“23% of respondents have visibility into only half of their OT environment.”
2026 Fortinet State of Operational Technology and Cybersecurity Report: maturity rising, visibility lagging
The 2026 Fortinet State of Operational Technology and Cybersecurity Report finds that OT security is becoming a board-level priority as industrial organizations integrate IT and OT to sustain production. This convergence “bolsters efficiency and resilience,” the report notes, but it also “expands the attack surface.” Respondents say they are more alert to risks from ransomware groups, nation-state actors and other cybercriminals, and are “realistic about OT cybersecurity maturity” while preparing for regulatory requirements. Yet visibility remains a persistent problem: the report found that 23% of respondents have visibility into only half of their OT environment.
Human Machine Interfaces, false telemetry, and the limits of prevention
Louis Eichenbaum, Federal CTO at ColorTokens, described a core operational risk: many OT systems rely on Human Machine Interfaces (HMIs) and monitoring systems to provide situational awareness, and an adversary that compromises those systems can “present false data” that tricks operators into dangerous decisions. He warned that in sectors such as water treatment, pipelines, manufacturing, or energy infrastructure, “false telemetry could have even more severe consequences ranging from environmental damage to safety incidents and operational outages.”
Eichenbaum argued that many OT systems “were never designed with cybersecurity in mind,” emphasizing that they were built for reliability and availability rather than to withstand modern nation-state cyber threats. He added that many systems remain “internet-facing, poorly segmented, and inadequately monitored,” and concluded bluntly: “We are never going to patch fast enough or prevent every intrusion.” Because of that reality, he called for a shift from prevention-only strategies toward resilience measures that assume an adversary may gain access.
Microsegmentation, zero trust, and containment as operational priorities
Echoing the resilience emphasis, Eichenbaum recommended “granular microsegmentation and zero trust principles” for OT: those controls, he said, “help contain breaches, restrict unauthorized communications, and reduce the blast radius when a compromise occurs.” The aim is “not simply to stop every attack, but to ensure that a localized intrusion does not become a catastrophic operational event.”
Several other leaders highlighted similar architectural approaches. Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace, said OT security is “strongest when supported by robust IT security,” requiring coordination between IT and OT teams and adoption of good cyber hygiene to address vulnerabilities before they can be exploited.
Mythos, LLMs, and the widening OT/IoT attack surface
John Gallagher, Vice President at Viakoo, focused on the accelerating threat from tools and techniques that lower the skill floor for attackers. He noted the recent “hype cycle around Mythos,” saying its autonomous hacking capabilities are “impressive” in theory but that “the reality of securing OT and the Internet of Things (IoT) is the real cause for concern and urgent action because of Mythos.” Gallagher warned that Mythos “renders [OT/IoT] into the most easily hacked part of infrastructure” because it can overcome non-standard operating systems and network topology differences, accelerating trends such as the shift of ransomware from data to OT systems and the use of OT/IoT devices for initial infection and lateral movement.
Vincenzo Iozzo, CEO and Co-founder at SlashID, made a related point about large language models (LLMs): “most Operational Technology (OT) systems were designed without security in mind,” and LLMs “are likely going to make attacks against OT systems more frequent as they further reduce the skill level required to launch these attacks.” Iozzo argued that in the short term segmentation is the most effective approach, while longer-term architectural changes driven by LLMs may be possible.
Agentic physical security, AI detection, and the human factor
Vikesh Khanna, CTO & Co-Founder at Ambient.ai, pointed to legacy issues — compromised air-gapped systems, weak authentication, and unpatched vulnerabilities — and to physical attack vectors, noting that “unauthorized physical access to ICS assets — such as control panels or field devices — remains a major vector for breaches.” He singled out “agentic physical security” as a key innovation, pairing AI-driven anomaly detection and “adaptive protections using ML for real-time encryption and threat response” with physical barriers and AI-verified access.
John Gallagher also underscored operational realities: in many OT/IoT environments organizations still “manage device passwords on spreadsheets and manually roll trucks to patch 10,000 cameras.” That gap between attacker speed and defender patch cycles — “if AI can discover and exploit a vulnerability in hours, yet it takes an organization six months of manual labor to patch their physical security systems, the math heavily favors the attacker” — is a recurring theme across contributors.
What this means for technologists, procurement leaders, and regulators
- Technologists and security teams: prioritize segmentation, zero trust controls, and coordinated IT–OT incident response; invest in visibility tools, because 23% of respondents report visibility into only half of their OT environment.
- Procurement and operations leaders: expect higher costs and staffing shifts as employers “will pay a premium” for people who can secure non-IT devices and manage physical patch logistics.
- Regulators and compliance teams: anticipate tighter requirements; the report shows organizations are “increasingly diligent about impending regulatory requirements,” underscoring the need to measure and enforce visibility and resilience standards.
The Fortinet report's finding is clear and narrow in scope: OT cybersecurity is maturing in awareness and architectural intent, but concrete visibility and operational practices lag. The experts converge on a practical thesis: assume compromise, contain it through microsegmentation and zero trust, and harden both digital and physical access. They also warn that accelerating tools like Mythos and LLMs tip the balance toward attackers unless organizations accelerate modernization. Will boards, procurement teams and operators close the visibility gap before attackers exploit it? The report leaves that as the next operational test.




