What’s Missing in OT Security Training in 2026
The industrial world is under attack — and the people defending it are still training for a war that ended a decade ago. The events of 2025 made the stakes impossible to ignore. Cyber events that impact business operations are becoming more frequent and difficult to contain once they take hold. Some of the most memorable consequences include:
- Marks & Spencer: Shoppers trying to buy a spring outfit online were met with error pages for weeks — while £300 million in market value quietly disappeared in the background.
- Jaguar Land Rover: Vehicles sitting half-built on the production line because a cyberattack froze the supply chain that feeds it.
- Asahi: Even a company with a security budget most CISOs would envy couldn’t stop attackers from finding a back door into the systems that keep the beer flowing.
And yes, for a period, loyal patrons were deprived of their favorite beverage.

The September 2025 ransomware attack on Asahi Group Holdings, orchestrated by the Qilin group, crippled Japan-based operations, forcing a suspension of shipments, causing national beer shortages, and exposing the personal data of over 1.5 million customers and employees. The attack caused significant, long-lasting logistics disruptions and hit shares by 4%.
The average cost of an OT-impacting cyber incident now exceeds $3 million when production downtime, recovery costs, and reputational damage are factored in — and that figure climbs significantly for critical infrastructure and large-scale manufacturers. The question for security leaders is no longer whether their operational environment will be targeted. It is whether their teams are trained to respond when it is.
Operational Technology (OT) security training is in the middle of a quiet but consequential shift. The old model — annual classroom sessions, compliance checkboxes, and theoretical frameworks — is giving way to something more urgent: simulation-based, operationally grounded training designed to prepare teams for the realities of modern converged IT/OT environments.
Industry reports leading into 2026 confirm the direction of travel. But confirming a direction and actually getting there are two very different things.
The uncomfortable truth is that despite genuine progress, significant gaps remain. Critical infrastructure operators, manufacturers, and energy companies are investing in security programs that still leave their teams underprepared for the specific, high-stakes scenarios that define real-world OT incidents. Here is what is largely missing — and what needs to change.
1. Live-Fire Training That Actually Mirrors Reality
Walk into most OT security training programs today and you will find the same thing: slides, case studies, and a tabletop exercise that wraps up before lunch. The problem is not that these formats lack value — it is that they stop well short of preparing teams for the chaos of a real incident.
What is missing is recurring, multi-stage simulation training that forces IT and OT teams to work together under genuine pressure. Think ransomware escalating from the corporate network down into the plant floor. Think a supply-chain compromise that arrives disguised as a legitimate vendor update. Think a scenario where the pressure relief valve on a critical system is behaving abnormally at the same moment the SCADA historian goes dark.
The goal of live-fire training is not to teach people what to do. It is to build the muscle memory to execute when everything is going wrong simultaneously. Moving from “knowing” to “doing” under simulated chaos is a fundamentally different skill, and it requires fundamentally different training infrastructure. Most organizations are not there yet.
2. Context-Aware Operational Risk — Not Just Cyber Risk
One of the most persistent and dangerous mistakes in OT security training is treating OT environments like IT environments with harder hats. The logic of IT security — patch aggressively, isolate compromised systems, prioritize confidentiality — can cause serious harm when applied without modification to operational technology.
Consider a 15-year-old PLC running a continuous chemical process. An IT security instinct says: isolate it, patch it, bring it back online. An OT reality says: taking that system offline may trigger a cascade failure, a safety event, or a production loss that costs millions. The calculus is completely different.
What is missing from most training programs is the explicit teaching of safety-first security. IT staff need to understand how to manage, monitor, and make decisions about OT assets without inadvertently creating the operational outage the attacker was hoping to cause. The goal is not immediate disconnection — it is learning how to fight through an attack while keeping critical operations running.
3. Deep OT Visibility and Network Forensics
Most OT security monitoring stops at the IT/OT boundary — roughly Purdue Model Level 3. The problem is that the most damaging attacks push all the way down to Level 1: the PLCs, RTUs, and field devices that actually control physical processes.
Visibility at that level requires a different skill set entirely. Deep packet inspection of industrial protocols like Modbus, DNP3, EtherNet/IP, and PROFINET is not something most IT security analysts are trained for. Detecting anomalous PLC configuration changes, spotting unauthorized ladder logic modifications, or identifying unusual polling patterns in a control network are specialized capabilities that remain largely absent from standard training curricula.
What is missing is hands-on training that teaches staff to detect anomalies in industrial communication — not just respond to IT-style alerts bubbling up from a SIEM.
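As an added illustration of the protocol-level detection described above (example code, not from the original article): a minimal Modbus/TCP request parser that flags state-changing function codes sent by hosts outside an allowlist, plus malformed frames. The IP addresses, allowlist and frames are constructed for this example, and it assumes one Modbus request per TCP payload.

```python
import struct

# Modbus function codes that change device state (Modbus application protocol).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus/TCP request; return a dict, or None if malformed."""
    if len(payload) < 8:                      # 7-byte MBAP header + function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    func = payload[7]
    info = {"tid": tid, "unit": unit, "func": func, "addr": None}
    if func in WRITE_FUNCTIONS and len(payload) >= 10:
        info["addr"] = struct.unpack(">H", payload[8:10])[0]  # target address
    return info

def detect(frames, allowed_writers):
    """frames: iterable of (src_ip, tcp_payload). Returns a list of alert strings."""
    alerts = []
    for src, payload in frames:
        msg = parse_modbus_tcp(payload)
        if msg is None:
            alerts.append(f"{src}: malformed Modbus/TCP frame")
        elif msg["func"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}: unexpected {WRITE_FUNCTIONS[msg['func']]} "
                          f"to unit {msg['unit']} addr {msg['addr']}")
    return alerts

# Constructed sample traffic (not a real capture).
SAMPLE = [
    ("10.0.1.10", bytes.fromhex("000100000006010300000002")),  # HMI reads 2 registers
    ("10.0.1.20", bytes.fromhex("00020000000601060010012c")),  # eng. station writes reg 16
    ("10.0.9.77", bytes.fromhex("00030000000601060010ffff")),  # unknown host writes reg 16
    ("10.0.9.77", bytes.fromhex("000400010006010300000001")),  # protocol id is not 0
]
ALLOWED_WRITERS = {"10.0.1.20"}               # assumed site allowlist of engineering hosts

if __name__ == "__main__":
    for alert in detect(SAMPLE, ALLOWED_WRITERS):
        print(alert)
```

The allowlisted engineering station's write passes silently, while the same write from an unlisted host raises an alert, which is the kind of distinction a SIEM fed only IT-style events would not see.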
4. AI-Driven Threats Require AI-Aware Defenders
The threat landscape is accelerating and OT training is not keeping pace. Most programs still dedicate significant time to phishing awareness and basic malware recognition. What is coming — and in many cases already here — is something faster and more sophisticated.
AI-powered reconnaissance tools can map an OT network, identify vulnerable assets, and generate targeted attack sequences in a fraction of the time a human operator would need. Deepfake social engineering — convincing audio or video impersonating a trusted vendor or plant manager — is now a realistic threat vector for operators on the plant floor. Automated attack frameworks are being designed specifically to evade the detection logic built into traditional OT security tools.
Training programs need to evolve to address these realities. Defenders cannot fight at human speed against adversaries operating at machine speed.
5. Third-Party and Supply Chain Risk Is a Training Problem, Not Just a Policy Problem
The most common entry point for OT attacks is not a sophisticated zero-day exploit. It is a contractor with a VPN connection and more access than they need. Third-party vendors, OEMs, and systems integrators routinely hold privileged remote access to critical OT assets — and in many organizations, no one is specifically trained to manage, audit, or challenge that access.
Procurement teams signing vendor contracts need to understand what secure remote access requirements should look like. Maintenance teams onboarding a new OEM need protocols for verifying security posture before access is granted. What is missing is training that reaches beyond IT and security teams to the operational and procurement staff who are actually making the decisions that create third-party risk.
6. Who Hits the Red Button — and When
During an active OT security incident, confusion about authority kills response time. The question of who has the right to isolate a system, stop production, or switch to manual control is not a technical question — it is an organizational one. And in most organizations, it has not been answered clearly enough to survive the pressure of a real incident.
Tabletop exercises and incident response plans need to explicitly define and repeatedly rehearse the decision rights of every role in the response chain — OT operations manager, IT security lead, plant safety officer, executive leadership. Everyone needs to know their lane before the incident starts, not during it. Building this clarity into recurring exercises, not just policy documentation, is one of the most underinvested areas in OT training today.
7. Building for Anti-Fragility, Not Just Recovery
The dominant frame in OT security training is recovery: how to detect an incident, contain it, eradicate the threat, and restore operations. Recovery is necessary. But it is not sufficient.
The emerging concept of anti-fragility — building systems that continue to operate, or fail gracefully, under attack — represents a more sophisticated and ultimately more valuable training goal. It asks a different question: not “how do we recover?” but “how do we architect and operate so that an attack never fully succeeds in the first place?”
Training for anti-fragility means teaching engineers and operators to think about redundancy, segmentation, and manual fallback procedures not as emergency options but as designed capabilities. This kind of thinking is rare in current training programs, which tend to treat security as something layered on top of operations rather than embedded within it.
The Bottom Line
OT security training in 2026 is better than it was. The industry has recognized that the old model is inadequate, and serious vendors, integrators, and operators are investing in something more capable. But the distance between where training is today and where it needs to be remains significant.
The environments being defended — power grids, water systems, manufacturing plants, pipelines — are too important and too complex to be protected by programs that prioritize compliance over capability. The shift that is needed is not incremental. It is a fundamental rethinking of what it means to prepare people for the realities of converged IT/OT environments in an era of AI-accelerated attacks.
The organizations that close these gaps first will not just be more secure. They will be more resilient, more operationally capable, and better positioned to operate in a threat environment that is not getting simpler anytime soon.
The Training Infrastructure Is Finally Catching Up
For years, the honest critique of OT security training has been that the industry knew what was missing but lacked the infrastructure to fill the gap. That is starting to change.
CyberEd has been one of the more thoughtful responses to the deficiencies outlined above — building curriculum around operational context rather than compliance requirements, and designing for the kind of continuous, scenario-based learning that actually changes behavior under pressure. The recent partnership with CyCube adds a dimension that has been notably absent from most platforms: genuine industrial simulation capability that lets teams train inside environments that behave like the real thing. It is early, and no single platform solves everything. But the direction is right — and for security leaders who have spent years making do with training that was never quite built for their world, that matters.