Critical infrastructure will be a top cyber battleground in 2026 as ransomware, OT intrusions and geopolitically driven campaigns converge, according to security professionals who reached out to SC Media.
Experts warned attackers will move beyond sectors such as utilities and finance to manufacturing, healthcare, water, food, logistics and other supply chain choke points. Legacy industrial control systems — built for reliability, not security — remain hard to patch, poorly segmented and difficult to monitor.
AI-assisted adversaries are expected to scale reconnaissance, blend cyberattacks with misinformation, and coordinate multi-country operations timed to global events, complicating attribution and response.
What follows is a roundup of forecasts and predictions for the year ahead.
Industrial control system security will remain one of the most pressing challenges, says Jeff Macre, principal OT security solutions architect at Darktrace:
Industrial control systems were built for reliability and safety, not cybersecurity, which means legacy weaknesses will remain for some time. Many devices still rely on outdated protocols without authentication, flat network architectures, and long hardware lifecycles that make patching or replacement difficult. These challenges are compounded by limited visibility into assets and the operational risks of downtime. The fundamental security problems in ICS environments will persist well into the future. We are already seeing more OT-focused malware and ransomware linked to geopolitical conflict. For example, VoltRuptor is a sophisticated ICS/SCADA malware developed by the Infrastructure Destruction Squad, featuring multi-protocol support, persistence, and anti-forensics capabilities. It has been deployed in attacks against critical infrastructure and is sold on dark web forums. Analysts believe it is aligned with state-sponsored campaigns targeting countries that are not pro-Russia or China, making it a significant geopolitical cyber threat. This is just one of many examples, and such attacks are expected to increase in the year ahead.
The next battleground is digital, says Michael Freeman, head of threat intelligence at Armis:
By 2026, more than a third of global energy and utilities infrastructure will have experienced cyber pre-positioning activity — quiet access, data collection, and operational mapping by both human and AI-assisted adversaries. To secure critical infrastructure against sophisticated, AI-assisted adversaries, a multi-faceted defense is essential, requiring organizations to implement strict network monitoring and segmentation across all operational zones; simultaneously, they must mandate Software Bills of Materials (SBOMs) and integrity checks for every piece of third-party code; and finally, deploy AI-assisted anomaly detection specifically tuned to recognize and alert on deviations from the unique, often static, traffic patterns of Operational Technology (OT) and industrial control systems.
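One way to implement the allowlist-style anomaly detection Freeman describes, where the static traffic patterns of an OT segment are learned from a clean window and any new talker, new conversation or unexpected write is alerted on, as an added example that is not part of the original article or of any vendor's product. The host addresses, Modbus function codes and flow records are constructed for illustration.

```python
"""Allowlist anomaly detection for static OT traffic (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus/TCP function codes that change device state; a new writer is high severity.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 23}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    function_code: Optional[int]  # Modbus function code, None for non-Modbus flows

FlowKey = Tuple[str, str, int, Optional[int]]

# Constructed baseline window: HMI 10.1.0.5 polls two PLCs and writes to one of them.
BASELINE = [
    Flow("10.1.0.5", "10.1.1.10", 502, 3),   # read holding registers, PLC A
    Flow("10.1.0.5", "10.1.1.11", 502, 3),   # read holding registers, PLC B
    Flow("10.1.0.5", "10.1.1.10", 502, 16),  # write multiple registers, PLC A
]

# Constructed observation window: the baseline traffic plus three deviations.
OBSERVED = BASELINE + [
    Flow("10.1.0.5", "10.1.1.11", 502, 16),  # HMI now writes to PLC B (never seen)
    Flow("10.1.0.99", "10.1.1.10", 502, 3),  # unknown host reads PLC A
    Flow("10.1.0.5", "10.1.1.10", 502, 43),  # known host reads device identification
]

def learn_baseline(flows: List[Flow]) -> Set[FlowKey]:
    """Record every (src, dst, port, function code) tuple seen in a clean window."""
    return {(f.src, f.dst, f.dst_port, f.function_code) for f in flows}

def detect(flows: List[Flow], baseline: Set[FlowKey]) -> List[Tuple[str, str]]:
    """Return de-duplicated (severity, description) alerts for flows not in the baseline."""
    known_sources = {key[0] for key in baseline}
    alerts = {}
    for f in flows:
        key = (f.src, f.dst, f.dst_port, f.function_code)
        if key in baseline:
            continue  # expected traffic on a static OT segment
        if f.function_code in WRITE_FUNCTION_CODES:
            severity = "high"    # a write the baseline never contained
        elif f.src not in known_sources:
            severity = "high"    # a host that has never spoken on this segment
        else:
            severity = "medium"  # known host, new read or unusual function code
        alerts[(severity, f"{f.src} -> {f.dst}:{f.dst_port} fc={f.function_code}")] = None
    return list(alerts)

if __name__ == "__main__":
    for severity, description in detect(OBSERVED, learn_baseline(BASELINE)):
        print(f"[{severity}] {description}")
```

The baseline set would normally be learned from days of captured traffic rather than three records, and re-learned only after a controlled change window.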
Critical infrastructure targeting will expand into sectors supporting logistics and manufacturing, says Jeanette Miller-Osborn, field cyber intelligence officer at Dataminr:
Critical infrastructure targeting will expand beyond typical sectors like electricity and finance to include food, agriculture, and other logistics components. We’ve seen this happen already with the summer cyberattack on United Natural Foods, which left Whole Foods' shelves bare. We will see an increase in disruptive attacks on the agricultural industry as adversaries prod new pain points that inflict equal, if not more, disruption on society. We’ll also see similar types of attacks increase across the supply chain, including shipping ports, railways, and manufacturers, which are among the least secure points.
This year will see directed hybrid warfare, says Nadir Izrael, co-founder and CTO of Armis:
The industry will need to prepare for when hyper-scaled state and non-state actors deploy autonomous AI agents to conduct hybrid warfare, blending cyberattacks, misinformation, and kinetic effects. It is relatively easy and does not require vast resources, while at the same time inflicting maximum damage and disruption. For example, AI could remotely disable transport logistics, simultaneously trigger energy grid failures, and release coordinated disinformation campaigns to sow chaos among populations. Civilian systems, government agencies, and military logistics would all face synchronized pressure from virtually any entity with a little technical knowledge and an internet connection.
Nation-state coordination and geopolitical alignment in cyberattacks, says Gary Barlet, public sector CTO at Illumio:
Nation states will deepen their collaboration in cyberspace, shifting from isolated operations to coordinated, multi-country campaigns. Nation-state actors will increasingly work with each other to support intelligence collection, strategic disruption, and operations timed around global events. This growing cooperation will blur the lines between criminal and state-directed activity, making attribution even more difficult. Agencies and critical infrastructure operators must prepare for these coordinated campaigns by implementing post-breach containment strategies.
Critical infrastructure in the crosshairs, says Derek Manky, chief security strategist and global VP of threat intelligence at Fortinet:
Attackers are expected to increasingly focus on high-impact sectors, such as manufacturing, healthcare, and utilities. The ransomware-as-a-service (RaaS) model is already expanding into OT environments, where data theft, extortion, and service disruption now converge in a single playbook, and this trend will continue.
Critical infrastructure remains a prime target, says Dave Gerry, CEO of Bugcrowd:
Attacks against critical infrastructure will remain a top concern. Hardware security, including IoT devices, pipelines, and water systems, will continue to be key risk areas, requiring organizations to prioritize protective measures across the evolving attack surface.