Source: WEF Global Cybersecurity Outlook 2026 (Insight Report, January 2026)
Operational technology (OT) cybersecurity has moved from a plant-floor specialty to an enterprise and national resilience concern. The report notes that recent disruptions in retail and manufacturing chains, aviation slowdowns, intrusions into public-sector systems, and hyperscale cloud outages demonstrate how a single local fault or targeted attack can rapidly cascade into global-scale consequences. 9
OT risk is increasingly cyber-physical because the industrial operating environment is changing. In the report’s framing, we are in a “digital-industrial era” where the boundary between IT and OT “has all but disappeared.” As a result, “strict air-gapped segregation” is becoming untenable, and organizations must manage converged environments with rigorous segmentation, monitoring, and governance. 1,2
This trend is particularly evident across manufacturing, energy, transportation, and other critical infrastructure systems, where IT/OT convergence is delivering efficiency and innovation while increasing exposure and the need for advanced segmentation to control risk. 3
OT Cyber Risk Is a Measurable Governance Gap
The report’s survey results statistically quantifies a persistent OT governance maturity gap. Survey respondents report that only a minority of organizations with industrial environments monitor OT security with dedicated tooling, maintain dedicated OT security teams, or escalate OT security issues to the board—suggesting a disconnect between OT risk ownership and executive oversight. 4
The report also links governance weakness to systemic consequence: limited board visibility can delay investment and constrain enterprise-wide understanding of exposure, while industrial disruptions can cascade beyond a single operator to suppliers, partners, and national economies. 5
Power Systems, Energy, and Transportation: Cyber-Physical Stakes
For power systems and critical national infrastructure, the report underscores how resilience planning must treat disruption scenarios as national-level risks. It cites the large-scale power outage in the Iberian Peninsula (Spain, Portugal, et al.) as a reminder that, even when an incident is not caused by a cyberattack, it can illustrate the potential impact of a cyberattack on critical infrastructure. 10
It further notes that sectors such as energy, water, and transportation are increasingly targeted in cyber warfare campaigns, where interconnected systems amplify operational disruption. A referenced 2025 incident involving a Norwegian hydropower dam—where attackers opened a floodgate in what officials described as sabotage—illustrates how cyber operations can create physical consequences. 11
Financially Quantifying Cyber Risk in OT Infrastructures
A central operational message is to financially quantify cyber risk in OT infrastructures rather than relying on qualitative threat narratives. The report emphasizes “quantifying cyber risk and scenario-building” to model potential impact and drive adequate investment toward resilience. 13
The Jaguar Land Rover case illustrates why cyber risk quantification matters in industrial sectors: the incident halted production across global operations for weeks, disrupted thousands of suppliers, and created both direct cyber-related costs and wider economic losses. The report explicitly ties this to supply-chain propagation risk, where a disruption in one actor can amplify risk across industries—reinforcing the need to quantify OT cyber risk using business and operational metrics such as downtime, recovery time, safety exposure, and cascading supplier disruption. 12,14
In that context, the report’s conclusion is direct: cybersecurity is not merely an IT function; it is a strategic business imperative and a cornerstone of national economic resilience. For OT-intensive sectors, cyber risk quantification should therefore be treated as a governance and capital allocation discipline, not just a technical control discussion. 15
Quantify OT cyber risk in financial terms with DeRISK CRQ today!
Industry Trends Reshaping OT Cybersecurity
Two industry trends in the report are particularly material for OT environments. First, “AI is supercharging the cyber arms race,” and the survey signals broad expectation that AI will be the most significant driver of change in cybersecurity in 2026. 6,7
Second, the increasing use of IoT devices and cloud-based services expands the attack surface and introduces new vulnerabilities, especially when embedded in supply chains or vendor ecosystems without adequate controls. Survey data identifies cloud technologies as the second most impactful technology for cybersecurity in 2026, after AI—an important indicator for OT programs that rely on cloud-connected monitoring, analytics, remote access, and the data-center backbone that supports these services. 8
New Cyber-Physical Risk: Climate Volatility and Digital Dependency
Looking forward, the report frames an emerging cyber-physical risk: by 2030, the convergence of climate volatility and digital dependency may transform natural disasters into “complex cyber-physical crises.” Extreme weather can disrupt power, data, and logistics networks, while AI-driven coordination systems for energy grids and emergency response introduce new attack surfaces; expanding renewable energy and storage infrastructure increases cyber exposure through dense networks of sensors and cloud-linked controllers. 16
Implications for Executives and Operators
Based on the report’s findings, leaders in OT-intensive sector (e.g., power systems, manufacturing, energy, transportation, and cloud-dependent operations), they may consider: elevate OT cybersecurity reporting to executive and board governance, engineer segmentation and monitoring for converged IT/OT environments, and operationalize cyber risk quantification and scenario testing that explicitly models cyber-physical impact and ecosystem dependencies.
Operationalize OT exposure + vulnerability risk with DeRISK QVM
Quoted Source Excerpts and Page Numbers
Note: Page numbers refer to the PDF pagination of Global Cybersecurity Outlook 2026 (Insight Report, January 2026).
[1] “In today’s digital-industrial era, the boundary between IT and OT has all but disappeared.” (PDF p. 36).
[2] “While strict air-gapped segregation of IT and OT systems used to be the norm in OT governance frameworks for years, contemporary advances in technology and expectations of connectivity between systems is making such practices untenable.” (PDF p. 36).
[3] “Sectors such as manufacturing, energy, transportation and critical infrastructure systems now see IT and OT systems increasingly converge, driving efficiencies and innovation but also needing to apply more advanced segmentation to control risk exposure.” (PDF p. 36).
[4] “Only 16% of organizations with industrial environments report OT security issues to their boards, and just 20% maintain dedicated security teams. Meanwhile, 32% of organizations actively monitor OT systems with specific security tooling, yet in only 36% of the cases is the CISO directly responsible for OT security.” (PDF p. 36).
[5] “The lack of board-level oversight not only delays investment but also limits enterprise-wide understanding of risk exposure. This governance gap poses systemic implications: as is the case with IT, when disruptions in industrial systems similarly occur their effects cascade far beyond a single organization – to suppliers, partners and even national economies.” (PDF p. 36).
[6] “AI is supercharging the cyber arms race.” (PDF p. 4).
[7] “AI is anticipated to be the most significant driver of change in cybersecurity in the year ahead, according to 94% of survey respondents.” (PDF p. 4).
[8] “The increasing use of internet of things (IoT) devices and cloud-based services is expanding the attack surface and introducing new vulnerabilities, especially when these technologies are integrated into supply chains or vendor ecosystems without adequate security controls. Survey data highlights this risk: cloud technologies are identified as the second most impactful technology for cybersecurity in 2026, after AI.” (PDF p. 47).
[9] “A new generation of cyber incidents has exposed the fragility of these connections: disruptions in retail and manufacturing chains, aviation slowdowns, intrusions into public-sector systems and hyperscale cloud outages. Each event underscored how tightly interlinked the digital ecosystem has become – where a single local fault or targeted attack can rapidly cascade into global-scale consequences.” (PDF p. 9).
[10] “The large-scale power outage experienced in the Iberian Peninsula, while not in itself the result of a cyberattack, highlighted the impact a cyberattack could have on such critical national infrastructure.” (PDF p. 27).
[11] “Sectors such as energy, water and transportation are increasingly targeted in cyber warfare campaigns, where the interconnected nature of systems amplifies the impact of disruptions. A striking illustration came in April 2025 when a Norwegian hydropower dam was hacked, opening a floodgate and releasing 500 litres of water per second for four hours, in what officials described as a deliberate act of sabotage.” (PDF p. 27).
[12] “In August 2025, Jaguar Land Rover – the United Kingdom’s largest automotive manufacturer – suffered a devastating cyberattack that brought production across its global operations to a halt for five weeks and affected more than 5,000 suppliers. The company faced direct financial repercussions, including £196 million ($260 million) in cyber-related costs and a nearly 25% drop in revenues to £4.9 billion ($6.5 billion). However, the wider UK economy absorbed an even greater shock, with an estimated £1.9 billion ($2.5 billion) in losses resulting from the disruption.” (PDF p. 44).
[13] “First, it highlights the importance of quantifying cyber risk and scenario-building to model the potential impact of cyberthreats, to drive adequate investments towards resilience.” (PDF p. 44).
[14] “Second, it demonstrates the interdependence of supply chains, where disruptions in one actor can propagate across industries, amplifying risk and underscoring the need for sector-wide resilience strategies.” (PDF p. 44).
[15] “Cybersecurity is not merely an IT function – it is a strategic business imperative and a cornerstone of national economic resilience.” (PDF p. 44).
[16] “By 2030, the convergence of climate volatility and digital dependency will have transformed natural disasters into complex cyber-physical crises. Extreme weather, prolonged droughts and heatwaves routinely disrupt power, data and logistics networks, while AI-driven coordination systems for energy grids, water and emergency response introduce new attack surfaces. As renewable energy and storage infrastructures expand, their dense networks of inverters, sensors and cloud-linked controllers multiply points of cyber exposure.” (PDF p. 55).