Transparency alone is not enough

OT Security in 2026: Operational resilience through continuous Exposure Management


Operational resilience in OT environments requires concrete technical and organizational levers: access controls, robust test environments, and compensating measures for legacy systems. At the same time, the supply chain is moving to the center of attention as both an attack vector and a compliance factor.

Managing access and the principle of Least Privilege

One of the central pillars of OT resilience in 2026 is the enforcement of least-privilege access. As supply chains and operational networks are secured, access management must be dynamic, auditable, and context-sensitive. Every person, machine, vendor tool, and firmware update should be treated as an identity that receives only the rights it needs, for only as long as it needs them, and only on the systems it requires.


In practice this means enforcing role- and attribute-based access controls (RBAC and ABAC) within control environments, using just-in-time (JIT) elevation for maintenance tasks, short-lived credentials for vendor sessions, and hardware-based identities for devices. Firmware updates should always be digitally signed and verified before deployment, and vendor access must go through brokered, monitored jump hosts with session recording and automatic credential revocation when the job is complete.

When this access validation feeds into CTEM (Continuous Threat Exposure Management), risk assessments become significantly more precise, because risk is linked not only to asset vulnerabilities but also to who or what can actually interact with those assets. In other words, identity becomes an active risk variable. This shift helps organizations detect over-provisioned accounts, unprotected vendor credentials, and insecure maintenance processes before attackers can exploit them. The supply chain benefits too: vendor contracts increasingly require access transparency, session logging, and least-privilege attestations. In OT, trust is earned and continuously validated.
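The two paragraphs above describe a JIT access broker for vendor maintenance (asset-scoped, short-lived grants, session recording, revocation on job completion) and the CTEM use of that identity data to find over-provisioned accounts and leftover credentials. The following Go program is an added example of such a broker; it is not code from the article or from Armis. The identities, asset names (plc-07, hmi-02), action names and timeline are constructed for the example, and the "exposure findings" it derives are only the two the text names: grants that outlived their window without being revoked, and grants carrying rights that were never exercised.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Grant is a just-in-time, asset-scoped set of rights for one identity (vendor
// engineer, vendor tool or device); it expires on its own even if nobody revokes it.
type Grant struct {
	Identity, Asset string
	Actions         map[string]bool // least-privilege action set
	ExpiresAt       time.Time
	RevokedAt       *time.Time
	used            map[string]bool // actions actually exercised while live
}

// Broker issues, checks and revokes grants and records every decision in Audit
// (one timestamped line per event, standing in for session recording).
type Broker struct {
	grants map[string]*Grant
	Audit  []string
}

func NewBroker() *Broker { return &Broker{grants: map[string]*Grant{}} }

// Issue creates a grant scoped to one asset that dies after ttl.
func (b *Broker) Issue(id, identity, asset string, actions []string, now time.Time, ttl time.Duration) {
	g := &Grant{Identity: identity, Asset: asset, Actions: map[string]bool{}, ExpiresAt: now.Add(ttl), used: map[string]bool{}}
	for _, a := range actions {
		g.Actions[a] = true
	}
	b.grants[id] = g
	b.Audit = append(b.Audit, fmt.Sprintf("%s issue %s %s -> %s %v ttl=%s", now.Format(time.RFC3339), id, identity, asset, actions, ttl))
}

// Check decides one request; every refusal carries an explicit reason so the
// audit trail explains it. Cases are ordered so a missing grant is never dereferenced.
func (b *Broker) Check(id, asset, action string, now time.Time) (bool, string) {
	g, ok := b.grants[id]
	reason := "ok"
	switch {
	case !ok:
		reason = "unknown grant"
	case g.RevokedAt != nil:
		reason = "revoked"
	case !now.Before(g.ExpiresAt):
		reason = "expired"
	case asset != g.Asset:
		reason = "wrong asset"
	case !g.Actions[action]:
		reason = "action not granted"
	default:
		g.used[action] = true // remember what the grant was actually used for
	}
	b.Audit = append(b.Audit, fmt.Sprintf("%s check %s %s:%s -> %s", now.Format(time.RFC3339), id, asset, action, reason))
	return reason == "ok", reason
}

// CompleteJob revokes the credential the moment the maintenance job ends.
func (b *Broker) CompleteJob(id string, now time.Time) {
	if g, ok := b.grants[id]; ok && g.RevokedAt == nil {
		g.RevokedAt = &now
		b.Audit = append(b.Audit, fmt.Sprintf("%s revoke %s job completed", now.Format(time.RFC3339), id))
	}
}

// Review derives exposure findings from identity state: live grants that ran
// past expiry without revocation, and live grants holding rights never used.
func (b *Broker) Review(now time.Time) []string {
	var out []string
	for id, g := range b.grants {
		if g.RevokedAt != nil {
			continue
		}
		if !now.Before(g.ExpiresAt) {
			out = append(out, id+": expired but never revoked")
		}
		var unused []string
		for a := range g.Actions {
			if !g.used[a] {
				unused = append(unused, a)
			}
		}
		if len(unused) > 0 {
			sort.Strings(unused)
			out = append(out, fmt.Sprintf("%s: unused rights %v", id, unused))
		}
	}
	sort.Strings(out) // map iteration order is random; keep output stable
	return out
}

func main() {
	t0 := time.Date(2026, 3, 1, 8, 0, 0, 0, time.UTC) // constructed timeline
	b := NewBroker()
	b.Issue("g1", "acme-engineer", "plc-07", []string{"read", "firmware_update"}, t0, 2*time.Hour)
	b.Check("g1", "plc-07", "read", t0.Add(10*time.Minute))
	b.CompleteJob("g1", t0.Add(time.Hour))
	b.Issue("g2", "acme-tool", "hmi-02", []string{"read", "write_config"}, t0, time.Hour)
	fmt.Println(b.Audit, b.Review(t0.Add(3*time.Hour)))
}
```

The point of the `Review` step is that the same records used for session auditing are enough to surface two of the identity problems the text names: a vendor credential nobody revoked after its window, and a grant that was wider than the job required. In a real deployment those findings would be fed into the CTEM backlog alongside asset vulnerabilities rather than printed.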

Digital Twins: The new cyber training grounds

One of the most significant developments in 2026 is the widespread adoption of digital twins: virtual replicas of industrial environments used for testing, simulation, and resilience training. These twins are no longer confined to R&D. They are now used to rehearse real-world cyber incidents in safe sandbox environments, and they are proving invaluable for testing access policies and permission models. Before a new access policy or vendor segmentation rule is introduced, organizations can validate it in their digital twin to confirm operational stability. These simulations let security and engineering teams apply least-privilege principles safely, without disrupting production.


With digital twins, teams can simulate ransomware outbreaks, lateral movement, or misconfigurations without putting live production at risk. Twins also provide an ideal environment to validate firmware updates, test segmentation policies, and run through adversarial attack scenarios. I have seen organizations discover through their twins that a seemingly minor firmware update would have destabilized a critical control loop. Beyond security validation, digital twins are also changing how people are trained. In many facilities, IT and OT incident responders now conduct joint tabletop exercises simulating attacks modeled on real-world adversaries. The results are measurable: faster decision making, better communication, and fewer surprises when a real incident occurs.

Protecting Legacy OT

Despite the progress made, one thing has not changed: OT environments are still full of legacy systems that cannot be patched, cannot be replaced, and often cannot even be securely monitored. Many run firmware that predates modern cryptographic standards or is no longer supported by the manufacturer. In 2026 this remains the case, and the prevailing defense strategy is protection rather than replacement. Virtual patching, deep device fingerprinting, and application-aware micro-segmentation are now standard practice. Exposure management tools finally make it possible to securely inventory, track, and quantify unpatchable assets, automatically assigning business impact scores and recommending compensating controls. Instead of chasing an unrealistic modernization agenda, organizations are deploying application-aware firewalls and, where appropriate, adopting secure active queries, treating OT as an attack target whether or not it is air-gapped.

Securing the supply chain

If 2024 and 2025 were the years of AI-driven attacks, then 2026 is the year of supply chain security. We have learned painful lessons from incidents in which compromised firmware updates or tampered vendor tools found their way into production environments. In OT, organizations are not just risking data; they are risking kinetic impact.

This year, we can expect stricter procurement and compliance requirements for critical infrastructure. Secure-by-design mandates, SBOM transparency, signed firmware, and manufacturer attestations are quickly becoming the norm. Organizations are integrating these controls into their CTEM workflows, for example by verifying firmware signatures, maintaining registers of vendor certificates, and automatically flagging devices originating from high-risk supply chains. The same workflows now extend to access validation, ensuring that vendors comply with least-privilege controls, session auditability, and credential revocation schedules as part of their certification process. The hard truth is that no organization can fully secure its OT environment without securing its suppliers. Transparency, provenance, and rapid response times must become part of every vendor contract.
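The access section earlier and this paragraph both call for firmware to be digitally signed and verified before deployment, checked against a maintained register of vendor certificates. The Go program below is an added example of that check; it is not code from the article or from Armis. It assumes a simplified register keyed by key ID in which each vendor entry carries an Ed25519 public key with a validity window and a revocation flag (a stand-in for an X.509 vendor certificate), and it signs a SHA-256 digest that covers the vendor name and version as well as the payload, so a genuine signature cannot be re-used with swapped metadata. The vendor name "acme", the key ID and the firmware bytes are constructed for the example; `SignFirmware` only exists so the example can produce a valid signature locally.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// VendorKey is one entry of the vendor certificate register: a vendor's
// public signing key and the window in which the plant trusts it.
type VendorKey struct {
	Vendor, KeyID string
	PublicKey     ed25519.PublicKey
	NotBefore     time.Time
	NotAfter      time.Time
	Revoked       bool
}

// Register maps key ID to the trusted vendor key.
type Register map[string]VendorKey

// FirmwareImage is a firmware blob with its detached signature and the
// metadata that the signature covers.
type FirmwareImage struct {
	Vendor, KeyID, Version string
	Payload, Sig           []byte
}

var (
	ErrUnknownKey  = errors.New("signing key not in vendor register")
	ErrKeyNotValid = errors.New("signing key revoked or outside its validity window")
	ErrBadSig      = errors.New("firmware signature does not verify")
)

// signedDigest binds vendor and version to the payload so metadata cannot be
// swapped underneath a valid payload signature.
func signedDigest(img FirmwareImage) []byte {
	h := sha256.New()
	h.Write([]byte(img.Vendor + "\x00" + img.Version + "\x00"))
	h.Write(img.Payload)
	return h.Sum(nil)
}

// Verify accepts an image only if it is signed by a registered key that belongs
// to the vendor named in the image and is valid at deployment time.
func (r Register) Verify(img FirmwareImage, now time.Time) error {
	k, ok := r[img.KeyID]
	if !ok || k.Vendor != img.Vendor {
		return ErrUnknownKey
	}
	if k.Revoked || now.Before(k.NotBefore) || now.After(k.NotAfter) {
		return ErrKeyNotValid
	}
	if !ed25519.Verify(k.PublicKey, signedDigest(img), img.Sig) {
		return ErrBadSig
	}
	return nil
}

// SignFirmware stands in for the vendor's release pipeline (constructed for
// this example; a real vendor signs inside an HSM, not at the plant).
func SignFirmware(priv ed25519.PrivateKey, img FirmwareImage) FirmwareImage {
	img.Sig = ed25519.Sign(priv, signedDigest(img))
	return img
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC)
	reg := Register{"acme-2026": {Vendor: "acme", KeyID: "acme-2026", PublicKey: pub,
		NotBefore: now.AddDate(0, -1, 0), NotAfter: now.AddDate(1, 0, 0)}}
	img := SignFirmware(priv, FirmwareImage{Vendor: "acme", KeyID: "acme-2026",
		Version: "4.2.1", Payload: []byte("constructed firmware bytes")})
	fmt.Println("genuine image:", reg.Verify(img, now))
	tampered := img
	tampered.Payload = []byte("constructed firmware bytes, altered")
	fmt.Println("tampered image:", reg.Verify(tampered, now))
	fmt.Println("after key expiry:", reg.Verify(img, now.AddDate(2, 0, 0)))
}
```

The three error values are deliberately distinct so that a CTEM workflow can flag each case differently: an unknown or mismatched key points at a device from outside the known supply chain, an expired or revoked key points at a stale register or a vendor incident, and a bad signature points at a tampered or corrupted image.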

Outlook

In 2026, the boundaries between IT, OT, and cyber-physical systems have practically disappeared. The environments that security teams defend are living, interconnected ecosystems that shape daily life and face constant attack. The convergence of AI-driven threats, growing regulatory pressure, and rising security expectations means that visibility, context, and continuous exposure management form the operational foundation of modern OT security.

But visibility alone is not enough. Minimal access, dynamic authorization, and supply chain accountability now determine whether an organization can withstand the next generation of AI-powered threats. The shared mission of protecting uptime, people, and trust has not changed, but the way it is achieved has evolved. Organizations must automate faster than attackers, measure risk in the language of business, and treat every device, vendor, and process as part of a unified risk landscape.

By Carlos Buenano, CTO for OT, Armis
