Compliance does not equal OT network security

Research shows that operational technology (OT) security leaders rank maintaining regulatory compliance as their top concern. Today’s threat landscape requires more.

One of the key findings of Skybox Security’s research report, Operational Technology Cybersecurity Risk Underestimated by Operational Technology Organizations, is that “maintaining compliance with regulations and requirements” is the top concern of OT security decision makers.

Learn how to reduce risk in your OT environment

It’s easy to see why compliance is a concern: mandates change often, are difficult to interpret, and can be overwhelming. The OT environment is subject to many security requirements and risk methodologies, for example:

  • STIG compliance requirements
  • NERC CIP compliance
  • The FAIR (Factor Analysis of Information Risk) methodology
  • The Cyber Value at Risk (CVaR) model

So while compliance is a primary concern across many functions, it is not, in and of itself, a silver bullet against bad actors. Why not?

Compliance is only part of a larger security picture

Compliance frameworks give insight into how well the technologies in place are tuned, but each one is only one facet of security, designed to report on progress in its own specific area of concern. For example, NIST SP 800-41 (Guidelines on Firewalls and Firewall Policy) covers only firewall controls: it addresses access at the network perimeter and between zones, and nothing more. It does not cover the business as a whole or the rest of its components, and it says nothing about the controls needed for user identity, virtualization, or container security.

Why is it so common to assume that compliance is enough? Part of it is normalization: an accumulation of opinions that comes to be treated as settled. Think of the old chewing-gum ad: “four out of five dentists recommend sugarless gum for their patients who chew gum.” It’s not an absolute endorsement, but it lends credibility.

A passed checklist does not guarantee OT security

Many companies invest significant time and money in people and technology to secure their environments, including meeting auditors’ demands. When a company passes the audit and ticks every box on the checklist, it is easy to assume that it has met the criteria and is therefore safe. “We have the paperwork to prove it!” Unfortunately, this wishful thinking often leaves real vulnerabilities in place.

The research found that security teams vastly underestimate the risk of a cyberattack against their crown jewels: 56% of respondents are very confident that their organization will not experience an OT breach in the next year, yet 83% said they had suffered at least one OT security breach in the past 36 months. Read through a compliance lens, that says, “I’m compliant, but I keep getting breached.”

Consider the expression “you are only as strong as your weakest link.” Imagine a table with four legs, of which three are monitored for compliance. All three pass; the fourth is a question mark. The owners of the three monitored legs can truthfully report that they are compliant, but that doesn’t matter if the fourth one fails: the whole table collapses. For an OT organization, that collapse is a breach. One exposed vulnerability is all an attacker needs to wreak havoc on your business, and compliance alone won’t stop it.

With Skybox, you are compliant. More importantly, you are secure.

Don’t sweep your cybersecurity vulnerabilities under the rug

Putting all your faith in compliance means sweeping your security vulnerabilities under the rug and burying your head in the sand. Don’t think for a moment that compliance is all you need. It’s a recipe for a 3 a.m. call telling you that your plant’s machinery has been held hostage on the day a large production run is due to ship.

OT organizations need to raise their security posture and give vulnerability management the same priority as security policy and compliance management. This requires a platform that can visualize and analyze OT, hybrid, and multi-cloud networks, providing full context and understanding of the attack surface. OT organizations can then use that context to strengthen their cybersecurity compliance controls, processes, and programs.

Find out how Skybox can help you with your audit and compliance needs.


About Skybox Security
More than 500 of the world’s largest and most security-conscious enterprises rely on Skybox for the information and assurance needed to stay ahead of dynamically changing attack surfaces. Our security posture management platform provides comprehensive visibility, analytics, and automation to quickly map, prioritize, and remediate vulnerabilities across your organization. The vendor-neutral solution intelligently optimizes security policies, actions and change processes across all enterprise networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring businesses are protected. We are Skybox.


  • This promoted content has been paid for by the relevant party

Kevin M. Risinger