Operational Technology environments are sitting on a shifting fault line.
As IT and OT systems become tightly interconnected, defenders are facing a perfect storm of legacy infrastructure, converged networks, evolving attacker tradecraft, and a supply chain whose growing connectivity and complexity have expanded the attack surface in ways that many organisations didn’t anticipate.
Cyber incidents can no longer be treated as IT-only events. They routinely affect OT by influencing safety-critical systems, interfering with automation, and forcing unplanned shutdowns. Beyond operational disruption, such incidents introduce safety liabilities and can generate significant financial losses through downtime, recovery costs, and production delays.
Following our recent partnership announcement, NCC Group and Dragos hosted a joint webinar on Emerging Trends in OT to help cyber security leaders understand the latest threat trends and plan proactively in 2026.
The panel featured Matt Hull (VP, Cyber Intelligence and Response at NCC Group), Magpie Graham (Technical Director of Operational Empowerment at Dragos), and David Brown (Principal Security Consultant, DFIR at NCC Group). Together, they delivered an unfiltered look at threat trends, lessons learned, and what organisations must prioritise to stay resilient.
A look at emerging threats in operational technology
We often hear that OT is air-gapped and safe. The reality is that shared identities and flattened networks have exposed physical processes to the Internet. The adversary is no longer just looking. State actors, operating under a strict chain of command, are pre-positioning for effects. This is distinct from the chaotic smash-and-grab of ransomware groups. They are using footholds in IT, exposed shared services, and supply chain paths to reach engineering workstations, Human-Machine Interfaces (HMIs), and devices that control real‑world processes.
The OT ecosystem
Magpie Graham described the OT ecosystem as a layered stack where enterprise IT sits at the top, control centers and Demilitarized Zones (DMZ) in the middle, and Programmable Logic Controllers (PLC), Remote Terminal Units (RTU) and field devices at the bottom. In practice, these layers bleed into one another, creating an expanded attack surface for threat actors to exploit.
- Enterprise IT (top): business apps, email, cloud services.
- Control centers & DMZs (middle): historians, SCADA/ICS assets, engineering workstations.
- Physical process (bottom): PLCs, RTUs, field devices - the "physics".
OT/IT convergence challenges
IT and OT have grown increasingly intertwined over many years, but this longstanding coupling now exposes a different problem. Shared identities, shared infrastructure, and shared monitoring have become major sources of vulnerability — legacy arrangements were never designed for today’s threat landscape.
The real modern issue is shared identity: accounts, authentication paths, and service credentials span both environments, creating pathways that attackers can readily exploit.
“Environments are flatter than we’d like, as networks are not segregated or resilient enough. An IT incident can move into OT almost by default, as shared services make lateral movement easier than it should be. Classic IT controls do not understand Modbus, or S7, and they often miss the signal that matters in OT. What looks like legitimate traffic can be used in illegitimate ways.”
Magpie Graham | Dragos
Safety constraints also often live in a completely different world from IT, so incident response plans must bring them into the conversation and ensure alignment from the start. Magpie highlighted the importance of returning to the SANS five critical controls to provide a valuable framework for fixing these issues and help to bridge the gap between IT and OT security.
When actors go beyond IT to touch physical processes, Dragos has observed three typical scenarios:
- PLC logic modification (e.g., malicious ladder logic on Unitronics PLCs → loss of view/control)
- Wiping/knocking out control components (e.g., wiping storage on firewall/edge devices)
- Abuse of ICS protocols and engineering tools (Modbus, S7) to push changes that look legitimate at packet level
These attacks can cause loss of view, loss of control, denial of service, and in severe cases, even force physical device replacement. Loss of view is particularly dangerous, because from the operator’s perspective, nothing appears broken. The HMI still responds normally, but the values it displays are wrong — and the operator has no immediate way of knowing.
Since these manipulations are carried out over trusted industrial protocols behaving exactly as designed, traditional IT security tools don’t generate alerts. Firewalls see legitimate traffic; EDR sees clean endpoints. As Magpie suggested in the session, “Pure malware detection isn’t really going to be enough anymore. Detection requires understanding the nuances of protocol use.”
This is why protocol‑aware baselining and behavioural monitoring are essential in OT. Much of the malicious activity resembles routine engineering or admin work, so only OT‑specific visibility can distinguish legitimate operations from subtle, physics‑impacting manipulation.
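To make the protocol-aware baselining point concrete, the following is an added example (not code from the webinar, NCC Group or Dragos) of the kind of logic an OT monitor applies to Modbus/TCP: decode the MBAP header and PDU, learn which source hosts normally issue which function codes to which unit, learn the value range normally written to each register, and then alert when a write comes from a host that has never written before or carries a value outside the learned range. The traffic, the host addresses (an HMI, an engineering workstation and an unknown host) and the register values are all constructed for the demo; the alert names and the simple min/max range model are this example's own assumptions, not a product's.

```python
import struct

# Modbus function codes that read state versus ones that change it.
READ_FCS = {1, 2, 3, 4}
WRITE_FCS = {5, 6, 15, 16}


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prefix a PDU with a Modbus/TCP MBAP header (protocol id 0, length = unit id + PDU)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding(tid: int, unit: int, addr: int, count: int) -> bytes:
    """Build a Read Holding Registers (FC 3) request (used to construct sample traffic)."""
    return mbap(tid, unit, struct.pack(">BHH", 3, addr, count))


def write_single(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Build a Write Single Register (FC 6) request (used to construct sample traffic)."""
    return mbap(tid, unit, struct.pack(">BHH", 6, addr, value))


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request into unit id, function code, address and written values."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc, data = frame[7], frame[8:]
    rec = {"tid": tid, "unit": unit, "fc": fc, "values": []}
    if fc in READ_FCS and len(data) >= 4:
        rec["addr"], rec["count"] = struct.unpack(">HH", data[:4])
    elif fc in (5, 6) and len(data) >= 4:
        rec["addr"], value = struct.unpack(">HH", data[:4])
        rec["values"] = [value]
    elif fc == 16 and len(data) >= 5:
        rec["addr"], qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) < 5 + nbytes:
            raise ValueError("FC16 byte count does not match register count")
        rec["values"] = list(struct.unpack(">%dH" % qty, data[5:5 + nbytes]))
    return rec


class ModbusBaseline:
    """Learn who talks to which unit with which function code, and what values get written."""

    def __init__(self):
        self.allowed = set()   # (src_ip, unit, fc) tuples seen during the learning window
        self.ranges = {}       # (unit, register) -> (min, max) of values written

    def learn(self, traffic):
        for src, frame in traffic:
            rec = parse_modbus_tcp(frame)
            self.allowed.add((src, rec["unit"], rec["fc"]))
            if rec["fc"] in WRITE_FCS:
                for i, v in enumerate(rec["values"]):
                    reg = (rec["unit"], rec["addr"] + i)
                    lo, hi = self.ranges.get(reg, (v, v))
                    self.ranges[reg] = (min(lo, v), max(hi, v))

    def evaluate(self, traffic):
        """Return (src, alert_type, detail) for every deviation from the learned baseline."""
        alerts = []
        for src, frame in traffic:
            try:
                rec = parse_modbus_tcp(frame)
            except ValueError as err:
                alerts.append((src, "malformed-frame", str(err)))
                continue
            if (src, rec["unit"], rec["fc"]) not in self.allowed:
                kind = "write" if rec["fc"] in WRITE_FCS else "read"
                alerts.append((src, f"new-{kind}-source", f"unit {rec['unit']} fc {rec['fc']}"))
            if rec["fc"] in WRITE_FCS:
                for i, v in enumerate(rec["values"]):
                    reg = (rec["unit"], rec["addr"] + i)
                    if reg not in self.ranges:
                        alerts.append((src, "write-to-unseen-register", f"unit {reg[0]} addr {reg[1]} value {v}"))
                    elif not self.ranges[reg][0] <= v <= self.ranges[reg][1]:
                        alerts.append((src, "write-out-of-range",
                                       f"unit {reg[0]} addr {reg[1]} value {v} outside {self.ranges[reg]}"))
        return alerts


# Constructed sample traffic: an HMI that only reads, an engineering workstation that
# adjusts a setpoint between 20 and 22, and an unknown host that writes 666 to it.
HMI, EWS, UNKNOWN = "10.0.1.10", "10.0.1.20", "10.0.5.99"
LEARNING = [
    (HMI, read_holding(1, 1, 100, 4)),
    (HMI, read_holding(2, 1, 100, 4)),
    (EWS, write_single(3, 1, 100, 20)),
    (EWS, write_single(4, 1, 100, 22)),
]
LIVE = [
    (HMI, read_holding(5, 1, 100, 4)),      # routine poll, no alert
    (EWS, write_single(6, 1, 100, 21)),     # routine setpoint change, in range, no alert
    (UNKNOWN, write_single(7, 1, 100, 666)),  # unknown writer and out-of-range value
]


def run_demo():
    baseline = ModbusBaseline()
    baseline.learn(LEARNING)
    return baseline.evaluate(LIVE)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Every frame in the live window is a protocol-valid Modbus request that a firewall would pass; the two alerts arise only because the monitor knows who normally writes and what range those writes stay in. In a real deployment the learning window would be days of captured traffic rather than four frames, and the range model would usually be per-register engineering limits agreed with the process owners rather than an observed min/max.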
OT cyber attack trends
State-aligned actors are quietly establishing long-term footholds across critical infrastructure, and VOLTZITE, linked publicly to Volt Typhoon, is a clear example of this intent. Their goal is to secure persistent access, gather operational intelligence, and keep the option of disruption available whenever required. These groups typically avoid high-profile zero-day exploits, instead favouring ‘living off the land’ techniques, valid credentials, and activity that mimics legitimate administration, all to support sustained long-term prepositioning.
Alongside nation‑state actors, criminal groups continue to make significant impact. Ransomware remains the most disruptive force across manufacturing, transport, telecoms, and government. While much of this malware has no understanding of PLCs or industrial processes, the consequences of IT disruption inevitably spill into OT.
Crucially, OT is not passive in this situation; operators intentionally shut down systems to prevent unsafe states when they lose visibility or control. Adversaries increasingly exploit this predictable need for rapid, defensive shutdowns knowing that forced downtime is extremely costly and creates leverage.
Lessons learned from recent OT cyber attacks
Two cases were highlighted showing how small technical changes can create large physical effects:
FrostyGoop was assessed as the ninth known ICS malware family and the first seen explicitly using Modbus to change device behavior rather than just recon. A simple utility speaking Modbus TCP on port 502 interacted with heating controllers in Ukraine. More than 600 apartment buildings lost central heating during subzero temperatures. This was technically simple but operationally severe.
A similar pattern emerged in Sweden, where the Infrastructure Destruction Squad targeted heating systems by changing just one HMI field, the backup heat threshold, to 666. That disabled the safety backup heat and introduced a real risk of hypothermia. No zero day required. The HMI was accessible from the Internet.
“One field change in an HMI can become a safety hazard if that HMI is exposed.”
Magpie Graham | Dragos
When OT assets are internet-exposed or loosely segmented, attackers do not need advanced industrial payloads. They can manipulate legitimate engineering tools or protocol functions to create a real physical impact.
The panel also highlighted the role of the OT supply chain. Compromising vendors or support providers can give threat actors access to source code, research and development documentation, known issues, and customer lists. That intelligence accelerates both exploit development and target selection. It is a pattern that is unfortunately increasing year on year.
At the same time, the threat surface has also expanded into unexpected areas. Hardware supply chain risks are accelerating as solar inverters, batteries, and even industrial components now ship with embedded cellular radios or out-of-band access paths that cannot be patched. As Magpie highlighted, these pre-installed connectivity routes create ready-made opportunities for abuse.
Webinar poll highlights
Which control is your biggest OT gap today?
- Visibility (asset inventory, network monitoring) – 40%
- Vulnerability management (safe patching/mitigation) – 20%
- Incident response (OT playbooks, drills, OT-forensic readiness) – 20%
- Segmentation (zones/conduits, interlocks) – 14%
- Access control (least privilege, MFA for remote vendors) – 6%
These results mirror the panel’s message. Visibility and segmentation remain foundational, yet they are still inconsistent across plants and lines.
How often do you run OT‑focused tabletop or live simulations with operations stakeholders?
- Annually – 45%
- Never – 24%
- Ad hoc / when there’s a change or incident – 21%
- Twice per year – 7%
- Quarterly or more – 3%
Do you have a documented, OT‑specific Incident Response (IR) plan?
- Not sure / Prefer not to say – 22%
- Yes - documented and tested in the last 12 months (tabletop/live simulation) – 19%
- Yes - documented, but not yet tested – 19%
- We rely on an enterprise IR plan with an OT element – 19%
- No formal OT-specific plan yet – 19%
These results reveal a clear opportunity for threat actors and a strategic risk for organisations. When OT IR plans are untested or uncertain, adversaries are better positioned to exploit weaknesses long before defenders are prepared to act.
What to expect in 2026
When asked to look ahead to 2026, Matt Hull made one point clear: There will be no slowdown. Disruption is the norm, not the exception.
Ransomware is expected to rise further, and not because attackers have developed new techniques, but because the economics still work. Downtime equals leverage and industrial downtime is expensive.
AI will influence both sides of the equation. It has already elevated attackers’ capabilities in areas like social engineering and voice cloning, while simultaneously giving defenders more advanced tools for detection and triage. Rather than creating an entirely new class of threats, AI is expected to amplify existing ones. In practice, it lowers the barrier to entry for threat actors by enabling more convincing social engineering, tailored phishing, rapid reconnaissance, and high-quality content generation. Most attacks are becoming AI-assisted rather than fully automated “Skynet”-style operations; therefore, the biggest shifts will be in scale and speed, not in fundamentally new attack categories.
“Threat is a measure of the threat actor capability, their motivation, and the opportunity that they have. Manufacturing is a prime target because downtime creates leverage.”
Matt Hull | NCC Group
Adversaries operate under a strict chain of command. They pre-position disruptive and destructive tools within our infrastructure to lie in wait for future kinetic effects. Resilience requires assuming this foothold already exists and ensuring we have the visibility to disconnect the physical processes from the digital network before that leverage is exercised.
This shift from intelligence gathering to active pre-positioning will almost certainly increase, and we won't simply see more intrusions, but deeper ones. As the perimeter defences harden, the adversary will move upstream and weaponize supply chains with dormant footholds that are significantly harder to detect and impossible to patch.
How to build proactive OT security resilience
OT cyber security has moved into a period of constant disruption.
Attackers have more paths into operational environments than ever before. From state-aligned intrusion campaigns to criminal ransomware groups and supply chain backdoors, the threat landscape is dynamic and unforgiving.
The actions that truly move the needle in OT security are not theoretical. They are practical, measurable, and immediately applicable. The NCC Group x Dragos webinar panel offered practical advice for industrial organisations to improve their OT resilience:
1. Start with visibility and asset inventory
The first crucial step is clarity. Asset inventory and protocol‑aware visibility must be non-negotiable. Collectively, we monitor less than 5% of the OT network globally – you could never imagine that statistic in Enterprise IT. Until we fix that visibility gap, we are hunting in the dark. You cannot defend what you do not know exists. Shadow IT, internet-facing assets and remote access tools inadvertently left on vendor equipment can all become instant ingress paths.
2. Run threat‑led tabletop exercises with clear decision chains
Scenario-driven incident response is equally critical. Playbooks are meaningless if no one knows where they are or if they have never been tested. Organisations should rehearse realistic, threat-led scenarios based on actual risks to their sector, geography, and technology stack. Clear decision chains, communication plans, and offline copies of documentation are essential.
“Have a small set of well-rehearsed scenarios based on your threat landscape and sector. Then drill them.”
David Brown | NCC Group
3. Strengthen vendor due diligence and supply chain control
Risk should be stopped before it ever connects to the network. This includes scanning vendor equipment before onboarding, assessing supply chain exposure, and tracking orphan devices that appear unexpectedly on the network.
4. Prioritise segmentation and protocol‑aware monitoring
Tune detections to your hardware and processes. Shift from indicators of compromise to behaviors and TTPs. Hashes and IP addresses change fast but behaviors endure. If you do not run a device family, deprioritise those signatures. If your plant uses platforms known to be targeted, elevate those detections and baselines now.
5. Track mean time to disconnect OT as a resilience metric
Rapidly separating OT from IT during an incident is one of the strongest indicators of operational preparedness.
As Magpie Graham explains: “If mean time to disconnect trends down from hours to tens of minutes, your resilience is improving.”
6. Patch the vulnerabilities that matter
Finally, patching must become risk-led rather than compliance-led. Do not try to patch every CVE in OT. Focus on the small slice that constitutes an urgent problem. We need to adopt a “Now, Next, Never” approach. If a vulnerability isn’t on the perimeter or being exploited “Now”, it can wait. Chasing 100% patch compliance in OT is a misunderstanding of the domain.
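As an added illustration of the "Now, Next, Never" idea (this is example code, not a tool or method from the webinar, NCC Group or Dragos), the following triage routine sorts OT vulnerability findings into the three buckets using the two signals the panel named as "Now" (on the perimeter, or being exploited) plus the inventory check from step 4 (deprioritise device families you do not run). The CVE identifiers and findings are constructed placeholders, and the "Next" rule (reachable over an IT-to-OT conduit with a CVSS of 7.0 or higher) is this example's own assumption about where a plant might draw that line.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OTFinding:
    """One vulnerability finding enriched with the context that drives OT triage."""
    cve: str                  # placeholder ids below, not real CVE numbers
    device_family: str
    in_inventory: bool        # does the plant actually run this device family?
    perimeter_exposed: bool   # reachable from the Internet or the IT/OT boundary
    known_exploited: bool     # exploitation observed in the wild
    reachable_from_it: bool   # reachable over a permitted IT-to-OT conduit
    cvss: float


# Assumed threshold for promoting an internally reachable finding to "Next".
NEXT_CVSS_THRESHOLD = 7.0


def triage(f: OTFinding):
    """Return (bucket, reason) for a finding under a Now / Next / Never rule."""
    if not f.in_inventory:
        return "Never", f"{f.device_family} is not in the asset inventory"
    if f.known_exploited:
        return "Now", "exploitation observed in the wild"
    if f.perimeter_exposed:
        return "Now", "asset is exposed at the perimeter"
    if f.reachable_from_it and f.cvss >= NEXT_CVSS_THRESHOLD:
        return "Next", f"reachable from IT with CVSS {f.cvss:.1f}"
    return "Never", "not reachable from outside its zone; rely on segmentation and monitoring"


def build_patch_queue(findings):
    """Group findings by bucket, ordering each bucket by CVSS so the worst items surface first."""
    queue = {"Now": [], "Next": [], "Never": []}
    for f in findings:
        bucket, reason = triage(f)
        queue[bucket].append((f.cve, f.device_family, f.cvss, reason))
    for bucket in queue:
        queue[bucket].sort(key=lambda item: item[2], reverse=True)
    return queue


# Constructed sample findings (CVE ids are placeholders).
SAMPLE_FINDINGS = [
    OTFinding("CVE-PLACEHOLDER-1", "vendor-A HMI", True, True, False, True, 9.8),
    OTFinding("CVE-PLACEHOLDER-2", "vendor-B PLC", True, False, True, False, 7.5),
    OTFinding("CVE-PLACEHOLDER-3", "vendor-C RTU", True, False, False, True, 8.1),
    OTFinding("CVE-PLACEHOLDER-4", "vendor-C RTU", True, False, False, True, 5.3),
    OTFinding("CVE-PLACEHOLDER-5", "vendor-D drive", False, True, True, True, 10.0),
    OTFinding("CVE-PLACEHOLDER-6", "vendor-B PLC", True, False, False, False, 9.1),
]


if __name__ == "__main__":
    for bucket, items in build_patch_queue(SAMPLE_FINDINGS).items():
        print(bucket)
        for cve, family, cvss, reason in items:
            print(f"  {cve} ({family}, CVSS {cvss}): {reason}")
```

Note that the last sample finding scores 9.1 yet lands in "Never": with no route to it from IT or the perimeter, the panel's advice is to lean on segmentation and protocol-aware monitoring rather than schedule an outage for it, and the placeholder with a CVSS of 10.0 is ignored entirely because the plant does not run that device family.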
Ready to strengthen your OT defenses?
Explore our Cyber Incident Response Retainer services and watch the full webinar series on demand.
If you need structured incident readiness support or on‑call expertise, NCC Group and Dragos’s Cyber Incident Response Retainer can help you prepare, respond and recover quickly when it counts.