Operational technology networks — the systems controlling physical infrastructure, manufacturing, and industrial processes — are experiencing an unprecedented surge in documented vulnerabilities in 2026. The convergence of IT and OT has created attack surfaces that security programs are struggling to address.
The Convergence Problem
For decades, operational technology networks operated in isolation. SCADA systems, PLCs, building automation, and industrial control systems ran on proprietary protocols on air-gapped networks — secure by obscurity and separation. That era is over. The relentless push for operational efficiency, remote monitoring, and data integration has connected OT networks to IT infrastructure, cloud platforms, and in many cases, the public internet.
The security implications are severe. OT systems were designed for reliability and longevity, not security. Devices with 15-to-20-year operational lifespans run firmware that hasn't been updated in years — in some cases, firmware that cannot be updated without replacing hardware. Default credentials are common. Encryption is rare. And the organizations responsible for these systems are often facilities management teams, not cybersecurity professionals.
"Threat actors are actively targeting OT environments with increasing sophistication. The physical consequences of successful OT attacks — including facility shutdowns, safety system compromise, and physical damage — represent a category of risk that demands immediate attention from facility security programs."
Current Threat Landscape
The 2026 threat landscape for OT environments is characterized by three primary attack vectors, each with distinct physical security implications:
Ransomware Targeting OT
Nation-state and criminal groups now target OT networks with ransomware that encrypts engineering workstations, HMIs and the project files holding control system configurations, leaving operators without visibility into the process and without a clean configuration to restore from.
IT/OT Pivot Attacks
Attackers compromise IT infrastructure first, then pivot laterally into OT segments through inadequately segmented network architectures, where a compromised IT host can reach control system segments directly rather than through a controlled and monitored interconnect.
Remote Access Exploitation
VPN and remote access solutions provisioned during COVID-era remote operations remain in place, often with default credentials and without MFA.
Physical Security Implications
What makes OT vulnerabilities uniquely consequential for physical security programs is the direct link between cyber compromise and physical outcomes. Unlike a data breach that affects information, an OT compromise can:
- Disable electronic access control systems, either locking occupants out or allowing unrestricted access
- Compromise CCTV recording and monitoring systems, creating surveillance blind spots
- Override alarm systems, preventing detection of physical intrusion
- Manipulate HVAC and environmental controls, creating unsafe conditions
- Disable fire suppression or safety interlocks in industrial environments
- Provide adversaries with real-time intelligence on facility operations and personnel locations
The Access Control Vulnerability
Of particular concern to physical security practitioners is the growing prevalence of IP-connected access control systems that share network infrastructure with OT environments. Modern electronic access control platforms — door controllers, panel networks, credential management servers — are increasingly deployed on the same network segments as building automation, HVAC control, and in some cases, industrial process control systems.
When an attacker gains a foothold in the OT environment through an industrial control system vulnerability, the path to the access control network is often a single, insufficiently segmented hop. The result: an adversary who entered through a SCADA vulnerability can unlock doors, disable cameras, and silence alarms.
Recommended Countermeasures
Addressing OT vulnerability exposure requires a coordinated effort between IT, OT, and physical security teams — disciplines that historically operate in silos. The following countermeasures represent the highest-priority actions for most industrial and commercial facility operators:
- Network segmentation — physical security systems, building automation, and industrial OT must be on isolated network segments with controlled, monitored interconnects
- OT asset inventory — you cannot protect what you cannot see; a complete inventory of all networked OT devices is the essential starting point
- Default credential elimination — systematically identify and change all default credentials on OT-connected devices
- Remote access hardening — implement MFA on all remote access solutions; eliminate any direct internet-facing OT connectivity
- Patch and firmware management — establish a formal process for OT device patching, including vendor engagement on devices that cannot be updated
- Incident response planning — develop and test OT-specific incident response procedures, including manual override capabilities for critical physical systems
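The pivot described in the access control section above (an attacker with an ICS foothold reaching the access control network in a single unauthorized hop) and the segmentation, credential, remote access and firmware countermeasures in this list can be checked mechanically once an asset inventory exists. The following Python script is an added example, not code from the original article or from any vendor: it audits a constructed inventory of hypothetical devices (the device names, zone labels, firmware dates and the three-year firmware-age threshold are this example's own assumptions) against an allowed-flow policy, maps every violation to the countermeasure that addresses it, and computes the zone path an attacker could traverse between any two zones using only the flows actually observed.

```python
"""Audit a constructed OT/physical-security inventory against the countermeasures
above: segmentation, default credentials, remote access MFA, internet-facing OT
and stale firmware.  Names, zones, dates and thresholds are this example's own
assumptions, not data from the article."""
from collections import deque
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Zone convention assumed here: IT (corporate), DMZ (broker/jump zone),
# BAS (building automation/HVAC), ACS (access control and CCTV), ICS (process control).
OT_ZONES = {"BAS", "ACS", "ICS"}

# Policy: the only inter-zone flows that should exist.  Everything crosses the
# DMZ; OT zones never talk to each other or to IT directly.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {
    ("IT", "DMZ"), ("DMZ", "ICS"), ("DMZ", "BAS"), ("DMZ", "ACS"),
}


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    default_creds: bool          # still on vendor default credentials
    firmware_date: date          # build date of the running firmware
    internet_facing: bool = False
    remote_access: bool = False  # exposes a VPN / remote-access service
    mfa: bool = False            # that service enforces MFA


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str   # countermeasure from the list above that addresses it
    severity: str  # "critical", "high" or "medium"
    detail: str


# Constructed inventory of hypothetical devices.
ASSETS: List[Asset] = [
    Asset("corp-vpn-gw", "IT", False, date(2025, 9, 1),
          internet_facing=True, remote_access=True, mfa=True),
    Asset("ot-vendor-vpn", "DMZ", True, date(2020, 4, 15),
          internet_facing=True, remote_access=True, mfa=False),
    Asset("plc-line3", "ICS", True, date(2011, 6, 30), internet_facing=True),
    Asset("hvac-controller", "BAS", False, date(2019, 2, 10)),
    Asset("door-panel-lobby", "ACS", True, date(2024, 3, 5)),
    Asset("nvr-cctv", "ACS", False, date(2024, 8, 20)),
]

# Constructed zone-to-zone flows as a firewall log or reachability scan would
# show them: (src_zone, dst_zone).
OBSERVED_FLOWS: List[Tuple[str, str]] = [
    ("IT", "DMZ"), ("DMZ", "ICS"), ("ICS", "ACS"), ("ICS", "BAS"), ("IT", "ACS"),
]


def path_between(src: str, dst: str,
                 flows: List[Tuple[str, str]]) -> Optional[List[str]]:
    """Shortest chain of zones from src to dst over the observed flows (BFS);
    None if dst is unreachable.  This is the attacker's pivot path."""
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path: List[str] = []
            cur: Optional[str] = zone
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for a, b in flows:
            if a == zone and b not in parent:
                parent[b] = zone
                queue.append(b)
    return None


def audit(assets: List[Asset] = ASSETS,
          flows: List[Tuple[str, str]] = OBSERVED_FLOWS,
          today: date = date(2026, 1, 15),
          max_firmware_age_days: int = 3 * 365) -> List[Finding]:
    """Map each policy violation to the countermeasure that fixes it."""
    findings: List[Finding] = []
    for src, dst in flows:
        if src != dst and (src, dst) not in ALLOWED_FLOWS:
            findings.append(Finding(f"{src}->{dst}", "segmentation", "high",
                                    "inter-zone flow not in allowed policy"))
    for a in assets:
        if a.internet_facing and a.zone in OT_ZONES:
            findings.append(Finding(a.name, "remote access hardening", "critical",
                                    "OT device directly internet-facing"))
        if a.remote_access and not a.mfa:
            findings.append(Finding(a.name, "remote access hardening", "high",
                                    "remote access service without MFA"))
        if a.default_creds:
            findings.append(Finding(a.name, "default credential elimination",
                                    "high", "vendor default credentials in use"))
        if (today - a.firmware_date).days > max_firmware_age_days:
            findings.append(Finding(a.name, "patch and firmware management",
                                    "medium", f"firmware dated {a.firmware_date}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the backlog can be worked top-down."""
    counts: Dict[str, int] = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ["critical", "high", "medium"]
    print("ICS -> ACS path:", path_between("ICS", "ACS", OBSERVED_FLOWS))
    print("IT  -> ICS path:", path_between("IT", "ICS", OBSERVED_FLOWS))
    for f in sorted(audit(), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:8}] {f.asset:18} {f.control}: {f.detail}")
    print(summarize(audit()))
```

On the constructed data the ICS-to-ACS path is the single unauthorized hop the access control section describes, and the three segmentation findings are the interconnects to close first; the same policy table is what a real interconnect firewall rule set should encode.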
The organizations most exposed to OT cyber risk are those that have modernized their physical security systems — IP cameras, networked access control — without implementing the network security controls appropriate for those systems. Physical security modernization and cybersecurity must advance together.