- July 14, 2026
- Madre Janus
Artificial intelligence is now the single biggest force reshaping cyber risk for GCC energy boards. AI helps attackers find and exploit vulnerabilities in legacy operational technology (OT) faster than boards and CISOs across Saudi Arabia, the UAE, and Qatar can patch them, while also giving defenders new tools to map dependencies and prioritise protection. Because a disruption to energy operations threatens national output, regulatory standing, and reputation, cyber resilience has moved from an IT conversation to a standing board agenda item across Saudi Arabia, the UAE, Qatar, and the wider Gulf.
What Just Happened
On July 13, 2026, Computer Weekly published comments from Terence Liu, CEO of TXOne Networks, a cyber-physical systems (CPS) security vendor, on how AI adoption is changing cyber risk management for GCC energy operators. Liu’s core point is direct: security teams already spot vulnerabilities faster than operations teams can safely fix them, and AI is set to widen that gap further, since many industrial assets cannot be patched or replaced on ordinary IT timelines.
His comments draw on TXOne Networks’ Energy Operators Challenges 2026 research and a related 2026 MENA/GCC OT Cybersecurity Resilience CXO Priorities survey, which gathered input from more than 60 senior operators across the region. That survey found a structural tension sitting at the centre of every GCC energy boardroom right now: the pressure to keep production running twenty-four hours a day versus the pressure to lock down systems that were never designed with cybersecurity in mind.
The Computer Weekly piece is a useful signal of where the conversation is heading, but on its own it does not give operators, CISOs, or boards the fuller picture, the hard numbers, the regulatory obligations, or the practical next steps. That is what this article adds.
Why AI Is Accelerating the Problem, Not Just the Solution
AI cuts both ways in industrial cybersecurity, and understanding both sides is essential before deciding what to do about it.
On the attacker side: generative AI and autonomous reasoning tools are compressing the time it takes to discover a vulnerability, write an exploit, and adapt it to a specific target. Fortinet’s 2026 Global Threat Landscape Report, built entirely from FortiGuard Labs telemetry across 2025, recorded 122 billion exploitation attempts globally and a 389 percent year-over-year jump in confirmed ransomware victims, rising from roughly 1,600 in the 2025 report to 7,831 in 2026. Fortinet attributes much of that surge to widely available crime kits such as WormGPT, FraudGPT, and BruteForceAI, which let lower-skilled attackers run AI-assisted campaigns that previously required specialist expertise. The same report found a 79 percent rise in stolen data sets available on dark web marketplaces in 2026, with infostealer malware families RedLine, Lumma, and Vidar accounting for the large majority of infections.
On the defender side: the same AI capabilities that speed up attacks can, in principle, help operators map complex operational dependencies, flag abnormal behaviour, and recommend protective actions without shutting production down. TXOne Networks’ 2026 Annual OT/ICS Cybersecurity Report, based on a Frost & Sullivan survey of 200 C-level OT security decision-makers across six industries and five regions, found that 96 percent of OT security incidents originate from an IT-level compromise first, that 60 percent of organisations experienced an OT security incident in 2025, and that 88 percent increased OT security spending by more than 10 percent that year. In short, the money is moving toward OT resilience, but the incidents are not slowing down.
The structural problem underneath both trends is that industrial control systems were built for decades of stable, predictable operation, not for a threat landscape that now changes by the hour. Unlike a laptop or a cloud server, a distributed control system (DCS), SCADA platform, or safety instrumented system on an oil, gas, or power asset often cannot be patched without risking a shutdown, a safety incident, or a warranty violation. That gap between “vulnerability found” and “vulnerability fixed” is exactly what AI-accelerated attackers are learning to exploit.
The GCC-Specific Pressure Points
The Gulf’s energy sector faces a version of this problem that is sharper than the global average, for three reasons.
1. Rapid digitisation of legacy assets. National transformation programmes across Saudi Arabia, the UAE, and Qatar are connecting OT, cloud platforms, enterprise systems, and remote engineering access at a pace few other regions are attempting. This unlocks predictive maintenance and efficiency gains, but every new connection is also a new attack path into infrastructure that was never designed to be networked.
2. A documented tension between uptime and security. The 2026 MENA/GCC OT Cybersecurity Resilience CXO Priorities survey found operators are being asked to guarantee continuous production while simultaneously proving robust digital security, two goals that are often in direct tension when the fix for a vulnerability requires taking a system offline. The survey’s recommended path forward is an OT Zero Trust model built on passive network telemetry (so legacy infrastructure can be mapped without disruptive active scanning) and virtual patching (network-level filtering that blocks malicious traffic reaching a vulnerable device without requiring a system reboot).
3. Elevated threat volume tied to geopolitics. The UAE Cybersecurity Council reported in February 2026 that the country’s digital infrastructure faces between 90,000 and 200,000 breach attempts every single day, and that same month the Council said it had thwarted a coordinated, terrorism-linked cyber campaign aimed at destabilising essential services. Separately, a February 2026 campaign against UAE digital infrastructure combined ransomware deployment with AI-powered phishing, according to a Gallagher risk report, an early example of the “AI versus AI” dynamic Liu describes. Brute-force attacks against network edge devices, including the Fortinet FortiGate appliances widely deployed across the region, also surged in the first quarter of 2026, with nearly 90 percent of that activity geolocated to Middle East IP ranges, per Barracuda research.
The Regulatory Reality: What GCC Energy Operators Are Actually Required to Do
Board-level attention on cyber resilience is not only being driven by threat volume. It is increasingly a compliance obligation with real audit and licensing consequences.
For multinational operators running assets across more than one Gulf state, the practical approach used by GCC oil and gas operators is to map a single OT security architecture, typically anchored in IEC 62443 and NIST 800-82, against each jurisdiction’s specific control set (OTCC in Saudi Arabia, IA in the UAE, NCSS-aligned guidance in Qatar). This produces one technical design that can still generate regulator-ready evidence in every country of operation.
Saudi Arabia’s National Cybersecurity Authority reported that cybersecurity spending in the Kingdom reached SAR 15.2 billion in 2024, with the cybersecurity sector itself contributing SAR 18.5 billion to GDP, a clear signal that regulators view this as economic infrastructure, not just a compliance line item.
The Consequences of Getting This Wrong
The stakes are not abstract. A few reference points from the past eighteen months illustrate what is at risk:
- Financial exposure. Check Point Research data cited in industry analysis found 67 percent of energy, oil, and utilities organisations faced a ransomware attack in 2024, with 80 percent of those resulting in data encryption. The average ransomware recovery cost for an energy sector incident reached USD 3.12 million in 2024, before counting lost production or contractual penalties.
- Global attack volume on energy infrastructure. Cyble recorded 187 confirmed, successful ransomware intrusions against the global energy and utilities sector in 2025, and TXOne Networks separately reported an 87 percent increase in ransomware attacks targeting energy infrastructure, with named threat groups such as VOLTZITE actively targeting electric substations since 2019 and GRAPHITE targeting water and wastewater facilities.
- A real-world OT disruption case study. In late December 2025, attackers compromised operational technology at renewable energy plants, a combined heat and power facility, and a manufacturing site in Poland by exploiting vulnerable internet-facing edge devices, then deployed wiper malware that damaged remote terminal units (RTUs). CISA and CERT Polska issued a joint alert in February 2026 warning that any critical infrastructure operator with similarly exposed edge devices faces the same risk. It is a direct illustration of Liu’s warning that visibility without operational control is not enough.
- Geopolitical and supply chain amplification. Roughly 20 percent of the world’s oil and gas shipments pass through the Strait of Hormuz, and 2026 Middle East conflicts have already caused shipping disruptions there, according to a Gallagher risk report. The same report notes that critical infrastructure disruption climbed four positions, from 26th to 22nd, in the World Economic Forum’s two-year global risk outlook for 2026, reflecting how tightly cyber, physical, and geopolitical risk are now linked for Gulf energy assets specifically.
- Reputational and regulatory fallout. Under frameworks like Saudi Arabia’s OTCC, a material OT incident is not just an operational event, it is a compliance failure with audit, licensing, and public disclosure implications, on top of the customer and investor confidence damage any energy operator would face after a production-halting breach.
What "Visibility Without Control" Actually Means in Practice
Liu’s central argument in the Computer Weekly piece is that comprehensive asset visibility, knowing what exists, where the vulnerabilities are, and where abnormal behaviour is occurring, is necessary but not sufficient. Progress requires operational control: the ability to prioritise the assets that matter most, strengthen their protection, and act on a threat without halting production.
In practice, that gap is closed through a small number of concrete capabilities:
- Passive, not active, asset discovery. Legacy OT devices can crash or misbehave under active network scans. Passive telemetry maps the environment without touching fragile systems.
- Virtual patching. Where a vulnerability cannot be fixed at the source without downtime, network-level compensating controls filter out the malicious traffic that would exploit it, buying time without a shutdown.
- Segmentation between IT and OT. Given that 96 percent of OT incidents originate from an IT-level compromise first, per TXOne’s 2026 report, strong segmentation is the single highest-leverage control available to most operators today.
- Risk-based prioritisation over “fix everything.” With AI shrinking the time between vulnerability discovery and exploitation, chasing every finding equally is no longer realistic. The more effective posture, echoed across both TXOne’s and Fortinet’s 2026 research, is reducing risk on the assets that matter most, faster than an attacker can act on them.
- AI-assisted, human-supervised defence. Liu’s own framing is that the future is not AI against humans, it is trusted operational AI, guided by human expertise, defending against malicious AI. That includes growing regional interest in sovereign AI and locally developed small language models tuned to GCC industrial environments and regulatory language.
What GCC Energy Boards Should Be Asking This Quarter
For CEOs, CISOs, and board risk committees across MIE and Madre Janus client environments, the following questions turn this trend into an actionable review:
- Do we have passive, real-time visibility across our full OT estate, including remote and unmanned sites, or only the assets we actively monitor?
- Where visibility exists but active patching is not possible, do we have virtual patching or equivalent compensating controls in place?
- Can we demonstrate segmentation between IT and OT environments to an NCA OTCC, UAE IA, or Qatar NCSS auditor today, not hypothetically?
- Is our incident response plan built around resilience and recovery time, not just prevention?
- Is operational cyber risk a standing item at board level, with a named executive owner, or is it still routed through IT alone?
- Are we tracking AI-enabled threats such as automated phishing and credential-stealer campaigns specifically, given their documented growth through 2026?
The Bottom Line
The GCC’s energy transformation is not slowing down, and neither is the sophistication of the threats targeting it. What separates resilient operators from exposed ones in 2026 is no longer how much technology they deploy, but whether they combine real-time visibility, operational control, and trusted AI in a way that keeps production running even when an attack succeeds somewhere in the environment. That is the standard regulators, boards, and increasingly insurers are now measuring against.
Madre Janus works with GCC, India, and Australia based organizations as a Fortinet Engage Advocate MSSP, helping energy, utilities, and critical infrastructure operators translate this shift into practical OT security architecture, from segmentation and virtual patching through to NCA OTCC, UAE IA, and Qatar NCSS aligned compliance evidence. If your organization is reviewing its OT security posture this quarter, our team can walk through where your current visibility ends and where operational control needs to begin.
Frequently Asked Questions
Why is AI making cybersecurity harder for GCC energy companies specifically? AI is compressing the time between when a vulnerability is discovered and when it can be exploited, while GCC energy operators run large volumes of legacy operational technology that cannot be patched on ordinary IT timelines. That combination widens the exposure window faster than most organisations can currently close it.
What is the difference between OT cybersecurity and IT cybersecurity? IT cybersecurity protects data, applications, and enterprise networks. OT cybersecurity protects the physical systems, sensors, and control equipment, such as SCADA, DCS, and PLCs, that run industrial processes like power generation, refining, and water treatment. TXOne Networks’ 2026 research found 96 percent of OT incidents actually start as an IT-level compromise, which is why the two can no longer be managed as separate problems.
What cybersecurity regulations apply to energy companies in Saudi Arabia, the UAE, and Qatar? Saudi Arabia applies the NCA’s Essential Cybersecurity Controls (ECC-1:2018) as a baseline and the Operational Technology Cybersecurity Controls (OTCC-1:2022) specifically for OT and ICS environments. The UAE applies the Information Assurance Regulation, now administered by the TDRA. Qatar applies its National Cyber Security Strategy (NCSS) 2024 to 2030, supported by Q-CERT.
Is visibility enough to protect critical infrastructure from AI-driven attacks? No. Visibility shows where assets, vulnerabilities, and abnormal behaviour exist, but it does not, by itself, stop an attack. Operational control, the ability to prioritise critical assets and act on threats without disrupting production, is what actually reduces risk.
Why has cyber resilience become a board-level issue rather than an IT issue in the GCC? Because a cyber incident on energy infrastructure now threatens production continuity, national supply chains, regulatory standing under frameworks like OTCC, and corporate reputation simultaneously. Regional regulators are also increasingly holding executive leadership directly accountable for operational continuity, not just technical teams.