The inaugural Midwest OT Cybersecurity Summit, held April 24, 2026, at Marquette University in Milwaukee, convened cybersecurity professionals, faculty, and industry leaders to establish shared maturity benchmarks and governance frameworks for operational technology (OT) security across the manufacturing, energy, healthcare, and transportation sectors. The event was hosted by the Security For the Folks Cybersecurity Community in partnership with Marquette's Center for Cyber Security Awareness and Cyber Defense, running from 11 a.m. to 5:30 p.m. at the Alumni Memorial Union. Sessions addressed regulator expectations, cross-sector risk prioritization, and funding models for OT security programs heading into 2026-27.
Background
The summit arrived at a pivotal moment for industrial cybersecurity governance. CISA published its updated Cross-Sector Cybersecurity Performance Goals (CPG 2.0) in late 2025, aligning IT and OT goals under a unified six-function structure (Govern, Identify, Protect, Detect, Respond, and Recover) and introducing a new "Govern" function emphasizing executive accountability and risk management strategy. Separately, the Operational Technology Cybersecurity Coalition (OTCC) has proposed a 1-to-5 maturity scoring model for evaluating federal Sector Risk Management Agencies (SRMAs), reflecting persistent inconsistency in cybersecurity maturity across critical infrastructure sectors. The OTCC framework would allow the Office of the National Cyber Director to rate each SRMA annually on domain expertise, policies, risk assessments, incident response, and cross-sector coordination.
Against this regulatory backdrop, the Fortinet 2025 OT Security Report found that half of OT organizations experienced breaches the prior year, while higher maturity levels correlated with measurably better outcomes. IBM X-Force data identified manufacturing as the most breached sector globally in 2024, representing 24.6% of all incidents.
Details
Panel discussions centered on the uneven maturity landscape across sectors. Participants noted that energy operators face structured compliance obligations under NERC CIP, with FERC approving mandatory cybersecurity controls for low-impact bulk electric system (BES) cyber systems in early 2026, while manufacturing organizations often lack equivalent sector-specific mandates and rely on voluntary frameworks such as NIST CSF 2.0 and IEC 62443. IEC 62443 has accelerated in adoption across manufacturing, energy, and critical infrastructure, with its security architecture centered on zones and conduits defining progressively granular security levels from SL1 through SL4.
Healthcare and transportation attendees highlighted distinct challenges. In healthcare, operational technology includes medical devices and building systems that frequently lack segmentation from clinical networks. Transportation stakeholders pointed to vendor and third-party access as the sector's most acute governance gap. Cross-industry assessment data shows that in roughly 40% of OT security engagements, vendor laptops or site-to-site tunnels provided the easiest path into OT environments, with third-party access often weakly monitored.
On funding models, speakers aligned around risk prioritization rather than across-the-board investment. The SANS 2025 ICS/OT Cybersecurity Budget Survey found that nearly 62% of organizations redirected budgets from perimeter tools toward resilience strategies including integrated visibility, continuous monitoring, and automated governance. The summit's closing consensus identified three priorities for 2026-27 programs: formalizing governance ownership with executive accountability, completing OT asset inventories as a prerequisite to maturity advancement, and operationalizing detection coverage by zone rather than relying solely on IT-boundary monitoring. Cross-industry assessment data indicates that in approximately 50% of OT environments, backup systems remained reachable from IT or management tiers and lacked offline or immutable copies, leaving organizations exposed during destructive ransomware scenarios despite having backups in place.
Regulator expectations emerged as a unifying theme. CISA, TSA, and EPA have each introduced OT-specific expectations for resilience and incident response, though standards are not applied consistently across sectors or borders, creating compliance program management challenges for multi-site operators.
Outlook
The summit's organizers indicated plans to expand the event in 2027, with ambitions to formalize cross-sector working groups that translate summit discussions into shared maturity roadmaps. Regulatory pressure is expected to intensify across all four sectors discussed: the SANS 2026 workforce report found that 95% of organizations now report some level of regulatory influence on cybersecurity hiring, up from 40% in 2025. OT security leaders leaving the summit were urged to audit their programs against CISA CPG 2.0 governance criteria and to close the gap between asset visibility tools, where most organizations have invested, and the Protect and Detect-and-Respond capabilities that regulators and insurers increasingly require as baseline expectations.
