June 26, 2026

While operational technology security is maturing, risk is not slowing down


Over the last several years, operational technology (OT) security has shifted from a specialised concern to a board-level business priority. Industrial organisations now rely on interconnected systems, remote access, cloud-based analytics and unified IT and OT environments to maintain production.

While this advanced connectivity offers increased efficiency and resilience, it has also enlarged the attack surface for cybercriminals, ransomware groups and nation-state actors.

The 2026 Fortinet State of Operational Technology and Cybersecurity Report shows that organisations are becoming more diligent in addressing these risks. Based on a worldwide survey of more than 700 OT professionals, the report highlights a market that is increasingly realistic about OT cybersecurity maturity, more alert to intrusions and more dedicated to meeting upcoming regulatory requirements.

The good news is that many organisations are making progress. The challenge, however, is that maturity levels vary, with many OT environments still facing major issues with visibility, segmentation, secure remote access, incident response and standardised security architecture.

OT security responsibility remains a C-suite issue

One of the clearest signs of OT security maturity over the past several years has been the elevation of OT cybersecurity responsibility to senior leadership. Sixty percent of respondents reported that the chief information security officer (CISO) has ultimate responsibility for OT cybersecurity. That is down from 69% in 2025, but the shift does not necessarily indicate a decline in executive attention.

What the report suggests is that some organisations have matured sufficiently to transfer OT risk ownership to other senior leaders, following C-suite involvement in formalising strategy, funding and governance. Where not already elevated, 81% of respondents plan to assign OT cybersecurity to the CISO within the next year – an increase from 80% in 2025.

The takeaway is clear: OT risk is no longer the sole responsibility of plant operations or engineering teams. Instead, it now demands co-ordinated management involving security, operations, risk management, compliance and executive leadership.

Maturity ratings are becoming more realistic

The 2026 report reveals a significant shift in how organisations assess their OT cybersecurity maturity. In previous years, respondents frequently rated their programs more highly. However, as IT and OT teams have acquired additional funding, implemented more tools and enhanced visibility, many organisations now better understand where their defences still need improvement.

This change is reflected in the data. Respondents at Level 0, indicating disorganised or undocumented cybersecurity processes, increased from 1% in 2025 to 5% in 2026. Level 1 grew from 5% to 17%, while Level 2 went up from 13% to 27%. Conversely, Level 4, which signifies the most advanced cybersecurity programs, saw a significant drop from 49% to 17%.

Initially, this may appear to be regression, but it is better understood as a correction. As teams gain more experience, access better tools and foster more diverse collaboration between IT and OT security, previously hidden gaps become evident. For many organisations, maturity starts with a more honest evaluation of risk.

The same pattern appears in the maturity of OT security solutions. Level 4 declined from 19% to 14%, while Levels 0 and 1 increased. This highlights a common challenge: Many organisations are still establishing the fundamentals of OT security, such as asset visibility, network segmentation, secure remote access, monitoring and response.

Intrusions are being detected more often

The report also highlights a major shift in intrusion reporting. The share of respondents reporting multiple intrusions rose, with 71% reporting between one and nine intrusions, up from 47% the previous year. Meanwhile, the share of organisations reporting more than 10 intrusions remained constant at 2%.

This does not necessarily imply that all organisations are experiencing more frequent attacks. Instead, it likely indicates that more organisations are now aware of what is occurring within their environments. In OT security, the phrase ‘no detected intrusions’ can be misleading when visibility is limited. Improved detection capabilities often result in higher reported incident numbers at first, even as they ultimately reduce risk.

The report also shows encouraging signs. Only 24% of respondents said both IT and OT systems experienced intrusions, a sharp decrease from 60% in 2025, and the lowest since 2022. This likely indicates better segmentation between IT and OT environments, which is helping limit the spread of attacks.

Still, the threat landscape remains serious. Phishing is still the most reported intrusion at 76%, and ransomware remains a major concern at 50%. Although ransomware dropped slightly from 54% in 2025, its potential impact on production, safety, revenue and critical infrastructure keeps it a central focus in OT risk planning.

Dwell time remains a warning sign

Attacker dwell time is crucial in cybersecurity, since it indicates how long an intruder remains undetected. The extended presence of attackers inside a system increases their ability to conduct surveillance, exfiltrate intellectual property, plan ransomware assaults, disrupt operations or prepare for future actions.

The 2026 report indicates that while some shorter dwell-time categories have stabilised, longer dwell times spanning weeks or months have increased. This is particularly concerning for OT environments. Industrial systems often include legacy devices, specialised protocols and uptime requirements, which can complicate rapid responses compared with typical IT environments.

Reducing dwell time calls for more than simple monitoring. Organisations must have OT-aware visibility, threat intelligence, network segmentation, secure remote access and incident response plans that consider operational impact, safety and continuity of production and critical infrastructure.

Regulatory pressure is accelerating

OT leaders anticipate a more demanding regulatory environment. Eighty-nine percent of respondents expect increased regulation within five years or less, a significant rise from 66% in 2025. The report also highlights a 20-point increase in respondents expecting new regulations within two to five years, rather than beyond five years.

This is important because OT cybersecurity is increasingly tied to critical infrastructure, incident reporting, data security, public safety and business continuity. Regulatory requirements are no longer future considerations. They are immediate operational realities.

Organisations that delay action until final mandates are issued risk falling behind. Those that start now can leverage compliance efforts to enhance network resilience, improve reporting, lower risk and modernise security operations.

Visibility is improving, but gaps remain

Visibility remains a cornerstone of OT security. Without a clear understanding of assets, communication flows, users, applications and dependencies, organisations cannot effectively segment networks, identify abnormal activity or establish response priorities.

The 2026 report indicates progress, with the percentage of respondents having full visibility into OT systems increasing from 5% in 2025 to 14% in 2026. This represents a significant improvement.

But the report also reveals that many organisations still lack complete visibility. Approximately 23% of respondents only have visibility into about half of their OT environment. This means many security teams are defending environments without complete insight.

Modernisation is changing the OT landscape

The report shows that organisations are updating their industrial control systems. Forty percent of respondents reported that their industrial control systems are less than five years old, up from 20% in 2025. This reflects a trend of modernisation aimed at enhancing reliability, performance and security.

While modernisation can help reduce risk, it requires careful management. New systems often increase connectivity, data transfers, remote access and integration with IT and cloud platforms. As a result, security should be integrated into modernisation strategies from the start, rather than added later.

For organisations still running legacy systems, the report underscores the need for strict patching discipline, compensating controls, continuous monitoring and segmentation.

Cost pressure is shaping security decisions

Finally, the report highlights a change in how organisations assess cybersecurity success. By 2026, cost reduction and avoidance had become the primary metrics tracked and reported. Productivity gains also remain a key focus.

This is understandable. OT leaders face pressure to justify security investments. But cost savings should not compromise resilience. In OT settings, insufficient investment can lead to downtime, safety hazards, compliance issues, revenue loss and physical disruptions.

The strongest business case for OT security isn’t just lowering cyber risk. It’s ensuring operational continuity.

5 practices to help organisations mature faster

The report closes with practical recommendations for improving OT cybersecurity:

  1. Segment and micro-segment IT and OT networks to minimise lateral movement and limit the impact of attacks.
  2. Use secure remote access to support vendors and third parties without relying on broad, persistent access methods.
  3. Integrate OT into security operations and incident response planning so teams can respond to cyber incidents without neglecting production and safety realities.
  4. Invest in OT-specific threat intelligence that encompasses industrial protocols, sector-specific threats and OT asset behaviours.
  5. Consider a platform approach to simplify operations, enhance visibility, centralise control and facilitate quicker, more co-ordinated responses.

These practices all point to the same overarching principle: OT cybersecurity can’t be solved with standalone tools or isolated teams. Instead, it demands a unified approach that brings together people, processes and technology across both IT and OT environments.

Conclusion

The 2026 State of Operational Technology and Cybersecurity Report highlights a market in transition. As OT security matures, the threat landscape is also becoming more complex. Issues such as ransomware, phishing, extended dwell times, limited visibility and fragmented security architectures continue to pose significant challenges.

Fortunately, organisations are rapidly improving visibility, reassessing their maturity more honestly, preparing for regulation and investing in more advanced security capabilities.

Get your copy of the full report to explore the survey results, evaluate your organisation’s OT security maturity and discover practices that can help mitigate risks across today’s increasingly interconnected industrial environments.

Richard Springer

Senior Director: OT Solutions Marketing

Fortinet
