Why 2026 May Be Too Late to Secure OT Endpoints

Oct 01 2025

As organisations approach the end of 2025, leaders are finalising strategies and budgets for the coming year. This is the moment when critical investments are either approved or postponed. Yet one area that too often slips through the cracks is cybersecurity for OT endpoints. Overlooking this now risks leaving essential infrastructure exposed throughout 2026. 

 

OT Endpoints Are Under Direct Attack

Recent years have proven that attackers are no longer satisfied with targeting IT perimeters. They are moving deeper into PLCs, HMIs, RTUs, DCS, and SCADA systems that keep critical operations running.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), OT-related incidents have grown by over 30% year on year since 2022, with a sharp rise in endpoint-specific exploits. In Europe alone, more than 60 publicly reported attacks in 2025 involved direct manipulation of industrial control endpoints.

This year we have witnessed:

  • Manipulated valves at a hydroelectric dam in Norway.
  • A water supply disruption in Poland through unauthorised remote access.
  • Persistent ransomware campaigns targeting building automation systems, including Johnson Controls.
  • The Costa Rica RECOPE refinery incident, where attackers disrupted operations in early 2025 and recovery is still incomplete months later.

These events highlight a stark reality: once inside, adversaries bypass perimeter tools and aim straight at OT endpoints — the very layer that determines safety, availability, and resilience.

 

The Danger of Budget Blind Spots

Despite clear evidence, OT endpoint security remains underfunded compared to IT and cloud security. Many PLCs and HMIs are still guarded only by static passwords and outdated access controls. For attackers, this means an extended window of opportunity.

The risk is not theoretical. Operational shutdowns, safety hazards, reputational damage, and financial losses can easily exceed the cost of preventive measures. And once 2026 budgets are locked, overlooked gaps often remain unaddressed for another year.

 

Compliance Is Not Optional

Beyond the operational risk, regulatory pressure is mounting.

  • In the EU, the NIS2 Directive requires critical infrastructure operators to demonstrate clear evidence of robust cybersecurity measures. Failure to comply can lead to fines of up to 2% of annual turnover.
  • The IEC 62443 standard emphasises Identification and Authentication Control (FR1) as a baseline requirement for OT environments. Auditors and regulators are increasingly expecting real, enforceable mechanisms rather than policy documents alone.
  • Similar frameworks are advancing in Asia and North America, reinforcing a global shift toward accountability in OT security.

Compliance deadlines are not moving, and regulators will not accept excuses tied to delayed budget cycles. Organisations that act now can align endpoint protection with both resilience and regulatory assurance, avoiding last-minute, high-cost remediation later.

 

A Practical Path Forward

The belief that protecting OT endpoints requires disruptive system replacement no longer holds. With solutions like OTAC (One-Time Authentication Code), organisations can:

  • Remove static passwords and enforce dynamic, one-time access codes.
  • Authenticate users and devices securely without relying on network connectivity.
  • Integrate with existing OT assets with minimal modification.
  • Build resilience into operations even in segmented or air-gapped networks.

This approach directly addresses regulatory requirements while reducing the burden on operators and engineers.

 

Act Now Before the Window Closes

Attackers are not waiting for the 2026 budget cycle. They are exploiting weak endpoints today. As decision makers set priorities in October and November, OT endpoint security must be at the top of the agenda.

A measured investment now delivers dual benefits: stronger defences against escalating threats and demonstrable compliance with tightening regulations. Ignoring this priority risks leaving critical operations vulnerable for another year — a risk few organisations can afford.

2026 is too late. The time to secure your OT endpoints is now.

    
