
OT Security Assessment: How to Evaluate Your Posture

Reviewed by Opsio Engineering Team
Fredrik Karlsson

Group COO & CISO

Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments


An OT security assessment provides a structured baseline of your industrial environment's current security posture and the gaps between that baseline and an acceptable risk level. With 60% of organizations experiencing OT incidents in 2025 (Dragos, 2025), and the OT security market reaching $25 billion in 2026 (MarketsandMarkets, 2026), organizations investing in structured assessments are moving ahead of those that rely on intuition alone.

Key Takeaways
  • An OT security assessment identifies gaps before attackers do - 60% of organizations learned this the hard way in 2025.
  • IEC 62443 security levels (SL-1 to SL-4) provide the most widely adopted OT assessment framework.
  • Passive discovery is mandatory - active scanning can crash PLCs and disrupt production.
  • Gap analysis produces a prioritized remediation roadmap, not just a list of findings.
  • Assessment without remediation planning delivers no security improvement.

What Is an OT Security Assessment?

An OT security assessment is a systematic evaluation of an industrial organization's cybersecurity posture across technology, processes, and people. It differs from an IT security assessment in approach, tools, and output. The assessment must be conducted without disrupting live operations, which rules out active scanning techniques that are standard in IT environments. The output is a prioritized gap analysis tied to operational risk, not just a technical vulnerability list.

Assessments range from high-level maturity reviews that take days to complete, through to comprehensive technical evaluations that may take weeks for large, complex environments. The appropriate scope depends on the organization's objectives, available time, and operational sensitivity. Most organizations benefit from starting with a maturity-level assessment that identifies major program gaps, then deepening specific areas in subsequent engagements.

[IMAGE: Diagram of OT security assessment phases: discovery, analysis, gap assessment, remediation roadmap]

How Should You Prepare for an OT Security Assessment?

Preparation reduces assessment time and improves output quality. Before the assessment begins, gather all available documentation: network diagrams, asset lists, vendor contracts, existing security policies, previous audit findings, and incident records. Many organizations discover during preparation that their network diagrams are outdated and their asset lists are incomplete. This is useful information, but it should not delay the assessment start.

Engage operations and engineering leadership early. OT security assessments that are perceived as IT security exercises imposed on the plant floor generate resistance that limits access to critical systems and information. Assessment teams that establish genuine working relationships with operations staff consistently gather better information and produce more operationally realistic recommendations. Senior operations sponsorship is the single most important success factor for an OT security assessment.

Define scope boundaries explicitly before starting. Which sites, systems, and zones will be included? Are safety instrumented systems in scope? What are the rules for passive observation of production networks? Clear scope boundaries prevent misunderstandings that can halt an assessment mid-stream and align expectations about what the assessment can and cannot evaluate.


What Does the Assessment Discovery Phase Cover?

Discovery is the foundation of the assessment. Passive network monitoring sensors, deployed on key network segments for the assessment period, capture traffic that reveals the actual topology of the OT network. This frequently differs significantly from documented network diagrams. The SANS Institute found that organizations discover an average of 30-40% more OT devices during passive discovery than they had in their manual asset records, reflecting how organically OT environments grow over decades.

Protocol analysis during discovery identifies which industrial protocols are in use, which devices are communicating with which others, and whether those communications make operational sense. Unexpected communications, such as a PLC sending data to an internet IP address, or a historian server querying PLCs directly instead of through the DCS, are immediate red flags that warrant deeper investigation.
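The three discovery red flags described above (an OT asset talking to an internet address, a historian querying PLCs directly instead of through the DCS, and devices missing from the asset records) as passive flow-analysis rules. This is an added illustration, not Opsio's tooling; the inventory, addresses and flow records are constructed, and 203.0.113.45 is a documentation-range address standing in for an internet IP.

```python
import ipaddress

# Constructed asset inventory with hypothetical addresses: ip -> (name, role)
INVENTORY = {
    "10.10.1.10": ("PLC-01", "plc"),
    "10.10.1.11": ("PLC-02", "plc"),
    "10.10.2.20": ("DCS-SRV", "dcs"),
    "10.10.2.21": ("HMI-01", "hmi"),
    "10.10.3.30": ("HIST-01", "historian"),
}
# Well-known industrial protocol ports used to recognise direct controller queries
INDUSTRIAL_PORTS = {502: "modbus", 102: "s7comm", 44818: "ethernet/ip", 20000: "dnp3"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """Only RFC 1918 space counts as the plant network; anything else is treated as an internet address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def analyse_flows(flows, inventory=INVENTORY):
    """Apply the discovery red-flag rules to passively captured (src, dst, dst_port) records."""
    findings, unknown = [], set()
    for src, dst, port in flows:
        s, d = inventory.get(src), inventory.get(dst)
        # Rule 1: an inventoried OT asset talking to a non-RFC1918 address
        if s and not is_internal(dst):
            findings.append(("ot_to_internet", s[0], dst, port))
            continue
        # Rule 2: historian polling a PLC directly on an industrial protocol, bypassing the DCS
        if s and s[1] == "historian" and d and d[1] == "plc" and port in INDUSTRIAL_PORTS:
            findings.append(("historian_direct_to_plc", s[0], d[0], INDUSTRIAL_PORTS[port]))
        # Rule 3: internal endpoints absent from the asset records (the inventory gap passive discovery exposes)
        for ip in (src, dst):
            if is_internal(ip) and ip not in inventory and ip not in unknown:
                unknown.add(ip)
                findings.append(("unknown_device", ip, dst if ip == src else src, port))
    return findings

# Constructed sample flows captured by a passive sensor
SAMPLE_FLOWS = [
    ("10.10.2.21", "10.10.1.10", 502),     # HMI -> PLC over Modbus: expected
    ("10.10.2.20", "10.10.1.11", 102),     # DCS -> PLC over S7comm: expected
    ("10.10.1.10", "203.0.113.45", 443),   # PLC -> internet address: red flag
    ("10.10.3.30", "10.10.2.20", 1433),    # historian -> DCS database: expected
    ("10.10.3.30", "10.10.1.10", 502),     # historian -> PLC directly: red flag
    ("10.10.1.99", "10.10.1.10", 502),     # undocumented device -> PLC: inventory gap
]

if __name__ == "__main__":
    for finding in analyse_flows(SAMPLE_FLOWS):
        print(*finding)
```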

Physical walkthrough of the OT environment supplements network-based discovery. Control rooms, equipment rooms, and field device installations reveal physical security gaps, unauthorized USB connections, legacy devices not visible on the network, and operational practices that create cybersecurity risks. A technician using a personal laptop to connect to a DCS workstation is a finding that passive network monitoring alone might miss.

[CHART: Pie chart showing sources of OT asset discovery: passive monitoring 55%, physical walkthrough 25%, documentation review 20% - source: SANS ICS Survey 2025]

What Framework Should Guide the Gap Analysis?

IEC 62443 is the most widely adopted framework for OT security gap analysis. It defines security levels from SL-1, basic protection against unintentional violations, through SL-4, protection against state-actor attacks using sophisticated means. Most industrial organizations target SL-2, protection against intentional violation using simple means, as their minimum baseline. The framework covers both the asset owner (the industrial organization) and the system integrators and product suppliers in its supply chain.

NIST SP 800-82 provides a US-government-aligned alternative, with controls mapped to NIST SP 800-53 and organized around the NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover. Organizations subject to US government contracting requirements often prefer NIST 800-82 alignment. Both frameworks can be used together: IEC 62443 for technical depth, CSF for executive communication.

Sector-specific standards add regulatory requirements on top of the general frameworks. Electric utilities in North America must also assess against NERC CIP standards. Oil and gas operators may reference API Standard 1164 for pipeline SCADA security. European operators of essential services must align with NIS2 requirements that explicitly address OT security. A comprehensive gap analysis identifies compliance gaps against all applicable frameworks simultaneously.


How Do You Prioritize Remediation After an OT Assessment?

Remediation prioritization in OT security must be driven by consequence of failure, not just by technical vulnerability severity. A critical vulnerability in a historian server that holds non-essential data may rank lower than a medium vulnerability in a PLC controlling a safety-critical process. OT risk scoring frameworks, including the CVSS-ICS extension and the IEC 62443 security level targets, account for consequence, not just likelihood. This consequence-first prioritization is what makes OT risk management fundamentally different from IT risk management.

Prioritization must also account for implementation feasibility. A high-priority recommendation that requires six months of production downtime to implement cannot be treated as immediately actionable. The remediation roadmap should distinguish between quick wins achievable within 30-90 days, medium-term projects requiring planned downtime, and long-term capital investments such as system replacements. This three-horizon structure makes the roadmap executable rather than aspirational.

Compensating controls for findings that cannot be immediately remediated must be explicitly specified. A PLC running an unsupported operating system cannot be patched. The assessment report must specify what compensating controls, such as network isolation, protocol filtering, and enhanced monitoring, should be implemented to reduce its exploitability until replacement is feasible. Without compensating controls, high-priority findings become permanent open risks with no plan for mitigation.
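The consequence-first ranking, three-horizon roadmap and compensating-control check from the three paragraphs above, carried through on constructed findings. This is an added example rather than Opsio's scoring method; the finding ids, assets, scales and thresholds are hypothetical.

```python
# Ordinal scales for the two inputs to prioritisation (constructed, not a standard's values)
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CONSEQUENCE = {"negligible": 1, "minor": 2, "major": 3, "safety": 4}

def horizon(f):
    """Map implementation feasibility onto the three-horizon roadmap."""
    if f["needs_replacement"]:
        return "long-term"      # capital project, e.g. replacing an unsupported PLC
    if f["downtime_days"] > 0:
        return "medium-term"    # needs a planned outage window
    return "quick-win"          # achievable within 30-90 days without downtime

def build_roadmap(findings):
    """Rank by consequence first and severity second, attach a horizon, and flag
    any finding that will stay open for months without explicit compensating controls."""
    ranked = sorted(findings,
                    key=lambda f: (CONSEQUENCE[f["consequence"]], SEVERITY[f["severity"]]),
                    reverse=True)
    roadmap = []
    for rank, f in enumerate(ranked, 1):
        h = horizon(f)
        controls = f.get("compensating_controls", [])
        roadmap.append({"rank": rank, "id": f["id"], "asset": f["asset"], "horizon": h,
                        "compensating_controls": controls,
                        "open_risk": h != "quick-win" and not controls})
    return roadmap

# Constructed findings: note the critical historian issue versus the medium PLC issue
FINDINGS = [
    {"id": "F-1", "asset": "HIST-01", "severity": "critical", "consequence": "negligible",
     "needs_replacement": False, "downtime_days": 0},
    {"id": "F-2", "asset": "PLC-01", "severity": "medium", "consequence": "safety",
     "needs_replacement": True, "downtime_days": 0,
     "compensating_controls": ["network isolation", "protocol filtering", "enhanced monitoring"]},
    {"id": "F-3", "asset": "HMI-01", "severity": "high", "consequence": "major",
     "needs_replacement": False, "downtime_days": 2},
    {"id": "F-4", "asset": "PLC-02", "severity": "low", "consequence": "major",
     "needs_replacement": False, "downtime_days": 0},
]

if __name__ == "__main__":
    for row in build_roadmap(FINDINGS):
        print(row)
```

F-3 comes out flagged as an open risk: it needs planned downtime but no compensating controls were specified, which is exactly the gap the report must close.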


What Should an OT Security Assessment Report Include?

An OT security assessment report must serve multiple audiences. The executive summary should communicate risk in business terms: operational disruption probability, compliance status, and peer benchmark comparisons, without technical jargon. The technical findings section provides detailed evidence for each gap, including affected assets, observed evidence, exploitation scenarios, and specific remediation recommendations. The remediation roadmap translates findings into an actionable, sequenced improvement plan.

Quantitative risk scoring, where feasible, strengthens the executive case for remediation investment. When a finding can be associated with a specific probability and consequence, such as a 30% probability of ransomware-induced production halt within 24 months, costing $2-5 million in downtime and recovery, executives can make rational investment decisions about remediation. This type of quantitative framing is increasingly requested by boards and insurers.

The report should also include a monitoring and re-assessment recommendation. An OT security assessment is a point-in-time evaluation: the environment changes, new vulnerabilities are disclosed, and threat actor techniques evolve. Annual reassessment against the same framework tracks progress and identifies new gaps introduced by OT environment changes. Many organizations run continuous monitoring between formal assessments, with periodic reassessments to evaluate whether monitoring findings are being addressed effectively.

How Long Does an OT Security Assessment Take?

Assessment duration depends on environment complexity and scope. A single-site assessment of a mid-sized manufacturing facility typically takes two to four weeks for the active assessment phase, plus two weeks for report development. A multi-site assessment of a large utility or industrial company may take three to six months. Passive discovery requires a minimum of two weeks to capture representative network behavior across production cycles, planned maintenance, and shift changes.

Organizations should not compress assessment timelines to fit calendar constraints. A compressed discovery phase that misses critical communication patterns will produce an incomplete asset inventory and a gap analysis built on incomplete data. The cost of a thorough assessment is small compared to the cost of a major OT security incident. Budget and schedule should reflect this proportionality.


Should You Use Internal Resources or External Assessors?

External OT security assessors bring independence, specialized expertise, and benchmark data that internal teams typically cannot provide. An internal team assessing their own environment may unconsciously avoid challenging design decisions they made, miss findings that require fresh perspective, or lack the specialized ICS protocol knowledge to properly evaluate technical findings. External assessors with multi-sector experience bring patterns from dozens of assessments that internal teams rarely accumulate.

That said, internal knowledge is irreplaceable for certain assessment components. Understanding why specific design decisions were made, the operational constraints that shape what is feasible, and the history of previous incidents all require insider knowledge that external assessors must spend time gathering. The most effective OT security assessments combine external expertise with strong internal engagement: external assessors driving the methodology, internal staff providing operational context and site knowledge.

For organizations considering their first OT security assessment, Opsio's OT security services provide IEC 62443-aligned assessment methodology with sector-specific expertise across manufacturing, energy, water, and transportation environments.

Frequently Asked Questions

Can an OT security assessment disrupt production?

A properly conducted OT security assessment should not disrupt production. Passive discovery methods observe network traffic without sending any packets that could affect device behavior. Physical walkthroughs are observational only. The only active testing that carries any disruption risk is configuration review on engineering workstations or HMIs, which must be coordinated with operations staff and approved in advance. Any assessor who proposes active scanning of OT networks without explicit safety planning should be challenged immediately.

How much does an OT security assessment cost?

OT security assessment costs vary by scope, site count, and environment complexity. A single-site assessment for a mid-sized manufacturing facility typically ranges from $50,000 to $150,000 USD, including passive monitoring sensors, labor, and report development. Multi-site or complex utility assessments are priced proportionally higher. Costs should be evaluated against the potential cost of an OT security incident: 60% of organizations experienced incidents in 2025, with recovery costs commonly exceeding $1 million.

What is the difference between an OT security assessment and a penetration test?

An OT security assessment evaluates security posture across people, process, and technology through observation, documentation review, and passive discovery. A penetration test attempts to actively exploit vulnerabilities to demonstrate exploitability. OT penetration testing is rarely advisable in live production environments because exploitation of vulnerabilities can cause real operational disruption. Where technical testing is needed, it should be conducted in test environments or lab replicas, not in production OT systems.

How often should we conduct OT security assessments?

Annual OT security assessments are recommended for high-criticality environments, such as utilities and safety-critical manufacturing. Biennial assessments may be appropriate for lower-criticality facilities with continuous monitoring in place. Triggered assessments should follow major OT environment changes, significant security incidents, new regulatory requirements, or major threat landscape shifts. The SANS Institute recommends treating OT security assessment as an ongoing program, not a one-time project.

Conclusion

An OT security assessment is the starting point for any serious OT security program. It transforms vague awareness of risk into specific, evidence-based findings that can be prioritized, resourced, and tracked to closure. The 60% of organizations that experienced OT incidents in 2025 and the 40% annual growth in OT ransomware attacks make the case clearly: the cost of assessment is far lower than the cost of the incidents it helps prevent.

The key to an effective assessment is methodology rigor, operational sensitivity, and consequence-driven prioritization. With these elements in place, the assessment output becomes a practical roadmap for building OT security maturity at a pace the organization can sustain.


Author: Opsio Security Practice | Published: April 2026 | Last updated: April 2026

About the Author

Fredrik Karlsson

Group COO & CISO at Opsio

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.