
Prayukth KV

December 10, 2025

Securing OT telemetry in 2026

If you have been on the shop floor in 2026 or have visited a substation, you will have seen a significant rise in the volume of OT telemetry. Beyond the added functionality in pure OT systems, many OT operators have now added IIoT sensors, edge computing and, in some cases, software agents to track aspects of production and industrial efficiency. All of these have added multiple dimensions to the security challenges that OT operators were already facing. This is one factor that came up in multiple conversations when I was at the Annual Information Security Summit 2025 organized by the Data Security Council of India last week.

The learning is clear. Securing the device is no longer enough. We must also secure the signal. 

In today’s blog post, we do a deep dive into why securing OT telemetry has essentially become the new battleground for critical infrastructure in 2026. We also examine how to better handle the "industrial exhaust" of your machinery and, while we are at it, how next-gen Network Detection and Response (NDR) solutions like Shieldworkz can help.

Before we move forward, do not forget to check our previous blog post on Integrating IEC 62443 into OT security governance available here.  

Why is it critical? (considering the 2026 context) 

In 2026, telemetry cannot be treated as just a log file; it is the lifeblood of automated decision-making.

  • Threat actors and rogue insiders are especially interested in telemetry: Controlling telemetry translates into control over operations.

  • Rising agentic AI footprint: We have started moving beyond passive monitoring of operations. AI agents can now actively adjust valve pressures, grid loads, and assembly line speeds based on real-time telemetry. If an attacker manages to manipulate this telemetry (or carry out a "data poisoning" attack), the AI will at best produce junk output and at worst make catastrophic decisions with safety and security implications.

  • The IT/OT blur: With 5G private networks and edge-cloud processing standard in 2026, the line between the plant floor and the cloud is almost non-existent. Telemetry leaves the physical perimeter constantly, like a wave of Arctic Terns leaving the North Pole for a 44,000-mile journey.

  • Safety and kinetic implications: Unlike IT data breaches where data and/or money is lost, corrupted OT telemetry could lead to physical damage. Think of turbines overheating, chemical mixtures becoming unstable, or safety systems failing to trigger. 

  • Value from telemetry: Once the telemetry is secure, various ways of deriving value from the telemetry data beyond efficiency can be investigated. Telemetry security gives OT operators that additional level of confidence.  

Characteristics of OT Telemetry Data 

To secure it, you must understand what you are looking at. In 2026, OT telemetry is distinct from standard IT traffic: 

  • Deterministic and cyclic: Unlike bursty user traffic (web browsing), OT data is highly periodic and predictable. A PLC, for instance, may poll a sensor every 50 ms. Deviations from this rhythm during the normal course of operations are immediate red flags.

  • Legacy protocols gift wrapped in modernity: You will still see Modbus and DNP3, but now they are often encapsulated neatly in MQTT or HTTP/2 wrappers for cloud ingestion. 

  • High velocity, low latency: The data moves at machine speed. Security controls cannot introduce latency, or the production process halts. 

  • The "industrial exhaust": It encompasses metrics (temperature, RPM), logs (system states, errors), and traces (command execution paths across distributed systems).

The Challenges: Why is this Hard? 

Even with 2026 technology, significant hurdles remain: 

  • The encryption vs. inspection paradox: To protect privacy and integrity, more OT traffic is encrypted (TLS 1.3). However, this blinds traditional passive monitors. You need solutions that can decrypt out-of-band or analyze "encrypted traffic patterns" (JA3/JA4 fingerprinting) without breaking the pipe. 

  • Device fragility: Active scanning still crashes legacy controllers. We are forced to rely on passive telemetry capture, which must be 100% comprehensive. 

  • Signal noise: With millions of IIoT devices, the "noise" is deafening. Finding a single malicious "set_point" change hidden inside terabytes of legitimate vibration data is like finding a needle in a stack of needles. 

  • Traditional approaches are not enough: Traditional solutions such as firewalls and data diodes bring their own set of challenges, and the underlying problems remain.

Now let's examine what you should be doing in 2026.

Security control practices for 2026 

We have moved beyond simple firewalls. The standard for 2026 involves: 

Data notarization at source 

We are seeing the rise of "Cryptographic Anchors" on sensors. This ensures that the temperature reading was signed by the actual hardware device, preventing Man-in-the-Middle (MitM) spoofing well before it even hits the network. 

The "verify-then-act" principle  

AI models consuming telemetry now use a secondary "sanity check" layer—a smaller, deterministic model that validates if the incoming data is physically possible (such as "A tank cannot heat from 20°C to 500°C in 1 second") before allowing the control loop to execute. 
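As an added example (not code from the original post or from Shieldworkz), here is what such a deterministic "sanity check" layer can look like: each tag carries an assumed absolute range and a maximum plausible rate of change, and only readings that pass both checks are allowed to reach the control loop. The tag names and limits are constructed for illustration.

```python
# Added example: a deterministic plausibility layer between incoming telemetry
# and the control loop. Limits below are constructed, not real engineering data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Envelope:
    """Physical limits for one tag (assumed values for this example)."""
    lo: float          # absolute minimum plausible value
    hi: float          # absolute maximum plausible value
    max_rate: float    # maximum plausible change per second

LIMITS = {
    "tank1.temp_c": Envelope(lo=-40.0, hi=600.0, max_rate=2.0),   # degrees C per second
    "turbine.rpm":  Envelope(lo=0.0,   hi=3600.0, max_rate=50.0),
}

def plausibility_check(tag, last_value, last_ts, value, ts):
    """Return (accepted, reason). Only an accepted value may reach the control loop."""
    lim = LIMITS.get(tag)
    if lim is None:
        return False, "unknown tag"
    if not (lim.lo <= value <= lim.hi):
        return False, "out of absolute range"
    if last_value is not None:
        dt = ts - last_ts
        if dt <= 0:
            return False, "non-increasing timestamp"
        rate = abs(value - last_value) / dt
        if rate > lim.max_rate:
            return False, f"rate {rate:.1f}/s exceeds {lim.max_rate}/s"
    return True, "ok"

def verify_then_act(tag, stream):
    """Run a (ts, value) stream through the check; return (acted_on, rejected)."""
    acted, rejected = [], []
    last_value, last_ts = None, None
    for ts, value in stream:
        ok, reason = plausibility_check(tag, last_value, last_ts, value, ts)
        if ok:
            acted.append(value)
            last_value, last_ts = value, ts   # only trusted readings advance the baseline
        else:
            rejected.append((ts, value, reason))
    return acted, rejected

if __name__ == "__main__":
    # constructed stream: steady heating, then a spoofed jump to 500 C within one second
    stream = [(0.0, 20.0), (1.0, 21.5), (2.0, 23.0), (3.0, 500.0), (4.0, 24.0)]
    print(verify_then_act("tank1.temp_c", stream))
```

Note that a rejected reading does not advance the trusted baseline, so the reading that follows the spoofed one is still judged against the last value that passed.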

Identity-based segmentation 

We no longer just segment by VLAN. We segment by process identity. A vibration sensor has permission to talk to the "Predictive Maintenance DB" but absolutely zero rights to talk to the "Turbine Control Module." This adds another layer/source of truth to the verification process.  

Managing risk exposure 

Risk in 2026 is measured by "Time to Truth." How long does it take to know your telemetry is lying to you? 

  • Spotlight on "living off the land" attacks: Attackers in 2026 don't use malware; they use your own admin tools (PowerShell, engineering workstations) to send valid-looking commands. Risk management requires behavioral baselining of users and protocols, not just virus signatures. 

  • Supply Chain Telemetry: Your risk includes the telemetry streams from your third-party vendors (e.g., remote chiller maintenance). You must treat inbound vendor telemetry as untrusted until validated. 

Compliance landscape (2026 Edition) 

Regulations are catching up. 

  • The AI Act (EU) and global equivalents: Requires "Data Governance" for any AI used in critical infrastructure. You must prove your training and inference data (telemetry) has not been tampered with. 

  • NIS2 and CIRCIA (USA): Strict reporting timelines (24-72 hours) for incidents. This includes "near misses" where telemetry anomalies were detected but blocked. 

  • SBOM + HBOM: Software and Hardware Bill of Materials are mandatory. You need to know exactly which sensor sent the data. 

  • CISA and NSA guidelines on AI use in OT: NSA and CISA, along with others, have released guidance on the many ways AI can be integrated into OT, built around four basic principles that critical infrastructure owners and operators need to follow to capitalize on the benefits and minimize the risks of integrating AI into OT environments.

  • Many regional regulators are asking OT operators to pay more attention to OT telemetry.

Checklist for OT telemetry security in 2026 

If you can't check these boxes, you need to do a bit more to secure your infrastructure: 

  • [ ] Inventory visibility: Can you see 100% of devices emitting telemetry, including "Shadow IoT" devices? 

  • [ ] Baseline establishment: Do you have a "Golden Baseline" of normal traffic patterns for every PLC and sensor? 

  • [ ] Protocol dissectors: Does your security tool understand OT-specific protocols (CIP, Profinet, BACnet) deeply, not just as "unknown UDP"? 

  • [ ] Integrity checks: Are you monitoring for "replay attacks" where old (valid) telemetry is re-sent to mask a theft or physical attack? 

  • [ ] Passive architecture: Is your monitoring strictly out-of-band (SPAN/TAP) to ensure zero impact on operations? 
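The "data notarization at source" control and the "integrity checks" item above fit together naturally, so here is one added example (not code from the original post or from Shieldworkz) covering both: each sensor signs every reading together with a monotonically increasing sequence number, and the collector verifies the signature first and then rejects any sequence number it has already seen. HMAC-SHA256 with a per-device shared key stands in for a hardware-backed signature; the device id, key and readings are constructed.

```python
# Added example: signed telemetry envelope plus replay rejection at the collector.
# HMAC-SHA256 with a per-device key stands in for a hardware-anchored signature.
import hmac, hashlib, json

# constructed per-device key; a real deployment would provision it in hardware
DEVICE_KEYS = {"temp-sensor-07": b"constructed-example-key-do-not-reuse"}

def _canonical(body):
    """Canonical JSON so sensor and collector hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_reading(device_id, seq, ts, value):
    """Sensor side: reading fields plus a MAC over their canonical encoding."""
    body = {"device": device_id, "seq": seq, "ts": ts, "value": value}
    tag = hmac.new(DEVICE_KEYS[device_id], _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}

class Collector:
    """Collector side: verify the MAC, then enforce a strictly increasing seq per device."""
    def __init__(self):
        self.last_seq = {}

    def accept(self, reading):
        device = reading.get("device")
        key = DEVICE_KEYS.get(device)
        if key is None:
            return False, "unknown device"
        body = {k: v for k, v in reading.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, reading.get("mac", "")):
            return False, "bad signature"          # tampered in transit or forged
        if reading["seq"] <= self.last_seq.get(device, -1):
            return False, "replayed or out-of-order sequence"
        self.last_seq[device] = reading["seq"]
        return True, "ok"

def run_demo():
    """Genuine readings pass; an altered payload and a replayed old reading are rejected."""
    c = Collector()
    r1 = sign_reading("temp-sensor-07", 1, 1700000000, 21.5)
    r2 = sign_reading("temp-sensor-07", 2, 1700000050, 21.7)
    tampered = dict(r2, value=99.0)   # value altered after signing
    return [c.accept(r1)[1], c.accept(r2)[1], c.accept(tampered)[1], c.accept(r1)[1]]

if __name__ == "__main__":
    print(run_demo())
```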

I couldn’t resist adding this bit.  

How an OT Security NDR like Shieldworkz helps 

This is where specialized solutions like Shieldworkz have become the linchpin of a 2026 OT telemetry security strategy. General IT security tools fail in OT because they don't speak the language of machines and lack the required context. Traffic-control tools help only partially, as they too can be manipulated.

An OT-native Network Detection and Response (NDR) solution like Shieldworkz addresses the specific gaps mentioned above: 

Deep Packet Inspection (DPI) for OT 

Shieldworkz doesn't just see "traffic"; it dissects and analyses the payload. It knows the difference between a Read command (safe) and a Write/Firmware Update command (critical). It validates that the values being sent are within the pre-approved engineering limits of the device. 

Deterministic anomaly detection 

Unlike generic AI that learns "user behavior," Shieldworkz utilizes the cyclic nature of OT. It builds a model in which it knows exactly when Device A should talk to Device B. If Device A suddenly speaks 10 ms off-schedule or communicates with the internet, Shieldworkz flags it instantly as a deviation. Since Shieldworkz offers unmatched OT visibility, it also enumerates assets comprehensively.
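To make the "deterministic and cyclic" property concrete for both the characteristics section above and this one, here is an added example (not Shieldworkz's own detection logic) that learns the expected polling period per source/destination flow from a golden capture and then flags live traffic that is off-schedule or that involves a peer never seen in the baseline. The flow records, device names and the external address are constructed.

```python
# Added example: per-flow period baseline learned from a golden capture, then
# applied to live events. Events are (timestamp_ms, src, dst) tuples, constructed here.
from statistics import median

def learn_baseline(events):
    """Return {(src, dst): median inter-arrival period in ms} from a golden capture."""
    by_flow = {}
    for ts, src, dst in sorted(events):
        by_flow.setdefault((src, dst), []).append(ts)
    baseline = {}
    for flow, stamps in by_flow.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if gaps:
            baseline[flow] = median(gaps)
    return baseline

def detect(baseline, live_events, tolerance_ms=5):
    """Alert on flows absent from the baseline and on gaps outside the learned period."""
    alerts, last_seen = [], {}
    for ts, src, dst in sorted(live_events):
        flow = (src, dst)
        if flow not in baseline:
            alerts.append((ts, flow, "flow not in baseline"))   # e.g. a PLC reaching the internet
            continue
        if flow in last_seen:
            gap = ts - last_seen[flow]
            if abs(gap - baseline[flow]) > tolerance_ms:
                alerts.append((ts, flow, f"off-schedule: gap {gap} ms, expected {baseline[flow]} ms"))
        last_seen[flow] = ts
    return alerts

# constructed golden capture: plc-a polls sensor-b every 50 ms for one second
GOLDEN = [(t, "plc-a", "sensor-b") for t in range(0, 1000, 50)]
# constructed live traffic: one poll arrives 10 ms late, then plc-a talks to an external host
LIVE = [(0, "plc-a", "sensor-b"), (50, "plc-a", "sensor-b"), (110, "plc-a", "sensor-b"),
        (160, "plc-a", "sensor-b"), (170, "plc-a", "203.0.113.9")]

if __name__ == "__main__":
    for alert in detect(learn_baseline(GOLDEN), LIVE):
        print(alert)
```

The tolerance is deliberately a parameter: the right value depends on the jitter observed during the golden capture, not on a fixed number.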

The "Virtual Analyst" for Tier 1 Triage 

In 2026, talent is scarce. Shieldworkz acts as a force multiplier by automatically correlating weak signals—a failed login on an HMI followed by a new registry key on a workstation—into a single, narrative attack story. It reduces "alert fatigue" by filtering out the industrial noise. 

Forensic Retroactivity 

When a breach occurs, you need to know what happened six months ago. Shieldworkz stores full-fidelity telemetry metadata, allowing you to "rewind the tape" and see exactly when the attacker first tested the waters, satisfying the strict 2026 compliance reporting requirements. 

Lastly, with global OT- and IIoT-specific cyber threat intelligence, Shieldworkz is uniquely placed to detect and report existing and emerging threats well before they can impact your infrastructure.

Conclusion 

In 2026, trust is the most expensive commodity on the plant floor. We can no longer blindly trust the data on the screen. By treating OT telemetry as a contested domain—and securing it with rigorous architecture and specialized NDR partners like Shieldworkz—we ensure that our physical world remains safe, predictable, and resilient against the digital threats of tomorrow. 

Experience a demo of our NDR solution and decide for yourself.  

Sign up for a free security consultation for your critical infrastructure. 

I look forward to hearing from you on your OT security priorities for 2026.   
