The ongoing momentum towards becoming and staying compliant is transforming industrial cybersecurity, moving operators away from reactive checklists and towards continual, systematic change. Formerly something addressed periodically, cyber compliance is now an integral part of daily business as regulations tighten across the globe and the prospect of cross-border audits looms. Most industrial operational technology (OT) systems were never designed with logging, access control, or real-time visibility as design parameters; now, these capabilities are how audit readiness is demonstrated.

Making the OT environment audit-ready is more than just plugging holes. It calls for asset visibility and control across operational spaces that have grown dark and isolated from the traditional IT field of view. Businesses are starting to turn these blind spots into strengths by embedding monitoring, asset discovery, and access governance into foundational operations, rather than begrudgingly doing the minimum in last-minute audit prep.

Yet the maturity gap is still stark. Many large multinational industrial companies have sites of varying security posture, and their governance models must scale, adapt locally, and impose minimum standards globally. Companies also have to manage the tension between meeting audit requirements and spending on genuine security. The costs of compliance continue to rise, and security programs must adapt accordingly. Harmonizing cyber obligations across national borders is no longer a purely legal exercise carried out in a compartmentalised legal universe; it has become a strategic necessity.

How cyber regulations are redefining industrial security

Industrial Cyber reached out to cybersecurity experts to identify which regulations are having the greatest impact on how industrial operators shape their cybersecurity programs, and what makes those rules so disruptive or transformative.

Robert Huber, CSO and head of research at Tenable

Robert Huber, chief security officer, head of research and president of Tenable Public Sector, identified that regulations like the EU’s NIS2 Directive, North America’s NERC CIP standards, and Australia’s SOCI Act are expanding the scope of industrial cybersecurity, increasing leadership accountability, and imposing penalties for non-compliance. 

“To meet these demanding requirements, operators are widely adopting international standards such as the ISA/IEC 62443, which is often used with the NIST Cybersecurity Framework, whose flexible, risk-based approach helps create a common language for security that bridges the gap between technical teams and executive leadership,” Huber added. “Together, these regulations and frameworks are compelling industrial operators to treat cybersecurity as a fundamental business function, demanding strategic investment and engagement from the highest levels.”

Jose Seara, founder and CEO at DeNexus

Jose Seara, founder and CEO of DeNexus, told Industrial Cyber that in the U.S., key regulations influencing industrial cybersecurity include NERC CIP standards for the power sector, TSA security directives for pipelines and rail, the SEC’s cyber-disclosure rule, and the upcoming CIRCIA breach-reporting requirement. One notable provision, NERC CIP-015-1, focuses on securing critical cyber assets in the supply chain. Across Europe and the U.K., the NIS 2 Directive and the UK’s revised NIS Regulations are driving stricter cybersecurity and incident reporting requirements for essential and digital service providers.

He added that “They are disruptive because they impose 24- to 72-hour incident reporting, board-level accountability, heavy fines tied to global turnover, and require operators to have an OT asset inventory, prove safety-of-process, and maintain evidence continuously—not only during annual audits, hence the need for continuous monitoring.”

Sarah Fluchs, CTO of admeritia

From a European perspective, Sarah Fluchs, CTO of OT cybersecurity consultancy admeritia, told Industrial Cyber that regulation comes from two vectors: critical infrastructure regulation (NIS-2) and functional safety regulation that was recently extended to also include cybersecurity (e.g., directives on major accidents or occupational safety). “What makes them disruptive simply is that cybersecurity becomes a legal requirement for the first time.”

Vytautas Butrimas, an industrial cybersecurity subject matter expert

“It all depends on how much those who regulate and audit understand and are able to answer those questions,” Vytautas Butrimas, a now-retired industrial cybersecurity consultant and member of the International Society of Automation (ISA), told Industrial Cyber. “I once made a presentation to a group of European energy regulators. I asked beforehand about the background of those who will be in the audience – most of them were lawyers.”

Shifting cyber compliance from periodic to permanent

As regulatory pressure ramps up across sectors, the executives address the organizational shifts that are making compliance part of daily industrial operations instead of a box checked periodically.

“Effective cybersecurity demands strong plant-level stakeholder alignment, with operations integrating security as a core goal due to its impact on availability, safety, and confidentiality,” Huber evaluated. “Enterprise-level risk ownership is crucial. Organizations should aim for proactive cybersecurity; where this isn’t fully feasible in industrial operations, comprehensive visibility is paramount. OT equipment changes often need manufacturer approval.”

Additionally, Huber pointed out that organizations must prioritize vulnerabilities posing the greatest risk to critical processes by leveraging threat intelligence and predictive technologies for a data-driven, proactive risk reduction approach.

Seara said that, pushed partly by regulatory pressure and partly by cybersecurity hygiene and best practices, leaders are shifting from ‘audit projects’ to continuous assurance, and that better integration between OT cybersecurity products is becoming an enabler, helping industrial operators better manage their security. “Regular vulnerability scanning, 24×7 OT network monitoring, integration with SIEM/SOAR/SOC, and proactive cyber risk management help owners identify and manage their risk.”

He also highlighted that cross-functional ‘OT cyber teams’ put engineering, safety, and cybersecurity experts under a common framework, increasing collaboration. “Financial cyber risk quantification dashboards convert control gaps into dollar-equivalent risk, making daily trade-offs visible to plant managers and executives alike. Harmonizing equipment maintenance, operational excellence, and cybersecurity in similar financial terms.”

Fluchs identified that the best way to sustainably achieve compliance is not to do it for compliance reasons, but with a genuine interest in improving cybersecurity. 

“In my experience I have found again and again that in protecting critical infrastructure (energy, water, petrochemical, manufacturing, transportation) the ones who are doing the regulating and auditing or the policy makers are limited by a security bias that is better suited to the IT and T found in the home and office,” Butrimas said. “This IT security approach is not always adequate for process control environments. This work would benefit from the participation of the engineers who know how the technologies that monitor and control critical processes run.”

He added, “No one IMO who is not qualified as an engineer should be allowed into the regulating and auditing of operational environments.”

Bringing OT to audit-ready standards

The executives examine how industrial enterprises are achieving audit readiness in OT environments that were never built for logging, visibility, or access control.

Huber said that combining active querying and passive monitoring is necessary for complete OT network visibility. “Organisations should initially test active querying outside production environments, deploying it in stages to ensure satisfactory completion. For some organisations, particularly in critical infrastructure, querying may seem too risky; in these cases, using queries during maintenance windows can significantly improve visibility.”

“Ultimately, active querying provides timely and detailed insights into the OT network, including information on operating systems, firmware, configurations, and ladder logic,” according to Huber. “It delivers vital, up-to-date data on assets, vulnerabilities, and security risks, along with alerts for changes to control devices. This leads to more contextual and meaningful alerts with fewer false positives, resulting in a stronger security posture and reduced overall cyber risk for industrial control systems.”

Seara mentioned that operators start by gaining visibility without disruption, using technology like passive network monitoring, lightweight agents for Microsoft Windows, and credentialed data collection from supported endpoints. “A local collector normalizes logs and forwards them through a demilitarized zone to a central repository. Privileged-access workstations, jump-hosts, and portable media ‘scanning kiosks’ create auditable access paths.”

He added that some firewall manufacturers are now offering similar network traffic analysis capabilities in their latest generation of devices, reducing or eliminating the need for additional hardware, network taps, and/or passive monitoring tools.

In Europe, Fluchs noted that “all cybersecurity regulations targeted at operators rarely require specific measures. They require a cybersecurity management system. Therefore, audit readiness doesn’t mean logging or access control are implemented, but risks are managed sensibly.”

Butrimas used two examples, one from the US and one from Europe. “The US issued a cybersecurity strategy that mentions (as illustrative examples) the need to protect baby monitors and fitness devices. This choice of examples, in my opinion, indicated a bias toward IT and failure to understand or appreciate the peculiar security requirements of process control (OT/ICS/IACS) environments.”  

“I have been openly critical of the EU’s CRA for its failure to clearly define what is meant by devices with ‘digital elements,’” he added. “My smart watch qualifies as such a device, but it would be most helpful in the implementation if a better example is provided, such as a PLC or protection device used to protect the bulk power equipment at a substation. Focusing on just a device is also not enough. It is critical to think in terms of systems.”

Bridging the cyber maturity gap with governance

The executives turn their attention to governance models that are proving effective for managing cybersecurity audits across globally distributed industrial sites with varying levels of security maturity.

“Traditional, siloed governance models are inadequate for managing cybersecurity audits across distributed industrial sites,” Huber noted. “Organizations need a centralized, risk-based governance model, supported by an exposure management platform, to achieve continuous cyber resilience. This approach addresses challenges like lack of visibility and inconsistent security standards by providing a unified view of exposures, prioritizing critical vulnerabilities, and offering clear, risk-based action plans.”

Ideally, he added, organizations should collaborate with the business to outline risks and establish a clear risk appetite or tolerance. “For example, a slow and difficult HMI patching process increases the risk of ransomware and a resulting process outage of X hours. Understanding the impact of such an outage is crucial.”

Seara identified that a federated model works best: a corporate set of minimum controls, mapped once to NIST CSF 2.0, 62443, and similar frameworks, that can apply across different countries. “Sites are tiered (Tier 1 critical, Tier 3 minor) and follow Cyber Risk-based analysis and scoping. The more critical facilities present higher risk and are afforded greater cybersecurity controls.”

He added that a central ‘assessment’ team schedules external audits, while regional OT security leads execute self-assessments quarterly or even monthly, thanks to new automated Cyber Risk Quantification platforms, allowing for better capture of the dynamic nature of Cyber Risk: new vulnerabilities, exploits, threats. “Metrics roll up into an enterprise Cyber Risk report expressed in monetary impact that contains facility and portfolio level information, enabling the risk committee or board to compare a refinery in Texas with a wind farm in Scotland on the same scale.”

Fluchs detailed that it has proven valuable to have a common risk assessment methodology that all sites, no matter how immature, carry out as a first step. “If the risk assessment contains a good system model/cybersecurity decision diagram as a basis, this means not only do the sites become aware of risks and most pressing cybersecurity measures, but central governance becomes aware of technical realities at each site.”

“How the risk is assessed and how the system is designed with its functions,” Butrimas estimated. “How those functions will work in the system that will ensure intended safety, performance, reliability, and resilience. If these matters are not attended to properly by the right people (engineers instead of lawyers), then one cannot have much confidence in what is being regulated and audited. I am afraid the EU CRA will need another Act that focuses on systems.”

Negotiating audit pressure vs. real protection

With compliance costs climbing, the executives explore how operators are balancing audit demands with the need to invest in meaningful security improvements.

Huber said that previously, organisations viewed cyber insurance as a substitute for implementing security measures. “However, this is no longer feasible as insurers now demand real-time API-level access to assess an organisation’s asset and environment security. The current insurance landscape includes extensive questionnaires on ransomware readiness, necessitating that organisations invest in both OT security and insurance, given insurers’ growing concern about cybersecurity posture.”

“A strategic approach should involve a cost-benefit analysis, similar to Annualised Loss Expectancy (ALE) computations. C-level executives must evaluate the cost and annual probability of a cyberattack against the cost of investing in cybersecurity defences,” Huber added. “These risk-reward discussions are crucial for allocating necessary budgets to secure OT environments. Even with budget constraints, organisations can take essential, lower-cost steps to enhance cybersecurity.”

Seara pointed out that automated cyber risk quantification lets CFO/CISO/risk managers/executives see when the marginal risk reduction of another control or cybersecurity investment is lower than the cost of a single audit exception, or the cost of capital, or the financial return on that investment. “Many facilities fund a shared evidence-automation platform rather than site-by-site consultants, freeing budget for higher-value mitigations such as advanced detection or remote access upgrades.”

“Cyber-insurance and captives act as risk-transfer mechanisms for low-frequency, high-severity scenarios, ensuring security dollars chase residual risk, not just compliance checkboxes,” he added. “Financial Cyber Risk Quantification empowers CFO/CISO/Risk Managers/Executives to understand and decide between risk mitigation and risk transfer options, and to size the balance sheet to the risk retained by the organization.”

“The art is to focus on meaningful security improvements and see the compliance requirements as boundary conditions / a side-product of those meaningful improvements – not vice versa,” Fluchs highlighted. “For example, focus on cleverly automating as much documentation required for compliance as possible, to spend more time making sound cybersecurity decisions, not documenting them.”

Aligning cyber obligations in a fragmented world

As regulatory frameworks tighten globally, executives address how industrial organizations are preparing for cross-border audits and aligning compliance obligations across jurisdictions.

“Organisations should view compliance not as an end goal, but as a natural outcome of a robust cybersecurity program,” Huber said, adding that to achieve this, they should align their cybersecurity efforts with comprehensive, international standards such as the NIST Cybersecurity Framework or ISA/IEC 62443. “These globally respected frameworks feature control objectives and are referenced by most national regulations as industry best practices.” 

He added that by establishing a program that meets these high standards, operators can ensure they satisfy the vast majority of requirements from specific mandates like NIS2, the SOCI Act, and others, as well as create a defensible and reasonable standard of care.

“Compliance drives good hygiene, but OT Cyber Risk is dominated by safety and availability and legacy systems, whereas IT risk centers on confidentiality,” Seara said. “True resilience demands full Risk Management: identify, quantify, decide the mix of mitigation (controls, architecture, training) and transfer (insurance, contracts), and reassess continuously to capture the dynamic condition of Cyber Risk.”

He added that cyber risk quantification, whether FAIR, Monte-Carlo, or scenario-based, turns regulatory obligations into a business decision, ensuring that every dollar and every control targets the highest, cross-domain industrial cyber risk. 
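The cost-benefit arithmetic Huber describes (Annualised Loss Expectancy) and the FAIR or Monte-Carlo quantification Seara refers to, worked through in one added Python example that is not from the article, Tenable or DeNexus: it simulates the ransomware-driven OT outage from Huber's HMI-patching illustration, cross-checks the simulated mean against the closed-form ALE, and shows how a mitigation (faster patching, lower incident rate) and a transfer (insurance with deductible and limit) change expected and tail loss. Every figure (hourly outage cost, incident rate, outage duration, insurance terms) is a constructed assumption.

```python
"""Monte Carlo cyber-risk quantification for a ransomware-driven OT outage. Added
illustration, not the article's or any vendor's code; all figures are constructed assumptions."""
import math
import random

HOURLY_OUTAGE_COST = 250_000.0  # assumed lost production per hour of outage, USD

def annualised_loss_expectancy(aro, sle):
    """Classic ALE = annual rate of occurrence x single-loss expectancy."""
    return aro * sle

def return_on_security_investment(ale_before, ale_after, annual_control_cost):
    """ROSI: net ALE reduction per dollar of control spend (> 0 means the control pays)."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost

def _poisson(rng, lam):
    """Incident count for one year (Knuth's algorithm, fine for small lam)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def analytic_ale(aro, median_hours, sigma):
    """Closed-form expectation of the simulated model (lognormal mean), for cross-checking."""
    return aro * median_hours * math.exp(sigma ** 2 / 2) * HOURLY_OUTAGE_COST

def simulate_annual_loss(aro, median_hours, sigma, years=20_000, seed=1):
    """FAIR-style frequency x magnitude: incidents/year ~ Poisson(aro), outage hours
    per incident ~ lognormal(median_hours, sigma). Returns one USD loss per simulated year."""
    rng, mu, losses = random.Random(seed), math.log(median_hours), []
    for _ in range(years):
        hours = sum(rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, aro)))
        losses.append(hours * HOURLY_OUTAGE_COST)
    return losses

def retained_after_insurance(losses, deductible, limit, premium):
    """Risk transfer: the insurer pays the layer above the deductible up to the limit;
    the operator keeps the deductible, anything above the limit, and the premium."""
    return [min(loss, deductible) + max(0.0, loss - deductible - limit) + premium for loss in losses]

def summarise(losses, tail=0.95):
    """Expected annual loss (the ALE) plus a tail percentile the board can budget for."""
    ordered = sorted(losses)
    return {"expected": sum(ordered) / len(ordered),
            "tail": ordered[int(tail * (len(ordered) - 1))]}

if __name__ == "__main__":
    base = simulate_annual_loss(aro=0.3, median_hours=8, sigma=0.8)     # slow HMI patching
    patched = simulate_annual_loss(aro=0.1, median_hours=8, sigma=0.8)  # faster patching
    insured = retained_after_insurance(base, 500_000, 10_000_000, 150_000)
    for name, run in (("baseline", base), ("mitigated", patched), ("insured", insured)):
        s = summarise(run)
        print(f"{name:>9}: expected ${s['expected']:,.0f}   95th pct ${s['tail']:,.0f}")
```

The mitigation lowers both the expected and the tail figure, while insurance mostly flattens the tail and leaves the expected loss (plus premium) as retained risk, which is the mitigation-versus-transfer trade-off Seara describes.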

Identifying this as hard, Fluchs commented that international standards like ISA/IEC 62443 help. “Thankfully, they are increasingly referenced in regulations across the globe. This is why it matters so much to keep standards lean, practically applicable, and aligned with industrial realities as well as compliance requirements globally – something we’re currently working on in the 62443-3-2 revision, for example.”

“I hope when that time comes they will look toward adopting a standard like the ISA/IEC 62443 industrial automation and control system security standard that will aid others at a practical level in the design of systems and their functions,” Butrimas said. 

He concluded that it would be as good a place as any to start the work of establishing a baseline for improving the regulatory, audit, and compliance spheres.
