
Oil and gas operators ramp up OT security spending post-Epic Fury, but critical detection gap persists


Tosi’s independent survey of 100 OT decision-makers across U.S. upstream and midstream oil and gas operators shows a sector reacting to the post-Operation Epic Fury threat environment with unusual speed and a surge in spending. But it also exposes a critical gap at the core of that response. Most operators say they can detect a cyberattack within 24 hours, yet the tools they rely on were not designed for that task.

Eighty-seven percent of respondents rate their ability to detect an active OT breach within 24 hours as high, scoring themselves 4 or 5 on a five-point scale. That confidence looks increasingly fragile under scrutiny. Fifty-one percent point to IT security tools they acknowledge have limited visibility into OT-specific traffic. Another 27 % say detection would depend on a field operator or technician noticing something wrong. Only 16 % identify continuous OT monitoring as the foundation of their detection capability.

“This is the most consequential blind spot in U.S. energy infrastructure right now,” said Sakari Suhonen, CEO of Tosi U.S. “The sector has the budget, the executive attention, and the will to act. What it does not yet have is detection that actually sees OT. After Operation Epic Fury, that distinction is the difference between catching an intrusion in hours and finding out about it from a production outage.”

Fielded in April 2026, six weeks after the February 28 launch of Operation Epic Fury, the survey documents a sector moving with unusual urgency. Tosi’s survey shows cyber risk has been fundamentally repriced. Sixty-three percent of operators report higher cyber risk today than before February 28, with 13 % describing the increase as significant. The shift is being driven by deeper IT and OT convergence, sustained state-sponsored targeting of energy infrastructure, and growing reliance on third-party remote access.

Spending is already moving. Ninety-four percent of operators have either approved (59 %) or are actively reviewing (35 %) unplanned OT security funding tied to the post-Operation Epic Fury environment. Looking ahead, 95 % expect OT security budgets to grow over the next 12 months, with one in four anticipating increases above 20 %.

Operational impact is nearly universal. Ninety-nine out of 100 operators report experiencing at least one category of cyber incident since February 28. Ransomware affecting OT-connected systems and precautionary OT shutdowns triggered by IT-side incidents each impacted 48 % of operators.

Detection is emerging as the central priority. When asked to identify the single most important OT security capability to strengthen over the next year, 22 % pointed to continuous monitoring and anomaly detection, while 20 % cited OT-specific incident detection and response. Alongside asset discovery at 15 % and OT-specific secure remote access at 14 %, these areas collectively account for 71 % of stated priorities, underscoring a clear shift toward visibility, detection, and controlled access.

The primary barrier is no longer financial. Forty-five percent of operators identify the IT and OT culture gap, where IT security teams lack OT expertise, as the biggest obstacle to progress. Operational risk aversion follows at 28 %. Only 11 % cite budget constraints, marking a notable departure from earlier industry findings where funding limitations typically dominated.

Operation Epic Fury refers to the U.S. and Israeli campaign against Iran, which has been followed by sustained Iranian-aligned cyber activity targeting Western critical infrastructure. On April 7, six federal agencies, including CISA, the FBI, and the Department of Energy, issued a joint advisory (AA26-097A) confirming that Iranian-affiliated actors are actively disrupting programmable logic controllers across US energy, water, and government sectors, with confirmed operational disruption and financial loss. The Railroad Commission of Texas issued a parallel notice to operators on April 10. The Tosi research is the first independent dataset to quantify how the sector itself is responding. 

“The next twelve months will see oil and gas spend more on OT security than in the previous several years combined,” Suhonen added. “That spend will land in one of two places. It will close the detection gap with OT-native monitoring, asset visibility, and purpose-built secure remote access. Or it will deepen the IT-tool stack that operators have already told us cannot see what they need it to see. The data is unambiguous about which path the market needs to take.”


