Operational technology (OT) security has become a boardroom issue, according to recent Fortinet research. The report reveals that 52% of organizations now assign OT cybersecurity to the CISO or CSO, up from just 16% in 2022. That number is expected to climb to 80% within the next year.
This growing executive accountability reflects heightened concerns about OT security. Industrial systems, often decades old, are increasingly connected to wider IT networks, exposing them to cybersecurity threats. The shift in ownership suggests organizations finally recognize the strategic and operational risks posed by vulnerable OT systems.
Security Maturity Reduces Incidents and Impact
The report draws a clear link between OT security maturity and reduced cyber risk. Organizatins operating at the highest maturity level (Level 4) were far more likely to avoid intrusions altogether – 65% reported zero incidents in the past year, compared to just 46% at lower maturity levels. Business email compromise (BEC) attacks also dropped significantly year-on-year, indicating that basic cyber hygiene and training are beginning to pay off.
These findings also translate to business impacts. Outages that disrupted revenue dropped from 52% to 42% year on year, and brand damage and productivity losses also declined compared to 2024.
Remote Access and Privilege Mismanagement Remain Weak Points
Despite encouraging progress, remot access continues to be a weak spot, particularly for high-risk industrial control systems. “Relying on VPNs or Remote Desktop alone is not enough,” warned James Maude, Field CTO at BeyondTrust. “It introduces unnecessary attack paths.”
Maude emphasized the need to reduce standing privileges and take a holistic view of identity access. “Attackers don’t care about job titles, they care about privilege paths. One compromied identity can unlock dozens of systems across on-prem and cloud environments.”
AI Helps Detect What Rules Miss
As OT security matures, many organizations are looking to AI to enhance detection and response, particularly in environments where legacy systems make traditional defenses impractical. Unlike dynamic IT environments, OT systems tend to run fixed commands in predictable sequences, making them ideal candidates for machine learning-based anomaly detection,
“AI is uniquely suited to OT environments because of their stability,” said Jeff Macre, Industrial Security Solutions Architect at Darktrace. “Once AI learns what normal looks like, it can spot even subtle deviations that might indicate compromise.”
More importantly, AI enables faster, safer incident response in environments where downtime can be catastrophic. “The greatest impact AI will have in the next five years is in threat remediation,” Macre added. “It gives you the ability to act precisely, without triggering safety failures.”
Legacy Devices Still Pose Long-Term Risks
For all the talk of innovation, aging infrastructure remains a stubborn problem. Many industrial control systems are more than 10 years old and can’t be easily patched or upgraded.
“One of the biggest challenges with critical infrastructure is its lifespan,” said Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck. “What was secure at the time of deployment may no longer hold up – and attackers know they have time to plan carefully once they’re inside.”
That persistence is showing up in the data. OT intrusions are increasingly tied to compromises in connected IT systems, and sectors like manufacturing remain top targets due to their reliance on legacy systems and the high cost of downtime.
Vendor Consolidation Signals Maturity
Simplification is another sign of progress. Fortinet found that 78% of organizations now use one to four OT device vendors, down sharply from previous years. The move toward unified platforms and consolidated tooling is helping reduce complexity, improve visibility, and free up resources for more strategic security operations.
Threat intelligence usage has also spiked (up 49% year on year) as more firms integrate it into OT SOCs and incident response plans. These trends suggest that while challenges remain, many organizations are getting smarter about how they manage OT risk.
Progress with Caveats
Fortinet’s report paints a cautiously optimistic picture. Executive leadership is stepping up, maturity is delivering real results, and advanced technologies like AI are helping to close the gap between IT and OT security. But the risks haven’t gone away, particularly for organizations still reliant on outdated infrastructure or siloed security strategies.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.