Trend watch: Critical infrastructure cybersecurity in 2026 — signals, winners, and red flags
A forward-looking assessment of critical infrastructure cybersecurity trends in 2026, identifying the signals that matter, emerging winners, and red flags that practitioners should monitor.
Start here
The convergence of digitized operational technology (OT) and escalating geopolitical tensions has made critical infrastructure cybersecurity one of the defining risk vectors of 2026. Ransomware attacks on energy grids, water treatment facilities, and transportation networks increased 67% year-over-year in 2025, according to the Cybersecurity and Infrastructure Security Agency (CISA), with the average cost of a successful critical infrastructure breach reaching $5.8 million. For sustainability professionals, this is no longer a siloed IT concern. Cyberattacks on energy systems disrupt decarbonization timelines, compromise emissions monitoring integrity, and threaten the operational continuity of renewable installations that underpin climate commitments. Understanding the cybersecurity landscape for critical infrastructure is now inseparable from responsible infrastructure management.
Why It Matters
The global critical infrastructure cybersecurity market reached $21.4 billion in 2025, with projections indicating growth to $34 billion by 2028, driven by regulatory mandates, threat escalation, and the rapid expansion of internet-connected operational technology. The stakes are not abstract. In January 2025, a coordinated cyberattack on Ukrainian energy distribution systems left 1.2 million residents without power for 72 hours during sub-zero temperatures. In the United States, the 2024 breach of a water treatment facility in Aliquippa, Pennsylvania, exploited a programmable logic controller manufactured by Unitronics, highlighting how aging industrial control systems with default credentials remain exposed to relatively unsophisticated threat actors.
The regulatory landscape has intensified substantially. The EU's NIS2 Directive, which took full effect in October 2024, expanded the scope of critical infrastructure cybersecurity obligations to cover energy, transport, water, health, digital infrastructure, and space sectors across all 27 member states. Non-compliant organizations face fines of up to 2% of global annual turnover. In the United States, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires covered entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours, with final rules taking effect in 2026. These regulatory developments create compliance obligations that demand material investment in cybersecurity capabilities.
For sustainability leaders, the intersection is direct. Smart grids, building automation systems, industrial IoT networks, and carbon monitoring platforms all depend on OT systems that were designed for reliability, not security. A 2025 Dragos assessment found that 87% of the industrial control system environments it evaluated had at least one external connectivity path that could be exploited, and 34% had direct internet-facing assets with known vulnerabilities. Securing these systems is a prerequisite for trustworthy sustainability data and reliable clean energy operations.
Key Signals to Watch
Operational Technology and IT Convergence Accelerates
The historical separation between information technology (IT) and operational technology (OT) networks continues to dissolve. Industrial environments that once relied on air-gapped systems now integrate cloud-based analytics, remote monitoring, and automated control functions that create new attack surfaces. Gartner estimates that by 2027, 75% of OT environments will have adopted at least partial IT/OT convergence, up from 45% in 2024. This convergence delivers genuine operational benefits, including predictive maintenance, energy optimization, and real-time emissions tracking, but it also means that compromising an enterprise IT network increasingly provides pathways into physical control systems.
The implication for cybersecurity strategy is fundamental. Organizations can no longer maintain separate IT and OT security teams with distinct tools and processes. Integrated security operations centers (SOCs) that monitor both domains simultaneously are becoming the standard for mature operators. Fortinet, Claroty, and Dragos have each released unified IT/OT security platforms in 2025-2026 that correlate events across enterprise and industrial networks, enabling detection of lateral movement between domains.
AI-Powered Threat Detection Becomes Essential
The volume and sophistication of attacks targeting critical infrastructure have outpaced human analysts' capacity to respond. AI and machine learning for threat detection in OT environments represent the fastest-growing segment of the cybersecurity market, with investment increasing 83% in 2025. Unlike traditional signature-based detection, AI systems learn normal operational patterns for industrial control systems and flag anomalies that may indicate compromise. Darktrace's industrial module, for example, monitors network traffic patterns across SCADA, DCS, and PLC communications, identifying deviations from established baselines without requiring predefined attack signatures.
The effectiveness of AI detection varies significantly by implementation maturity. Organizations deploying AI-powered monitoring for the first time should expect 4 to 8 weeks of tuning to reduce false positives to acceptable levels. Early deployments at utility companies in the US Midwest reported false positive rates exceeding 40% during the first month, dropping to 5 to 8% after 90 days of supervised learning. The technology works best in environments with stable, predictable operations, which makes energy infrastructure and water treatment facilities ideal candidates.
Ransomware Targeting Shifts to Renewable Energy Infrastructure
A concerning trend in 2025-2026 is the increasing targeting of renewable energy assets by ransomware groups. Wind farm operators, solar installation companies, and battery storage facilities have reported a 140% increase in attempted intrusions compared to 2023-2024, according to the European Network and Information Security Agency (ENISA). The attack logic is straightforward: renewable assets are typically managed remotely through cloud-based platforms, often by smaller operators with limited cybersecurity budgets, and their disruption creates immediate economic pressure to pay ransoms.
In September 2025, the LockBit 3.0 ransomware group encrypted operational data for a 450 MW wind portfolio in Northern Europe, disrupting monitoring and control systems for 11 days and causing estimated production losses of $3.2 million. The attack exploited a VPN vulnerability in the operator's remote access infrastructure. This incident and others like it have prompted the European Commission to issue specific cybersecurity guidance for renewable energy operators, and several major insurance underwriters now require documented OT cybersecurity assessments as a condition of coverage for renewable assets.
Emerging Winners
Integrated OT Security Platforms
Companies offering comprehensive OT security solutions are capturing significant market share as organizations move beyond point solutions. Claroty, which raised $400 million in 2024, provides asset discovery, vulnerability management, and threat detection across industrial environments. Its xDome platform supports over 450 industrial protocols and integrates with major SIEM and SOAR platforms. Dragos, focused exclusively on OT cybersecurity, serves over 35% of the Fortune 500 industrial companies and has emerged as the de facto standard for OT threat intelligence.
Nozomi Networks has differentiated through its scalable architecture for distributed infrastructure, particularly relevant for utilities managing thousands of substations and generation assets across wide geographic areas. Its Vantage platform processes telemetry from distributed sensors without requiring centralized data aggregation, addressing bandwidth and latency constraints in remote installations.
Zero Trust Architecture for Industrial Environments
The zero trust security model, which assumes no user, device, or network segment is inherently trustworthy, is being adapted for OT environments. Traditional perimeter-based security is inadequate when devices, vendors, and cloud services all require access to industrial networks. Zscaler and Palo Alto Networks have released OT-specific zero trust solutions in 2025-2026 that enforce granular access policies for industrial protocols including Modbus, DNP3, and OPC UA.
Early adopters report measurable improvements. A major North American electric utility implemented zero trust segmentation across 200 substations in 2025, reducing the mean time to detect unauthorized access from 72 hours to under 4 hours and eliminating three categories of legacy remote access vulnerabilities. The implementation required 14 months and approximately $8 million in total investment, yielding an estimated risk reduction valued at $25 to $40 million annually based on actuarial models.
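The two mechanisms this article describes, a detector that learns normal ICS traffic patterns and flags deviations (the AI-powered detection section) and explicit per-protocol access policies (the zero trust section), reduce to a small core that can be shown together. The following is an added example, not code from the article or from any vendor named in it; the client and PLC addresses, register ranges and the approved-exception policy are all constructed, and the records stand in for parsed Modbus/TCP flow metadata rather than raw packets.

```python
from collections import defaultdict, namedtuple

# Fields: client IP (HMI, historian, engineering workstation), PLC IP,
# Modbus function code, starting register/coil address. Constructed format.
ModbusRecord = namedtuple("ModbusRecord", "src dst function_code register")

# Function codes that change PLC state; an unseen write scores higher than a read.
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


class ModbusBaseline:
    def __init__(self, approved=()):
        # (src, dst) -> {function_code: (min_register, max_register)}
        self.profile = defaultdict(dict)
        # Zero-trust style explicit policy: (src, dst, function_code) triples
        # allowed even if never observed, e.g. approved maintenance writes.
        self.approved = set(approved)

    def learn(self, records):
        for r in records:
            fcs = self.profile[(r.src, r.dst)]
            lo, hi = fcs.get(r.function_code, (r.register, r.register))
            fcs[r.function_code] = (min(lo, r.register), max(hi, r.register))

    def score(self, r):
        """Return None if r is baseline or approved, else (severity, reason)."""
        if (r.src, r.dst, r.function_code) in self.approved:
            return None
        fcs = self.profile.get((r.src, r.dst))
        if fcs is None:
            return ("high", f"new client {r.src} talking to PLC {r.dst}")
        if r.function_code not in fcs:
            sev = "high" if r.function_code in WRITE_FUNCTION_CODES else "medium"
            return (sev, f"unseen function code {r.function_code} from {r.src}")
        lo, hi = fcs[r.function_code]
        if not lo <= r.register <= hi:
            return ("medium", f"register {r.register} outside learned {lo}-{hi}")
        return None


def detect(training, live, approved=()):
    """Learn from training records; return (record, severity, reason) for live hits."""
    baseline = ModbusBaseline(approved)
    baseline.learn(training)
    return [(r, *hit) for r in live if (hit := baseline.score(r)) is not None]


# Constructed sample traffic: an HMI polling holding registers 0-90 of one PLC.
TRAINING = [ModbusRecord("10.1.0.5", "10.1.1.20", 3, reg) for reg in range(0, 100, 10)]
LIVE = [
    ModbusRecord("10.1.0.5", "10.1.1.20", 3, 50),    # routine poll, no alert
    ModbusRecord("10.1.0.5", "10.1.1.20", 3, 400),   # unfamiliar register block
    ModbusRecord("10.1.0.5", "10.1.1.20", 16, 10),   # HMI starts writing registers
    ModbusRecord("10.1.0.99", "10.1.1.20", 3, 0),    # never-seen client reads PLC
    ModbusRecord("10.1.0.7", "10.1.1.20", 16, 10),   # approved engineering write
]
APPROVED = {("10.1.0.7", "10.1.1.20", 16)}  # policy exception, suppresses alert
```

Calling `detect(TRAINING, LIVE, APPROVED)` flags the unfamiliar register block, the HMI's write and the unknown client while staying silent on the approved engineering write; dropping the `APPROVED` policy turns that write into a fourth alert, which is the kind of false positive the tuning period in the text exists to remove.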
Managed Security Services for Mid-Market Infrastructure Operators
Smaller utilities, water districts, and regional energy companies lack the budgets and expertise to build internal OT security capabilities. Managed security service providers (MSSPs) specializing in critical infrastructure are filling this gap. Companies like Accenture's OT Security practice, Deloitte's Cyber OT team, and specialized firms such as 1898 & Co. (a subsidiary of Burns & McDonnell) offer outsourced monitoring, incident response, and compliance management at price points accessible to organizations with $500 million to $5 billion in revenue.
Red Flags and Risks
Supply Chain Vulnerabilities in Industrial Control Systems
The SolarWinds and MOVEit breaches demonstrated that supply chain attacks can compromise thousands of organizations simultaneously. Critical infrastructure faces analogous risks through compromised firmware updates, embedded backdoors in industrial components, and vulnerabilities in widely deployed SCADA platforms. The concentration of industrial control system vendors (Siemens, ABB, Rockwell Automation, Schneider Electric, and Honeywell collectively control over 70% of the market) means that a vulnerability in a single vendor's product can propagate across entire sectors.
Workforce Shortages Constrain Response Capacity
The global cybersecurity workforce gap reached 4 million unfilled positions in 2025 according to ISC2, with OT security specialists among the scarcest profiles. Organizations report that hiring qualified OT security engineers requires 6 to 9 months on average, with compensation packages 30 to 40% above general IT security roles. This shortage constrains incident response capacity and creates dependency on external consultants during critical events.
Regulatory Fragmentation Creates Compliance Complexity
While NIS2 and CIRCIA represent significant advances, the lack of global harmonization in critical infrastructure cybersecurity requirements creates compliance burdens for multinational operators. A global energy company may face distinct reporting timelines, risk assessment methodologies, and certification requirements across the EU, US, UK, Australia, Japan, and Singapore. The compliance cost for navigating these overlapping regimes can exceed the cost of the underlying security measures themselves.
KPIs and Benchmarks
| Metric | Below Average | Average | Above Average | Top Quartile |
|---|---|---|---|---|
| Mean Time to Detect OT Intrusion | >72 hours | 24-72 hours | 6-24 hours | <6 hours |
| OT Asset Visibility Coverage | <50% | 50-70% | 70-90% | >90% |
| Patch Compliance (Critical OT Vulnerabilities) | <30% within 30 days | 30-60% | 60-80% | >80% |
| Incident Response Plan Testing Frequency | Annual or less | Semi-annual | Quarterly | Monthly tabletop + annual full exercise |
| Cybersecurity Spend as % of OT Capital Budget | <2% | 2-4% | 4-7% | >7% |
| Employee Security Awareness Training Completion | <60% | 60-80% | 80-95% | >95% with verified comprehension |
Action Checklist
- Conduct comprehensive OT asset inventory covering all connected industrial control systems, IoT devices, and remote access pathways
- Implement network segmentation between IT and OT environments with monitored demilitarized zones
- Deploy OT-specific threat detection that understands industrial protocols rather than repurposing IT security tools
- Establish incident response plans specific to OT environments, including manual override procedures for safety-critical systems
- Assess supply chain cybersecurity for all industrial control system vendors and managed service providers
- Align compliance programs with applicable regulations including NIS2, CIRCIA, and sector-specific requirements
- Evaluate cyber insurance coverage for OT-specific incidents and ransomware scenarios affecting physical operations
- Train operations staff on cybersecurity awareness specific to industrial environments, beyond generic phishing awareness
FAQ
Q: How should sustainability teams engage with cybersecurity for operational technology? A: Sustainability teams should participate in OT cybersecurity governance because compromised monitoring systems produce unreliable emissions data, and cyberattacks on clean energy assets directly impair decarbonization progress. Request inclusion in OT risk assessments, ensure carbon monitoring and reporting platforms are covered by security controls, and verify that cybersecurity incident response plans address continuity of sustainability reporting obligations.
Q: What is the typical cost of implementing OT cybersecurity for a mid-sized utility? A: For a utility serving 100,000 to 500,000 customers, expect $2 to $8 million for initial OT security program deployment, including asset discovery, network segmentation, monitoring tools, and staff training. Ongoing annual costs typically run $800,000 to $2 million for monitoring, maintenance, and managed security services. These figures exclude major infrastructure upgrades such as replacing end-of-life PLCs that cannot be patched.
Q: Are renewable energy installations at higher cybersecurity risk than conventional generation? A: Renewable installations face distinct risks rather than categorically higher risk. They are typically managed remotely with cloud-based platforms, operated by organizations with smaller cybersecurity budgets, and distributed across many sites that are difficult to physically secure. However, individual renewable assets generally have simpler control systems than thermal power plants, reducing the complexity of the attack surface. The primary risk lies in portfolio-level attacks that compromise centralized management platforms controlling hundreds or thousands of distributed assets.
Q: How do NIS2 requirements differ from pre-existing cybersecurity obligations? A: NIS2 expands scope to cover additional sectors (including space, wastewater, and digital infrastructure), introduces personal liability for senior management, mandates 24-hour early warning notifications for significant incidents, requires supply chain risk assessments, and harmonizes penalties across EU member states at up to 2% of global turnover. Organizations previously not classified as operators of essential services may now fall within scope and should conduct gap assessments against NIS2 requirements immediately.
Sources
- Cybersecurity and Infrastructure Security Agency. (2025). Critical Infrastructure Cyber Incident Trends: Annual Report 2025. Washington, DC: CISA.
- Dragos, Inc. (2025). OT Cybersecurity Year in Review 2025. Hanover, MD: Dragos.
- European Union Agency for Cybersecurity. (2025). Threat Landscape for the Energy Sector. Athens: ENISA.
- Gartner. (2025). Market Guide for OT Security. Stamford, CT: Gartner Research.
- ISC2. (2025). Cybersecurity Workforce Study 2025. Clearwater, FL: ISC2.
- International Energy Agency. (2025). Cybersecurity of Power Systems. Paris: IEA Publications.
- National Institute of Standards and Technology. (2025). Cybersecurity Framework for Critical Infrastructure Protection, Version 2.1. Gaithersburg, MD: NIST.