The State of OT Cyber Maturity: Progress but Gaps Persist

When placed side by side, three reports, the FERC 'Lessons Learned Audit Report' on the implementation of NERC CIP in the US energy sector, the SANS 'State of ICS/OT Security Survey' (2025), and Fortinet's 'State of Operational Technology and Cybersecurity Report' (2025), tell the story of large asset owners gradually improving their OT cybersecurity posture while still struggling with structural issues around governance, visibility, access control, and resilience. In summary, OT cybersecurity posture is improving and heading in the right direction, but progress is slow and defence in depth is still concentrated among regulated, well-resourced organisations.

1. Strongly regulated sectors are more OT security aware and mature

FERC provides the clearest evidence of this reality. Its audit findings show that organisations operating under mandatory CIP requirements, despite recurring violations, tend to have stronger governance structures, clearer documentation, and more defined security responsibilities than unregulated peers. Even when non-compliant, these entities at least operate within a repeatable compliance framework, which pushes them toward greater discipline. SANS reinforces this. Organisations in regulated industries report fewer severe impacts from incidents and demonstrate higher maturity in process definition, risk ownership, and cross-functional engagement. Regulated entities are also more likely to conduct scenario exercises, integrate engineering teams into incident preparation, and invest in structured OT governance. Fortinet’s 2025 research reports that regulated sectors such as energy, utilities, and chemicals dominate the upper maturity tiers. Nearly 49% of organisations self-assess at maturity Level 4 in process capability, largely driven by sectors already accustomed to regulatory oversight.

2. Despite years of focus, visibility continues to be a challenge

The industry continues to struggle with visibility. Despite the US energy sector’s relative maturity, FERC cites asset identification and categorisation failures as a root cause of non-compliance. Misclassification of BES Cyber Systems, incomplete inventories of DER and boundary devices, and poor documentation of network segments feature heavily in violations. These visibility failures undermine both compliance and operational security. SANS similarly identifies visibility as one of the weakest capabilities across industrial organisations. Only a small minority report full ICS/OT visibility across networks and assets. Limited monitoring, incomplete inventories, and poor understanding of cross-domain dependencies all hinder detection and response. Fortinet suggests only 5% of organisations report 100% visibility into OT systems, a decline from prior years. The report notes that as organisations mature, they “discover more blind spots,” highlighting that visibility gaps become more obvious as digitalisation expands.

3. Remote Access remains the primary attack vector - strengthen authentication, logging, and oversight

FERC identifies remote access governance failures as one of the most common compliance gaps. Issues with EACMS oversight, incomplete access logs, inadequate connection controls, and poorly managed vendor access all contribute to elevated risk and recurring violations. These weaknesses directly correlate with known intrusion pathways. SANS confirms that unauthorised remote access remains the leading vector for ICS compromise. Many organisations still rely on inadequate authentication, insufficient monitoring, and legacy remote connectivity solutions. Remote access is also the most cited initial access technique for OT incidents.

4. Third-Party Access introduces critical OT risk - enforce strong oversight and monitoring

FERC consistently finds deficiencies in the oversight of vendors performing CIP-related tasks. Issues include insufficient validation of contractor work, weak supervision of firewall rule audits, incomplete testing of PACS and EACMS, and poor evidence retention. FERC’s findings highlight that outsourcing itself is not the problem; the problem is a lack of governance. SANS identifies external parties and OEMs as major contributors to system exposure. Many asset owners rely heavily on vendor connections for maintenance, monitoring, and updates, yet do not enforce strong controls around authentication, session recording, or change management.

5. Resilience fails without proven recovery - validate playbooks and restoration procedures

FERC’s findings reinforce that resilience, defined as the ability to continue operations under cyber stress, is still underdeveloped. Many entities lack formalised response playbooks, restoration evidence, or cross-team coordination. Weaknesses in backup validation, recovery procedures, and incident documentation all reduce the ability to withstand or rapidly recover from attacks. SANS shows a strong correlation between resilience and organisations that conduct practical exercises involving engineers and operators. These organisations detect incidents faster, contain them more effectively, and incur fewer operational impacts. Resilience is improved through training and exercising, not paperwork alone. Given recent high-profile cyber incidents across the manufacturing sector, it should perhaps come as no surprise that, according to the Fortinet research, the single most important metric that OT security leaders are now judged on is “incident response time/return to service time”.

A final note relates to the SME community. FERC regulates the energy sector, and the SANS and Fortinet reports tend to focus on larger asset owners, so none of the three reflects the real lack of OT cybersecurity amongst the SME/B community. Westlands Advisory noted this as a growing issue in our last report. As more of these smaller operators and manufacturers are required to comply with regulations such as NIS2, or must meet the supply-chain requirements of their customers, how realistic is it to expect them to meet cybersecurity requirements without assistance or more affordable security models?
