For cybersecurity professionals safeguarding the intersection of digital and industrial systems, Fortinet's newly released 2025 State of Operational Technology and Cybersecurity Report offers a rare blend of optimism and realism. Based on a global survey of more than 550 OT professionals, the findings reveal both a maturing OT security landscape and the persistent threats it continues to face.
One of the most striking revelations in the report: 52% of organizations now report that the CISO/CSO is responsible for OT cybersecurity, up from just 16% in 2022. "This trend reflects increasing awareness of OT cyber risk and the need for executive-level accountability," Fortinet notes.
Even more encouraging, 80% of respondents plan to put OT cybersecurity under the CISO's purview within the next 12 months, a major milestone for aligning IT and OT security strategies.
The report draws a clear line between security maturity and breach frequency. Organizations with Level 4 cybersecurity maturity—defined by continuous process improvement and threat intelligence integration—reported zero intrusions at a rate of 65%, compared to just 46% at Levels 0–2.
"Organizations investing in segmentation, visibility, and OT-specific threat intelligence are seeing tangible reductions in intrusions," the report states.
Despite the gains, the threat landscape is escalating. Fortinet warns that nation-state and ransomware actors remain highly active, with manufacturing once again the most targeted sector. Alarmingly, AI-powered cybercrime is accelerating, with adversaries using it to scale phishing and evade detection.
In a promising shift, 78% of organizations now use just one to four OT device vendors, down from more fragmented stacks in prior years. The push toward platform-based security is helping organizations "enhance visibility and reduce cyber risks, leading to a 93% reduction in cyber incidents versus a flat network," according to Fortinet.
"Securing remote access remains one of the top priorities for many organizations especially in high-risk OT and ICS environments, which need to be kept well away from the public internet. Organizations need to think about how to securely manage privileged access into their critical environments," said James Maude, Field CTO at BeyondTrust. "Ensuring that employees, vendors, and third parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real-time monitoring and controls to audit and terminate access in the event of identity compromise. Relying on VPNs or Remote Desktop alone is not enough and risks introducing additional attack vectors."
Maude added, "Beyond remote access, an important defense is to reduce standing privileges in the environment so that in the event an identity is compromised the 'blast radius' is limited. This is especially important in the age of identity attacks and hybrid environments where one compromised identity can open up paths to privileged access on dozens of systems on-prem and in the cloud that organizations weren't aware of."
CISOs and OT security leaders are still encouraged to prioritize segmentation as a foundation for OT security architecture; expand asset visibility and use virtual patching for legacy systems; integrate OT into SecOps and incident response planning; and leverage OT-specific threat intelligence and SOAR tools.
"One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices. Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle," said Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck. "In effect, legacy best practices may not be up to the task of mitigating current threats, or worse, those that might be deployed in the coming years. Since attackers know that critical infrastructure providers are measured in their up-time or service availability, once a device is compromised, attackers know that they have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic."
"OT is particularly scary because it is known as vulnerable and has immediate public impact when compromised. Failures can destabilize countries (loss of power, water, etc.)," said Trey Ford, CISO at Bugcrowd. "OT owners and operators need to require vulnerability disclosure programs or public bug bounty programs, in an effort to drive an increasingly resilient OT ecosystem. Continuing the posture of 'protect the vulnerable environment' will see these trends persist. The long-term answer to the ICS/SCADA/OT soft-target pattern is the buyers forcing technology providers to build increasingly resilient, self-defending technologies. Every OT vendor should have test networks with their devices connected to the internet for continual testing—and to demonstrate that they can be operated safely when exposed to any interested adversary."
Ford continued, "Network isolation, known as an air gap, is the principal protection relied upon by these OT networks, and one mistake or protective deficiency is all it takes to allow miscreants access to vulnerable attack surface. So many critical infrastructure sectors operate relatively soft targets powering ICS/SCADA and OT networks that rely heavily on network isolation for protection. While ICS/SCADA and OT solution providers need to deliver more heavily tested and self-defending products, vendors offering that critical network segmentation and remote access protection face extremely high accountability for failure. The findings of this report underscore the importance of carefully testing and validating your critical suppliers and technologies—and prioritizing partnership in vulnerability disclosures."
"Maintaining accurate, real-time visibility is one of the core challenges organizations face when trying to secure legacy OT systems," said Jeff Macre, Industrial Security Solutions Architect at Darktrace. "Many existing tactics, such as traditional rule-based methods, create a host of false positives and fail to detect subtle changes in OT environments such as unusual device behavior or network traffic, which can help identify early indications of an attack. The good news is that AI is already making a positive security impact across OT systems."
"AI can revolutionize cybersecurity across legacy OT systems with minimal disruption. AI can learn the network communication patterns of legacy OT environments, helping to detect threats or anomalies in real-time," Macre added. "OT device communications are often highly predictable and routine, with devices following consistent schedules and fixed command sets. Unlike in IT environments, where behavior can vary widely, OT systems tend to repeat the same operations in the same order, day after day. This makes it easy for AI to understand their normal behavior and be able to detect deviations that may indicate cyber threats or operational anomalies. This approach makes monitoring more accurate and reduces the volume of false positives."
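The baselining idea Macre describes, shown here as an added illustration that is not code from the report or from Darktrace: learn which peer pairs and commands appear in a known-good window of polling traffic, then flag unknown peers, never-seen commands, and faster-than-usual polling in a later window. The hosts, register numbers and timings are constructed sample data.

```python
import statistics
from collections import defaultdict

# Constructed sample traffic (not from the report). Line format: "<time_s> <src> <dst> <function> <register>".
# Baseline window: an HMI (10.0.1.5) polls a PLC (10.0.1.20) on a fixed 30-second cycle.
BASELINE = (
    [f"{t} 10.0.1.5 10.0.1.20 READ 40001" for t in range(0, 600, 30)]
    + [f"{t} 10.0.1.5 10.0.1.20 READ 40002" for t in range(15, 600, 30)]
)
# Observation window: the same polling plus three deviations that should be flagged.
OBSERVED = (
    [f"{t} 10.0.1.5 10.0.1.20 READ 40001" for t in range(600, 900, 30)]
    + [f"{t} 10.0.1.5 10.0.1.20 READ 40002" for t in range(615, 900, 30)]
    + ["640 10.0.1.99 10.0.1.20 WRITE 40010"]   # host never seen in the baseline issues a write
    + ["800 10.0.1.5 10.0.1.20 WRITE 40001"]    # known host uses a function it never used before
    + [f"{t} 10.0.1.5 10.0.1.20 READ 40001" for t in (700, 701, 702)]  # burst far faster than the cycle
)

def parse(line):
    t, src, dst, fn, reg = line.split()
    return int(t), (src, dst), (fn, reg)

def learn_baseline(lines):
    """Record which peer pairs talk, which commands each pair uses, and each command's typical spacing."""
    seen = defaultdict(list)
    for t, pair, cmd in sorted(parse(l) for l in lines):
        seen[(pair, cmd)].append(t)
    allowed, interval = defaultdict(set), {}
    for (pair, cmd), times in seen.items():
        allowed[pair].add(cmd)
        gaps = [b - a for a, b in zip(times, times[1:])]
        interval[(pair, cmd)] = statistics.median(gaps) if gaps else None
    return allowed, interval

def detect(baseline, lines, tolerance=0.5):
    """Return (time, reason, detail) for traffic outside the learned baseline."""
    allowed, interval = baseline
    last, alerts = {}, []
    for t, pair, cmd in sorted(parse(l) for l in lines):
        if pair not in allowed:
            alerts.append((t, "unknown peer pair", pair))
        elif cmd not in allowed[pair]:
            alerts.append((t, "command never seen for this pair", cmd))
        else:
            expected, prev = interval[(pair, cmd)], last.get((pair, cmd))
            if prev is not None and expected and t - prev < expected * tolerance:
                alerts.append((t, "polling faster than baseline", cmd))
            last[(pair, cmd)] = t
    return alerts
```

Running `detect(learn_baseline(BASELINE), OBSERVED)` yields five alerts: the unknown host at 640, the three-read burst at 700 to 702, and the unexpected write at 800, while the regular 30-second polling produces none.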
"OT is no longer the blind spot in enterprise security," Fortinet concludes. "It's becoming a strategic pillar—finally."
The full Fortinet press release also breaks down the report.