Full Report
OT cybersecurity firm Tosi disclosed that the average U.S. enterprise scores 35.9 out of 50, placing the field... The post Tosi reports US enterprises improve OT security maturity, but vendor access emerges as critical weakness appeared first on Industrial Cyber.
Analysis Summary
# Industry News: US Enterprises Mature in OT Security but Fail at Vendor Access Controls
## Summary
A new benchmark study by OT cybersecurity firm Tosi reveals that while U.S. enterprise OT security maturity has reached a "managed" Level 4 (scoring 35.9/50), critical gaps remain in operationalizing security. Despite improvements in asset visibility and threat detection, the inability to manage and revoke third-party vendor access has emerged as the primary localized weakness across the industrial sector.
## Key Details
- **Date:** April 8, 2026
- **Companies Involved:** Tosi (Primary Author), U.S. Industrial Enterprises (77 respondents across Manufacturing, Wastewater, and Financial Services)
- **Category:** Market Analysis / Research Report
## The Story
Tosi’s ‘2026 State of OT Security Report’ highlights a maturing landscape where 18% of organizations have reached the "optimized" tier of security. However, this progress is uneven. While visibility—knowing what is on the network—is at an all-time high, the execution of access control is lagging dangerously behind.
The report identifies **vendor remote access** as the single lowest-scoring capability in the dataset. Many organizations lack a structured method for granting access, and even those with tools often lack the process to revoke access once a task is completed. This creates persistent "exposure windows" that attackers can exploit via compromised vendor credentials.
The study also reveals a stark sectoral divide:
- **Wastewater:** Leads with an average score of 39.4/50, driven by aggressive regulatory mandates.
- **Manufacturing:** Lags significantly with a score of 31.2/50. In this sector, the remote access sub-score fell to a critical 1.67 out of 5, indicating that most manufacturers have no formal structure for managing third-party connectivity.
## Business Impact
### For the Companies Involved (Tosi)
- Positions Tosi as a thought leader in "Secure Remote Access" (SRA), directly aligning their product portfolio with the market’s biggest identified pain point.
### For Competitors
- Competitors in the SRA and OT visibility space (e.g., Claroty, Dragos, Bastion) will face increased pressure to demonstrate not just "visibility," but "enforcement" and "revocation" capabilities.
### For Customers
- **Industrial Operators:** Must shift budget from visibility tools to identity and access management (IAM) tailored for OT.
- **Vendors/Suppliers:** Likely to face more stringent audits and requirements for using specific secure access gateways rather than generic VPNs or TeamViewer-style solutions.
### For the Market
- There is a clear market shift from "What is on my network?" (the focus of 2023-2025) to "Who is allowed to touch it?" (the 2026 priority). This signals a transition from passive monitoring to active governance.
## Technical Implications
The report highlights a failure in **access revocation**. Technically, this suggests a lack of integration between OT access tools and central identity providers (like Active Directory or Entra ID). The reliance on "unstructured access" implies that legacy methods (static passwords, shared accounts) are still prevalent across manufacturing shop floors.
## Strategic Analysis
- **Market Positioning:** Organizations are "buying" security but not "doing" security. The gap between tool deployment and policy enforcement suggests a need for managed services.
- **Competitive Advantage:** Firms that can automate the lifecycle of a vendor’s access (from request to automatic revocation) will win the next cycle of OT spending.
- **Challenges:** The "velocity vs. security" trade-off; enterprises are deploying new remote sites faster than they can secure them, creating a perpetual backlog of "visibility blind spots."
## Industry Reactions
- **Analyst Opinion:** The report confirms that regulation (seen in Wastewater) is the most effective driver for OT security maturity, outperforming market incentives in Manufacturing.
- **Market Response:** Growing demand for "Secure-by-Design" infrastructure, as evidenced by Microchip’s recent IEC 62443 certification mentioned in related news.
## Future Outlook
- **Predictions:** Expect a surge in "Zero Trust for OT" marketing and product updates through 2026.
- **What to watch for:** Potential legislative action targeting the manufacturing sector, similar to existing water utility regulations, to close the maturity gap.
## For Security Professionals
- **Prioritize Audit:** Immediately review third-party access lists. If you cannot "cleanly revoke" access for a vendor today, your organization is at high risk.
- **Focus on Process:** The tools for SRA exist; the failure is in the governance. Focus on establishing a "Least Privilege" workflow for all remote maintenance activities.