SecureWorld News

Oil and Gas Sector's Confidence in OT Detection Masks Dangerous Visibility Gap

Written by Drew Todd | Thu | May 7, 2026 | 11:08 PM Z

A new survey commissioned by Tosi, an OT security monitoring vendor, and released in the wake of Operation Epic Fury finds that U.S. oil and gas operators may be dangerously overestimating their ability to detect cyberattacks against operational technology (OT) systems. Security experts say the problem runs deeper than monitoring tools can fix.

The confidence gap by the numbers

The Tosi survey—fielded in April 2026 across 100 OT decision-makers at U.S. upstream and midstream operators—found that 87% of respondents were confident they could identify an OT breach within 24 hours. But the confidence may not be warranted: more than half of those same operators said they rely primarily on traditional IT security tools, which provide limited visibility into OT environments. Only 16% reported using continuous OT monitoring as their primary detection method. (Readers should note that Tosi sells OT monitoring solutions, which gives the company a commercial interest in the findings.)

The disconnect has a name. Damon Small, a board member at Xcape, Inc., calls it a "confidence gap"—and says it stems directly from the mismatch between tool capability and environment.

"The fallout from Operation Epic Fury has exposed a massive 'confidence gap' in the oil and gas sector: 87% of operators believe they can detect a breach in 24 hours, yet only 16% have the OT-native monitoring required to actually do it," Small said. "This overconfidence stems from a reliance on IT-centric tools that are blind to the industrial protocols and physical process anomalies of a sophisticated attack."

Operation Epic Fury triggers spending surge

Operation Epic Fury, which began on February 28, appears to have been a significant forcing function for the sector. Nearly all surveyed operators said they had approved or were reviewing unplanned OT security investments, and 95% expect cybersecurity budgets to grow over the next year.

Operators cited three main drivers behind the urgency: increased threats from state-sponsored actors, deeper IT/OT integration creating larger attack surfaces, and growing dependence on remote access technologies.

Small framed the IT/OT convergence shift in stark terms: "Prior to this convergence, an adversary would have to jump over a fence and be met by a guard with a gun and a dog. Now, our enemies don't even have to be in the same time zone."

Spending alone won't close the gap

Despite the budget surge, Tosi's research found that structural and organizational challenges are slowing progress. Respondents pointed to the divide between IT and OT teams as the single biggest barrier to improving security posture—a split that attackers have learned to exploit.

"Operation Epic Fury proved that an attacker doesn't need to break your encryption if they can just walk through the cultural gap between your IT and OT teams," Small said.

But Dahvid Schloss, COO of Suzu Labs, argues the industry is still treating a symptom rather than the disease. Continuous monitoring, he says, only alerts operators after exposure has already occurred—and the real vulnerability lies in the OT device ecosystem itself.

"The 87% confidence level isn't surprising, but it is a bit concerning and showcases dangerous thinking," Schloss said. "Not because being paranoid is good, but because of what I believe to be a massive visibility gap, where organizations think they're safe because they have bolted traditional IT monitoring tools onto OT environments that weren't ever built to handle that in the first place."

The device fragility problem

Schloss pointed to a compounding issue: many OT and ICS devices were manufactured without modern resilience standards, making them brittle under abnormal traffic conditions. Security teams are frequently reluctant to test these networks aggressively because a single malformed packet can trigger real-world physical failure.

"Because of this, often these devices are fragile," Schloss said. "Security testing teams are often extremely restricted or afraid to even test these networks, because one malformed packet could cause true real-world kinetic failure." That caution, he noted, leads to watered-down security audits that miss the most critical gaps.

His bottom line: monitoring is insufficient if the underlying devices are indefensible.

"It's like putting a Do Not Trespass sign in an open field," Schloss said. "It's only good after you catch someone breaking it, but it doesn't prevent the action. Before monitoring becomes the answer, we need to do the basics and at least put up the fence."

What security practitioners should take away

Tosi's findings point to a sector that is spending more without necessarily spending smarter. True OT resilience, according to both experts, requires a different approach than what most operators currently have in place:

  • Continuous, non-intrusive OT-native monitoring that can detect threats before they cross from network anomaly to physical disruption

  • Bridging the cultural and operational divide between IT and OT security teams

  • Pushing OT and ICS device manufacturers to embed modern security and resilience standards into hardware and software—not just bolt-on detection after the fact
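To make the first takeaway concrete, here is an added example (not code from the survey, from Tosi, or from either expert quoted above) of what "OT-native" detection means in practice: a passive detector that parses Modbus/TCP frames from a mirrored capture, rejects malformed frames without ever sending anything to the device, and flags function codes and source hosts that fall outside a learned baseline. The IP addresses, the baseline, and the captured frames are all constructed for the illustration; a real deployment would learn the baseline over weeks of normal operation and read frames from a SPAN port or tap rather than a list.

```python
import struct
from dataclasses import dataclass

# Function codes that alter process state or device behaviour. A baseline
# violation involving one of these is the kind of network anomaly that
# precedes physical disruption, so it is rated higher than an unexpected read.
STATE_CHANGING_FCS = {5, 6, 8, 15, 16}   # writes, plus 8 = diagnostics (restart comms etc.)


@dataclass(frozen=True)
class ModbusFrame:
    src: str
    tid: int
    unit: int
    fc: int
    data: bytes


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a well-formed Modbus/TCP request: MBAP header + PDU."""
    pdu = bytes([fc]) + data
    # MBAP length field counts the unit identifier plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(src: str, payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP frame; raise ValueError if it is malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(payload) - 6:
        raise ValueError(
            f"length field {length} does not match {len(payload) - 6} bytes on the wire")
    if length > 254:
        raise ValueError("PDU exceeds the Modbus maximum of 253 bytes")
    return ModbusFrame(src, tid, unit, payload[7], payload[8:])


def monitor(observed, baseline):
    """
    Passive detector: it only reads what is already on the wire.
    observed: iterable of (src_ip, raw_payload) pairs as a span-port capture yields them.
    baseline: set of (src_ip, unit_id, function_code) tuples learned during normal operation.
    Returns a list of (severity, src_ip, reason) alerts.
    """
    alerts = []
    for src, payload in observed:
        try:
            frame = parse_frame(src, payload)
        except ValueError as err:
            # Malformed traffic is itself a signal: it may be exactly the
            # packet that knocks a fragile device over.
            alerts.append(("high", src, f"malformed frame: {err}"))
            continue
        if (frame.src, frame.unit, frame.fc) in baseline:
            continue
        severity = "high" if frame.fc in STATE_CHANGING_FCS else "medium"
        alerts.append((severity, src, f"unit {frame.unit} fc {frame.fc} not in baseline"))
    return alerts


# Constructed baseline: the HMI polls holding registers, the engineering
# workstation occasionally writes a setpoint. Hosts and unit ids are made up.
BASELINE = {
    ("10.1.1.5", 1, 3),    # HMI: read holding registers
    ("10.1.1.20", 1, 6),   # engineering workstation: write single register
}

# Constructed capture: two benign frames, then traffic from a host on an IT
# subnet. An IT firewall or IDS sees all five as ordinary TCP/502 sessions.
CAPTURE = [
    ("10.1.1.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),       # read 10 registers
    ("10.1.1.20", build_frame(2, 1, 6, struct.pack(">HH", 40, 1500))),   # routine setpoint write
    ("10.1.2.99", build_frame(3, 1, 6, struct.pack(">HH", 40, 9999))),   # rogue setpoint write
    ("10.1.2.99", build_frame(4, 1, 8, struct.pack(">HH", 1, 0))),       # diagnostics: restart comms
    ("10.1.2.99", b"\x00\x05\x00\x00\x00\xff\x01\x03"),                  # length field lies
]


def run_demo():
    """Run the detector over the constructed capture and return its alerts."""
    return monitor(CAPTURE, BASELINE)


if __name__ == "__main__":
    for severity, src, reason in run_demo():
        print(f"[{severity}] {src}: {reason}")
```

Two benign frames produce nothing; the three frames from 10.1.2.99 produce three alerts, two of them high severity because the function codes change device state. Nothing here would catch the same activity on an IT tool that only inspects TCP headers and flow volumes, which is the visibility gap the survey describes.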

As critical infrastructure operators absorb the lessons of Operation Epic Fury, Tosi's data suggest the hardest work isn't budgetary but architectural and organizational.
