New data from Fortinet’s 2025 State of Operational Technology and Cybersecurity Report found that industrial organizations are steadily maturing their OT security programs, with responsibility increasingly shifting to executive leadership. More than half of surveyed organizations now place OT cybersecurity under the CISO or CSO, up from 16% in 2022, while 80% plan to move OT security under CISO oversight within the next year. The report suggests that OT risk is becoming a board-level concern as organizations seek stronger governance over increasingly connected cyber-physical environments.
The study identified a correlation between higher OT security maturity and reduced operational impact from cyber incidents. Organizations reporting more advanced security practices, including segmentation, threat intelligence integration, and automation, experienced fewer attacks and lower business disruption.
While nearly half of respondents still reported cyber incidents affecting operations, the percentage of intrusions leading to revenue-impacting outages fell from 52% to 42%. At the same time, 46% of organizations reported reaching the highest level of OT security maturity, reflecting broader industry efforts to strengthen resilience across critical infrastructure and industrial operations.
“Industrial organizations now rely on interconnected systems, remote access, cloud-based analytics, and unified IT and OT environments to maintain production,” Richard Springer, senior director for marketing OT solutions at Fortinet, wrote in a Tuesday blog post. “While this advanced connectivity offers increased efficiency and resilience, it has also enlarged the attack surface for cybercriminals, ransomware groups, and nation-state actors.”
He added that the 2026 Fortinet State of Operational Technology and Cybersecurity Report shows that organizations are becoming more diligent in addressing these risks. “The report highlights a market that is increasingly realistic about OT cybersecurity maturity, more alert to intrusions, and more dedicated to meeting upcoming regulatory requirements.”
Springer mentioned that the good news is that many organizations are making progress. The challenge, however, is that maturity levels vary, with many OT environments still facing major issues with visibility, segmentation, secure remote access, incident response, and standardized security architecture.
Responsibility for OT cybersecurity remained largely concentrated with CISOs and CIOs, though the proportion of organizations reporting such oversight declined from 69% in 2025 to 60% in 2026. “Signaling an increase in maturity, the C-suite has mitigated OT risk to the point of delegating OT cybersecurity responsibility back down to senior leadership roles. Those respondents who do not have elevated OT risk yet still need specialized knowledge and leadership to address the increasing number of sophisticated threats.”
The report revealed that, for the fifth consecutive year, the number of respondents who intend to move OT cybersecurity under the CISO in the next 12 months increased, rising from 80% in 2025 to 81% in 2026. These changes indicate that the importance of OT risk ownership in the C-suite is solidifying.
Fortinet identified that organizations have reassessed their OT cybersecurity maturity as greater executive oversight, increased funding, and advanced security tools exposed previously unseen gaps. While earlier self-assessments often placed programs at maturity levels 3 and 4, many now recognize lower actual maturity and are focusing on foundational controls such as asset visibility, access management, and network segmentation.
Process maturity data shows that many organizations remain in reactive mode. The share of respondents at level 0 increased from 1% to 5%, while levels 1 and 2 rose from 5% to 17% and 13% to 27%, respectively. Level 3 organizations grew modestly, while level 4 respondents dropped sharply from 49% to 17%. The report views this decline as a positive recalibration, reflecting more realistic assessments driven by improved expertise, broader teams, and better visibility into security weaknesses.
“A positive indicator of increasing cybersecurity maturity is that teams are now reporting greater visibility of intrusions as opposed to reporting none,” according to the report. “In this year’s report, the declining numbers of respondents saying they had detected zero intrusions may point to a greater ability to detect intrusions rather than a real decline in the volume of successful attacks. At the top end, organizations that have had more than 10 intrusions in the year stayed steady at just 2%.”
However, the report observed that the number of respondents reporting multiple attacks (one to nine incidents) has increased from previous years, totaling 71%, up from 47%.
Fortinet found that laws, regulations, and compliance mandates continue to be a challenge for IT and OT leaders. “Increasingly, these leaders want to get ahead of governance cycles and learn about potential pending rule changes that may impact data protection, cybersecurity, health, safety, and other factors.”
Last year, some respondents expected new regulations in a few years, but now the vast majority of respondents predict new regulations will be coming soon. These new regulations will increase cybersecurity demands, but will also improve network reliability and resilience. In 2026, almost nine out of 10 respondents (89%) expect increased regulation in five years or less. This number is up sharply from 66% in 2025.
Regarding timing, there was a 20-point shift in respondents now anticipating new regulations in two to five years as opposed to over five years, suggesting that respondents want to prepare for IT and OT regulatory compliance challenges as they relate to cybersecurity.
The report highlights that while cybersecurity has become a board-level priority across industries, OT security is increasingly receiving the same level of executive attention. Although the CISO remains a central figure, responsibility for cybersecurity in 2026 is more broadly distributed across non-technical vice presidents and C-suite leaders, reflecting its growing business impact.
At the same time, organizations are placing greater emphasis on cost efficiency amid tighter budgets. Cost reduction and avoidance became the top cybersecurity performance metric in 2026, rising from second place the previous year. Despite increased pressure to demonstrate value, organizations continue to prioritize operational resilience and security in the face of elevated cyber risk. The report also found growing expectations of new regulatory requirements, driving an increase in compliance and regulatory reporting as a key cybersecurity objective.
“Attacker dwell time measures how long attackers spend undetected. This critical key performance indicator (KPI) also often reflects how much damage attackers can inflict because it’s easier for attackers to perform malicious tasks before they’re detected,” Fortinet reported. “Our survey suggests that although there is some flattening of dwell times of minutes, hours or days, attacks with longer dwell times of weeks, or even months, have increased. These long dwell times leave enterprises open to surveillance, loss of IP, and increase the risk of a ransom event or physical disruption.”
Fortinet found that respondents appear to be refreshing their ICS systems, with 40% reporting that their systems are under five years old, a sharp increase from 2025 (20%) and previous years. This rise points to a healthy attitude toward the benefits of modernization and transformation. Organizations with aging systems that are 11 years old or older should upgrade soon or, if refreshing the systems isn’t feasible, adhere to a strict patching and monitoring schedule.
The report identifies network segmentation and microsegmentation as foundational elements of an effective OT cybersecurity strategy. Organizations that separate IT and OT environments and enforce granular communication controls are better positioned to limit lateral movement, improve asset visibility, and reduce the impact of cyber incidents.
The company also recommends adopting secure remote access technologies that apply zero-trust principles, enabling third-party maintenance while minimizing the risks associated with traditional VPN-based connectivity. Together, these measures help industrial organizations strengthen security, improve compliance, and reduce operational risk in environments where legacy systems and limited patching options remain common.
Fortinet also emphasizes the importance of integrating OT into broader security operations and incident response planning. As cybersecurity responsibility increasingly shifts to CISOs and executive leadership, organizations are encouraged to develop incident response playbooks that account for production systems, plant operations, and OT-specific risks.
The report further recommends investing in OT-focused threat intelligence to improve visibility into emerging threats and industrial attack techniques. To simplify increasingly complex security environments, Fortinet advocates a platform-based approach that consolidates security capabilities across IT and OT, providing centralized management, improved visibility, automated response capabilities, and the potential to leverage AI-driven insights for faster threat detection and remediation.
In conclusion, Fortinet reported that only by defining and defending key operational assets and ensuring their performance can businesses compete in the global marketplace and governments protect their citizens. “Although the convergence of IT and OT can be a powerful driver of innovation, it requires a strong commitment to implementing cybersecurity defenses, hiring, and strategic thinking. Because many OT devices are more than 20 years old and unsecure by design, creating a secure OT environment is extremely challenging for many organizations.”
However, Fortinet said it sees signs that more organizations are making progress and better assessing their OT security posture. “These efforts are paying off in greater awareness of intrusions and a lower overall volume of intrusions. As the 2026 State of Operational Technology and Cybersecurity Report shows, companies with higher OT maturity security levels are improving their numbers substantially. To continue this positive trend, everyone from the C-suite on down must commit to protecting sensitive OT systems and allocate the necessary resources to secure critical operations.”


