The 71-Point Detection Gap in Oil and Gas OT
Key Highlights
- 87% of operators say they would detect an OT breach within 24 hours. Only 16% have the OT monitoring to back it up.
- 99 of 100 operators reported at least one OT cyber incident since February 28, 2026.
- 45% of operators say the IT and OT culture gap is the biggest barrier to faster progress. Only 11% say budget.
Oil and gas operators are spending aggressively on OT security after Operation Epic Fury, and most are confident they would detect an active OT breach within 24 hours. A new Tosi survey suggests most of that confidence rests on tools that were not built for OT.
In a recent survey, 87% of operators (upstream and midstream) rate themselves confident they would detect a breach within 24 hours. Only 16% base that confidence on continuous OT monitoring. The rest are relying on IT security tools that were not built for OT, or on a field operator noticing something is wrong.
That is a 71-point detection gap. IT security tools and field operator attention do important work, but neither was built to catch an OT breach. A sophisticated intrusion will not announce itself with visible production disruption. OT detection is purpose-built for industrial protocols, assets, and behaviors. IT tools are not.
The threats are real and rising
The volume of attacks against industrial organizations is at a record high, and the sophistication is at a new level. Both should change how operators think about detection.
April 2026 was the highest-volume ransomware month since BlackFog began tracking in 2020, with 105 publicly disclosed attacks across 22 countries and the U.S. accounting for 60% of all incidents. The Resilience cyber insurance report published this month found that ransomware accounted for more than 90% of total financial losses. Dragos tracked 119 ransomware groups targeting industrial organizations in 2025, up 49% year over year, affecting 3,300 organizations globally.
On sophistication, one finding from the Dragos 2026 Year in Review tells the story. VOLTZITE, a state-aligned threat group, compromised Sierra Wireless cellular gateways to reach U.S. midstream pipeline operations and pivoted to engineering workstations to extract configuration files. KAMACITE has been systematically mapping control loops across U.S. infrastructure. These adversaries are already inside. They are studying how operations work so they can decide later what to do with that access. They will not announce themselves with visible production disruption.
Within our own survey, 99 of 100 operators reported at least one cyber incident category since February 28, 2026. The two most common were precautionary OT shutdowns triggered by an IT-side incident, and ransomware affecting systems that interact with OT.
Budget is not the constraint anymore
The survey asked operators to name the single biggest barrier to faster OT security progress. Forty-five percent named the IT and OT culture gap. Eleven percent named budget. The barrier landscape has shifted from financial to organizational, and it has shifted decisively.
This matters because it changes what good investment looks like. The answer is no longer just more spending. It is selecting tools that operations trusts and that a small team of OT experts owns and manages. That last point is key, since our survey showed that 85% of operators run with five or fewer dedicated OT security staff.
What the capital should fund
Every operator should ask four questions before the next investment decision:
- Is this tool purpose-built for OT environments?
- Can we deploy this tool without interfering with production?
- Can our existing OT security team operate what we are buying?
- Who owns the OT security program when IT and operations disagree?
The constraints in OT are different from IT, and the consequences of getting it wrong are much higher. A technically correct security response can still be operationally wrong, and that is the part many IT-based approaches continue to miss. At Tosi, we have been building purpose-built OT security since 2011, when most of the industry was still treating OT as a subset of IT.
This is the budget cycle that decides whether the next OT breach in oil and gas is one operators catch in hours, or one they read about in the news. The capital is there. The choice is what to spend it on.
Sakari Suhonen is CEO of Tosi US (formerly Tosibox), a global pioneer in cyber physical systems platforms for operational technology networks. The 2026 Oil and Gas OT Decision Maker Survey was conducted independently by Dimensional Research on behalf of Tosi in April 2026 and includes responses from 100 OT decision makers at US upstream and midstream oil and gas operators.
Hear the findings discussed live in the Tosi webinar "The evolution of OT security in oil and gas: a conversation with Al Lindseth" on Wednesday, May 27, or watch the replay after May 27.
This content is sponsored by:

