OT Security Responsibility Is Elevating to Executive Leadership

Research from Fortinet delves into the state of operational technology (OT) cybersecurity, finding that OT security responsibility is continuously rising within executive ranks. Among responding organizations, 52% report the CSO or CISO is responsible for OT security. This shows an increase from 2022, in which only 16% of CSOs or CISOs were in charge of OT security.
Proper OT security is essential, as attacks against OT systems can affect critical infrastructure. The report found that implementing effective cybersecurity practices (including cyber hygiene and security awareness training) has positive impacts, such as a notable decrease in business email compromise (BEC) attacks.
OT security appears to be maturing, which has mitigated the effects of intrusions. At the basic level, Level 1, 26% of organizations have established visibility and segmentation. Level 2, the access and profiling phase, is where a majority of responding organizations are. Organizations above Level 4 maturity report greater ease in handling low-level cyber threats, such as phishing. As a result, operational outages impacting revenue decreased from 52% to 42% in 2025.
Below, security leaders discuss the shift in OT security responsibility, the importance of defending critical infrastructure, and more.
Security Leaders Weigh In
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck:
One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices. Something that was designed and tested to the best practices available when it was released can easily become vulnerable to more sophisticated attacks later in its lifecycle. In effect, legacy best practices may not be up to the task of mitigating current threats, or worse, those that might be deployed in the coming years. Since attackers know that critical infrastructure providers are measured in their up-time or service availability, once a device is compromised, attackers know that they have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic.
James Maude, Field CTO at BeyondTrust:
Securing remote access remains one of the top priorities for many organizations, especially in high-risk OT and ICS environments which need to be kept well away from the public internet. Organizations need to think about how to securely manage privileged access into their critical environments, ensuring that employees, vendors and third parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real-time monitoring and controls to audit and terminate access in the event of identity compromise. Relying on VPNs or Remote Desktop alone is not enough and risks introducing additional attack vectors.
Beyond remote access, an important defense is to reduce standing privileges in the environment so that, in the event an identity is compromised, the ‘blast radius’ is limited. This is especially important in the age of identity attacks and hybrid environments where one compromised identity can open up paths to privileged access on dozens of systems on-prem and in the cloud that organizations weren’t aware of.
The C-Suite, CISOs and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage. The identity security debt accumulated by many organizations represents a far greater risk than any other area, as it only takes the attacker to log in using the right identity and all is lost because of the paths to privilege that abound in their environment.
Understanding and reducing your identity attack surface should be at the forefront of every organization's thinking when it comes to cyber defense moving forward.
Trey Ford, Chief Information Security Officer at Bugcrowd:
OT is particularly scary because it is known as vulnerable and has immediate public impact when compromised. Failures can destabilize countries (loss of power, water, etc.).
OT owners and operators need to require vulnerability disclosure programs or public bug bounty programs, in an effort to drive an increasingly resilient OT ecosystem. Continuing the posture of “protect the vulnerable environment” will see these trends persist. The long-term answer to the ICS/SCADA/OT soft-target pattern is the buyers forcing technology providers to build increasingly resilient, self-defending technologies. Every OT vendor should have test networks with their devices connected to the internet for continual testing — and to demonstrate that they can be operated safely when exposed to any interested adversary.
Network isolation, known as an air-gap, is the principal protection relied upon by these OT networks, and one mistake or protective deficiency is all it takes to allow miscreants access to vulnerable attack surface. So many critical infrastructure sectors operate relatively soft targets powering ICS/SCADA and OT networks that rely heavily on network isolation for protection. While ICS/SCADA and OT solution providers need to deliver more heavily tested and self-defending products, vendors offering that critical network segmentation and remote access protection face extremely high accountability for failure. The findings of this report underscore the importance of carefully testing and validating your critical suppliers and technologies — and prioritizing partnership in vulnerability disclosures.
Jeff Macre, Industrial Security Solutions Architect at Darktrace:
Maintaining accurate, real-time visibility is one of the core challenges organizations face when trying to secure legacy OT systems. Many existing tactics, such as traditional rule-based methods, create a host of false positives and fail to detect subtle changes in OT environments such as unusual device behavior or network traffic, which can help identify early indications of an attack. The good news is that AI is already making a positive security impact across OT systems.
OT device communications are often highly predictable and routine, with devices following consistent schedules and fixed command sets. Unlike in IT environments, where behavior can vary widely, OT systems tend to repeat the same operations in the same order, day after day. This makes it easy for AI to understand their normal behavior and be able to detect deviations that may indicate cyber threats or operational anomalies. AI can revolutionize cybersecurity across legacy OT systems with minimal disruption. AI can learn the network communication patterns of legacy OT environments, helping to detect threats or anomalies in real-time. This approach makes monitoring more accurate and reduces the volume of false positives.
OT security is strongest when supported by robust IT security. This requires extensive coordination and collaboration between IT and OT teams to defend entire ecosystems.
Additionally, OT security teams must embrace machine-driven response. Organizations with legacy OT devices have historically been hesitant to adopt machine-driven response due to concerns around possible critical failures and/or significant safety issues. However, AI can be used to execute highly targeted and precise incident response mechanisms. Organizations should assess their environments and perform risk calculations to see where it is appropriate to integrate machine-driven response to accelerate security team response and protect against attacks. AI will provide a more efficient and effective approach to both OT threat detection and incident response. These techniques can drastically improve the understanding and patterning of ICS device communications, helping to establish a pattern of normal activity. This deep understanding allows for highly accurate anomaly detection, enabling organizations to take proactive measures to stop anomalous network traffic.
The greatest impact AI will have in the next five years for OT security is in threat response and remediation. AI can take precise, targeted response actions to stop threats in real time, preventing escalation. Historically, targeted response actions were challenging to implement safely in OT networks; however, with advancements in AI, critical infrastructure organizations can now quickly identify threats and respond confidently. These innovations are crucial for the operational processes of industrial environments. Historically, industrial systems have been equipped with emergency shut-off valves and various physical safety controls. With AI, we now have similar safety capabilities from a cybersecurity perspective, ensuring robust protection for ICS.
For organizations to stay ahead of rising threats to OT, breaking down silos, integrating AI-powered response, and shifting to proactive strategies is the key to creating modern, resilient OT environments. Many organizations today use a siloed approach, where IT and OT networks use separate monitoring tools, a method that has proved ineffective time and time again. By adopting a unified platform that supports both IT and OT, organizations will streamline their detection and response processes, leading to more organized and efficient handling of cyber threats within OT environments. This unified approach for IT and OT networks must also be coupled with the adoption of AI-powered tools to detect and respond to threats more quickly and accurately within OT environments. AI can be used to conduct surgical and precise response actions, stopping only anomalous activity without disrupting operations. This approach must become common practice as opposed to traditional quarantine and assess approaches to build a resilient OT security strategy.
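As an added illustration that is not part of the original article or any vendor's product, the script below sketches the baseline-and-deviation idea described above on a constructed OT flow log: it learns each device pair's command set and polling cadence, flags flows that are new peers, unknown commands or off-cadence, and derives per-flow block rules rather than quarantining the device. Device names, function names and intervals are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def learn_baseline(flows):
    """Per (src, dst) pair: (command set seen, mean poll gap, gap std dev)."""
    funcs, times = defaultdict(set), defaultdict(list)
    for ts, src, dst, func in sorted(flows):
        funcs[(src, dst)].add(func)
        times[(src, dst)].append(ts)
    baseline = {}
    for pair, ts_list in times.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        baseline[pair] = (frozenset(funcs[pair]), mean(gaps) if gaps else None,
                          pstdev(gaps) if len(gaps) > 1 else 0.0)
    return baseline

def detect(baseline, flows, sigma=3.0):
    """Flag deviating flows; only routine flows advance the cadence clock."""
    alerts, last_seen = [], {}
    for ts, src, dst, func in sorted(flows):
        pair, reason = (src, dst), None
        profile = baseline.get(pair)
        if profile is None:
            reason = "new peer pair"
        elif func not in profile[0]:
            reason = "unknown function"
        elif pair in last_seen and profile[1] is not None:
            tol = max(sigma * profile[2], 1.0)  # 1 s floor for zero-jitter links
            if abs(ts - last_seen[pair] - profile[1]) > tol:
                reason = "timing deviation"
        if reason:
            alerts.append((ts, src, dst, func, reason))
        else:
            last_seen[pair] = ts
    return alerts

def surgical_rules(alerts):
    """Block only never-seen peers/commands; timing alerts stay advisory so polling stays up."""
    return sorted({(s, d, f) for _, s, d, f, why in alerts if why != "timing deviation"})

# Constructed data: HMI polls PLC every 10 s (training); test window adds three deviations.
TRAINING = [(t, "hmi-01", "plc-07", "read_holding_registers") for t in range(0, 600, 10)]
TEST = [
    (600, "hmi-01", "plc-07", "read_holding_registers"),
    (610, "hmi-01", "plc-07", "read_holding_registers"),
    (612, "hmi-01", "plc-07", "write_single_coil"),           # command never seen
    (620, "hmi-01", "plc-07", "read_holding_registers"),
    (625, "eng-laptop", "plc-07", "read_holding_registers"),  # peer never seen
    (627, "hmi-01", "plc-07", "read_holding_registers"),      # off-cadence burst
]
```

Running `detect(learn_baseline(TRAINING), TEST)` yields one alert per deviation, and `surgical_rules` turns only the unknown command and the unknown peer into block rules, leaving the HMI's routine polling of the PLC untouched.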