
Attacks on operational technology (OT) systems can compromise industrial processes, equipment, and critical infrastructure. As bad actors increasingly target critical infrastructure, governments worldwide are working to strengthen cybersecurity regulations for OT and industrial control systems (ICS). These changes include stricter security directives, incident reporting requirements, and a focus on building resilience against cyber incidents.
Fortinet’s 2025 State of Operational Technology and Cybersecurity Report found that OT cybersecurity is gaining significant attention at the executive level, with corporate leaders increasingly taking responsibility for OT security strategies. More than half (52 percent) of organizations now report that the CISO/CSO is responsible for OT, up from 16 percent in 2022.
For the fourth consecutive year, the share of organizations assigning OT risk to the C-suite has grown, and the share intending to move OT cybersecurity under the CISO within the next 12 months rose from 60 percent to 80 percent in 2025.
The research also identified a number of positive developments across OT security, including:
- OT security is maturing: 26 percent of organizations have established visibility and implemented segmentation, up from 20 percent the previous year.
- The impact of intrusions is declining: operational outages that affected revenue dropped from 52 percent to 42 percent in 2025.
- Adopting best practices pays off: implementing basic cyber hygiene and better training and awareness is having a measurable effect, including a significant drop in business email compromise. Use of threat intelligence also rose sharply (49 percent) since 2024.
These findings led a number of industry stakeholders to share their thoughts:
James Maude, Field CTO at BeyondTrust:
"Organizations need to think about how to securely manage privileged access into their critical environments, ensuring that employees, vendors, and third parties have just the access and permissions needed to do their job without additional risk exposure.
"This can be combined with real time monitoring and controls to audit and terminate access in the event of identity compromise. Relying on VPNs or Remote Desktop alone is not enough and risks introducing additional attack vectors.
"Beyond remote access, an important defense is to reduce standing privileges in the environment so that in the event an identity is compromised the ‘blast radius’ is limited. This is especially important in the age of identity attacks and hybrid environments where one compromised identity can open up paths to privileged access on dozens of systems on-prem and in the cloud.
"The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage. The identity security debt accumulated by many organizations represents a far greater risk than any other area, as it only takes the attacker to log in using the right identity and all is lost."
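The "blast radius" argument above is easiest to see as a graph walk. The following is an added illustration, not code from BeyondTrust or from the report: it models a small, constructed identity graph (hypothetical account and host names) in which an identity with admin rights on a host can harvest any credential cached on that host, then computes what an attacker controls after compromising one identity, first with standing admin rights and then with the vendor account moved to just-in-time access.

```python
from collections import deque

# Constructed toy privilege graph (hypothetical names, not a real environment).
# admin_on:  identity -> hosts on which it holds standing admin rights
# cached_on: host -> identities whose credentials are cached on that host
STANDING_ADMIN = {
    "alice": {"ws-01"},
    "vendor-svc": {"jump-01", "hmi-01"},             # vendor account with standing admin
    "ot-admin": {"jump-01", "hmi-01", "plc-gw-01"},
    "cloud-admin": {"cloud-tenant"},
}
CACHED_CREDS = {
    "ws-01": {"vendor-svc"},       # vendor once logged in on alice's workstation
    "jump-01": {"ot-admin"},
    "hmi-01": set(),
    "plc-gw-01": {"cloud-admin"},  # hybrid path: cloud admin token cached on an OT gateway
}


def reachable_from(compromised, admin_on, cached_on):
    """Breadth-first walk: admin on a host yields every credential cached there.

    Returns (identities, hosts) the attacker controls starting from `compromised`.
    """
    ids, hosts = {compromised}, set()
    queue = deque([compromised])
    while queue:
        ident = queue.popleft()
        for host in admin_on.get(ident, set()):
            if host in hosts:
                continue
            hosts.add(host)
            for victim in cached_on.get(host, set()):
                if victim not in ids:
                    ids.add(victim)
                    queue.append(victim)
    return ids, hosts


def blast_radius(compromised, admin_on, cached_on):
    """(additional identities taken over, hosts taken over) from one compromise."""
    ids, hosts = reachable_from(compromised, admin_on, cached_on)
    return len(ids - {compromised}), len(hosts)


def with_jit(admin_on, jit_accounts):
    """Model just-in-time access: listed accounts hold no standing admin rights."""
    return {k: (set() if k in jit_accounts else v) for k, v in admin_on.items()}


if __name__ == "__main__":
    print("standing:", blast_radius("alice", STANDING_ADMIN, CACHED_CREDS))
    print("vendor on JIT:", blast_radius("alice", with_jit(STANDING_ADMIN, {"vendor-svc"}), CACHED_CREDS))
```

With standing rights, compromising the low-value `alice` account reaches every host including the cloud tenant; removing the vendor account's standing admin rights (it would receive them only for the duration of an approved session) cuts the path at the first hop.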
Jeff Macre, Industrial Security Solutions Architect at Darktrace:
"Maintaining accurate, real-time visibility is one of the core challenges organizations face when trying to secure legacy OT systems. Many existing tactics, such as traditional rule-based methods, create a host of false positives and fail to detect subtle changes in OT environments, such as unusual device behavior or network traffic, which can help identify early indications of an attack. The good news is that AI is already making a positive security impact across OT systems.
"OT device communications are often highly predictable and routine, with devices following consistent schedules and fixed command sets. Unlike in IT environments, where behavior can vary widely, OT systems tend to repeat the same operations in the same order, day after day. This makes it easy for AI to understand their normal behavior and be able to detect deviations that may indicate cyber threats or operational anomalies.
"AI can learn the network communication patterns of legacy OT environments, helping to detect threats or anomalies in real-time. This makes monitoring more accurate and reduces the volume of false positives.
"Additionally, OT security teams must embrace machine-driven response. Organizations with legacy OT devices have historically been hesitant to adopt machine-driven response due to concerns around possible critical failures and/or significant safety issues.
"However, AI can be used to execute highly targeted and precise incident response mechanisms. Organizations should assess their environments and perform risk calculations to see where it is appropriate to integrate machine-driven response to accelerate security team response and protect against attacks.
"AI will provide a more efficient and effective approach to both OT threat detection and incident response. These techniques can drastically improve the understanding and patterning of ICS device communications, helping to establish a pattern of normal activity. This deep understanding allows for highly accurate anomaly detection, enabling organizations to take proactive measures to stop anomalous network traffic.
"The greatest impact AI will have in the next five years for OT security is in threat response and remediation. AI can take precise, targeted response actions to stop threats in real time, preventing escalation. Historically, targeted response actions were challenging to implement safely in OT networks; however, with advancements in AI, critical infrastructure organizations can now quickly identify threats and respond confidently.
"These innovations are crucial for the operational processes of industrial environments. Historically, industrial systems have been equipped with emergency shut-off valves and various physical safety controls. With AI, we now have similar safety capabilities from a cybersecurity perspective."
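The point that OT traffic is repetitive enough to baseline can be shown without any machine learning library. The block below is an added example, not Darktrace's code or anything from the report: it learns, from a constructed set of Modbus/TCP request records (hypothetical device names; the function codes are standard Modbus ones), which source/destination/function/register combinations occur and at which hours, then flags requests from unknown sources, operations never seen in the baseline, and writes outside their learned schedule.

```python
# Constructed baseline records, one per Modbus/TCP request (not a real capture):
# (hour_of_day, source, destination, function_code, starting_register)
BASELINE_RECORDS = (
    [(h, "hmi-01", "plc-01", 3, 0) for h in range(24)]          # FC3 read holding regs, hourly
    + [(h, "hmi-01", "plc-01", 16, 100) for h in range(6, 18)]  # FC16 write regs, day shift only
    + [(h, "historian", "plc-01", 4, 200) for h in range(24)]   # FC4 read input regs, hourly
)

# Standard Modbus function codes that modify process state.
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


def learn_baseline(records):
    """Map each (src, dst, fc, start) tuple to the set of hours it was observed."""
    seen = {}
    for hour, src, dst, fc, start in records:
        seen.setdefault((src, dst, fc, start), set()).add(hour)
    return seen


def detect(records, baseline):
    """Return (reason, key, hour) alerts for records that deviate from the baseline.

    Order of checks matters: an unknown source is the strongest signal, then an
    operation never seen from a known source, then a known write at an unusual hour.
    """
    known_sources = {key[0] for key in baseline}
    alerts = []
    for hour, src, dst, fc, start in records:
        key = (src, dst, fc, start)
        if src not in known_sources:
            alerts.append(("new-source", key, hour))
        elif key not in baseline:
            alerts.append(("new-operation", key, hour))
        elif fc in WRITE_FUNCTION_CODES and hour not in baseline[key]:
            alerts.append(("write-outside-schedule", key, hour))
    return alerts


# Constructed monitoring window containing one normal request and three deviations.
TEST_RECORDS = [
    (9, "hmi-01", "plc-01", 3, 0),          # normal hourly read
    (2, "hmi-01", "plc-01", 16, 100),       # known write, but at 02:00 (night shift)
    (10, "hmi-01", "plc-01", 8, 0),         # FC8 diagnostics never seen from the HMI
    (11, "eng-laptop", "plc-01", 6, 40),    # unknown host writing a single register
]

if __name__ == "__main__":
    for alert in detect(TEST_RECORDS, learn_baseline(BASELINE_RECORDS)):
        print(alert)
```

Reads outside their usual hour are deliberately not alerted here, since an operator polling early is routine; only writes carry a schedule check. Any automated response wired to these alerts should start with the `new-source` class, where blocking a host that has never spoken Modbus to the PLC is unlikely to interrupt the process.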
Trey Ford, Chief Information Security Officer at Bugcrowd:
"OT owners and operators need to require vulnerability disclosure programs or public bug bounty programs, in an effort to drive an increasingly resilient OT ecosystem. Continuing the posture of 'protect the vulnerable environment' will see these trends persist.
"The long-term answer to the ICS/SCADA/OT soft-target pattern is the buyers forcing technology providers to build increasingly resilient, self-defending technologies. Every OT vendor should have test networks with their devices connected to the internet for continual testing - and to demonstrate that they can be operated safely when exposed to any interested adversary.
"Network isolation, known as an air-gap, is the principal protection relied upon by these OT networks, and one mistake or protective deficiency is all it takes to allow miscreants access to a vulnerable attack surface. So many critical infrastructure sectors operate relatively soft targets powering ICS/SCADA and OT networks that rely heavily on network isolation for protection.
"While ICS/SCADA and OT solution providers need to deliver more heavily-tested and self-defending products, vendors offering that critical network segmentation and remote access protection face extremely high accountability for failure. The findings of this report underscore the importance of carefully testing and validating your critical suppliers and technologies - and prioritizing partnership in vulnerability disclosures."
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck:
"One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices. Something that was designed and tested to the best practices available when it was released can easily become vulnerable to more sophisticated attacks later in its lifecycle.
"In effect, legacy best practices may not be up to the task of mitigating current threats, or worse, those that might be deployed in the coming years. Since attackers know that critical infrastructure providers are measured on their up-time or service availability, once a device is compromised, attackers know that they have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic."
Agnidipta Sarkar, Chief Evangelist at ColorTokens:
"Attack sophistication is on the rise and OT/ICS organizations shut down when faced with a cyberattack. Unfortunately, cyber OT leadership are focusing on stopping attacks instead of stopping the proliferation of attacks.
"There are two types of vulnerabilities within Digital Industrial Systems that arise when attempting to connect them to IT infrastructure, cloud services, or authorized third parties. The first pertains to vulnerabilities present in the connected digital devices, which may or may not have associated Common Vulnerabilities and Exposures (CVE) alerts. These vulnerabilities can be exploited by malicious actors, however, they can be mitigated through the implementation of a well-structured and disciplined security framework. However, many enterprises lack this capability or are not empowered to address it.
"The second, and more dangerous, stems from knowledge gaps between security teams and operational teams engaged in integrating Industrial Digital Systems with IT, cloud environments, or third parties. Enterprises typically feel helpless and unprepared when such attacks are successful. This includes most widely known OT attacks.
"We now know that it is not if, but when, cyberattacks will happen. Therefore, it's time to invest in foundational cyber defense capabilities to dynamically change attack paths to limit the impact of any attack."