
When Six Governments Say the Same Thing, It’s Time to Listen — and Act

On June 1, the heads of six national cyber agencies — CISA, NSA, the UK NCSC, Canada’s CCCS, Australia’s ASD, and New Zealand’s GCSB — published a joint statement on AI and cyber risk [1]. That kind of alignment across all Five Eyes countries is rare. What they said is worth reading. Some of it applies directly to industrial operators in ways that the coverage so far has largely missed.

Two sentences stood out to me:

“Delays in patching increase risk, especially for operational systems with long update cycles.”

“Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities.”

Neither of those sentences belongs in a guidance document about enterprise IT. They were written for people running power plants, refineries, factories, and grid infrastructure — environments where systems run for 10 to 30 years, where patching requires scheduled outage windows, and where “just update it” is not an option.

Six sovereign governments just put OT on the board agenda. The question now is what industrial leaders do with it.


What Changed — and What Didn’t

AI has been part of the OT threat conversation for a while, but mostly in the abstract. What the Five Eyes statement makes concrete is the timeline: “The timeline is not years, it is months.” That’s a significant shift in language from a group of agencies that usually tend toward understatement.

A few weeks before the statement was published, my colleague Rosa Kariger attended the World Economic Forum’s annual cybersecurity meeting in Geneva, where participants in Anthropic’s Project Glasswing — the restricted-access program for frontier AI testing — presented their findings first-hand. Her analysis, published June 2, identified a structural gap in the coalition: OT and industrial technology were last in line, while cloud, endpoint, and network security vendors had center-stage seats.

The picture has moved since Rosa wrote. On June 2, Anthropic expanded Glasswing from its original 12 founding partners to roughly 200 organizations across 15+ countries, explicitly naming power, utilities, water, and hardware as priority sectors [2]. On June 5, Dragos joined to apply Mythos to its own products. The same day, Hitachi joined as the first major industrial conglomerate in the coalition, with its Cyber Center of Excellence using Mythos Preview across its energy and social infrastructure software portfolio.

That is meaningful. But as our Director of OT Cybersecurity Donovan Tindill noted in his June analysis [3], sector framing is not the same as remediation scope. Critical infrastructure is not a software category. You do not patch “the water sector” or “the power sector.” You patch specific products, from specific suppliers, deployed in specific architectures, running specific versions, under specific operational constraints. The important question for asset owners is not whether Glasswing has expanded to critical infrastructure in the abstract — it is which product suppliers, hardware providers, remote-access vendors, and industrial automation OEMs are now seeing AI-discovered vulnerabilities in code already deployed inside plants.

The PLC, DCS, and SCADA OEMs — Siemens, Schneider Electric, Rockwell Automation, GE Vernova, Honeywell, ABB — are not yet publicly named participants. That silence may be necessary. As Donovan wrote, if a supplier is identified before patches exist, asset owners will reasonably ask where the fixes are and how long the vulnerability has been known. Suppliers need time to confirm, validate, fix, test, write advisories, and support customers through safe deployment. But that operational waterfall — from AI-accelerated discovery to confirmed risk reduction in a live plant — is exactly where the bottleneck lives.

Dragos is hardening Dragos’s platform. Hitachi is hardening Hitachi’s software. Neither is patching the control systems most industrial operators actually run.


The Honest Picture on Legacy Systems

This is where the Five Eyes statement’s “strategic liabilities” framing becomes precise rather than rhetorical.

OT environments will always contain end-of-life equipment. That is not a temporary condition — it is a structural feature of infrastructure built for decade-long operational lifecycles. TXOne Networks surveyed 550 OT decision-makers across six European countries earlier this year and found that 50% run environments where at least half the OT systems are legacy, with 20% reporting more than 75% legacy [4]. Six in ten report that legacy Windows makes up at least half of their OT estate. Windows 10 reached end-of-support in October 2025, adding another unsupported platform layer to an already constrained environment. The list goes on and on.

What frontier AI models like Mythos change is not the fundamental condition — these environments already carry vulnerabilities with patches more than 2,000 days old still outstanding [3]. What changes is the rate of discovery. Anthropic reported that Project Glasswing partners have identified more than 10,000 high- or critical-severity flaws, with 90.6% confirmed as valid true positives [5]. More discovery does not automatically create more outage windows, more control engineers, or more executive appetite for operational disruption. It adds more work to a system that was already saturated.

The real near-term risk is the perimeter. Perimeter systems — firewalls, remote-access platforms, VPN gateways, engineering workstations, jump hosts — are where AI-assisted reconnaissance compounds existing exposure. Forescout reported 508 CISA ICS advisories covering 2,155 CVEs in 2025 [6]. Once inside that perimeter, as the Five Eyes statement confirms, the interior is soft. Very soft. The combination is the story: legacy infrastructure designed when the threat model was physical intrusion is now facing adversaries who can enumerate its attack surface in hours.

That is a board-level conversation. It requires a number.


What AI Actually Does to the Attack Pattern

This matters because of what AI actually changes about OT threat dynamics — and what it doesn’t. In May, Dragos documented a confirmed case [7] where an adversary used large language models to identify OT-relevant assets, recognize an industrial gateway without any prior ICS knowledge, and generate a multi-module reconnaissance framework within 48 hours. The OT network was not breached. But, according to Dragos, AI can “make OT more visible to adversaries already operating inside IT environments.” It compresses the timeline. It lowers the skill barrier. It does not create new attack capabilities so much as it accelerates the ones that were already there.

The near-term concern is not only what Anthropic or OpenAI do with controlled access and vetted participants. The real fast-follower concern is that other actors will develop or obtain similar cyber-capable models without the same restrictions — hostile states, military cyber units, criminal ecosystems, or loosely governed models outside Western regulatory reach. If defenders get a temporary head start, they should use it. The window may be short.


AI for Defenders

The Five Eyes statement is not only a threat assessment. It says: “Organizations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behavior, and respond faster to incidents.”

The same capability that compresses discovery-to-exploit on the attacker side can compress discovery-to-remediation on the defender side — if deployed with the right inputs and a clear-eyed view of operational constraints. For OT, that means three things.

Proactive exposure mapping. AI-assisted vulnerability discovery can surface attack chains that severity scoring would have buried because each link carries a low CVSS score. One of Project Glasswing’s most consequential findings is that individually minor vulnerabilities can be chained into exploitation paths with severe operational consequences. The right response is not to patch everything faster (operationally impossible in most OT environments) but to understand which combinations create the worst feasible outcomes for a specific architecture, and address those first: consequence-based prioritization, not severity scoring.

Faster intelligence-to-action translation. AI-assisted threat intelligence can translate threat actor tactics, techniques and procedures into specific control gaps at the facility level — moving programs from reporting to risk reduction.

Better evidence for risk transfer. Industrial operators who can show a continuously updated, financially bounded picture of their OT exposure are in a fundamentally different position with boards, risk committees, and insurers than those presenting a qualitative questionnaire.

Most organizations, however, are treating risk quantification as a periodic event rather than an operating discipline. Yearly assessments were never the answer. Even less so now, when the exposure picture is always stale relative to a threat environment that is moving faster than ever.


What This Means in Practice

“Those that do not will face growing operational and strategic disadvantage.” — Five Eyes statement, June 2026

That is a business risk statement, not a security warning.

For industrial operators, the practical implication has three parts:

  • First, the legacy system exposure needs to be quantified in financial terms — not as a heat map color, but as an expected annual loss and a tail exposure that a board can weigh against the cost and feasibility of remediation options.
  • Second, the controls that actually move the loss curve under real operational constraints need to be identified and sequenced — which is a different exercise from scoring vulnerabilities by CVSS and working down the list.
  • Third, the evidence package that enables disciplined risk transfer needs to be maintained on a governance cadence, not assembled at renewal.
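To make the consequence-based prioritization and the financial framing above concrete, here is a small added illustration (not DeRISK code or DeNexus data): two constructed attack chains from the perimeter into the OT interior, an expected annual loss and a worst-feasible-outcome figure derived from them, and a comparison of three candidate controls ranked by how much they move the loss versus by the CVSS of the hop they fix. All probabilities, loss figures, control effects, the hop-independence assumption and the 1% credibility threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed illustration: each hop is one vulnerability with its CVSS score and
# an ASSUMED annual probability that an attacker gets through it.
@dataclass(frozen=True)
class Hop:
    asset: str
    cvss: float
    p_success: float  # assumed, per year

@dataclass(frozen=True)
class Chain:
    name: str
    hops: tuple
    consequence_usd: float  # assumed loss if the whole chain is completed

VPN = Hop("VPN gateway", 9.8, 0.30)
JUMP = Hop("jump host", 7.5, 0.60)
EWS = Hop("engineering workstation (legacy Windows)", 5.3, 0.90)
PLC = Hop("PLC with no patch window", 4.0, 0.95)
HIST = Hop("historian server", 7.2, 0.50)

CHAINS = (
    Chain("unplanned process shutdown", (VPN, JUMP, EWS, PLC), 8_000_000),
    Chain("historian data loss", (VPN, HIST), 400_000),
)

# Candidate controls: (label, asset hardened, CVSS of that hop, assumed new p_success)
CONTROLS = (
    ("patch VPN gateway", "VPN gateway", 9.8, 0.10),
    ("patch historian", "historian server", 7.2, 0.05),
    ("allow-list jump host to EWS", "engineering workstation (legacy Windows)", 5.3, 0.15),
)

def chain_probability(chain, overrides=None):
    """Annual probability the whole chain succeeds; hops are assumed independent."""
    overrides = overrides or {}
    p = 1.0
    for h in chain.hops:
        p *= overrides.get(h.asset, h.p_success)
    return p

def expected_annual_loss(chains=CHAINS, overrides=None):
    """Sum over chains of (annual probability x consequence)."""
    return sum(chain_probability(c, overrides) * c.consequence_usd for c in chains)

def tail_exposure(chains=CHAINS, overrides=None, credible=0.01):
    """Worst feasible outcome: largest consequence among chains still above the
    assumed credibility threshold. Note it survives controls that only cut EAL."""
    return max((c.consequence_usd for c in chains
                if chain_probability(c, overrides) >= credible), default=0.0)

def rank_controls(chains=CHAINS, controls=CONTROLS):
    """Return (controls ranked by EAL reduction, controls ranked by CVSS of the hop)."""
    base = expected_annual_loss(chains)
    reduction = {c[0]: round(base - expected_annual_loss(chains, {c[1]: c[3]})) for c in controls}
    by_loss = sorted(reduction.items(), key=lambda kv: -kv[1])
    by_cvss = [c[0] for c in sorted(controls, key=lambda c: -c[2])]
    return by_loss, by_cvss
```

In this constructed case the CVSS 5.3 hop is the one whose control moves the loss most, while the worst feasible outcome remains on the table after every single control, which is the residual a board weighs against remediation cost and risk transfer.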

The DeRISK Platform is built to run all three continuously — quantifying OT exposure in financial terms; translating threat intelligence into facility-specific action points; and generating the traceable outputs that markets can act on.

That work was important before June 1. After six sovereign governments confirmed that the timeline for AI-amplified OT attacks is months, not years, it is urgent.


Going Deeper

We are currently developing a research report on edge AI models and industrial cyber risk — the next wave of capability after frontier models, and one with direct implications for the OT attack surface. It will be published in September. If you want to be notified when it’s available, sign up at denexus.io/derisk-platform.

In the meantime, the DeNexus Learning Hub has the foundational material for anyone working through these questions with their team:



Educational content only. Not legal, coverage, or underwriting advice.



References

[1] Canadian Centre for Cyber Security, CISA, and NCSC. “Five Eyes cyber security agencies statement on the AI shift in cyber risk: why leaders must act now.” June 2026.

[2] Anthropic. “Expanding Project Glasswing.” Anthropic, June 2, 2026.

[3] Tindill, Donovan. “The Final Mile Problem: AI Can Find ICS/OT Vulnerabilities Faster Than We Can Safely Fix Them.” LinkedIn, June 5, 2026.

[4] TXOne Networks. “Legacy OT Dilemma 2026 Update.” TXOne Networks, 2026.

[5] Anthropic. “Project Glasswing: An Initial Update.” Anthropic, May 22, 2026.

[6] Forescout. “ICS Cybersecurity in 2026: Vulnerabilities and the Path Forward.” Forescout, 2026.

[7] Dragos. “AI in the Breach: How an Adversary Leveraged AI to Target a Water Utility’s OT.” Dragos, May 6, 2026.

[8] Dragos and Marsh McLennan. “OT Security Financial Risk Report.” August 2025.

[9] Tindill, Donovan. “We’re All Going to Drown in Tech Debt. Some of Us Just Got Here Sooner.” LinkedIn, May 22, 2026.