1. EXECUTIVE SUMMARY

Operational technology and industrial control systems are the foundation upon which all the vital services that our societies rely on rest. Power networks, water treatment plants, and production lines all have something in common in 2026: they are under attack, they are compromised, and they are being destroyed both virtually and physically by nation-states and criminals employing similar tactics.

CISA, IBM X-Force, CrowdStrike, and Microsoft all report active campaigns against these three sectors, with data to back up the claims. Manufacturing accounted for 27.7% of all cybersecurity incidents tracked by IBM X-Force in 2025, making it the top-targeted industry for the fifth year in a row. ¹

15% of companies examined in IBM’s 2025 breach research experienced breaches that affected their OT infrastructure, at an average cost of $4.56 million each. Of the 670 vulnerabilities affecting OT disclosed in H1 2025, 49% were rated Critical or High on the CVSS scale, and 21% of the critical vulnerabilities had exploit code available at disclosure. ²

This whitepaper covers the three main areas of attack surface that result in OT/ICS exposure, details the events that shaped the threat landscape in 2025-2026, and proposes a defense approach built around five pillars for securing OT/ICS infrastructure in 2026.

2. OT/ICS THREAT LANDSCAPE IN 2026

2.1 Manufacturing: Five Straight Years of Top Target Status

For five straight years, manufacturing has ranked at the top of the IBM X-Force incident landscape. The 2026 X-Force Threat Intelligence Index, released on February 25, 2026, indicated that 27.7% of all cybersecurity incidents recorded by X-Force in 2025 were related to manufacturing. ¹ 

Manufacturers carry an attack surface that most other firms lack. In addition to their IT environment, they run OT facilities with uptime requirements that make patching difficult, legacy technology that is incompatible with modern endpoint protection software, and processes that suffer real consequences from any interruption.

The IBM X-Force OT Threat Landscape study, released in November 2025, captured the direct costs incurred from cyber attacks. Of the 6,485+ businesses studied, 15% had suffered an incident that compromised their OT network, and 23% of those affected reported that the attack caused actual damage to OT systems.

On average, such attacks cost $4.56 million, compared with a global average data breach cost of $4.44 million. IBM X-Force’s vulnerability management database recorded 670 vulnerabilities disclosed during H1 2025 that could affect OT environments; 49% were rated Critical or High on CVSS, and 21% of the critical vulnerabilities had exploit code available. ²

2.2 The Nation-State Dimension: Pre-Positioning, Not Just Disruption

The most consequential shift in the OT/ICS threat landscape is not attack volume but intent. Nation-state actors are no longer primarily focused on opportunistic disruption. Microsoft Threat Intelligence, in its critical infrastructure analysis released in March 2026, found that nation-state operators are establishing persistent, low-visibility access in critical infrastructure, residing in environments where IT/OT visibility is lacking. ³

China-nexus activity increased 38% in 2025, as highlighted in the CrowdStrike Global Threat Report 2026. 67% of the vulnerabilities exploited by China-nexus actors provided immediate access to systems, and 40% targeted internet-facing edge devices. Russia-nexus FANCY BEAR deployed LLM-enabled malware (LAMEHUG) to automate reconnaissance, while DPRK-nexus incidents rose more than 130% in 2025 as FAMOUS CHOLLIMA activity more than doubled.

The blurring line between nation-state and financially motivated actors, explicitly noted in both the IBM X-Force and CrowdStrike 2026 reports, means techniques developed for strategic purposes are increasingly available to criminal groups. ¹

2.3 Criminal Groups Emulating Techniques of the Nation-State

According to IBM X-Force, there were 109 different extortion groups operating in 2025, compared to 73 in 2024 – an increase of 49%.  

The ransomware ecosystem targeting OT environments has splintered into smaller, more opportunistic players that conduct low-volume attacks and deliberately select OT targets. Manufacturing organizations account for the highest ransomware case volume in X-Force’s observed data, reflecting the sector’s low tolerance for downtime and the strong return for attackers who threaten production disruption.

FIGURE 1: The OT/ICS Threat Landscape – Key Statistics (2025-2026)

Metric | Value | Timeline
Manufacturing share of X-Force incidents ¹ | 27.7% | Full Year 2025
Organizations with OT-affecting breach ² | 15% | Mar 2024-Feb 2025
OT breaches causing equipment damage ² | 23% | Mar 2024-Feb 2025
Average cost of OT-affecting breach ² | $4.56 million | Mar 2024-Feb 2025
OT vulnerabilities disclosed H1 2025 ² | 670 | H1 2025
OT vulnerabilities rated Critical or High ² | 49% | H1 2025
Critical OT vulns with public exploit code ² | 21% | H1 2025
China-nexus activity increase YoY | 38% | Full Year 2025
DPRK-nexus incident increase YoY | 130%+ | Full Year 2025
Active ransomware groups in 2025 | 109 (up from 73 in 2024) | Full Year 2025

Sources: As per references shown above, Cyber Tech Intelligence Analysis

3. THE THREE ATTACK SURFACES DRIVING OT/ICS EXPOSURE

3.1 Internet-Facing Edge Devices

The most consistent finding across IBM X-Force, CrowdStrike, and CISA data for 2025 is that internet-facing edge devices represent the primary initial access pathway into OT environments. IBM X-Force documented a 44% increase in attacks beginning with the exploitation of public-facing applications in 2025, driven by missing authentication controls and AI-enabled vulnerability discovery.  

A 40% rise in internet-exposed ICS devices was documented between 2024 and 2025. CISA’s ICS advisory program published more than 500 ICS advisories for the first time in a single year in 2025, with 82% rated High or Critical severity.

Microsoft’s critical infrastructure analysis, published in March 2026, confirmed the access pathway breakdown: 18% of intrusions originate from web-facing assets, 12% from exposed remote services, and 3% from supply chain pathways. For OT environments where patching cycles are measured in months, and device uptime requirements prevent immediate remediation, this exposure is structural. ³

3.2 IT/OT Convergence and the Identity Bridge

The convergence of IT and OT environments has created an attack pathway that did not exist when most industrial control systems were designed. Microsoft Threat Intelligence documented cloud and hybrid incidents increasing 26% in early 2025 as identity, automation, and remote management converged within cloud control planes. More than 97% of identity-based attacks in critical infrastructure environments target password-based authentication through password spray or brute force. ³ 

A single compromised account in a hybrid environment can provide privileged reach into operationally relevant systems that were never designed to be accessible through an identity layer. IBM X-Force OT analysis documented how adversaries exploit trusted IT/OT bridges, unsecured field devices, and maintenance laptops to gain direct access to process control networks and safety systems. ²

3.3 Default Credentials and Configuration Failures

CISA’s February 2026 alert on the Poland energy sector incident documented one of the most consistently identified and persistently unaddressed weaknesses in OT environments: default credentials. Threat actors leveraged default credentials to pivot from internet-facing edge devices onto HMIs and RTUs, destroying data on HMIs, corrupting system firmware, and causing loss of view and control between facilities and distribution system operators.  

IBM X-Force Red penetration testing engagements in 2025 identified misconfigured access controls as the most common entry point across all engagements.  

Microsoft’s CI analysis confirms that most intrusions begin with preventable exposure: internet-facing VPNs left enabled too long, contractor identities outliving project timelines, and dormant privileged accounts creating low-effort entry points before persistence is even required. ³

FIGURE 2: The Three Primary OT/ICS Attack Surfaces (2025-2026)

Attack Surface | Key Finding | Timeline
Internet-Facing Devices | 44% increase in public-facing application exploitation YoY | Full Year 2025
Internet-Facing Devices | 40% rise in internet-exposed ICS devices | 2024-2025
Internet-Facing Devices ³ | 18% of CI intrusions from web-facing assets; 12% from exposed remote services | Early 2025
IT/OT Convergence ³ | Cloud and hybrid incidents increased 26% in early 2025 | Early 2025
IT/OT Convergence ³ | 97%+ of identity attacks target password-based authentication | 2025
Default Credentials | Default credentials used to pivot from edge devices to HMIs and RTUs | December 2025
Default Credentials | Misconfigured access controls most common pen test entry point | Full Year 2025

Sources: As per references shown above, Cyber Tech Intelligence Analysis

4. REAL-WORLD INCIDENTS: WHAT THE YEAR 2025 TAUGHT US

4.1 The Polish Energy Sector Cyber Attack in December 2025

On December 29, 2025, threat actors attacked OT and ICS infrastructure at multiple facilities in Poland’s energy sector. The attack targeted renewable energy generation facilities, a combined heat and power plant, and a manufacturing facility.

CISA released an advisory on February 10, 2026, outlining the attack chain: initial compromise of vulnerable internet-facing edge devices protected only by default passwords, lateral movement to HMI/RTU systems, execution of wiper malware that erased data stored on the human-machine interfaces, corruption of OT device firmware, and finally loss of view and control. CERT Polska attributed the attack to Berserk Bear; ESET and Dragos attributed it to Sandworm with medium confidence.

This incident shows that the attack chain identified above, vulnerable internet-exposed devices, default passwords, and IT/OT lateral movement, is being used against operational energy infrastructure with real physical consequences.

4.2 Nucor Steel Production Cease, May 2025

In May 2025, Nucor halted production following a cyberattack involving unauthorized access to its internal IT environment. IBM X-Force recorded the incident as evidence of how tightly integrated the IT and OT domains have become: an IT-layer breach produced operational disruption regardless of whether the OT systems themselves were compromised.

In manufacturing environments where IT and OT are operationally dependent, a compromise contained to IT infrastructure can force OT shutdowns through precautionary response alone, producing the same business disruption outcome as a direct OT attack. ²

5. THE DEFENSE FRAMEWORK: FIVE PILLARS FOR OT/ICS RESILIENCE IN 2026

IBM X-Force and Microsoft identify five defense priorities that collectively address the attack surfaces documented above. ² ³

Pillar 1: Hyper-Prioritized Patch Management. Patch management in OT environments is constrained by uptime requirements and vendor patch cycles. CISA’s Known Exploited Vulnerabilities catalog, combined with X-Force threat intelligence on which CVEs are actively exploited in OT-relevant forums, provides a risk-ranked remediation queue. Where patching is delayed, network segmentation, application allowlisting, and anomaly monitoring provide compensating controls. ²
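As an added illustration, and not code from this whitepaper or from the IBM and Microsoft reports it cites, the following Python sketches the risk-ranked remediation queue Pillar 1 describes: findings are ordered by KEV membership, public exploit availability and internet exposure ahead of raw CVSS, and any finding whose maintenance window exceeds a patch-delay threshold is assigned the compensating controls the pillar names. Asset labels, CVE ids, and the scoring weights are constructed placeholders, not values from any real advisory or published scheme.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OtVuln:
    asset: str             # constructed asset label, e.g. "HMI-03"
    cve: str               # constructed placeholder id, not a real advisory
    cvss: float            # CVSS base score
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    exploit_public: bool   # exploit code available at disclosure
    internet_facing: bool  # reachable from the internet (edge device, VPN, HMI)
    patch_days: int        # days until the next maintenance window allows the patch


# The compensating controls Pillar 1 names for findings that cannot be patched promptly.
COMPENSATING_CONTROLS = ("network segmentation", "application allowlisting", "anomaly monitoring")


def severity_band(cvss: float) -> str:
    """Map a CVSS base score onto the Critical/High/Medium/Low bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def risk_score(v: OtVuln) -> float:
    """Risk-rank a finding: known exploitation and public exploit code weigh more
    than raw CVSS, and internet exposure adds to both. Weights are illustrative."""
    score = v.cvss
    if v.in_kev:
        score += 10.0
    if v.exploit_public:
        score += 5.0
    if v.internet_facing:
        score += 3.0
    return score


def remediation_queue(vulns, max_patch_delay_days: int = 30):
    """Return findings ordered by risk, each with a patch-or-compensate decision."""
    queue = []
    for v in sorted(vulns, key=risk_score, reverse=True):
        if v.patch_days <= max_patch_delay_days:
            action, controls = "patch in next window", ()
        else:
            action, controls = "compensating controls until patched", COMPENSATING_CONTROLS
        queue.append({"asset": v.asset, "cve": v.cve, "band": severity_band(v.cvss),
                      "score": risk_score(v), "action": action, "controls": controls})
    return queue


# Constructed sample inventory: placeholder CVE ids, not real advisories.
SAMPLE_INVENTORY = [
    OtVuln("EDGE-FW-01", "CVE-0000-0001", 9.8, True, True, True, 7),
    OtVuln("HMI-03", "CVE-0000-0002", 7.5, False, True, False, 120),
    OtVuln("RTU-12", "CVE-0000-0003", 9.1, False, False, False, 180),
    OtVuln("ENG-WS-02", "CVE-0000-0004", 5.3, False, False, False, 14),
]

if __name__ == "__main__":
    for item in remediation_queue(SAMPLE_INVENTORY):
        print(item)
```

Note that the High-rated HMI finding with public exploit code ranks above the Critical-rated RTU finding without one, which is the point of ranking on exploitation evidence rather than CVSS alone.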

Pillar 2: Sector-Specific Threat Mapping. Generic security frameworks do not reflect the adversary groups, techniques, and vulnerabilities most relevant to energy, water, or manufacturing environments. 

MITRE ATT&CK for ICS provides sector-specific technique mapping. Sector ISACs, including E-ISAC for energy, Water-ISAC for utilities, and MFG-ISAC for manufacturing, distribute threat intelligence specific to each sector’s adversary profile. Microsoft CI analysis recommends identifying the most likely attack paths to critical assets and continuously mitigating them. ³

Pillar 3: Identity Hardening Across IT and OT. Microsoft’s continuous readiness framework places identity hardening first: phishing-resistant MFA deployment, reduction of standing privilege, elimination of legacy authentication, and governance for contractor and service identities. ³ 

For OT environments, this includes immediate remediation of default credentials on HMIs, RTUs, and all internet-facing edge devices, the exact vector exploited in the Poland grid attack of December 2025.

Pillar 4: Layered Network Defense with IT/OT Segmentation. IT and OT network segregation using firewalls, DMZs, and unidirectional gateways prevents lateral movement from IT into process control environments. 

Passive deep packet inspection for OT protocols enables anomaly detection without disrupting operational processes. Behavioral anomaly detection on process control networks identifies deviations that signature-based detection cannot catch. ²

Pillar 5: Adversary-Emulation Testing and Board-Level Governance. Tabletop exercises modeled on real adversary scenarios prepare operational teams for Sandworm-style grid manipulation, Volt Typhoon-style LOTL persistence, and ransomware double extortion specific to manufacturing. 

IBM X-Force and Microsoft both identify OT security as a C-level imperative requiring board sponsorship. ² ³

FIGURE 3: Five-Pillar OT/ICS Defense Framework (2026)

Pillar | Primary Control | Addresses | Priority
Patch Management ² | CISA KEV-prioritized remediation; compensating controls where patching is delayed | Edge device exploitation; unpatched CVEs | Immediate
Sector Threat Mapping ³ | MITRE ATT&CK for ICS; sector ISAC intelligence integration | Adversary-specific TTPs; sector-relevant vulnerabilities | 30 days
Identity Hardening ³ | Phishing-resistant MFA; default credential remediation; contractor account governance | Identity-based intrusion; IT/OT lateral movement | Immediate
Network Segmentation ² | IT/OT segregation; DMZ; unidirectional gateways; passive DPI for OT protocols | Lateral movement containment; blast radius reduction | 60-90 days
Adversary-Emulation Testing ² ³ | Red team exercises modeled on Sandworm, Volt Typhoon, and ransomware scenarios | Operational readiness; detection gaps; response effectiveness | 90-180 days

Sources: As per references shown above, Cyber Tech Intelligence Analysis

6. THE CYBERSECURITY LEGAL ENVIRONMENT

OT and critical infrastructure cybersecurity laws have increasingly shifted from being only advisory guidance to becoming mandatory in various jurisdictions around the globe. 

The United States National Cybersecurity Strategy treats critical infrastructure cybersecurity as an element of national security. Under the Critical Infrastructure Reporting and Cyber Incident Awareness Act, critical infrastructure stakeholders must report cyber incidents when they occur.

In Europe, the NIS2 Directive mandates enforcement of security standards for critical sectors. Canada is advancing prescriptive requirements through Bill C-8.

Microsoft’s CI threat analysis documents that the regulatory trajectory across jurisdictions points consistently toward mandatory continuous posture monitoring, documented incident response capabilities, and enforceable minimum security standards for OT environments. ³ 

Organizations building OT security programs in 2026 that align with NIST CSF 2.0, IEC 62443, and NERC CIP simultaneously address regulatory obligations and operational security requirements, reducing the overhead of managing these as separate workstreams.

7. THE FINANCIAL CASE FOR OT/ICS INVESTMENT

OT-affecting breaches cost an average of $4.56 million per incident during the March 2024 to February 2025 study period, compared to the global average of $4.44 million for all breaches. ² 

For manufacturing and energy organizations where production downtime carries immediate revenue consequences, the financial exposure from a single OT-disrupting incident typically exceeds the annual cost of the security program that would have prevented it.

The speed dimension compounds the cost calculus. The CrowdStrike 2026 Global Threat Report documented the average eCrime breakout time falling to 29 minutes in 2025, with the fastest observed breakout at 27 seconds. 

In one intrusion observed by CrowdStrike, data exfiltration began within four minutes of initial access. OT environments relying on manual detection and response processes cannot contain lateral movement within that window.  

FIGURE 4: The Financial Case for OT/ICS Security Investment (2024-2026)

Metric | Value | Timeline
Average cost of OT-affecting breach ² | $4.56 million | Mar 2024-Feb 2025
Global average breach cost ² | $4.44 million | Mar 2024-Feb 2025
OT breaches causing equipment damage ² | 23% of OT-affecting incidents | Mar 2024-Feb 2025
Manufacturing share of all X-Force incidents ¹ | 27.7% (5th consecutive year at top) | Full Year 2025
Average eCrime breakout time | 29 minutes | Full Year 2025
Fastest observed breakout time | 27 seconds | Full Year 2025
Data exfiltration after initial access | Within 4 minutes (observed intrusion) | Full Year 2025
Active ransomware groups targeting industry | 109 distinct groups | Full Year 2025

Sources: As per references shown above, Cyber Tech Intelligence Analysis

8. CONCLUSION: OPERATIONAL RESILIENCE AS AN IMPERATIVE

The OT/ICS threat landscape in 2026 will be characterized by the confluence of three trends: the strategic positioning of nation-states within critical infrastructure; sophisticated criminal organizations applying their tradecraft to industrial targets; and an attack surface consisting of internet-connected devices, IT/OT convergence, and years of underinvestment in security measures.

The Poland power grid hack in December 2025 and the Nucor production shutdown in May 2025 are just two of many such examples. They are representative of a documented, active threat campaign against the energy, water, and manufacturing sectors that IBM, CrowdStrike, Microsoft, and CISA have independently confirmed is intensifying in 2026. 

Compliance-based controls, annual audits, and perimeter security designed for a pre-convergence architecture are insufficient against adversaries already inside some of these environments, waiting for the moment of maximum disruption. The five-pillar framework in this whitepaper provides the sequence for security and operations leaders to move from awareness to verified readiness.

The organizations best positioned in 2026 are those that have moved from treating OT security as a compliance requirement to treating it as an operational discipline, one where the threat is specific, the investment is proportionate, and readiness is continuously validated rather than periodically assumed.

9. KEY DATA SUMMARY

Statistic | Value | Timeline
Manufacturing share of X-Force incidents ¹ | 27.7% | Full Year 2025
Organizations with OT-affecting breach ² | 15% | Mar 2024-Feb 2025
OT breaches causing equipment damage ² | 23% | Mar 2024-Feb 2025
Average OT breach cost ² | $4.56 million | Mar 2024-Feb 2025
OT vulnerabilities H1 2025 ² | 670 | H1 2025
OT vulnerabilities rated Critical/High ² | 49% | H1 2025
Critical OT vulns with public exploit code ² | 21% | H1 2025
Increase in public-facing app exploitation | 44% YoY | Full Year 2025
Internet-exposed ICS devices increase | 40% | 2024-2025
Cloud and hybrid incidents increase ³ | 26% | Early 2025
Identity attacks targeting password auth ³ | 97%+ | 2025
CI intrusions from web-facing assets ³ | 18% | Early 2025
China-nexus activity increase YoY | 38% | Full Year 2025
DPRK-nexus incident increase YoY | 130%+ | Full Year 2025
Active ransomware groups in 2025 | 109 | Full Year 2025
Average eCrime breakout time | 29 minutes | Full Year 2025
Destructive campaign increase early 2025 ³ | 87% | Early 2025

Sources: As per references shown above, Cyber Tech Intelligence Analysis

10. REFERENCES

  1. IBM Think (2026). Why Manufacturing Companies Are Most Vulnerable to Hacking. Published April 2026.
  2. IBM X-Force (2025). The Operational Technology Threat Landscape: Insights from IBM X-Force. Published November 2025.
  3. Microsoft Security Insider (2026). The Threat to Critical Infrastructure Has Changed. Has Your Readiness? Published 31 March 2026.
  4. CrowdStrike (2026). 2026 CrowdStrike Global Threat Report: AI Accelerates Adversaries and Reshapes the Attack Surface. Published 24 February 2026.
  5. IBM X-Force (2026). 2026 X-Force Threat Intelligence Index: Making the Case for Securing Identities, AI-Enhanced Detection and Proactive Risk Management. Published 25 February 2026.
  6. IBM X-Force (2025). X-Force Threat Intelligence Index 2025: Attackers Steal and Sell User Identities at Scale.
  7. Infosecurity Magazine (2026). Industrial Control System Vulnerabilities Hit Record Highs. Published 19 February 2026.