In 2025, cybercriminals leaned heavily on artificial intelligence (AI) to automate attacks at a scale few companies were ready for — and incidents like the Jaguar Land Rover breach exposed just how vulnerable modern factories have become as information technology (IT) and operational technology (OT) increasingly intersect.
But manufacturers were fighting back. Many began deploying AI-driven intrusion detection and other advanced tools to stay a step ahead of attackers. The U.S. Department of Defense (DoD) also wasn’t standing still, fully implementing its Cybersecurity Maturity Model Certification (CMMC) requirements, standards that defense contractors must meet to win or keep DoD contracts.
What will 2026 bring? We put that question to Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by DoD. Here’s what he sees coming (answers have been edited for space):
What’s on the 2026 cybersecurity landscape?
MT: I expect that a lot of the things that made a lot of noise last year to mature. We’ll start to see real benefits to adopting things like AI because we’ll have made progress against both utility and safety issues. Improvements in productivity, predictive maintenance, and quality control should all start to rise thanks to AI and related technologies. On the attack front, ransomware is a perennial favorite, so to speak. A sound backup scheme and regular business continuity/disaster recovery testing are worth their weight in gold. That we’re still seeing firms falling victim to ransomware tells me this message isn’t resonating.
At this moment, who’s ahead — the bad actors or the companies defending themselves?
MT: The advantage that attackers have had since the start of the Information Age is unlikely to go away, barring some dramatic shift in thinking by both governmental and commercial decision-makers.
Nobody makes “secure things,” they make “functional things” because that’s what the market wants. If you value production over all, and a security mechanism hinders that, you’re going to remove that hindrance, because you’re not paid to run a secure plant, you’re paid to run a productive one. This doesn’t make you a bad person, just a realist. We need to appreciate this when we’re considering the good/bad guy divide. Until corporate culture aligns against the threat, the good guys will always be at a disadvantage.
CMMC became final late last year. Has it been rolling out as expected? Any words of advice for companies now embarking on their journey?
MT: We at MxD hope to have a clearer view of the state of the CMMC roll-out early this year. But anecdotally late last year it seemed there was still a level of resistance to participating — even though it is now required. Getting compliant costs money and takes time. And it’s not one-and-done, it’s something that needs to be maintained over time.
Also, in a way, greater participation poses a problem because there is a finite number of CMMC third-party assessment organizations (C3PAOs) to do the necessary assessment work. Even if you were to get on someone’s calendar today, you wouldn’t get assessed for at least six and more like nine months. There is a sense of urgency because you might run out of time before you can be evaluated against the rule, taking yourself out of the running for DoD work because of procrastination.
Anything manufacturers must have on their radar?
MT: I think the next few years will really see OT security start to come to the fore. Our adversaries place a great deal of importance on being able to outproduce us, which is why targeting of manufacturers is only getting worse. It’s not about intellectual property theft so much anymore but “can we ensure America can’t make things?”
Hardening ourselves against attacks, and ensuring we can rapidly recover from successful attacks, has never been more important.
