👤 KERNELWATCHER
🗓️ 08 Apr 2026   🌍 North America

Behind the Curtain: U.S. Enterprises Struggle to Lock Down Vendor Access Despite OT Security Gains

New research reveals that while U.S. organizations are improving operational technology defenses, a dangerous gap in managing vendor remote access threatens critical infrastructure.

At first glance, America’s industrial giants appear to be winning the battle for operational technology (OT) security. But beneath the glossy numbers, a new report exposes a troubling truth: the very vendors entrusted to maintain and support critical systems are now the biggest security blind spot. The result? A modern-day Trojan horse scenario - where the enemy slips in through the front gate, not by force, but by invitation.

According to the “2026 State of OT Security Report” by cybersecurity firm Tosi, U.S. enterprises are making real progress in OT security maturity. Asset visibility and threat detection have become strengths, but a dangerous pattern persists: organizations deploy advanced tools, yet fail to consistently enforce controls, particularly around third-party remote access. In manufacturing, the situation is especially dire: most firms lack any structured method for managing or revoking vendor credentials, scoring a dismal 1.67 out of 5 on this critical question.

Tosi’s study, based on 77 U.S. enterprises, highlights that only one in three manufacturers has reached the “managed” Level 4, and even fewer can swiftly revoke vendor access if a compromise occurs. In contrast, the wastewater sector, pressured by the EPA and CISA, leads in operational discipline, scoring high in asset visibility, threat detection, and - crucially - remote access management. Yet even here, multi-site visibility lags as organizations expand faster than they can secure new locations.

The report uncovers three unexpected patterns. First, organizations are better at managing connections within plant floors than at the IT/OT boundary, leaving a weak perimeter. Second, while some have invested in sophisticated threat detection at key sites, these capabilities are not deployed network-wide, resulting in significant blind spots. Third, rapid site deployment outpaces the ability to maintain cross-site visibility, adding more shadows to an already complex environment.

The root of the problem? It’s no longer just about technology. The gap is now in process and enforcement. Many organizations have the tools, but lack the operational discipline to turn them into effective, consistently applied controls. Especially in manufacturing, reliance on generic IT tools instead of purpose-built OT solutions leaves critical systems exposed. Tosi recommends enforcing time-limited, identity-based vendor access, assigning OT security responsibility to operations teams, and making visibility a prerequisite for any new deployment.

As the digital and physical worlds collide in America’s factories and utilities, the message is clear: security is only as strong as its weakest gatekeeper. The organizations that rise to the top aren’t just buying better tools - they’re making sure every access point, especially those belonging to vendors, is locked down and watched. In the high-stakes world of OT, the difference between “having” and “using” security controls could define the next major breach - or prevent it entirely.

WIKICROOK

  • Operational Technology (OT): Operational Technology (OT) includes computer systems that control industrial equipment and processes, often making them more vulnerable than traditional IT systems.
  • Asset Visibility: Asset visibility is the ability to discover and monitor all devices, systems, and applications connected to a network for improved cybersecurity.
  • Vendor Remote Access: Vendor remote access allows third parties to connect to company systems remotely, often for support, but poses security risks if not tightly controlled.
  • Network Segmentation: Network segmentation divides a network into smaller sections to control access, improve security, and contain threats if a breach occurs.
  • IT/OT Boundary: The IT/OT boundary is the interface where IT systems connect with OT networks, requiring specialized security to protect critical infrastructure.

KERNELWATCHER
Linux Kernel Security Analyst