Operational technology cybersecurity is one of the few cyber disciplines whose threat model genuinely changed in the last three years — and one of the few where the executive conversation has not caught up with the operational reality. This is what I see across the operators I work with at Netsync, the executive tabletops I run, and the conversations that follow keynotes.

What is mature in OT cybersecurity

Three things are genuinely mature in OT cybersecurity in 2026.

First, the regulatory frame: NERC CIP for the bulk electric system, the TSA pipeline Security Directives, the EPA cybersecurity rule for water utilities, the USCG MARSEC layer for ports, NRC 10 CFR 73.54 for nuclear, and the CISA Cross-Sector Cybersecurity Performance Goals as a unifying baseline. The frame is no longer ambiguous, even where it is incomplete.

Second, ICS detection. Passive monitoring inside OT networks is now operational rather than experimental. The technology category has matured, the cost has come down, and the executive question has shifted from “should we buy this?” to “why are we not getting more out of what we bought?”

Third, executive awareness. The Colonial Pipeline event, the JBS event, and a sequence of less-publicized incidents have done the work that years of security-vendor marketing did not. Boards now ask. Whether they ask the right questions is a separate matter — addressed below.

What is still broken

Five things are still broken in OT cybersecurity in 2026, in order of how much they show up in tabletop exercises.

1. The IT-OT pivot

Most operators have inherited an IT-OT architecture rather than designed one. The vendor remote-access path that was added in 2014 to support a single rotating-equipment supplier is still there. The Active Directory integration that was added to make engineering authentication easier still routes through the IT layer. The historian replication that was added for reporting still bridges the boundary in a way the original Purdue model would not have allowed. Closing that pivot path is mostly a governance and decision-rights problem, not a technology problem. See IT-OT convergence.

2. OT identity

OT identity is the category I most often watch fail in real time during tabletops. The recurring pattern is shared engineer accounts, vendor accounts that nobody can deactivate, and service accounts whose passwords have not rotated in five years. The fix is unglamorous and the funding is hard, but the exposure is direct.

3. Vendor remote access

This is the single most under-governed category in OT cybersecurity. Operators routinely cannot list every vendor with active OT access, cannot describe the access path, and cannot independently terminate the connection. Recent supply-chain incidents have made this a board-level question. See OT supply chain cybersecurity.

4. Recovery

OT recovery is fundamentally different from IT recovery. The configuration data lives in OEM tools that may not have backed up reliably. The PLC firmware images may not have been captured at the version actually deployed. The HMI screens may have undergone undocumented changes. Recovery rehearsal is rare and the gap is enormous. See OT incident response.

5. Detection-to-decision compression

Even where ICS detection is in place, the path from a detection event to an operational decision tends to be slow. The detection lands in a SOC that does not have OT context. The OT engineering team does not have visibility into the SOC’s alert queue. The operations leader who would actually authorize a containment action is not on the original distribution list. The architectural fix is not technology; it is decision rights.
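Detection-to-decision time is also the fourth of the board questions below, and it can only be reported if each hand-off on the path from sensor to operations leader is timestamped. The script below is an added example, not the article's or Netsync's tooling; the stage names and the three-alert timeline are constructed to show the two things the metric surfaces: which hand-off eats the time, and which alerts never reach a decision at all.

```python
"""Measure detection-to-decision time for ICS alerts from a hand-off timeline.

Added example. Stage names (detected -> soc_triaged -> ot_reviewed -> decision)
and the sample rows are assumptions about how an operator might record the
path from an ICS sensor event to an authorised operational decision.
"""
from datetime import datetime

# Constructed timeline (not real data): (timestamp, alert id, stage, actor).
TIMELINE = [
    ("2026-02-03T02:14:00", "A-101", "detected",    "ics-sensor"),
    ("2026-02-03T02:41:00", "A-101", "soc_triaged", "soc-analyst"),
    ("2026-02-03T06:05:00", "A-101", "ot_reviewed", "ot-engineer"),   # SOC -> OT gap
    ("2026-02-03T07:30:00", "A-101", "decision",    "ops-leader"),
    ("2026-02-03T09:02:00", "A-102", "detected",    "ics-sensor"),
    ("2026-02-03T09:20:00", "A-102", "soc_triaged", "soc-analyst"),
    # A-102 stops in the SOC queue: the OT team and the ops leader never see it.
    ("2026-02-04T11:45:00", "A-103", "detected",    "ics-sensor"),
    ("2026-02-04T11:52:00", "A-103", "soc_triaged", "soc-analyst"),
    ("2026-02-04T12:10:00", "A-103", "ot_reviewed", "ot-engineer"),
    ("2026-02-04T12:25:00", "A-103", "decision",    "ops-leader"),
]

STAGES = ["detected", "soc_triaged", "ot_reviewed", "decision"]


def by_alert(rows):
    """Group the timeline into {alert: {stage: datetime}}."""
    grouped = {}
    for ts, alert, stage, _actor in rows:
        grouped.setdefault(alert, {})[stage] = datetime.fromisoformat(ts)
    return grouped


def detection_to_decision(rows):
    """Minutes from detection to decision per alert; None if no decision was ever made."""
    result = {}
    for alert, stages in by_alert(rows).items():
        if "decision" in stages:
            result[alert] = (stages["decision"] - stages["detected"]).total_seconds() / 60
        else:
            result[alert] = None
    return result


def slowest_handoff(rows, alert):
    """Name the hand-off that consumed the most time for one alert, with its minutes.
    This is the line item that tells you whether the delay is SOC context,
    OT visibility, or the decision maker not being on the distribution list."""
    stages = by_alert(rows)[alert]
    worst, worst_minutes = None, -1.0
    for earlier, later in zip(STAGES, STAGES[1:]):
        if earlier in stages and later in stages:
            minutes = (stages[later] - stages[earlier]).total_seconds() / 60
            if minutes > worst_minutes:
                worst, worst_minutes = f"{earlier}->{later}", minutes
    return worst, worst_minutes


def stalled(rows):
    """Alerts that never reached an operational decision, sorted by id."""
    return sorted(a for a, m in detection_to_decision(rows).items() if m is None)


if __name__ == "__main__":
    for alert, minutes in detection_to_decision(TIMELINE).items():
        if minutes is None:
            print(f"{alert}: no decision recorded")
        else:
            print(f"{alert}: {minutes:.0f} min, slowest hand-off {slowest_handoff(TIMELINE, alert)}")
    print("stalled:", stalled(TIMELINE))
```

On the constructed data A-101 takes 316 minutes end to end, and 204 of those sit between SOC triage and OT review, the exact gap the text describes. A-103 closes in 40 minutes, and A-102 never leaves the SOC queue, so it would be invisible in any report that only averages the alerts that did get decided; reporting the stalled list alongside the times is what makes the metric honest.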

The seven decisions every operator board now owns

I run these seven through every operator-board briefing. They are the questions a director should be able to answer about their OT cybersecurity program without consulting staff.

  1. Who has authority to disconnect IT from OT in an active event?
  2. What is our vendor remote access inventory and termination process?
  3. What is our OT identity posture and how often is it audited?
  4. What is our ICS detection coverage and detection-to-decision time?
  5. What is our OT recovery rehearsal schedule and last-recorded recovery time?
  6. What is our exposure to the regulatory directive most relevant to our sector?
  7. When did we last run an executive tabletop on a coordinated OT event?

If a board cannot get clean answers to those seven, the program is not yet at the maturity the threat environment requires.

Where the discipline is heading

Three things will change in the next 24 months.

The convergence of AI and OT security will move from research category to operational reality. ML-based anomaly detection will become a baseline rather than a differentiator. The adversary will use AI to accelerate target reconnaissance and exploit-path discovery, particularly in OT environments that have weak inventory hygiene.

The post-quantum cryptography migration will arrive in OT through the firmware-signing path before it arrives anywhere else. Most OT vendors do not yet have published PQC roadmaps. The procurement leverage operators have today is significant and underused.

And the regulatory frame will keep extending. Sectors that were lightly regulated three years ago — water, food and agriculture, certain transportation modes — will pick up directive-level expectations. The operators who already aligned to IEC 62443 and NIST 800-82 Rev 3 will absorb the new directives at marginal cost. The operators who did not will be doing all of it at once.

Where to start

If you are running an OT cybersecurity program in 2026 and want a single starting point, run a 90-minute executive tabletop on a coordinated OT scenario, score yourself against the seven decisions above, and book the first remediation against the lowest-scoring decision. That is the pattern that closes the gap fastest, in my experience.

Mark Lynd delivers OT cybersecurity keynotes, runs executive OT tabletop exercises, and advises operators through Netsync's Executive Advisory & Strategy practice. Book a discovery call or read Cyber War: One Scenario.