Outlook and Predictions
The future of OT security is already taking shape. Our 2025 survey data reveals patterns that will intensify over the next three years, evolving from early indicators into defining characteristics of operational resilience. These trends are not merely distant possibilities; they reflect the current reality and signal future trajectory.
Ransomware Evolution in OT Environments
Ransomware has emerged as one of the most persistent threats to OT environments, impacting 52% of organizations in the past year. LockBit, Medusa, and Clop have dominated the threat landscape, accounting for the majority of incidents through IT-facing attack vectors that propagate downstream into operational systems.
Figure 5.1: Ransomware Impact on OT Environments
Rather than a surge in ICS-specific malware, most incidents will continue originating from compromised credentials, VPNs, SSO platforms, perimeter devices, or third-party access, with OT disruption occurring as a consequence of enterprise-wide compromise. As digital transformation deepens IT–OT connectivity, ransomware will increasingly manifest as an availability and recovery crisis for operations.

01 IT-Originated Attack Vectors
Most ransomware intrusions will continue to enter through compromised credentials, VPNs, SSO platforms, perimeter devices, or third-party access, with OT disruption occurring downstream rather than through purpose-built ICS malware.

02 Compressed Attack Timelines
The ransomware ecosystem will remain highly specialized, compressing the time from initial access to operational impact and reducing defenders' opportunity for early containment.

03 Identity-Based Exploitation
Identity abuse and trusted access paths will remain the most common points of failure, reflecting the limitations of perimeter-only security models in OT.

04 Multi-Layered Extortion Tactics
Double- and triple-extortion tactics will persist, with heightened pressure on safety-sensitive and regulated industries where downtime and compliance consequences amplify attackers' leverage.
Our recommendation is pragmatic: organizations must address ransomware as both a prevention and recovery challenge. While backup and recovery capabilities remain essential for business continuity, OT environments cannot afford to rely on post-compromise response as a primary strategy. The time between detection and containment, acceptable in IT environments, translates directly into production losses and safety risks in OT. Organizations should prioritize layered prevention that stops ransomware before execution, maintains operational continuity during attacks, and enables rapid recovery when attackers bypass prevention. Defense strategies that prevent disruption inline, without requiring human intervention during active attacks, will be most effective in protecting continuous operations.
IT-OT Convergence Creating Critical Vulnerabilities
As IT and OT environments continue to converge, the attack surface of industrial operations is expanding faster than many organizations can realistically secure. Connectivity that enables efficiency, remote access, and data-driven operations also creates new pathways for threat actors to move laterally from enterprise IT into OT environments. In practice, many OT incidents now originate from weaknesses that fall outside traditional OT security but have direct, often severe operational consequences.
- Increased reliance on shared identity systems, remote access platforms, and centralized management tools has made credential compromise one of the most effective pivot points from IT to OT.
- Legacy OT systems, never designed for persistent connectivity, are increasingly exposed to modern attack techniques without the ability to support timely patching or advanced security controls.
- Misaligned security ownership between IT and OT teams often creates gaps in visibility, accountability, and response during cross-domain incidents.
- Once attackers gain a foothold in converged environments, containment becomes more complex, and defensive actions in IT can unintentionally disrupt OT operations.
Our recommendation: organizations must treat IT-OT convergence as a shared risk domain, not a handoff between teams. Some organizations have moved ahead, while many others are moving slowly. Organizations should design security architectures that assume cross-domain compromise, enforce strong identity and access controls, and enable coordinated response between IT and OT stakeholders. Beyond detection and response, converged environments require inline protections that automatically prevent lateral movement and contain threats, without waiting for cross-team coordination or manual intervention that operational timelines cannot accommodate. Without this shift, convergence will continue to amplify vulnerabilities faster than defenses can adapt.
EU Cyber Resilience Act (CRA) Compliance Urgency
The first CRA obligations will take effect on September 11, 2026, with full compliance required by December 11, 2027. However, readiness remains alarmingly low. As of the fourth quarter of 2025, our survey shows that only 29% of organizations plan to implement CRA compliance within the next year, revealing a significant gap between organizational preparedness and the actual pace of EU legislation.
1. Certification Framework Uncertainty
At the time of writing this report, the potential CRA certification authorities have not yet released detailed certification frameworks or specific assessment requirements.
2. Financial Penalties Driving Compliance
The prospect of substantial fines, up to €15 million or 2.5% of annual turnover, will compel large enterprises to pursue compliance.
3. Resource Capacity Constraints
As deadlines approach, a surge of organizations will compete simultaneously for the limited capacity of certification bodies and consulting firms to gain an early advantage.
Our recommendation is clear: start early. When compliance carries both punitive consequences and the opportunity to establish competitive barriers, organizations will quickly recognize it as a high-priority issue.
Only early movers will have a brief window to convert liability into a competitive edge, and the resulting business impact could be significant.
Cultural Shift from Compliance to Resilience
Even though cybersecurity compliance remains an ongoing objective for enterprises, all our surveys reveal the same pragmatic reality: organizations define their OT cybersecurity KPIs primarily around maximizing operational efficiency, which means minimizing downtime and maximizing system reliability and availability. This is the way forward.
In practice, cybersecurity priorities will focus on uptime, recovery speed, and risk reduction rather than checklist completion. Security teams will ultimately be evaluated by how effectively they support operations, not by how many alerts they generate. As a result, collaboration among engineering, safety, and security functions will become the norm. Security strategy will evolve into operational resilience engineering. Availability and safety are core OT imperatives; resilience goes beyond defense. Resilience can be strengthened by:
- Scenario modeling and simulation of physical/digital impacts from cyber events, linked to real-time ICS/SCADA states.
- Resilience drills powered by digital twins that capture plant logic, network topology, and control interactions.
- Recovery-oriented automation that can roll back harmful changes or isolate segments without a full shutdown.
Legacy Infrastructure Crisis
Including Windows 10, roughly 50% of Windows devices worldwide have already become legacy systems with no access to security updates. We estimate that in many OT environments, legacy systems may account for as much as 75% of deployed assets. There are many objective reasons why organizations cannot update legacy systems.
Our joint survey with Omdia shows that the primary reasons for staying with legacy systems, in descending order, are compliance or regulatory complications (49%), the absence of a perceived need to update from an operational efficiency standpoint (47%), a lack of available downtime to complete updates (37%), resistance from operational teams (34%), and budget constraints (33%).
This growing accumulation of legacy equipment significantly increases the burden on cybersecurity teams and narrows the range of viable security solution options. Beyond adopting layered security defenses, extending the secure operational lifespan of legacy equipment and protecting systems that no longer receive patches will become both an operational challenge and a critical cybersecurity challenge.
Talent Gap and Workforce Challenges
The greatest challenge in OT cybersecurity is the shortage of skilled personnel, yet the industry is already responding with a fundamental shift in hiring strategy. Our data shows that 46% of OT security personnel now come from operations or engineering backgrounds, compared with 38% from IT security. That figure marks a decisive move away from the traditional IT security staffing model. As cybersecurity tasks and regulatory requirements continue to grow in complexity, this operations-first approach will prevail. Organizations have recognized a fundamental truth: it is far easier to teach operations professionals security fundamentals than to teach security professionals the deep operational expertise required for real-time decision-making in industrial environments.
As a result, we can anticipate that enterprises will increasingly adopt the following measures to address this talent gap:
Figure 5.3: Primary Background of OT Security Personnel (overall composition shown)

OT-Specific Certifications
OT-focused cybersecurity certifications will increasingly differentiate candidates. Key credentials include the GIAC Global Industrial Cyber Security Professional (GICSP), the ISA/IEC 62443 Cybersecurity Certificate Program, the GIAC Response and Industrial Defense (GRID), and the GIAC Critical Infrastructure Protection (GCIP).

Operations-to-Security Training
Investment in cybersecurity education and training will increase, as it is far more difficult for cybersecurity specialists to acquire deep operational expertise than it is for operations professionals to develop foundational cybersecurity skills.

Normalized External Partnership
Reliance on external cybersecurity resources will gradually become the norm. Providers such as MSSPs will extend their reach further into core operational environments.

AI-Compensated Workforce Gaps
AI-driven tools will be widely adopted to compensate for workforce shortages, becoming essential to rebalancing the people–process–technology triad and narrowing the talent gap.
Emerging Attack Vectors
As ransomware and broader OT-focused attacks continue to evolve, several emerging factors are reshaping how threat actors achieve scale and impact. Increasing reliance on shared platforms, identity-based access, and hybrid IT–OT architectures is expanding the effective attack surface, while attackers are becoming more adept at exploiting trust relationships rather than relying solely on technical flaws.
- Trusted identities, including compromised employee, contractor, and vendor credentials, are increasingly used to bypass perimeter defenses and move laterally across IT and OT environments.
- Internet-facing devices and edge infrastructure remain high-value entry points, particularly where operational requirements constrain patching and configuration hardening.
- Shared services, remote management tools, and supply chain integrations are amplifying the downstream impact of single-point compromises.
- Social media amplification and copycat effects are lowering the barrier to entry, encouraging less sophisticated actors to target OT environments without fully understanding operational consequences.
We recommend treating trust as a primary attack surface. Organizations should strengthen identity governance, vendor access controls, and segmentation between enterprise and operational domains. As attack techniques shift from exploiting systems to exploiting relationships, resilience will increasingly depend on how well trust is verified, constrained, and continuously monitored.
AI Everywhere
The application of AI in OT cybersecurity is gradually becoming more practical and widespread. However, in OT environments, organizations must approach AI adoption with caution and stability as core principles. Errors or false positives that IT environments may tolerate can have serious consequences when they affect OT operations. Below are the AI-related applications that we believe will see broad adoption in OT environments in the coming years:
AI as a Force Multiplier for Human Capacity
AI will fundamentally reshape both the number of people needed and the nature of their work. AI-assisted investigations significantly reduce the time spent on packet analysis and log correlation. Automated policy recommendations lower the skill barrier for network segmentation and protection, while context-aware explanations translate alerts into operational language that engineers can readily understand. As a result, human effort can shift away from raw detection and toward decision-making and validation.
AI-Augmented Risk and Compliance Automation
AI will move beyond alerts to risk orchestration. Regulatory and customer expectations are rising; automated governance will scale with:
- Policy auto-learning engines that derive risk controls directly from network behavior and asset profiles, aligning with frameworks like NIST CSF 2.0 and sector-specific standards (e.g., IEC 62443).
- Dynamic risk scoring that updates in real time with changes to configuration, network posture, supply-chain exposures, and threat data.
- Automated evidence generation for audits, reducing manual compliance work and improving audit readiness.
AI-Native OT Detection and Response
OT environments generate dense physical-to-digital telemetry. AI that is native to these cyber-physical systems will reduce noise and improve actionable detection, assisting with:
- Contextual behavioral baselines for OT assets, enabling detection of minute deviations in physical process signals and control patterns.
- Agentic AI in security operations — autonomous agents that investigate, triage, and respond to threats in OT environments with human-aligned guardrails.
- Digestible insights tailored for OT practitioners, reducing false alerts and accelerating remediation cycles.
Dramatic Shifts in Investment Priorities
Over the past several years, mainstream OT cybersecurity vendors have emphasized visibility into risks and vulnerabilities. "You can't protect what you can't see" is a principle no one disputes. In practice, however, organizations' pursuit of risk visibility has consumed a disproportionate share of cybersecurity budgets and staff time, while leaving a critical question unanswered: once risks are identified, then what?
When the number of identified issues far exceeds an organization's ability to remediate them, whether through permanent fixes or workarounds, cybersecurity governance can become unbalanced. Unresolved risks accumulate in systems, leading not only to numerical fatigue but also to difficulty in defining meaningful KPIs for security teams.
The data suggest that the long-standing debate between "find the problems first" and "protect first, then refine" is shifting as organizational mindsets move toward a new equilibrium. For enterprises, the most immediate and practical need is to find actionable solutions within a controllable budget as soon as risks are identified. This need, in turn, directly shapes product design. Rather than building ever more exhaustive detection engines, the market increasingly favors security platforms that deliver focused detection coupled with immediate, actionable countermeasures, aligning more closely with real-world operational demands.
Human-Centered Security and Skill Augmentation
Over the next three years, the effectiveness of OT cybersecurity will increasingly be shaped by human constraints rather than purely technical ones. Persistent talent shortages, growing system complexity, and expanding regulatory demands will continue to outpace the availability of skilled personnel. As a result, organizations will shift toward security models that are designed around human limitations, emphasizing usability, decision support, and operational alignment rather than expecting continuous increases in headcount or expertise.
The outlook for OT security over the next three years is grounded in patterns evident in our 2025 data, rather than speculation. Ransomware will persist, with a particular focus on critical infrastructure sectors. IT-OT convergence will continue to expand attack surfaces faster than many organizations can secure. Regulatory pressures will intensify as CRA deadlines approach. Legacy infrastructure will expand organizations' security debt.
Yet within these challenges lie competitive opportunities. The organizations that will lead are already distinguishing themselves through measurable actions: shifting from visibility tools to protection-first architectures (as evidenced by 51% prioritizing supply chain security), staffing OT security teams with operations backgrounds (46% and growing), and investing in AI-augmented capabilities to overcome workforce constraints. Success will not come from following industry fads but from executing strategies aligned with operational reality.
"The transition from awareness to action, begun in this era, will define operational resilience in the years ahead."
