2026年运营技术（OT）与网络安全现状报告

Table of Contents Key Takeaways People Over the past eight years, cybersecurity maturity has increased globally as organizations have integratedoperational technology (OT) security under the chief information security officer (CISO) or other information Signaling an increase in maturity, the C-suite has mitigated OT risk to the point of delegating OT cybersecurity responsibilityback down to senior leadership roles. Those respondents who do not have elevated OT risk yet still need specializedknowledge and leadership to address the increasing number of sophisticated threats. For the fifth consecutive year, the OT cybersecurity program, process, and solution maturity In recent years, self-assessed program and process maturity was high with respondents reporting maturity levelsof 3 and 4. Over time, as more resources and security solutions were introduced and IT teams and C-suite gainedmore oversight, it became apparent that the true maturity levels were actually much lower. Now the self-assessedprocess and security solution maturity levels have recalibrated as joint IT and OT security teams have receivedadditional funding and deployed more solutions. Because of advanced OT security solutions, additional security Regarding Process Maturity, many respondents in levels 1 and 2 report they are still in firefighting mode. Only a minorityof respondents are at level 4 and truly mature in their security approaches. Respondents at level 0 struggle with a lack ofdocumentation and core processes, increasing from 1% in 2025 to 5% in 2026. The level 1 and level 2 figures also increased Level 3 respondents are relatively sophisticated, increasing modestly year-over-year (YoY). Advanced enterprises at level 4declined sharply from 49% to 17%. This reassessment is a positive sign, signaling that OT security teams are more diverse, Solution maturity presents a similar picture. Level 4 respondents decreased YoY (19% to 14%), although level 3 was up slightlyat 24% versus 22% in 2025. Level 0 and level 1 categories were up notably from 1 to 5% and 26 to 30%, respectively. These Cybersecurity incidents A positive indicator of increasing cybersecurity maturity is that teams are now reporting greater visibility ofintrusions as opposed to reporting none. In this year’s report, the declining numbers of respondents saying theyhad detected zero intrusions may point to a greater ability to detect intrusions rather than a real decline in the More regulations are expected sooner Laws, regulations, and compliance mandates continue to be challenges for IT and OT leaders. Increasingly, theseleaders want to get ahead of governance cycles and learn about potential pending rule changes that may impact Last year, some respondents expected new regulations in a few years, but now the vast majority of respondents predict newregulations will be coming soon. These new regulations will increase cybersecurity demands but also will improve network In 2026, almost nine out of 10 respondents (89%) expect increased regulation in five years or less. This number is up sharplyfrom 66% in 2025. Regarding timing, there was a 20-point shift in respondents now anticipating new regulations in two to fiveyears as opposed to five+ years, suggesting that respondents want to prepare for IT and OT regulatory compliance challenges Executive Summary This year marks our eighth edition of theFortinet State of Operational Technology and Cybersecurity Report. The 2026 study isbased on comprehensive data from a global survey of more than 700 OT-related professionals conducted by a respected third- This year’s report indicates that in 2026, organizations are taking OT security seriously, but they still have work to do. A minorityof survey respondents have ensured they have the processes and tools in place to address the wave of cybersecurity attacks, Many other respondents are taking sensible steps to meet regulations and repel attackers. They are responsibly documentingand reporting their actions and have senior people involved in strategic decisions to defend their operations. But security gaps Organizations with the highest security maturity have implemented the best practices, suggested at the end of this report andconsolidated vendors to manage complexity and costs. Many of these organizations have taken an integrated platform approach These organizations often turn to the C-suite for leadership rather than relying on specialists alone. This year, responsibilitycontinues to move to the CISO and other executives as risk is better understood, funded, and redistributed. We’ve also seen a Those OT organizations with higher security maturity also are likely to experience fewer incidents in 2026. Enterprises areincreasingly taking the opportunity to modernize their industrial control systems (ICS), which will improve their defenses. The always-on nature of many OT organizations has created a rapid increase in connected devices, applications, and usersthat n