OT cybersecurity firm Tosi disclosed that the average U.S. enterprise scores 35.9 out of 50, placing the field at a ‘managed’ Level 4, with 18% reaching the highest ‘optimized’ tier. Strength is concentrated in asset visibility and threat detection, but gaps persist in execution, revealing a divide between organizations that have deployed controls and those that consistently enforce them. The benchmark study of 77 U.S. enterprises finds that OT (operational technology) security maturity is improving, but unevenly. The capability profile shows a clear pattern: stronger on asset visibility, weaker on managing vendor remote access.
Titled ‘2026 State of OT Security Report,’ the Tosi study identified vendor remote access as the most critical weakness across industries. It is the lowest-scoring capability overall, with many organizations lacking the ability to revoke access, extending exposure windows if credentials are compromised. In manufacturing, the gap is particularly stark, with an average score of just 31.2 and widespread reliance on unstructured or poorly controlled vendor access. By contrast, sectors such as wastewater lead the field, driven by stronger regulatory pressure and more disciplined implementation of core controls.
Beyond individual controls, the report highlights systemic issues in how OT security is operationalized. Many organizations deploy sites faster than they can secure or monitor them, creating visibility blind spots across distributed environments. Others show strong detection capabilities in isolated areas but lack consistent, network-wide monitoring. The findings underscore a broader pattern: the primary challenge is no longer access to tools, but the ability to enforce policies, standardize processes, and maintain continuous visibility across increasingly complex OT environments.
Tosi reported that manufacturing scores lowest of any industry. “US Manufacturing scores 31.2/50 on average, more than eight points below Wastewater and nearly four points below Financial Services. Only one in three Manufacturing organizations has reached Level 4. The gap is concentrated in one area: how vendors and employees access OT systems remotely. That single question averages 1.67 out of 5 across Manufacturing respondents – the lowest score of any individual question in the entire dataset.”
It added that five of the six manufacturing organizations scored a 1 or 2, meaning most have no structured method in place at all. The ability to remove or revoke vendor access scores only 3.0 out of 5. That means even the organizations that have some form of vendor access in place cannot cleanly control it. Purpose-built OT remote access tools exist to fix this. What is missing is a consistent process for using them.
Tosi reported that wastewater scores the highest of any industry. These enterprises score 39.4/50 on average, the highest of any industry in this study, with 75% at Level 4 or higher. One respondent scored a perfect 50, the highest individual score in the entire dataset. Wastewater sits more than eight points above manufacturing and four points above the next industry. The scores are strongest in asset visibility and threat detection, both averaging 8.38 out of 10, with network segmentation close behind at 8.25. These are the three capabilities where consistent operational discipline shows most clearly.
Wastewater’s biggest lead over manufacturing is in remote access at 7.25 versus 4.7, a gap of more than two and a half points. The one area where Wastewater does not stand out is multi-site visibility, averaging 3.12 out of 5 on that question. That pattern is consistent with the rest of the dataset: getting a new site running is faster than getting it fully visible. The result likely reflects sustained pressure from the Environmental Protection Agency (EPA) and Cybersecurity and Infrastructure Security Agency (CISA) on U.S. water sector operators. That pressure has produced operational discipline applied consistently over time, which is what separates the top of the maturity scale from the middle.
The Tosi report disclosed that asset visibility scores well overall. For an industry that manages large, distributed physical environments with significant OT infrastructure, that is a meaningful exposure. The risk is not abstract. Every other control in this study depends on the asset inventory being complete. An organization that cannot see all its devices cannot segment them, cannot monitor them, and cannot know whether access to them has been compromised.
Vendor access management remains the most consistent weakness across all five areas, with remote access emerging as the lowest-scoring capability in the dataset, the Tosi report found. Specifically, how quickly vendor access can be granted or revoked is the lowest-scoring individual question across all five capability areas. 10 respondents score high on access method but low on managing it: the tools are in place, but the process is not. That gap between having the right tools and managing them is the defining weakness in the dataset.
Beyond these scores, the Tosi report finds that question-level data exposes three counterintuitive patterns that warrant closer attention from OT and operations practitioners.
Connections within the plant floor are generally better managed than the boundary between office IT and OT environments. On network segmentation, the survey examined two areas: how OT networks are separated from IT, and how east-west traffic is managed within OT. Respondents scored an average of 3.40 out of 5 on IT-OT separation, compared to 4.01 on internal OT traffic management, revealing a clear and meaningful gap at the perimeter.
The findings show that organizations are more effective at controlling traffic within OT environments than at enforcing the boundary between IT and OT networks. In several cases, respondents scored high on one dimension and low on the other, masking weaknesses behind similar overall scores. For operators, the critical test is straightforward: if a device on the corporate IT network attempts to access OT systems, would it be blocked? Where the answer is unclear, the segmentation gap lies at the boundary, not within the plant floor.
The next pattern is that many organizations have strong threat detection but suffer gaps in OT network monitoring. Here, 10 US respondents scored low on broad monitoring deployment but high on identifying unusual device behavior. They have sophisticated detection capability in specific areas, but have not extended monitoring across their full OT environment.
“This is the reverse of the expected pattern, where you would expect broad deployment to come before depth of detection,” Tosi reported. “This suggests these organizations have invested in advanced detection tools, likely at primary sites or for high-priority assets, without first achieving consistent baseline monitoring across all OT infrastructure. The risk is a false sense of coverage: strong detection where monitoring exists, but significant blind spots where it does not.”
The third pattern is that U.S. enterprises deploy new sites faster than they make them visible, which is a risk. Deployment speed consistently outpaces multi-site visibility, with organizations scoring notably higher on how quickly they can stand up secure connectivity at a new site than on how well they maintain visibility and control across all their sites. 13 respondents scored high on deployment speed but low on multi-site control, the highest conflict count of any capability in the U.S. dataset.
Every new site deployed without a corresponding improvement in cross-site visibility adds another blind spot. This is a structural challenge for any enterprise managing a growing multi-site OT estate: deployment processes tend to be optimized for speed, while visibility and monitoring get treated as a follow-on task rather than a go-live requirement.
These patterns point to a consistent theme. For many organizations, the gap in US OT security is not solely a tools gap; it is also a process and enforcement gap. For those still relying on IT-native tools rather than purpose-built OT solutions, the right technology is also part of the answer.
Tosi advises organizations to enforce time-limited, identity-based vendor access with no shared credentials or exposed endpoints; assign OT security ownership to operations and equip them with tools designed specifically for OT; ensure visibility is a prerequisite for deployment rather than a post-deployment task; and align documentation with practice by testing controls before an incident exposes gaps.
In conclusion, the Tosi report recognized that the average U.S. enterprise sits at Level 4 (managed), and 18% have reached Level 5 (optimized). “The organizations at the top have one thing in common: they have turned deployed tools into enforced controls. That distinction, between having something in place and running it consistently, is what separates the top of the maturity scale from the middle.”
The two areas that need attention are vendor remote access management and manufacturing maturity. Both represent a gap between having the right tools and using them well. Where purpose-built OT tools are in place, consistent operational discipline at the site and team level is what’s needed – the kind that facilities managers, automation engineers, and plant leads are positioned to drive directly. For organizations still relying on IT-native tools, moving to purpose-built OT solutions is also part of closing the gap.


