Industrial organizations may be getting a clearer view of their cybersecurity risk, and the picture is not as reassuring as many previously believed.
Fortinet’s 2026 State of Operational Technology and Cybersecurity Report found a sharp drop in the share of organizations rating their operational technology cybersecurity programs at the highest maturity level. In 2025, 49% of respondents rated their programs at Level 4, the most advanced tier. In 2026, that figure fell to 17%.
Lower maturity ratings rose over the same period. Level 0 programs increased from 1% to 5%, Level 1 rose from 5% to 17%, and Level 2 climbed from 13% to 27%.
A Maturity Reset
The findings are based on Fortinet’s global survey of more than 700 OT professionals and reflect self-reported assessments, not independent audits of industrial cyber defenses. Still, Fortinet argues the decline should not be read simply as evidence that OT security programs deteriorated over the past year.
Instead, the company frames the shift as a correction. As organizations add tools, funding, and IT-OT collaboration, they are gaining a clearer view of industrial environments that have historically been difficult to map and monitor.
That improved visibility can make maturity look worse before it improves. An organization that discovers undocumented assets, weak segmentation, broad vendor access, or inconsistent monitoring may not have become less secure over the past year. It may simply have a better view of risks that were already present.
More Intrusions, or Better Detection?
Fortinet’s intrusion data points to a similar dynamic. In 2026, 71% of respondents reported between one and nine intrusions in the past year, up from 47% in 2025. The share reporting more than 10 intrusions remained flat at 2%.
Fortinet said the increase does not necessarily mean every organization is facing more attacks. It may also indicate that more organizations are detecting activity they previously missed.
For OT teams, “no detected intrusions” isn’t the same as “no intrusions.” Limited monitoring, incomplete asset inventories, and gaps between IT and OT security teams can leave industrial environments exposed without producing clear warning signs.
The threats showing up in Fortinet’s survey are familiar. Phishing remained the most reported intrusion type at 76%, while ransomware was reported by 50% of respondents, down slightly from 54% in 2025.
Louis Eichenbaum, federal CTO at ColorTokens, said OT systems create particular risks because operators depend on accurate information from monitoring tools and human-machine interfaces.
“If an adversary can compromise those systems and present false data, operators can be tricked into making dangerous decisions based on inaccurate information,” he said.
Segmentation Improves, but Dwell Time Lingers
Fortinet’s report also identified one clear improvement: fewer incidents are crossing between IT and OT systems.
In 2025, 60% of respondents said intrusions affected both IT and OT systems. In 2026, that figure fell to 24%, the lowest level Fortinet has reported since 2022. The decline suggests organizations may be making progress in separating business networks from industrial environments or limiting the ability of attacks to move between them.
But the report also found that longer attacker dwell times, measured in weeks or months, are increasing. Shorter dwell-time categories have stabilized, according to Fortinet, but the rise in longer intrusions suggests some attackers are still finding ways to remain inside industrial environments.
That is a significant concern for OT security teams. Industrial networks often include aging devices, specialized protocols and systems that cannot be quickly patched, rebooted, or isolated without affecting production. Longer dwell times can give attackers more time to study systems, identify remote access paths, and prepare ransomware or disruption campaigns.
Nathaniel Jones, vice president of security and AI strategy and field CISO at Darktrace, said the growing integration of OT and IT systems is expanding the attack surface and requiring closer coordination between security teams.
“As Operational Technology becomes more integrated with IT systems, it presents more opportunities for attackers,” Jones said. “OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network.”
OT Risk Moves Up the Chain
Fortinet’s survey also suggests OT cybersecurity is becoming harder to contain within a single role.
The company found that 60% of respondents now place ultimate responsibility for OT cybersecurity with the CISO, down from 69% in 2025. Fortinet said the decline does not necessarily indicate reduced executive attention. In some organizations, it may reflect a broader distribution of OT risk ownership across senior leadership.
The direction still points toward more executive involvement. Among organizations that have not elevated OT cybersecurity ownership, 81% said they plan to assign responsibility to the CISO within the next year.
Regulatory expectations are also rising. Fortinet found that 89% of OT leaders expect increased regulation within five years, up from 66% in 2025. The report also found a 20-point increase in respondents expecting new regulations within two to five years rather than farther out.
From Visibility to Resilience
The practical challenge is not simply to achieve a higher maturity score. It is to turn improved visibility into stronger defenses.
That starts with knowing what is connected. OT teams need current inventories of assets, including legacy devices, vendor-managed systems, engineering workstations, remote access paths, and connections that may fall outside normal IT inventories.
Remote access also requires closer control. Broad or persistent vendor access can create unnecessary exposure. Security teams need to know who is connecting to OT systems, what they can reach, and when that access should be removed.
Incident response plans must also account for OT conditions. A plan designed for laptops, cloud accounts, and business applications may not work in an industrial setting, where shutting down the wrong system can halt production or create safety issues.
Fortinet’s findings point to a sector in transition. OT security programs may be improving, but better visibility is revealing risks that were previously undercounted or misunderstood.
For industrial organizations, that makes the drop in maturity ratings less a sign of failure than a warning. Seeing more of the problem is useful only if organizations can act before attackers, outages, or regulators force the issue.