Bort believes, “Ransomware will continue to increase. The asymmetric advantages of these kinds of cyberattacks will continue to increase.” It is often difficult to accurately attribute ransomware to criminals, state actors or a mix of the two, since disruption could be the result of criminal activity or the purpose of state actors. Cyble reported it observed ‘a staggering 5,967 (ransomware) attacks globally in 2025’, with many of these targeting critical industries.

Andrew Lintell, GM for EMEA at Claroty, adds, “With 12% of OT devices expected to carry known exploitable vulnerabilities (KEVs) and 7% linked to ransomware campaigns, industrial cybersecurity will need to be treated as a continuous operational priority.”

ICS is a nut caught between cybercriminals and state actors, and between them it will increasingly be targeted and cracked in the coming years.

ICS in 2026 and beyond

The overriding belief is that ICS will seek and require greater resilience in 2026, although Trevor Dearing, Director of critical infrastructure at Illumio, stresses the need to go further into ‘anti-fragility’: “Aiming not just to withstand attacks, but to emerge stronger from them… It’s not just about recovery, it’s about adaptation, learning, and improvement.”

Since the primary cause of ICS problems is the longevity of the hardware, the most obvious solution would be to rip it out and replace it with modern, more secure systems. Although replacement may happen gradually over time, this is not considered a short-term solution.

“Many ICS assets are designed for 10‑ to 20‑year lifecycles, and replacing them outright is rarely cost‑effective. The equipment itself is expensive, and new components often have interoperability challenges with existing systems. Mixing old and new technologies can introduce more risk than it solves,” explains Macre.

Khanna comments, “Practical and financial hurdles like downtime, compatibility, and high costs (often millions per site) slow progress, particularly when factoring in physical retrofits.”

Saunders adds, “The economic and operational barriers to replacement are simply too high. Gradual modernization will happen over time, but resilience has to start now, with cybersecurity that protects existing assets while the industry transitions.”

As a result, improvements to security will need to co-exist with aging hardware. “Industrial systems and critical infrastructure are entering a new era of hybrid automation. Modern controllers, robots, and automation software are making real-time decisions alongside decades-old, legacy equipment,” says Anusha Iyer, Founder and CEO at Corsha.

Modern security must be added to ICS hardware without interfering with its operational priorities. This will most likely be achieved by modern security controls assisted by artificial intelligence to achieve a degree of automation – and will focus on introducing zero trust principles.

“Automation provides a great opportunity for enterprises to optimize and gain efficiencies but also adds complexity and risk. Taking an identity-centric approach to controlling connections and managing risk creates a shared foundation for visibility, trust, and governance across digital and operational domains,” continues Iyer.

James Maude, field CTO at BeyondTrust.

Understanding and reducing the identity attack surface should be a critical consideration for every organization, says James Maude, field CTO at BeyondTrust. “Organizations need to think about how to securely manage privileged access into their critical environments. Ensuring that employees, vendors, and third parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real-time monitoring and controls to audit and terminate access in the event of identity compromise.”

Brian Reed, CMO at Corsha, says, “Automated machine identity with continuous authentication establishes that control layer in a way that is simple to deploy, simple to manage, and easy to scale as systems grow.”

Identity management is key to any zero trust approach. “The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage,” continues Maude.

The identity security debt accumulated by many organizations represents a greater risk than any other area: it takes only one attacker logging in with the right identity, and the available paths to privilege mean all is lost.

Schwartz comments on the growing adoption of OT-aware zero trust. “Carnegie Mellon’s Software Engineering Institute, Emerson, and Control Engineering have all published guidance showing how zero trust can be adapted to ICS using authenticated engineering actions, granular segmentation, and tightly governed remote access. This reflects the reality that supply-chain compromise is often inevitable, so access must be constrained even for trusted components.”

He adds that SBOMs and vendor transparency are becoming essential. “Supply-chain failures like Log4Shell and XZ Utils demonstrated that operators need visibility into what’s inside their controllers and software stacks. None of these approaches solve everything, but collectively they move ICS toward a more verifiable, trustworthy ecosystem that’s harder to compromise at the source and easier to defend in practice.”

Segmentation is an important part of the path to resiliency through zero trust. Agnidipta Sarkar, chief evangelist at ColorTokens, has two recommendations for resilience. The first is microsegmentation, which prevents an attacker using lateral movement to reach the ‘ICS islands of excellence’. The second is to prevent credential misuse “by using cryptographic passwordless authentication. Both approaches are fundamental to adopting zero trust for cyber resilience,” he suggests.

Carlos Buenano, CTO for operational technology at Armis, believes that CTEM will become the operational center of gravity. “A few years ago, CTEM (continuous threat exposure management) was just another Gartner acronym. In 2026, it’s the organizing principle for any serious OT security program.”

He explains, “CTEM represents a shift from periodic vulnerability management to continuous, risk-based exposure assessment and management across hardware, firmware, network paths, and even supply-chain dependencies. But the key difference this year is context. We’re no longer prioritizing based on CVSS scores alone. Instead, we’re aligning exposures with what actually matters; the physical process, the human safety implications, and the potential operational impact.”

AI is increasingly included to add speed and efficiency to security controls. Agentic AI offers enormous potential for autonomous action in the future, but the extent to which it may safely be introduced into the ICS ecosphere is unclear, and adoption is likely to be very slow. However, it has already arrived within ICS physical security.

“A key innovation is agentic physical security for proactive threat prevention,” comments Ambient.ai’s Khanna. Such platforms can leverage AI agents to monitor physical spaces in real time, detecting anomalies such as unauthorized access attempts or suspicious behavior near ICS assets.

AI-driven anomaly detection is another recommended use of AI. “It could detect anomalies like unauthorized access attempts or suspicious behavior near ICS assets,” suggests Khanna. “This integrates seamlessly with ICS for holistic monitoring, combining computer vision with access control systems to verify identities and prevent breaches before they escalate. Adaptive protections using ML for real-time encryption and threat response are game-changers, especially when layered with physical barriers and AI-verified access.”

Darktrace’s Macre adds, “Passive anomaly detection is safe for fragile ICS networks, and AI can take it further by learning what ‘normal’ looks like for each unique environment. That means fewer false positives and more actionable insights – which is critical for teams who are drowning in ‘noise’. When paired with autonomous response, organizations can stop threats in real time, while still keeping humans in the loop when needed.”

However, NetRise’s Schwartz warns, “Its value is often overstated. It can highlight unusual network traffic, suspicious engineering actions, or deviations in process behavior, providing a spotlight on activity that operators might otherwise miss. But anomaly detection only sees what happens after a compromise manifests on the network. It does little to address the deeper software supply-chain risks that now dominate ICS intrusions.”

He continues, “Real resilience comes from combining behavioral monitoring with pre-deployment assurance: examining the code that runs on devices, validating its integrity, and governing how updates are introduced into the environment. In other words, anomaly detection watches the symptoms; supply-chain analysis addresses the cause.”

SCYTHE’s Bort also warns, “The inclusion of AI, or any security tooling, increases risk: think about it, how exactly do these tools work? Most of them depend on internet connectivity for execution or the updates needed to be current. That connectivity increases risk because it increases direct surface area.”

But before resilience and recovery can be realized, ICS environments will need two things in 2026. The first will be a more complete and detailed ‘inventory’ of components in the CPS area. Christian Terlecki, Director of Federal at Armis, says, “In 2026, agencies will need continuous CPS discovery and purpose-aware risk scoring. That means the ability to identify controllers, medical devices, industrial controllers, and edge appliances and to understand not just that a device exists, but what its operational role is, where its interconnections lead, and what safe remediation looks like.”

In many federal contexts, he continues, “safe remediation won’t be an automatic patch; it will be a compensating micro-segmentation rule, compensating control or a virtual patch applied at the network layer, and the CPS program must support those options with clear, actionable steps.”

Jeremy Epstein, Security Co-Chair, ACM US Technology Policy Committee, and Principal Research Scientist, Georgia Tech Research Institute.

Sam Maesschalck, lead OT cyber security engineer at Immersive, suggests the second new requirement: “In 2026, the industry will also face increasing pressure to grow and upskill the OT security workforce. Organizations will prioritize hands-on training, scenario-based exercises, and cross-discipline capability building between IT and OT teams. Those that mature fastest will be the ones investing in continuous education, realistic OT lab environments, and workforce development programs rather than relying solely on tools and external consultancies.”

So, how do we defend today’s systems? “Through a continually evolving set of defenses, monitoring systems, and responses,” suggests Epstein. “What works in 2025 will certainly not be good enough in 2030, as the threats will continue to advance, and the systems will continue to evolve adding new attack surfaces.”

Will AI be the silver bullet? “No,” he continues. “But it can be part of a solution, going beyond anomaly detection. The protection for the water system for Springfield, Ohio will be different from the one from Springfield, Virginia and all of the dozens of other Springfields around the country – not even including The Simpsons’ hometown. Upgrades to address security will be different for each Springfield, and AI systems addressing security will need to be customized for each one.”

In the end, he adds, “It’s hard to be a serious cybersecurity expert without being a pessimist. In nearly 40 years in the field, I’ve seen some things get better (for example, we’re much better at building software than we were), but the threats have evolved more rapidly. ICS needs more attention in the form of industry, government, and academic R&D to build and adapt technologies to address rapidly evolving threats.”
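The context-driven prioritization Buenano describes for CTEM and the purpose-aware risk scoring with compensating controls Terlecki describes can be made concrete with a small scoring model. This is an added illustration, not code from any vendor or from the article: the weights, the asset inventory and the CVE-style identifiers are all constructed, and the recommendation logic is one defensible choice, not a standard.

```python
"""Context-aware exposure scoring for an ICS/CPS inventory (constructed example).

CVSS is only one input. Known-exploited status, ransomware linkage, physical-process
criticality, safety impact and reachability from the IT side move the score more
than raw severity, and the recommended remediation avoids patching a fragile
controller outside a maintenance window (compensating control instead).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    role: str                # operational role: what the device does in the process
    zone: str                # network zone the device sits in
    process_critical: bool   # outage or compromise interrupts the physical process
    safety_impact: bool      # failure can endanger people
    reachable_from_it: bool  # a network path exists from the enterprise/IT side
    patch_window: bool       # a scheduled outage exists in which a patch is safe


@dataclass(frozen=True)
class Exposure:
    asset: Asset
    cve: str                 # placeholder identifier, not a real advisory
    cvss: float              # CVSS base score, 0.0 to 10.0
    in_kev: bool             # listed as known exploited
    ransomware_linked: bool  # observed in ransomware campaigns


# Weights are assumptions chosen so a fully contextualised exposure scores exactly 100.
W_CVSS, W_KEV, W_RANSOM, W_SAFETY, W_PROCESS = 5.0, 15, 10, 15, 10


def exposure_score(e: Exposure) -> float:
    """Score 0-100: severity plus threat context plus physical/safety impact."""
    if not 0.0 <= e.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {e.cvss}")
    score = e.cvss * W_CVSS
    score += W_KEV if e.in_kev else 0
    score += W_RANSOM if e.ransomware_linked else 0
    score += W_SAFETY if e.asset.safety_impact else 0
    score += W_PROCESS if e.asset.process_critical else 0
    if not e.asset.reachable_from_it:
        score *= 0.5  # real, but no path from IT makes it far less urgent
    return round(min(score, 100.0), 1)


def tier(score: float) -> str:
    """Map a score onto the usual four triage tiers."""
    if score >= 75:
        return "critical"
    if score >= 50:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def safe_remediation(e: Exposure) -> List[str]:
    """Prefer the fix that does not disturb the process: an unscheduled patch on a
    process-critical or safety-relevant device is itself an availability risk."""
    a = e.asset
    fragile = a.process_critical or a.safety_impact
    steps: List[str] = []
    if fragile:
        steps.append(f"microsegmentation rule: allow only engineering zone -> {a.zone}/{a.name}")
        if a.reachable_from_it:
            steps.append(f"virtual patch: network-layer block of {e.cve} traffic to {a.name}")
        when = "in the scheduled maintenance window" if a.patch_window else "in the next maintenance window"
        steps.append(f"apply vendor patch for {e.cve} {when}")
    else:
        steps.append(f"apply vendor patch for {e.cve} now")
    return steps


def prioritize(exposures: List[Exposure]) -> List[Exposure]:
    """Highest context-aware score first."""
    return sorted(exposures, key=exposure_score, reverse=True)


# Constructed sample inventory: note the 9.8 historian ranks below the 7.5 safety PLC.
SAMPLE = [
    Exposure(Asset("safety-plc-01", "safety PLC", "cell-3", True, True, True, False),
             "CVE-0000-0001", 7.5, True, False),
    Exposure(Asset("hmi-01", "operator HMI", "cell-3", True, False, True, True),
             "CVE-0000-0002", 9.8, True, True),
    Exposure(Asset("historian-01", "process historian", "dmz", False, False, True, True),
             "CVE-0000-0003", 9.8, False, False),
    Exposure(Asset("bench-plc-01", "test-bench PLC", "lab", False, False, False, True),
             "CVE-0000-0004", 9.8, True, True),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE):
        s = exposure_score(e)
        print(f"{s:5.1f} {tier(s):8} {e.asset.name:14} {e.asset.role}")
        for step in safe_remediation(e):
            print(f"        - {step}")
```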
Upgrades to address security will be different for each Springfield, and AI systems addressing security will need to be customized for each one.”In the end, he adds, “It’s hard to be a serious cybersecurity expert without being a pessimist. In nearly 40 years in the field, I’ve seen some things get better (for example, we’re much better at building software than we were), but the threats have evolved more rapidly. ICS needs more attention in the form of industry, government, and academic R&D to build and adapt technologies to address rapidly evolving threats.”Learn More at SecurityWeek’s ICS Cybersecurity ConferenceRelated:CISA Warns of ScadaBR Vulnerability After Hacktivist ICS AttackRelated:Canada Says Hackers Tampered With ICS at Water Facility, Oil and Gas FirmRelated:NIST Publishes Guide for Protecting ICS Against USB-Borne ThreatsRelated:Iranian Hackers’ Preferred ICS Targets Left Open Amid Fresh US Attack Warning
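As an added illustration of the passive, learn-what-normal-looks-like approach Macre describes and of the limit Schwartz points out, the following detector is example code written for this page, not from the article or from any vendor quoted in it; the hosts, register numbers and setpoint values are constructed, and the Modbus function codes are the real protocol values.

```python
"""Passive baseline anomaly detection for an ICS network segment.

Added example, not code from the article or from any vendor quoted in it.
It learns what 'normal' looks like from a training window of constructed
Modbus/TCP flow records, then flags the three deviation types the article
names: unusual network traffic (a peer never seen before), suspicious
engineering actions (a write from a host that only ever read), and process
deviations (a setpoint outside the learned range). Hosts, registers and
values are all constructed; the detector only observes traffic and never
talks to a controller itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Real Modbus function codes: 3/4 read registers, 6/16 write registers.
READ_CODES = {3, 4}
WRITE_CODES = {6, 16}


@dataclass(frozen=True)
class Flow:
    src: str                        # client host (HMI, engineering workstation, ...)
    dst: str                        # controller being addressed
    func: int                       # Modbus function code
    register: int                   # register number
    value: Optional[float] = None   # value carried by a write


@dataclass
class Baseline:
    peers: Set[Tuple[str, str]] = field(default_factory=set)     # (src, dst) seen
    writers: Set[Tuple[str, str]] = field(default_factory=set)   # (src, dst) that wrote
    ranges: Dict[Tuple[str, int], Tuple[float, float]] = field(default_factory=dict)


def learn(flows: List[Flow]) -> Baseline:
    """Build the baseline from a window of traffic assumed to be clean."""
    base = Baseline()
    for f in flows:
        base.peers.add((f.src, f.dst))
        if f.func in WRITE_CODES and f.value is not None:
            base.writers.add((f.src, f.dst))
            key = (f.dst, f.register)
            lo, hi = base.ranges.get(key, (f.value, f.value))
            base.ranges[key] = (min(lo, f.value), max(hi, f.value))
    return base


def detect(base: Baseline, flows: List[Flow], tolerance: float = 0.1) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for each flow that deviates from the baseline.

    tolerance widens the learned value range by a fraction of its magnitude so
    ordinary operator adjustments just outside the window are not flagged.
    """
    alerts = []
    for f in flows:
        if (f.src, f.dst) not in base.peers:
            alerts.append((f, "new-peer"))
        elif f.func in WRITE_CODES:
            if (f.src, f.dst) not in base.writers:
                alerts.append((f, "unexpected-engineering-action"))
            elif f.value is not None and (f.dst, f.register) in base.ranges:
                lo, hi = base.ranges[(f.dst, f.register)]
                margin = tolerance * max(abs(lo), abs(hi), 1.0)
                if f.value < lo - margin or f.value > hi + margin:
                    alerts.append((f, "process-deviation"))
    return alerts


# Constructed learning window: an HMI and a historian read from the PLC, the
# engineering workstation (EWS) adjusts one setpoint register a few times.
HMI, EWS, HIST, PLC = "10.0.5.10", "10.0.5.11", "10.0.5.30", "10.0.5.20"
LEARN_FLOWS = [
    Flow(HMI, PLC, 3, 40001), Flow(HIST, PLC, 4, 30001), Flow(HMI, PLC, 3, 40001),
    Flow(EWS, PLC, 6, 40010, 55.0),
    Flow(EWS, PLC, 6, 40010, 57.5),
    Flow(EWS, PLC, 6, 40010, 60.0),
]

# Constructed detection window: two benign flows, then three deviations.
TEST_FLOWS = [
    Flow(HMI, PLC, 3, 40001),                 # routine read: no alert
    Flow(EWS, PLC, 6, 40010, 58.0),           # setpoint inside learned range: no alert
    Flow(EWS, PLC, 6, 40010, 95.0),           # far outside 55-60: process-deviation
    Flow(HMI, PLC, 16, 40010, 58.0),          # HMI never wrote before: engineering action
    Flow("10.0.5.99", PLC, 3, 40001),         # unknown host polling the PLC: new-peer
]


def run_demo() -> List[str]:
    """Learn from LEARN_FLOWS, score TEST_FLOWS, return the alert reasons in order."""
    base = learn(LEARN_FLOWS)
    alerts = detect(base, TEST_FLOWS)
    for f, reason in alerts:
        print(f"{reason:30s} {f.src} -> {f.dst} func={f.func} reg={f.register} value={f.value}")
    return [reason for _, reason in alerts]


if __name__ == "__main__":
    run_demo()
```

A tampered firmware image whose network behaviour matches the learned baseline produces nothing here, which is exactly the gap Schwartz describes: this kind of monitoring watches symptoms on the wire, and supply-chain assurance has to cover what runs on the device.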

The overriding belief is that ICS will seek and require greater resilience in 2026, although Trevor Dearing, Director of critical infrastructure at Illumio stresses the need to go further into ‘anti-fragility’, “Aiming not just to withstand attacks, but to emerge stronger from them… It’s not just about recovery, it’s about adaptation, learning, and improvement.”Since the primary cause of ICS problems is the longevity of the hardware, the most obvious solution would be to rip them out and replace them with modern, more secure systems. Although replacement may happen gradually over time, this is not considered a short term solution.“Many ICS assets are designed for 10‑ to 20‑year lifecycles, and replacing them outright is rarely cost‑effective. The equipment itself is expensive, and new components often have interoperability challenges with existing systems. Mixing old and new technologies can introduce more risk than it solves,” explains Macre.Khanna comments, “Practical and financial hurdles like downtime, compatibility, and high costs (often millions per site) slow progress, particularly when factoring in physical retrofits.”Saunders adds, “The economic and operational barriers to replacement are simply too high. Gradual modernization will happen over time, but resilience has to start now, with cybersecurity that protects existing assets while the industry transitions.”As a result, improvements to security will need to co-exist with aging hardware. “Industrial systems and critical infrastructure are entering a new era of hybrid automation. Modern controllers, robots, and automation software are making real-time decisions alongside decades-old, legacy equipment,” says Anusha Iyer, Founder and CEO at Corsha.Modern security must be added to ICS hardware without interfering with its operational priorities. 
This will most likely be achieved by modern security controls assisted by artificial intelligence to achieve a degree of automation – and will focus on introducing zero trust principles.“Automation provides a great opportunity for enterprises to optimize and gain efficiencies but also adds complexity and risk. Taking an identity-centric approach to controlling connections and managing risk creates a shared foundation for visibility, trust, and governance across digital and operational domains,” continues Iyer.James Maude, field CTO at BeyondTrust.Understanding and reducing the identity attack surface should be critical thinking for every organization, says James Maude, field CTO at BeyondTrust. “Organizations need to think about how to securely manage privileged access into their critical environments. Ensuring that employees, vendors, and 3rd parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real time monitoring and controls to audit and terminate access in the event of identity compromise.”Brian Reed, CMO at Corsha, says “Automated machine identity with continuous authentication establishes that control layer in a way that is simple to deploy, simple to manage, and easy to scale as systems grow.”Identity management is key to any zero trust approach. “The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage,” continues Maude.The identity security debt accumulated by many organizations represents a greater risk than any other area since it only takes one attacker to login with the right identity and all is lost because of the available paths to privilege.Schwartz comments on the growing adoption of OT-aware zero trust. 
“Carnegie Mellon’s Software Engineering Institute, Emerson, and Control Engineering have all published guidance showing how zero trust can be adapted to ICS using authenticated engineering actions, granular segmentation, and tightly governed remote access. This reflects the reality that supply-chain compromise is often inevitable, so access must be constrained even for trusted components.”He adds thatSBOMsand vendor transparency are becoming essential. “Supply-chain failures likeLog4ShellandXZ Utilsdemonstrated that operators need visibility into what’s inside their controllers and software stacks. None of these approaches solve everything, but collectively they move ICS toward a more verifiable, trustworthy ecosystem that’s harder to compromise at the source and easier to defend in practice.”Segmentation is an important part of the path to resiliency through zero trust. Agnidipta Sarkar, chief evangelist at ColorTokens, has two recommendations for resilience. The first is microsegmentation. It prevents an attacker using lateral movement to reach the ‘ICS islands of excellence’. The second is to prevent credential misuse “by using cryptographic passwordless authentication. Both approaches are fundamental to adopting zero trust for cyber resilience,” he suggests.Carlos Buenano, CTO for operational technology at Armis, believes thatCTEMwill become the operational center of gravity. “A few years ago, CTEM (continuous threat exposure management) was just another Gartner acronym. In 2026, it’s the organizing principle for any serious OT security program.”He explains, “CTEM represents a shift from periodic vulnerability management to continuous, risk-based exposure assessment and management across hardware, firmware, network paths, and even supply-chain dependencies. But the key difference this year is context. We’re no longer prioritizing based on CVSS scores alone. 
Instead, we’re aligning exposures with what actually matters; the physical process, the human safety implications, and the potential operational impact.”AI is increasingly included to add speed and efficiency to security controls. Agentic AI offers enormous potential for autonomous action in the future, but the extent to which it may safely be introduced into the ICS ecosphere is unclear and likely to be very slow. However, it has already arrived within ICS physical security.“A key innovation is agentic physical security for proactive threat prevention,” comments Ambient.ai’s Khanna. Such platforms can leverage AI agents to monitor physical spaces in real-time, detecting anomalies such as unauthorized access attempts or suspicious behavior near ICS assets.AI-driven anomaly detection is another recommended use of AI. “It could detect anomalies like unauthorized access attempts or suspicious behavior near ICS assets,” suggests Khanna. “This integrates seamlessly with ICS for holistic monitoring, combining computer vision with access control systems to verify identities and prevent breaches before they escalate. Adaptive protections using ML for real-time encryption and threat response are game-changers, especially when layered with physical barriers and AI-verified access.”Darktrace’s Macre adds, “Passive anomaly detection is safe for fragile ICS networks, and AI can take it further by learning what ‘normal’ looks like for each unique environment. That means fewer false positives and more actionable insights – which is critical for teams who are drowning in ‘noise’. When paired with autonomous response, organizations can stop threats in real time, while still keeping humans in the loop when needed.”However, NetRise’s Schwartz warns, “Its value is often overstated. It can highlight unusual network traffic, suspicious engineering actions, or deviations in process behavior, providing a spotlight on activity that operators might otherwise miss. 
But anomaly detection only sees what happens after a compromise manifests on the network. It does little to address the deeper software supply-chain risks that now dominate ICS intrusions.”He continues, “Real resilience comes from combining behavioral monitoring with pre-deployment assurance: examining the code that runs on devices, validating its integrity, and governing how updates are introduced into the environment. In other words, anomaly detection watches the symptoms; supply-chain analysis addresses the cause.”SCYTHE’s Bort also warns, “The inclusion of AI, or any security tooling, increases risk: think about it, how exactly do these tools work? Most of them depend on internet connectivity for execution or the updates needed to be current. That connectivity increases risk because it increases direct surface area.”But before resilience and recovery can be realized, ICS environments will need two things in 2026. The first will be a more complete and detailed ‘inventory’ of components in the CPS area. Christian Terlecki, Director of Federal at Armis says, “In 2026, Agencies will need continuous CPS discovery and purpose-aware risk scoring. 
That means the ability to identify controllers, medical devices, industrial controllers, and edge appliances and to understand not just that a device exists, but what its operational role is, where its interconnections lead, and what safe remediation looks like.”In many federal contexts, he continues, “safe remediation won’t be an automatic patch; it will be a compensating micro-segmentation rule, compensating control or a virtual patch applied at the network layer, and the CPS program must support those options with clear, actionable steps.”Jeremy Epstein, Security Co-Chair, ACM US Technology Policy Committee, and Principal Research Scientist, Georgia Tech Research Institute.Sam Maesschalck, lead OT cyber security engineer at Immersive, suggests the second new requirement: “In 2026, the industry will also face increasing pressure to grow and upskill the OT security workforce. Organizations will prioritize hands-on training, scenario-based exercises, and cross-discipline capability building between IT and OT teams. Those that mature fastest will be the ones investing in continuous education, realistic OT lab environments, and workforce development programs rather than relying solely on tools and external consultancies.”So, how do we defend today’s systems? “Through a continually evolving set of defenses, monitoring systems, and responses,” suggests Epstein. “What works in 2025 will certainly not be good enough in 2030, as the threats will continue to advance, and the systems will continue to evolve adding new attack surfaces.”Will AI be the silver bullet? “No,” he continues. “But it can be part of a solution, going beyond anomaly detection. The protection for the water system for Springfield Ohio will be different from the one from Springfield Virginia and all of the dozens of other Springfields around the country – not even including The Simpson’s hometown. 
Upgrades to address security will be different for each Springfield, and AI systems addressing security will need to be customized for each one.”In the end, he adds, “It’s hard to be a serious cybersecurity expert without being a pessimist. In nearly 40 years in the field, I’ve seen some things get better (for example, we’re much better at building software than we were), but the threats have evolved more rapidly. ICS needs more attention in the form of industry, government, and academic R&D to build and adapt technologies to address rapidly evolving threats.”Learn More at SecurityWeek’s ICS Cybersecurity ConferenceRelated:CISA Warns of ScadaBR Vulnerability After Hacktivist ICS AttackRelated:Canada Says Hackers Tampered With ICS at Water Facility, Oil and Gas FirmRelated:NIST Publishes Guide for Protecting ICS Against USB-Borne ThreatsRelated:Iranian Hackers’ Preferred ICS Targets Left Open Amid Fresh US Attack Warning

Since the primary cause of ICS problems is the longevity of the hardware, the most obvious solution would be to rip them out and replace them with modern, more secure systems. Although replacement may happen gradually over time, this is not considered a short term solution.“Many ICS assets are designed for 10‑ to 20‑year lifecycles, and replacing them outright is rarely cost‑effective. The equipment itself is expensive, and new components often have interoperability challenges with existing systems. Mixing old and new technologies can introduce more risk than it solves,” explains Macre.Khanna comments, “Practical and financial hurdles like downtime, compatibility, and high costs (often millions per site) slow progress, particularly when factoring in physical retrofits.”Saunders adds, “The economic and operational barriers to replacement are simply too high. Gradual modernization will happen over time, but resilience has to start now, with cybersecurity that protects existing assets while the industry transitions.”As a result, improvements to security will need to co-exist with aging hardware. “Industrial systems and critical infrastructure are entering a new era of hybrid automation. Modern controllers, robots, and automation software are making real-time decisions alongside decades-old, legacy equipment,” says Anusha Iyer, Founder and CEO at Corsha.Modern security must be added to ICS hardware without interfering with its operational priorities. This will most likely be achieved by modern security controls assisted by artificial intelligence to achieve a degree of automation – and will focus on introducing zero trust principles.“Automation provides a great opportunity for enterprises to optimize and gain efficiencies but also adds complexity and risk. 
Taking an identity-centric approach to controlling connections and managing risk creates a shared foundation for visibility, trust, and governance across digital and operational domains,” continues Iyer.James Maude, field CTO at BeyondTrust.Understanding and reducing the identity attack surface should be critical thinking for every organization, says James Maude, field CTO at BeyondTrust. “Organizations need to think about how to securely manage privileged access into their critical environments. Ensuring that employees, vendors, and 3rd parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real time monitoring and controls to audit and terminate access in the event of identity compromise.”Brian Reed, CMO at Corsha, says “Automated machine identity with continuous authentication establishes that control layer in a way that is simple to deploy, simple to manage, and easy to scale as systems grow.”Identity management is key to any zero trust approach. “The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage,” continues Maude.The identity security debt accumulated by many organizations represents a greater risk than any other area since it only takes one attacker to login with the right identity and all is lost because of the available paths to privilege.Schwartz comments on the growing adoption of OT-aware zero trust. “Carnegie Mellon’s Software Engineering Institute, Emerson, and Control Engineering have all published guidance showing how zero trust can be adapted to ICS using authenticated engineering actions, granular segmentation, and tightly governed remote access. 
This reflects the reality that supply-chain compromise is often inevitable, so access must be constrained even for trusted components.”He adds thatSBOMsand vendor transparency are becoming essential. “Supply-chain failures likeLog4ShellandXZ Utilsdemonstrated that operators need visibility into what’s inside their controllers and software stacks. None of these approaches solve everything, but collectively they move ICS toward a more verifiable, trustworthy ecosystem that’s harder to compromise at the source and easier to defend in practice.”Segmentation is an important part of the path to resiliency through zero trust. Agnidipta Sarkar, chief evangelist at ColorTokens, has two recommendations for resilience. The first is microsegmentation. It prevents an attacker using lateral movement to reach the ‘ICS islands of excellence’. The second is to prevent credential misuse “by using cryptographic passwordless authentication. Both approaches are fundamental to adopting zero trust for cyber resilience,” he suggests.Carlos Buenano, CTO for operational technology at Armis, believes thatCTEMwill become the operational center of gravity. “A few years ago, CTEM (continuous threat exposure management) was just another Gartner acronym. In 2026, it’s the organizing principle for any serious OT security program.”He explains, “CTEM represents a shift from periodic vulnerability management to continuous, risk-based exposure assessment and management across hardware, firmware, network paths, and even supply-chain dependencies. But the key difference this year is context. We’re no longer prioritizing based on CVSS scores alone. Instead, we’re aligning exposures with what actually matters; the physical process, the human safety implications, and the potential operational impact.”AI is increasingly included to add speed and efficiency to security controls. 
Agentic AI offers enormous potential for autonomous action in the future, but the extent to which it may safely be introduced into the ICS ecosphere is unclear and likely to be very slow. However, it has already arrived within ICS physical security.“A key innovation is agentic physical security for proactive threat prevention,” comments Ambient.ai’s Khanna. Such platforms can leverage AI agents to monitor physical spaces in real-time, detecting anomalies such as unauthorized access attempts or suspicious behavior near ICS assets.AI-driven anomaly detection is another recommended use of AI. “It could detect anomalies like unauthorized access attempts or suspicious behavior near ICS assets,” suggests Khanna. “This integrates seamlessly with ICS for holistic monitoring, combining computer vision with access control systems to verify identities and prevent breaches before they escalate. Adaptive protections using ML for real-time encryption and threat response are game-changers, especially when layered with physical barriers and AI-verified access.”Darktrace’s Macre adds, “Passive anomaly detection is safe for fragile ICS networks, and AI can take it further by learning what ‘normal’ looks like for each unique environment. That means fewer false positives and more actionable insights – which is critical for teams who are drowning in ‘noise’. When paired with autonomous response, organizations can stop threats in real time, while still keeping humans in the loop when needed.”However, NetRise’s Schwartz warns, “Its value is often overstated. It can highlight unusual network traffic, suspicious engineering actions, or deviations in process behavior, providing a spotlight on activity that operators might otherwise miss. But anomaly detection only sees what happens after a compromise manifests on the network. 
It does little to address the deeper software supply-chain risks that now dominate ICS intrusions.”He continues, “Real resilience comes from combining behavioral monitoring with pre-deployment assurance: examining the code that runs on devices, validating its integrity, and governing how updates are introduced into the environment. In other words, anomaly detection watches the symptoms; supply-chain analysis addresses the cause.”SCYTHE’s Bort also warns, “The inclusion of AI, or any security tooling, increases risk: think about it, how exactly do these tools work? Most of them depend on internet connectivity for execution or the updates needed to be current. That connectivity increases risk because it increases direct surface area.”But before resilience and recovery can be realized, ICS environments will need two things in 2026. The first will be a more complete and detailed ‘inventory’ of components in the CPS area. Christian Terlecki, Director of Federal at Armis says, “In 2026, Agencies will need continuous CPS discovery and purpose-aware risk scoring. That means the ability to identify controllers, medical devices, industrial controllers, and edge appliances and to understand not just that a device exists, but what its operational role is, where its interconnections lead, and what safe remediation looks like.”In many federal contexts, he continues, “safe remediation won’t be an automatic patch; it will be a compensating micro-segmentation rule, compensating control or a virtual patch applied at the network layer, and the CPS program must support those options with clear, actionable steps.”Jeremy Epstein, Security Co-Chair, ACM US Technology Policy Committee, and Principal Research Scientist, Georgia Tech Research Institute.Sam Maesschalck, lead OT cyber security engineer at Immersive, suggests the second new requirement: “In 2026, the industry will also face increasing pressure to grow and upskill the OT security workforce. 
Organizations will prioritize hands-on training, scenario-based exercises, and cross-discipline capability building between IT and OT teams. Those that mature fastest will be the ones investing in continuous education, realistic OT lab environments, and workforce development programs rather than relying solely on tools and external consultancies.”So, how do we defend today’s systems? “Through a continually evolving set of defenses, monitoring systems, and responses,” suggests Epstein. “What works in 2025 will certainly not be good enough in 2030, as the threats will continue to advance, and the systems will continue to evolve adding new attack surfaces.”Will AI be the silver bullet? “No,” he continues. “But it can be part of a solution, going beyond anomaly detection. The protection for the water system for Springfield Ohio will be different from the one from Springfield Virginia and all of the dozens of other Springfields around the country – not even including The Simpson’s hometown. Upgrades to address security will be different for each Springfield, and AI systems addressing security will need to be customized for each one.”In the end, he adds, “It’s hard to be a serious cybersecurity expert without being a pessimist. In nearly 40 years in the field, I’ve seen some things get better (for example, we’re much better at building software than we were), but the threats have evolved more rapidly. ICS needs more attention in the form of industry, government, and academic R&D to build and adapt technologies to address rapidly evolving threats.”Learn More at SecurityWeek’s ICS Cybersecurity ConferenceRelated:CISA Warns of ScadaBR Vulnerability After Hacktivist ICS AttackRelated:Canada Says Hackers Tampered With ICS at Water Facility, Oil and Gas FirmRelated:NIST Publishes Guide for Protecting ICS Against USB-Borne ThreatsRelated:Iranian Hackers’ Preferred ICS Targets Left Open Amid Fresh US Attack Warning

“Many ICS assets are designed for 10‑ to 20‑year lifecycles, and replacing them outright is rarely cost‑effective. The equipment itself is expensive, and new components often have interoperability challenges with existing systems. Mixing old and new technologies can introduce more risk than it solves,” explains Macre.Khanna comments, “Practical and financial hurdles like downtime, compatibility, and high costs (often millions per site) slow progress, particularly when factoring in physical retrofits.”Saunders adds, “The economic and operational barriers to replacement are simply too high. Gradual modernization will happen over time, but resilience has to start now, with cybersecurity that protects existing assets while the industry transitions.”As a result, improvements to security will need to co-exist with aging hardware. “Industrial systems and critical infrastructure are entering a new era of hybrid automation. Modern controllers, robots, and automation software are making real-time decisions alongside decades-old, legacy equipment,” says Anusha Iyer, Founder and CEO at Corsha.Modern security must be added to ICS hardware without interfering with its operational priorities. This will most likely be achieved by modern security controls assisted by artificial intelligence to achieve a degree of automation – and will focus on introducing zero trust principles.“Automation provides a great opportunity for enterprises to optimize and gain efficiencies but also adds complexity and risk. Taking an identity-centric approach to controlling connections and managing risk creates a shared foundation for visibility, trust, and governance across digital and operational domains,” continues Iyer.James Maude, field CTO at BeyondTrust.Understanding and reducing the identity attack surface should be critical thinking for every organization, says James Maude, field CTO at BeyondTrust. 
“Organizations need to think about how to securely manage privileged access into their critical environments. Ensuring that employees, vendors, and 3rd parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real time monitoring and controls to audit and terminate access in the event of identity compromise.”Brian Reed, CMO at Corsha, says “Automated machine identity with continuous authentication establishes that control layer in a way that is simple to deploy, simple to manage, and easy to scale as systems grow.”Identity management is key to any zero trust approach. “The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage,” continues Maude.The identity security debt accumulated by many organizations represents a greater risk than any other area since it only takes one attacker to login with the right identity and all is lost because of the available paths to privilege.Schwartz comments on the growing adoption of OT-aware zero trust. “Carnegie Mellon’s Software Engineering Institute, Emerson, and Control Engineering have all published guidance showing how zero trust can be adapted to ICS using authenticated engineering actions, granular segmentation, and tightly governed remote access. This reflects the reality that supply-chain compromise is often inevitable, so access must be constrained even for trusted components.”He adds thatSBOMsand vendor transparency are becoming essential. “Supply-chain failures likeLog4ShellandXZ Utilsdemonstrated that operators need visibility into what’s inside their controllers and software stacks. 
None of these approaches solve everything, but collectively they move ICS toward a more verifiable, trustworthy ecosystem that’s harder to compromise at the source and easier to defend in practice.”Segmentation is an important part of the path to resiliency through zero trust. Agnidipta Sarkar, chief evangelist at ColorTokens, has two recommendations for resilience. The first is microsegmentation. It prevents an attacker using lateral movement to reach the ‘ICS islands of excellence’. The second is to prevent credential misuse “by using cryptographic passwordless authentication. Both approaches are fundamental to adopting zero trust for cyber resilience,” he suggests.Carlos Buenano, CTO for operational technology at Armis, believes thatCTEMwill become the operational center of gravity. “A few years ago, CTEM (continuous threat exposure management) was just another Gartner acronym. In 2026, it’s the organizing principle for any serious OT security program.”He explains, “CTEM represents a shift from periodic vulnerability management to continuous, risk-based exposure assessment and management across hardware, firmware, network paths, and even supply-chain dependencies. But the key difference this year is context. We’re no longer prioritizing based on CVSS scores alone. Instead, we’re aligning exposures with what actually matters; the physical process, the human safety implications, and the potential operational impact.”AI is increasingly included to add speed and efficiency to security controls. Agentic AI offers enormous potential for autonomous action in the future, but the extent to which it may safely be introduced into the ICS ecosphere is unclear and likely to be very slow. However, it has already arrived within ICS physical security.“A key innovation is agentic physical security for proactive threat prevention,” comments Ambient.ai’s Khanna. 
Khanna describes platforms that use AI agents to monitor physical spaces in real time, detecting anomalies such as unauthorized access attempts or suspicious behavior near ICS assets.

AI-driven anomaly detection is another recommended use of AI. “It could detect anomalies like unauthorized access attempts or suspicious behavior near ICS assets,” suggests Khanna. “This integrates seamlessly with ICS for holistic monitoring, combining computer vision with access control systems to verify identities and prevent breaches before they escalate. Adaptive protections using ML for real-time encryption and threat response are game-changers, especially when layered with physical barriers and AI-verified access.”

Darktrace’s Macre adds, “Passive anomaly detection is safe for fragile ICS networks, and AI can take it further by learning what ‘normal’ looks like for each unique environment. That means fewer false positives and more actionable insights – which is critical for teams who are drowning in ‘noise’. When paired with autonomous response, organizations can stop threats in real time, while still keeping humans in the loop when needed.”

However, NetRise’s Schwartz warns, “Its value is often overstated. It can highlight unusual network traffic, suspicious engineering actions, or deviations in process behavior, providing a spotlight on activity that operators might otherwise miss. But anomaly detection only sees what happens after a compromise manifests on the network. It does little to address the deeper software supply-chain risks that now dominate ICS intrusions.”

He continues, “Real resilience comes from combining behavioral monitoring with pre-deployment assurance: examining the code that runs on devices, validating its integrity, and governing how updates are introduced into the environment. In other words, anomaly detection watches the symptoms; supply-chain analysis addresses the cause.”

SCYTHE’s Bort also warns, “The inclusion of AI, or any security tooling, increases risk: think about it, how exactly do these tools work? Most of them depend on internet connectivity for execution or the updates needed to be current. That connectivity increases risk because it increases direct surface area.”

But before resilience and recovery can be realized, ICS environments will need two things in 2026. The first is a more complete and detailed inventory of the components in the cyber-physical systems (CPS) estate. Christian Terlecki, Director of Federal at Armis, says, “In 2026, Agencies will need continuous CPS discovery and purpose-aware risk scoring. That means the ability to identify controllers, medical devices, industrial controllers, and edge appliances and to understand not just that a device exists, but what its operational role is, where its interconnections lead, and what safe remediation looks like.”

In many federal contexts, he continues, “safe remediation won’t be an automatic patch; it will be a compensating micro-segmentation rule, compensating control or a virtual patch applied at the network layer, and the CPS program must support those options with clear, actionable steps.”

Sam Maesschalck, lead OT cyber security engineer at Immersive, suggests the second new requirement: “In 2026, the industry will also face increasing pressure to grow and upskill the OT security workforce. Organizations will prioritize hands-on training, scenario-based exercises, and cross-discipline capability building between IT and OT teams. Those that mature fastest will be the ones investing in continuous education, realistic OT lab environments, and workforce development programs rather than relying solely on tools and external consultancies.”

So, how do we defend today’s systems? “Through a continually evolving set of defenses, monitoring systems, and responses,” suggests Jeremy Epstein, Security Co-Chair of the ACM US Technology Policy Committee and Principal Research Scientist at the Georgia Tech Research Institute. “What works in 2025 will certainly not be good enough in 2030, as the threats will continue to advance, and the systems will continue to evolve adding new attack surfaces.”

Will AI be the silver bullet? “No,” he continues. “But it can be part of a solution, going beyond anomaly detection. The protection for the water system for Springfield Ohio will be different from the one for Springfield Virginia and all of the dozens of other Springfields around the country – not even including The Simpsons’ hometown. Upgrades to address security will be different for each Springfield, and AI systems addressing security will need to be customized for each one.”

In the end, he adds, “It’s hard to be a serious cybersecurity expert without being a pessimist. In nearly 40 years in the field, I’ve seen some things get better (for example, we’re much better at building software than we were), but the threats have evolved more rapidly. ICS needs more attention in the form of industry, government, and academic R&D to build and adapt technologies to address rapidly evolving threats.”
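Several of the recommendations above come together in a single detection routine: Sarkar’s microsegmentation, the passive anomaly detection that Macre and Schwartz discuss, and Terlecki’s point that an inventory and a compensating network-layer rule are what make remediation safe on equipment that cannot be patched. The Python below is an added example, not code from this article or from any of the vendors quoted. It takes constructed Modbus/TCP flow records, checks each flow against a zone allowlist derived from a small asset inventory, learns which Modbus function codes each talker pair used during a baseline period the operator vouches for, and then flags devices missing from the inventory, cross-zone flows the allowlist does not permit, and function codes a pair has never used before, rating writes higher than reads. Every IP address, asset name, zone assignment, allowlist entry and log line is invented for the example.

```python
"""Passive monitoring of Modbus/TCP flow records against a segmentation
allowlist and a learned per-pair baseline.

Added example: addresses, asset names, zones and log lines are constructed,
not taken from any real site."""
from collections import defaultdict

# Constructed asset inventory: IP -> (name, zone), with a simple Purdue-style
# split into enterprise IT, a DMZ and the control network.
ASSETS = {
    "10.0.1.10": ("eng-ws-01", "control"),
    "10.0.1.20": ("hmi-01", "control"),
    "10.0.1.50": ("plc-pump-01", "control"),
    "10.0.2.5": ("historian-01", "dmz"),
    "10.0.9.77": ("laptop-it-77", "enterprise"),
}

# Segmentation allowlist: (src_zone, dst_zone, dst_port) tuples that may exist
# at all.  Anything else is a policy violation regardless of payload.
ALLOWED_FLOWS = {
    ("control", "control", 502),  # HMI / engineering station -> PLC, Modbus/TCP
    ("dmz", "control", 502),      # historian polls the PLC
}

# Modbus function codes that change process state (write operations).
WRITE_FCS = {5, 6, 15, 16, 22, 23}

# Constructed flow records: '<timestamp> <src> <dst> <dport> <function code>'.
TRAINING = [
    "2026-01-05T08:00:01 10.0.1.20 10.0.1.50 502 3",
    "2026-01-05T08:00:02 10.0.1.20 10.0.1.50 502 3",
    "2026-01-05T08:00:05 10.0.2.5 10.0.1.50 502 3",
    "2026-01-05T08:01:00 10.0.1.10 10.0.1.50 502 16",
]
LIVE = [
    "2026-01-06T09:00:01 10.0.1.20 10.0.1.50 502 3",   # HMI read, as before
    "2026-01-06T09:00:07 10.0.2.5 10.0.1.50 502 6",    # historian writing a register
    "2026-01-06T09:00:09 10.0.9.77 10.0.1.50 502 3",   # IT laptop reaching the PLC
    "2026-01-06T09:00:12 10.0.1.10 10.0.1.50 502 16",  # engineering write, seen before
    "2026-01-06T09:00:15 10.0.3.99 10.0.1.50 502 3",   # device not in the inventory
]


def parse_record(line):
    """Parse one flow record into a dict with typed port and function code."""
    ts, src, dst, dport, fc = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "fc": int(fc)}


def check_policy(rec):
    """Return a policy alert string, or None when the flow is permitted."""
    src_zone = ASSETS.get(rec["src"], (None, None))[1]
    dst_zone = ASSETS.get(rec["dst"], (None, None))[1]
    if src_zone is None or dst_zone is None:
        # A device the inventory does not know cannot be segmented or trusted.
        return "unknown-asset"
    if (src_zone, dst_zone, rec["dport"]) not in ALLOWED_FLOWS:
        return f"segmentation-violation {src_zone}->{dst_zone}:{rec['dport']}"
    return None


def learn_baseline(lines):
    """Learning phase: record the function codes each (src, dst) pair used.
    Flows that already break policy are never learned as 'normal'."""
    baseline = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if check_policy(rec) is None:
            baseline[(rec["src"], rec["dst"])].add(rec["fc"])
    return baseline


def evaluate(lines, baseline):
    """Detection phase: (severity, reason, record) for every flow that breaks
    the allowlist or uses a function code the pair has not used before."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        policy = check_policy(rec)
        if policy is not None:
            alerts.append(("high", policy, rec))
            continue
        seen = baseline.get((rec["src"], rec["dst"]), set())
        if rec["fc"] not in seen:
            severity = "high" if rec["fc"] in WRITE_FCS else "medium"
            name = ASSETS[rec["src"]][0]
            alerts.append((severity, f"new-function-code fc={rec['fc']} from {name}", rec))
    return alerts


def run_demo():
    """Learn from the constructed baseline period, then evaluate the live records."""
    return evaluate(LIVE, learn_baseline(TRAINING))


if __name__ == "__main__":
    for severity, reason, rec in run_demo():
        print(f"[{severity}] {rec['ts']} {rec['src']} -> {rec['dst']}  {reason}")
```

The monitoring is passive: it reads flow records and never sends a packet to the PLC, which is what makes it tolerable on fragile control networks. On the constructed records it raises three alerts, all high: the historian issuing a write it has never issued before, the IT laptop reaching into the control zone, and a source address the inventory does not know. It also shows the limit Schwartz describes: a backdoored firmware image that behaves exactly like the baseline produces no alert here, which is why the SBOM and integrity checks belong alongside it.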

As a result, improvements to security will need to co-exist with aging hardware. “Industrial systems and critical infrastructure are entering a new era of hybrid automation. Modern controllers, robots, and automation software are making real-time decisions alongside decades-old, legacy equipment,” says Anusha Iyer, Founder and CEO at Corsha.Modern security must be added to ICS hardware without interfering with its operational priorities. This will most likely be achieved by modern security controls assisted by artificial intelligence to achieve a degree of automation – and will focus on introducing zero trust principles.“Automation provides a great opportunity for enterprises to optimize and gain efficiencies but also adds complexity and risk. Taking an identity-centric approach to controlling connections and managing risk creates a shared foundation for visibility, trust, and governance across digital and operational domains,” continues Iyer.James Maude, field CTO at BeyondTrust.Understanding and reducing the identity attack surface should be critical thinking for every organization, says James Maude, field CTO at BeyondTrust. “Organizations need to think about how to securely manage privileged access into their critical environments. Ensuring that employees, vendors, and 3rd parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real time monitoring and controls to audit and terminate access in the event of identity compromise.”Brian Reed, CMO at Corsha, says “Automated machine identity with continuous authentication establishes that control layer in a way that is simple to deploy, simple to manage, and easy to scale as systems grow.”Identity management is key to any zero trust approach. 
“The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage,” continues Maude.The identity security debt accumulated by many organizations represents a greater risk than any other area since it only takes one attacker to login with the right identity and all is lost because of the available paths to privilege.Schwartz comments on the growing adoption of OT-aware zero trust. “Carnegie Mellon’s Software Engineering Institute, Emerson, and Control Engineering have all published guidance showing how zero trust can be adapted to ICS using authenticated engineering actions, granular segmentation, and tightly governed remote access. This reflects the reality that supply-chain compromise is often inevitable, so access must be constrained even for trusted components.”He adds thatSBOMsand vendor transparency are becoming essential. “Supply-chain failures likeLog4ShellandXZ Utilsdemonstrated that operators need visibility into what’s inside their controllers and software stacks. None of these approaches solve everything, but collectively they move ICS toward a more verifiable, trustworthy ecosystem that’s harder to compromise at the source and easier to defend in practice.”Segmentation is an important part of the path to resiliency through zero trust. Agnidipta Sarkar, chief evangelist at ColorTokens, has two recommendations for resilience. The first is microsegmentation. It prevents an attacker using lateral movement to reach the ‘ICS islands of excellence’. The second is to prevent credential misuse “by using cryptographic passwordless authentication. 
Both approaches are fundamental to adopting zero trust for cyber resilience,” he suggests.Carlos Buenano, CTO for operational technology at Armis, believes thatCTEMwill become the operational center of gravity. “A few years ago, CTEM (continuous threat exposure management) was just another Gartner acronym. In 2026, it’s the organizing principle for any serious OT security program.”He explains, “CTEM represents a shift from periodic vulnerability management to continuous, risk-based exposure assessment and management across hardware, firmware, network paths, and even supply-chain dependencies. But the key difference this year is context. We’re no longer prioritizing based on CVSS scores alone. Instead, we’re aligning exposures with what actually matters; the physical process, the human safety implications, and the potential operational impact.”AI is increasingly included to add speed and efficiency to security controls. Agentic AI offers enormous potential for autonomous action in the future, but the extent to which it may safely be introduced into the ICS ecosphere is unclear and likely to be very slow. However, it has already arrived within ICS physical security.“A key innovation is agentic physical security for proactive threat prevention,” comments Ambient.ai’s Khanna. Such platforms can leverage AI agents to monitor physical spaces in real-time, detecting anomalies such as unauthorized access attempts or suspicious behavior near ICS assets.AI-driven anomaly detection is another recommended use of AI. “It could detect anomalies like unauthorized access attempts or suspicious behavior near ICS assets,” suggests Khanna. “This integrates seamlessly with ICS for holistic monitoring, combining computer vision with access control systems to verify identities and prevent breaches before they escalate. 
Adaptive protections using ML for real-time encryption and threat response are game-changers, especially when layered with physical barriers and AI-verified access.”

Darktrace’s Macre adds, “Passive anomaly detection is safe for fragile ICS networks, and AI can take it further by learning what ‘normal’ looks like for each unique environment. That means fewer false positives and more actionable insights – which is critical for teams who are drowning in ‘noise’. When paired with autonomous response, organizations can stop threats in real time, while still keeping humans in the loop when needed.”

However, NetRise’s Schwartz warns, “Its value is often overstated. It can highlight unusual network traffic, suspicious engineering actions, or deviations in process behavior, providing a spotlight on activity that operators might otherwise miss. But anomaly detection only sees what happens after a compromise manifests on the network. It does little to address the deeper software supply-chain risks that now dominate ICS intrusions.”

He continues, “Real resilience comes from combining behavioral monitoring with pre-deployment assurance: examining the code that runs on devices, validating its integrity, and governing how updates are introduced into the environment. In other words, anomaly detection watches the symptoms; supply-chain analysis addresses the cause.”

SCYTHE’s Bort also warns, “The inclusion of AI, or any security tooling, increases risk: think about it, how exactly do these tools work? Most of them depend on internet connectivity for execution or the updates needed to be current. That connectivity increases risk because it increases direct surface area.”

But before resilience and recovery can be realized, ICS environments will need two things in 2026. The first will be a more complete and detailed ‘inventory’ of components in the CPS area.
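
The passive, baseline-driven anomaly detection Macre describes, and the “symptoms only” limitation Schwartz points out, can both be seen in a small worked example. The Python below is an added illustration written for this article, not code from Darktrace, NetRise or any other company quoted here. The host addresses, the flow records and the split into a baseline window and an observation window are constructed; the read/write split of Modbus function codes follows the Modbus application protocol specification. It learns which (source, destination, function code) combinations are normal for one environment and flags only what falls outside them, escalating writes because they can change the physical process:

```python
"""Passive baseline anomaly detection over ICS flow summaries (added example).

The flow records are constructed, not real captures. Each record is one
observed Modbus/TCP request summarised as (src, dst, function code).
The baseline phase learns what 'normal' looks like for this environment;
the detection phase flags deviations without ever talking to a device.
"""
from collections import defaultdict

# Modbus function codes (from the Modbus application protocol specification).
MODBUS_READ = {1: "Read Coils", 2: "Read Discrete Inputs",
               3: "Read Holding Registers", 4: "Read Input Registers"}
MODBUS_WRITE = {5: "Write Single Coil", 6: "Write Single Register",
                15: "Write Multiple Coils", 16: "Write Multiple Registers"}
MODBUS_NAMES = {**MODBUS_READ, **MODBUS_WRITE}

# Constructed baseline: a week of known-good traffic collapsed to unique
# (src, dst, function) tuples. HMI 10.1.1.10 polls two PLCs; engineering
# workstation 10.1.1.20 reads from and writes setpoints to PLC 10.1.2.5.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 3),
    ("10.1.1.10", "10.1.2.6", 3),
    ("10.1.1.10", "10.1.2.6", 1),
    ("10.1.1.20", "10.1.2.5", 16),
    ("10.1.1.20", "10.1.2.5", 3),
]

# Constructed observation window containing three deviations from baseline.
OBSERVED_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 3),    # normal poll
    ("10.1.1.10", "10.1.2.6", 16),   # HMI never wrote to this PLC before
    ("10.1.1.20", "10.1.2.6", 3),    # engineering host reads a new PLC
    ("10.1.3.77", "10.1.2.5", 5),    # unknown host writes a coil
    ("10.1.1.20", "10.1.2.5", 16),   # normal setpoint write
]


def learn_baseline(flows):
    """Map each (src, dst) pair to the set of function codes seen in baseline."""
    functions = defaultdict(set)
    for src, dst, func in flows:
        functions[(src, dst)].add(func)
    return dict(functions)


def classify(baseline, src, dst, func):
    """Classify one flow against the baseline; None means 'normal'."""
    pair = (src, dst)
    if pair in baseline and func in baseline[pair]:
        return None
    known_src = any(s == src for s, _ in baseline)
    if not known_src:
        kind = "unknown_source"
    elif pair not in baseline:
        kind = "new_peer"
    else:
        kind = "new_function"
    # A write outside the baseline can alter the physical process, so it is
    # escalated; an unexpected read is logged for a human to review.
    severity = "high" if func in MODBUS_WRITE else "low"
    return {"kind": kind, "severity": severity, "src": src, "dst": dst,
            "function": MODBUS_NAMES.get(func, f"fc{func}")}


def detect(baseline, flows):
    """Return one alert per flow that deviates from the learned baseline."""
    alerts = []
    for src, dst, func in flows:
        alert = classify(baseline, src, dst, func)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for a in detect(base, OBSERVED_FLOWS):
        print(f"[{a['severity']:4}] {a['kind']:15} {a['src']} -> {a['dst']} {a['function']}")
```

Nothing in the block contacts a device: it consumes flow summaries that were already captured, which is what makes the approach safe for fragile networks. Note that the unknown host writing a coil is only visible because the write has already reached the PLC, and the baseline says nothing about whether the firmware on that PLC was trustworthy to begin with; that is the gap Schwartz fills with pre-deployment assurance.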
Christian Terlecki, Director of Federal at Armis, says, “In 2026, agencies will need continuous CPS discovery and purpose-aware risk scoring. That means the ability to identify controllers, medical devices, industrial controllers, and edge appliances and to understand not just that a device exists, but what its operational role is, where its interconnections lead, and what safe remediation looks like.”

In many federal contexts, he continues, “safe remediation won’t be an automatic patch; it will be a compensating micro-segmentation rule, compensating control or a virtual patch applied at the network layer, and the CPS program must support those options with clear, actionable steps.”

Jeremy Epstein, Security Co-Chair, ACM US Technology Policy Committee, and Principal Research Scientist, Georgia Tech Research Institute.

Sam Maesschalck, lead OT cyber security engineer at Immersive, suggests the second new requirement: “In 2026, the industry will also face increasing pressure to grow and upskill the OT security workforce. Organizations will prioritize hands-on training, scenario-based exercises, and cross-discipline capability building between IT and OT teams. Those that mature fastest will be the ones investing in continuous education, realistic OT lab environments, and workforce development programs rather than relying solely on tools and external consultancies.”

So, how do we defend today’s systems? “Through a continually evolving set of defenses, monitoring systems, and responses,” suggests Epstein. “What works in 2025 will certainly not be good enough in 2030, as the threats will continue to advance, and the systems will continue to evolve, adding new attack surfaces.”

Will AI be the silver bullet? “No,” he continues. “But it can be part of a solution, going beyond anomaly detection.
The protection for the water system for Springfield, Ohio, will be different from the one for Springfield, Virginia, and all of the dozens of other Springfields around the country – not even including The Simpsons’ hometown. Upgrades to address security will be different for each Springfield, and AI systems addressing security will need to be customized for each one.”

In the end, he adds, “It’s hard to be a serious cybersecurity expert without being a pessimist. In nearly 40 years in the field, I’ve seen some things get better (for example, we’re much better at building software than we were), but the threats have evolved more rapidly. ICS needs more attention in the form of industry, government, and academic R&D to build and adapt technologies to address rapidly evolving threats.”
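
Buenano’s description of CTEM (exposure tracked across firmware and supply-chain dependencies and prioritised by physical process and safety rather than CVSS alone), Schwartz’s point about SBOM visibility into what runs on controllers, and Terlecki’s purpose-aware risk scoring with compensating controls all describe one workflow. The Python below is an added example for this article, not a product of Armis, NetRise or any other company quoted. The asset inventory, the package URLs and versions in the firmware SBOMs, the advisory identifiers (ADV-EXAMPLE-1, ADV-EXAMPLE-2) with their version ranges, and the weighting factors are all constructed placeholders; they are not the real Log4Shell or XZ Utils advisories. It matches SBOM components against advisories, weights each finding by the asset’s safety role and by whether the enterprise network has a path to it, and recommends a patch only where that is safe, otherwise a micro-segmentation rule plus a virtual patch:

```python
"""Context-weighted exposure scoring for a small CPS inventory (added example).

Inventory, SBOM components, advisories, version ranges and weights are all
constructed placeholders, not real devices or real advisories.
"""
from collections import deque

# Constructed inventory. safety: 1 = monitoring only .. 3 = loss of control
# endangers people. patchable: a vendor fix can be applied in the next
# maintenance window. components: package URLs taken from the firmware SBOM.
ASSETS = {
    "plc-boiler-1": {"role": "boiler burner control", "zone": "control",
                     "safety": 3, "patchable": False,
                     "components": {"pkg:generic/rtos-net@2.3.1"}},
    "plc-conveyor": {"role": "packaging conveyor", "zone": "control",
                     "safety": 1, "patchable": True,
                     "components": {"pkg:generic/rtos-net@2.3.1"}},
    "historian":    {"role": "process historian", "zone": "dmz",
                     "safety": 1, "patchable": True,
                     "components": {"pkg:maven/example/logging-lib@2.14.1"}},
    "hmi-1":        {"role": "operator HMI", "zone": "control",
                     "safety": 2, "patchable": True,
                     "components": {"pkg:generic/rtos-net@2.4.0"}},
}

# Constructed interconnections as discovered on the network (undirected).
LINKS = [("enterprise", "historian"), ("historian", "hmi-1"),
         ("hmi-1", "plc-boiler-1"), ("hmi-1", "plc-conveyor")]

# Constructed advisories with placeholder ids; versions in [min, fixed) are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "pkg:generic/rtos-net",
     "min": (2, 0, 0), "fixed": (2, 4, 0), "cvss": 9.8},
    {"id": "ADV-EXAMPLE-2", "package": "pkg:maven/example/logging-lib",
     "min": (2, 0, 0), "fixed": (2, 15, 0), "cvss": 10.0},
]


def parse_purl(purl):
    """Split 'pkg:type/name@1.2.3' into (package, version tuple)."""
    name, version = purl.rsplit("@", 1)
    return name, tuple(int(p) for p in version.split("."))


def affected(component, advisory):
    """True when the SBOM component falls inside the advisory's version range."""
    name, version = parse_purl(component)
    return name == advisory["package"] and advisory["min"] <= version < advisory["fixed"]


def reachable_from(start, links):
    """Set of nodes reachable from `start` over the discovered links (BFS)."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def remediation(asset_id, asset, advisory_id, links):
    """Patch only where that is safe; otherwise recommend a compensating control."""
    if asset["patchable"] and asset["safety"] < 3:
        return "vendor firmware patch in next maintenance window"
    peers = sorted({b if a == asset_id else a for a, b in links if asset_id in (a, b)})
    return (f"compensating control: micro-segmentation rule limiting {asset_id} to "
            f"{', '.join(peers)} plus virtual patch for {advisory_id} at the network layer")


def score_exposures(assets, links, advisories):
    """Match SBOMs against advisories and rank findings by context, highest first."""
    it_reachable = reachable_from("enterprise", links)
    findings = []
    for asset_id, asset in assets.items():
        for comp in asset["components"]:
            for adv in advisories:
                if not affected(comp, adv):
                    continue
                # Assumed weighting: CVSS base score times the safety rating,
                # plus 50 percent when the enterprise network has a path to the asset.
                priority = adv["cvss"] * asset["safety"]
                if asset_id in it_reachable:
                    priority *= 1.5
                findings.append({"asset": asset_id, "advisory": adv["id"],
                                 "component": comp, "priority": round(priority, 1),
                                 "remediation": remediation(asset_id, asset, adv["id"], links)})
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for f in score_exposures(ASSETS, LINKS, ADVISORIES):
        print(f"{f['priority']:6}  {f['asset']:13} {f['advisory']}  {f['remediation']}")
```

The ordering is the point: the conveyor PLC and the boiler PLC carry the same vulnerable component with the same CVSS score, but the boiler’s safety rating puts it far ahead, and because it is neither patchable nor safe to patch automatically, the recommended step is a network-layer control rather than a firmware update. The HMI running the fixed version produces no finding at all, which is what an SBOM gives an operator that a device list alone cannot.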

Source: SecurityWeek