As 2025 comes to a close, some of our Nexus contributors and experts have provided us with a look back on the year in cybersecurity, and their predictions for the next year within their industries and specialty areas. Today, Pedro Umbelino, Principal Research Scientist at Bitsight Technologies, reflects on the fragility of industrial ecosystems and anticipates what will happen as Industry 4.0 and 5.0 collide.
This year I thought a lot about the state of industrial control systems (ICS) and operational technology (OT) security in general, looked at major protocols exposed on the Internet and, well, tried to blow up a gas station. Achieving physical damage on an industrial controller (an automatic tank gauge, or ATG) was the culmination of one of my research pieces.
But what troubled me throughout the year was the confirmation of how fragile our industrial ecosystems still are. Quite frankly, I'm surprised we don't hear more about serious incidents on the ICS/OT side. As I think about why that doesn't happen, I started to speculate that criminals may have yet to find a proper and profitable business model that justifies dedicated attacks on ICS/OT infrastructure. If current business models work and are profitable, why bother? So, probably, ICS/OT targets remain in the crosshairs of state-sponsored attackers (with disruption goals), hacktivists, and the occasional curious kid, who have a much lower rate of execution than, let's say, ransomware groups.
The last part of the year I focused heavily on Y2K38 (or Epochalypse) awareness. From the White House to the United Nations, I had the honor to talk about this issue that hangs over our heads at many different venues, conferences and briefings. People initially tend to reduce this challenge to something similar to the Y2K bug, failing to realize that the number of systems we have deployed right now is more than 600 times greater. Maybe closer to 2038 it will be 1000 times more; that is three orders of magnitude higher. We are 12 years away, and we do not have 600 times more money, more time, or more human resources to throw at this problem.
I know society, in general, is getting less proactive in making medium- and long-term plans, and four-year election cycles definitely do not reward strategic spending, but we really need to get going on fixing Y2K38 on as many systems as we still can.
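To make the Y2K38 boundary concrete, here is a small added C example. It is not code from Pedro's piece or from Bitsight; it models how a signed 32-bit time_t truncates a 64-bit epoch value, and shows what a validity check built on 32-bit time arithmetic sees when a certificate's notAfter lies past 19 January 2038. The timestamps are constructed for illustration, and the names `as_time32`, `fits_time32` and `remaining32` are chosen here; the date rendering assumes a host with a 64-bit time_t.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Largest second count a signed 32-bit time_t can hold:
   2147483647 = 2038-01-19 03:14:07 UTC. One tick later it wraps to
   INT32_MIN = 1901-12-13 20:45:52 UTC. */
#define TIME32_MAX ((int64_t)INT32_MAX)

/* Model how a signed 32-bit time_t stores a 64-bit epoch value.
   Explicit modular arithmetic is used instead of a plain cast, because
   converting an out-of-range value to a signed type is
   implementation-defined in C. */
int32_t as_time32(int64_t secs) {
    uint32_t low = (uint32_t)secs;          /* reduction mod 2^32 is well-defined */
    if (low & 0x80000000u)                  /* top bit set: lands in the negative half */
        return (int32_t)(low - 0x80000000u) + INT32_MIN;
    return (int32_t)low;
}

/* True if a timestamp survives a round trip through a 32-bit time_t. */
int fits_time32(int64_t secs) {
    return secs >= INT32_MIN && secs <= INT32_MAX;
}

/* What a validator built on 32-bit time_t sees as the seconds left on a
   certificate: both values truncated, the difference taken in 64 bits to
   avoid signed-overflow UB. A result <= 0 reads as "already expired". */
int64_t remaining32(int64_t now, int64_t not_after) {
    return (int64_t)as_time32(not_after) - (int64_t)as_time32(now);
}

/* Render an epoch second as UTC using the host's (64-bit) time_t. */
static void show(const char *label, int64_t secs) {
    char buf[40];
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    if (tm == NULL || strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S UTC", tm) == 0)
        snprintf(buf, sizeof buf, "(not representable)");
    printf("%-26s %12lld  %s\n", label, (long long)secs, buf);
}

int main(void) {
    int64_t last      = TIME32_MAX;
    int64_t first_bad = TIME32_MAX + 1;
    /* Constructed sample values: "now" in late 2023, and a certificate
       whose notAfter sits one year past the 32-bit limit. */
    int64_t now       = 1700000000;
    int64_t not_after = first_bad + 365LL * 86400;

    show("last 32-bit second", last);
    show("one second later, 64-bit", first_bad);
    show("same second, 32-bit wrap", as_time32(first_bad));
    printf("notAfter fits in 32 bits?  %s\n", fits_time32(not_after) ? "yes" : "no");
    printf("32-bit validator: %lld seconds left (<= 0 means expired)\n",
           (long long)remaining32(now, not_after));
    return 0;
}
```

The point of `remaining32` is that the failure is not a crash at the boundary: a certificate, lease or license that is perfectly valid in 64-bit arithmetic is reported as expired decades ago the moment its end date is stored in 32 bits, which is why the affected systems have to be found and fixed well before 2038 rather than on the day.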
I really like to quote Niels Bohr on this: "Predictions are hard, especially about the future."
It was hard to look back at 2025 without mentioning artificial intelligence (AI) and it seems pretty likely that 2026 will be a year filled with AI discussion and research. Will that be overall good or bad? We shall see.
Take the internet, for example: it has become ubiquitous. Almost everything is connected today, with 6G coming and IPv6 everywhere (well, wishful thinking, I know we are still trying to get past 50% worldwide), and things such as televisions, refrigerators, ovens, and toasters are commonly found across cyberspace. But just because we can connect our toilet to the tubes—the internet tubes—doesn't really mean we should. And I think we will get a lot of that regarding AI in the next couple of years: discussions on what makes sense. And, like toasters and toilets, we will probably (not) choose wisely.
Unlike other industrial revolutions, where most of the world had time to adopt and adapt, Industry 5.0 seems to be already running in parallel with 4.0, presenting additional cybersecurity and safety challenges like new HMIs, humans in the loop, expanding supply chains, and accelerating IT/OT convergence. And with a great attack surface comes a great responsibility to protect all of it. But likely the increase in attacks we will see on the industry/manufacturing sectors will still be on expanding IT—the low-hanging fruit—and probably not on ICS/OT.
Pedro Umbelino is Principal Research Scientist at Bitsight Technologies. His eclectic curiosity has led to the uncovering of vulnerabilities spanning a gamut of technologies, highlighting critical issues in multiple devices and software, ranging from your everyday smartphone to household smart vacuums, from the intricacies of HTTP servers to the nuances of NFC radio frequencies, from vehicle GPS trackers to protocol-level denial of service attacks.
Pedro is committed to advancing cybersecurity knowledge and has shared his findings at prominent conferences, including Bsides Lisbon, DEF CON, Hack.lu and RSA.