water systems establish ICS as legitimate targets,” comments Perfettibile.

“Geopolitical conflicts are fueling a surge in OT/ICS attacks,” adds Vikesh Khanna, CTO and co-founder at Ambient.ai. “State-sponsored actors and hacktivists target critical infrastructure for disruption, as seen in DDoS campaigns, ransomware, and even physical sabotage attempts. This convergence of cyberwarfare and geopolitics heightens risks.”

Macre adds, “We’re already seeing more OT‑focused malware and ransomware linked to geopolitical conflict. For example, VoltRuptor is a sophisticated ICS/SCADA malware developed by the Infrastructure Destruction Squad, featuring multi-protocol support, persistence, and anti-forensics capabilities. It has been deployed in attacks against critical infrastructure and is sold on dark web forums. Analysts believe it is aligned with state-sponsored campaigns targeting countries that aren’t either pro-Russia or China, making it a significant geopolitical cyber threat.”

Bort believes, “Ransomware will continue to increase. The asymmetric advantages of these kinds of cyberattacks will continue to increase.”

It is often difficult to accurately attribute ransomware to criminals, state actors or a mix of the two since disruption could be the result of criminal activity or the purpose of state actors. Cyble reported it observed ‘a staggering 5,967 (ransomware) attacks globally in 2025’, with many of these targeting critical industries.

Andrew Lintell, GM for EMEA at Claroty, adds, “With 12% of OT devices expected to carry known exploitable vulnerabilities (KEVs) and 7% linked to ransomware campaigns, industrial cybersecurity will need to be treated as a continuous operational priority.”

ICS is a nut caught between cybercriminals and state actors, and between them it will increasingly be targeted and cracked in the coming years.

ICS in 2026 and beyond

The overriding belief is that ICS will seek and require greater resilience in 2026, although Trevor Dearing, Director of critical infrastructure at Illumio, stresses the need to go further into ‘anti-fragility’, “Aiming not just to withstand attacks, but to emerge stronger from them… It’s not just about recovery, it’s about adaptation, learning, and improvement.”

Since the primary cause of ICS problems is the longevity of the hardware, the most obvious solution would be to rip them out and replace them with modern, more secure systems. Although replacement may happen gradually over time, this is not considered a short-term solution.

“Many ICS assets are designed for 10‑ to 20‑year lifecycles, and replacing them outright is rarely cost‑effective. The equipment itself is expensive, and new components often have interoperability challenges with existing systems. Mixing old and new technologies can introduce more risk than it solves,” explains Macre.

Khanna comments, “Practical and financial hurdles like downtime, compatibility, and high costs (often millions per site) slow progress, particularly when factoring in physical retrof
