Manufacturing cyber threats in 2026: what we are seeing on the ground

Across the OT cybersecurity engagements we have run in the last twelve months, six trends keep surfacing. None of them are surprising in isolation. The combination is what is changing the threat picture for manufacturers in 2026.

1. Ransomware is re-targeting OT directly

Through 2024 and most of 2025, ransomware operators primarily attacked IT — and OT damage was collateral. We are now seeing operators with explicit OT pivot capabilities: PLC enumeration, HMI credential extraction, and ICS protocol awareness. The dwell-time-to-impact has shortened.

2. Insurance is now an active gatekeeper

Cyber insurance underwriters are demanding evidence of segmentation, asset inventory, and incident response readiness — not just affirming policies. We have customers who would not get cover renewed without IEC 62443 zone documentation we now produce as standard.

3. Vendor-access auditing is finally being taken seriously

For years 'we audit vendor access' was an aspiration. Boards now ask for log evidence by quarter. The technical work is straightforward; the cultural shift is the real change.

4. The OT-IT convergence cuts both ways

Good for visibility, bad for blast radius. Modernised plants now have the worst of both worlds unless segmentation is genuine, not nominal.

5. Supply-chain attacks have moved to firmware

Not common yet, but we have seen two confirmed cases this year of compromised firmware updates from third-party device vendors. Software bills of materials are becoming non-optional.

6. Talent gap is the real bottleneck

Tools are not the problem. The shortage of engineers who genuinely understand both OT and IT security — who can read a PLC ladder diagram and a Suricata rule — is acute and getting worse.