Fortinet finds Canadian OT cyber maturity rising, C-suite leads

Fortinet has released its 2025 State of Operational Technology and Cybersecurity Report, highlighting ongoing security challenges and the increasing involvement of executive leadership in OT security across Canadian industries.

The report draws from a global survey, including responses from Canadian professionals in sectors such as manufacturing, transportation, healthcare, oil and gas, energy, chemicals, and water management. According to the findings, nearly half - 48% - of Canadian respondents reported at least one cybersecurity incident affecting their operational technology infrastructure in the past year, with 11% of organisations experiencing more than six breaches.

The persistence of security incidents remains a concern. In North America, including Canada and the United States, the report finds that twice as many attacks persist for months, as opposed to the hours or weeks typically seen in the EMEA region.

OT maturity and intrusion impact

The maturity of OT security has a marked effect on the number and severity of intrusions. At the Level 1 maturity stage, which consists of establishing visibility and implementing segmentation, 26% of organisations have achieved this basic step, compared to 20% in the previous year. The majority of organisations now place themselves at Level 2, which focuses on access control and profiling.

There is a clear correlation between increased maturity and a reduction in cyberattacks. The report highlights that 65% of companies operating at Maturity Level 4 reported zero intrusions, compared to just 46% among those at Levels 0-2. The adoption of more sophisticated security solutions is enabling mature organisations to better handle common threats such as phishing, although advanced persistent threats and OT-specific malware remain harder to detect for less mature organisations.

C-suite engagement

Responsibility for OT security has shifted upwards within corporate structures. The survey shows a significant rise in accountability at the C-suite level, with 52% of Canadian organisations reporting the Chief Information Security Officer (CISO) or Chief Security Officer (CSO) as primarily responsible for OT security - an increase from 16% in 2022. For all senior leadership roles, this number rises to 95%.

Looking ahead, 80% of respondents intend to move OT cybersecurity under CISO oversight in the coming year, up from 60% in the previous survey period. The prominence of the CISO reflects the heightened profile of OT security at board level.

Adoption of best practices

The report notes that increased maturity is also driving the standardisation of cybersecurity best practices. Organisations that enforce basic cyber hygiene, provide training and awareness programmes, and integrate threat intelligence have witnessed positive effects, such as a notable reduction in business email compromise incidents.

The uptake of threat intelligence specifically has increased by 49% since 2024. Vendor consolidation is also highlighted as an indicator of maturity, with 78% of respondents now using between one and four OT vendors. This consolidation has been linked with improved operational efficiency and aligns with the experience of organisations using the Fortinet OT Security Platform, which reported a 93% reduction in cyber incidents and a seven-fold improvement in incident triage and setup times.

Recommended strategies

Fortinet's report outlines several best practices for organisations to bolster their OT security posture. These include establishing visibility and controls for OT assets, deploying network segmentation, integrating OT considerations into security operations and incident response planning, employing a platform approach for security architecture, and embracing OT-specific threat intelligence and services.

Specifically, organisations should focus on the ability to monitor all OT network assets, protect vulnerable devices with appropriate controls, and enforce network segmentation in line with international standards such as ISA/IEC 62443. The report stresses that successful security operations require collaboration between IT, OT, and production teams, with the CISO ensuring appropriate resource allocation.

Many organisations have suffered from overly complex architectures caused by the deployment of multiple security solutions from different vendors. The report suggests a consolidated, platform-based security approach can simplify management and enable timely, automated responses to emerging threats, especially those unique to OT environments.

"The seventh installment of the Fortinet State of Operational Technology and Cybersecurity Report shows that organisations are taking OT security more seriously. We see this trend reflected in a notable increase in the assignment of responsibility for OT risk to the C-suite, alongside an uptick in organisations self-reporting increased rates of OT security maturity. Alongside these trends, we're seeing a decrease in the impact of intrusions in organisations that prioritise OT security. Everyone from the C-suite on down needs to commit to protecting sensitive OT systems and allocating the necessary resources to secure their critical operations," said Nirav Shah, Senior Vice President, Products and Solutions, at Fortinet.

The findings indicate ongoing improvements in Canadian OT security practices but underscore that significant risk and room for further progress remain.