Self-Assess Your OT Security Readiness

Most OT security programs have architecture gaps they haven't found yet. This scorecard is designed to help surface them in 25 questions across five categories. Each question has scored responses that map to a structural indicator to help know whether, and why, your posture in that area is strong, developing, or at risk.

What's covered:

• Patch management readiness: speed, coverage, cost per device, rollback capability, and whether you can produce a software version inventory on demand

• Audit and access posture: who can change what, whether your audit log is tamper-resistant, and how vendor access is granted and revoked

• Architectural integrity: whether your management plane requires inbound ports, depends on a third-party cloud, and can operate in a fully air-gapped environment

• Regulatory exposure: which frameworks apply to your environment, how close your next milestone is, and whether you can produce evidence on demand

• Operational reality: weekly hours on patch and audit operations, tool consolidation, onboarding speed, and audit confidence

‍Who it's for:

OT security leads, industrial CISOs, GRC managers, and compliance officers in manufacturing, energy, utilities, water, transportation, and healthcare OT, particularly those preparing for or approaching a regulatory audit or conformity assessment.

Download the scorecard

Get your self-scoring assessment‍

‍

OT security readiness: common questions

Why an OT security readiness assessment?

‍An OT security readiness assessment is a structured diagnostic that evaluates an organization's operational technology security posture across key areas: patch management, access controls, audit trail integrity, architectural resilience, and regulatory preparedness. Unlike a penetration test, a readiness assessment identifies structural gaps and areas where the management architecture cannot enforce the security policy, regardless of what the policy says.

What is the difference between a policy gap and an architectural gap in OT security?

‍A policy gap is a process or procedure that hasn't been defined or followed. An architectural gap is a structural limitation, i.e. the infrastructure has no mechanism to enforce the intended control, even if the policy is correct. Common architectural gaps in OT environments include audit logs stored on the host being accessed (making them modifiable by the actor they're meant to record), management systems that require inbound ports (creating attack surface regardless of firewall rules), and patch processes that require manual intervention per device (making routine coverage economically unviable).

What does IEC 62443 require for OT patch management?

IEC 62443-2-3 defines a five-phase patch management lifecycle for industrial control systems: patch identification, prioritization, testing, deployment, and verification. The standard requires organizations to establish a formal process for tracking vulnerabilities and evaluating whether a patch is necessary, prioritize patches by risk and operational impact, test patches in a controlled environment before deployment, document the deployment process including a change management procedure, and verify that patches have been successfully applied. Organizations patching quarterly without centralized fleet visibility typically cannot meet the evidence and traceability requirements the standard expects.

What evidence does a NIS2 audit require for OT security?

‍NIS2 audits assess whether operators in critical sectors have implemented appropriate risk management measures for their network and information systems, including OT environments. Auditors typically ask for evidence of patch deployment coverage, access control policies and their enforcement, incident detection and response capability, and supply chain security measures. The ability to produce this evidence on demand, not just assembled manually before each review, is itself an indicator of architectural maturity.

When do EU Cyber Resilience Act obligations apply to OT environments?

‍The EU Cyber Resilience Act's incident reporting and vulnerability disclosure obligations apply from September 11, 2026. Main obligations covering security-by-design requirements, supported update periods, and conformity assessments apply from December 11, 2027. Organizations placing products with digital elements on the EU market, including OT hardware and software, are in scope.

How much does it cost to patch an OT device?

‍The cost varies significantly with access complexity. Devices manageable remotely through a centralized platform can be patched for under $100 and under 30 minutes per device. Devices that require vendor field service can cost hours and hundreds to thousands per device, and those requiring an on-site consultant can cost even more time and money. These economics are the primary reason most OT organizations batch and defer patching, and why centralized fleet management changes the calculation.

What is outbound-only connectivity in OT management, and why does it matter?

‍Outbound-only connectivity means OT devices initiate connections to the management plane rather than accepting inbound connections from it. The device has no open inbound ports and is not enumerable on the public internet. This removes the entire class of attacks that depend on discovering and accessing a management endpoints like VPN vulnerabilities, exposed RDP ports, or port-forwarding misconfigurations. It is increasingly referenced as an architectural baseline in OT security frameworks including IEC 62443 and is a specific requirement under some national cybersecurity frameworks for critical infrastructure.

How do I know if my OT audit logs are tamper-resistant?

‍If your audit logs are stored on the same host being accessed, or if an administrator with rights on that host can modify the logs, then they are not tamper-resistant by architectural standard. A tamper-resistant audit trail requires that management actions are recorded at the control plane rather than on the device being accessed, and that the log stream is forwarded to storage outside the administrative boundary of the actor being recorded (typically a SIEM or write-once storage). The test: could the vendor who just accessed a device alter the record of what they did? If yes, your audit posture has a structural gap regardless of your access control policy.

‍

Download the scorecard

Get your self-scoring assessment

‍