Updated 12 Jun, 2026
Published 11 Jun, 2026

From assessment to compliance: building OT maturity in practice

Most organisations operating industrial environments already know they have gaps.

That is not the problem.

The real challenge is understanding where to start, what matters most, and how to improve without disrupting operations.

And the pressure to act is increasing.

NIS2 and emerging national cybersecurity legislation are introducing explicit requirements for risk management, incident response, supply chain security, and continuous monitoring. Regulators are no longer asking whether organisations take cybersecurity seriously. They are asking for evidence — documented risk assessments, defined processes, and demonstrated capability to detect and respond to incidents.

For organisations operating OT environments, this is a significant shift.

Because compliance cannot be achieved through isolated projects or annual audits.

It is the outcome of a mature and sustainable approach to managing OT risk.

Why maturity, not compliance, should be the goal

Many organisations approach OT security as a compliance exercise: meet the requirements, pass the audit, move on.

The problem is that frameworks such as IEC 62443, ON104, ISO 27001, and NIS2 were never designed to be one-time checklists. They are built around continuous improvement.

The organisations that achieve the highest levels of resilience do not focus primarily on compliance. They focus on maturity: the ability to operate, secure, maintain, and continuously improve OT environments in a structured and risk-aware manner.

Compliance is simply the by-product.

The more important question is not “Are we compliant?” — it is “Are we capable of handling what comes next?”

What is an OT maturity assessment?

An OT maturity assessment is a structured evaluation of an organisation’s current capabilities across the key dimensions of OT control: asset visibility, governance and ownership, risk management, network architecture and segmentation, change management, vendor management, vulnerability management, detection and response capabilities, and regulatory compliance.

The goal is not to generate a lengthy report filled with recommendations.

The goal is to create a clear understanding of what is working well, where the most significant risks exist, which gaps require immediate attention, and what should be prioritised next.

A good assessment creates alignment between operations, cybersecurity teams, engineering personnel, and management. It gives everyone a common language and a shared understanding of the organisation’s current state.

OT risk is different from IT risk

One of the most common mistakes organisations make is applying traditional IT risk models directly to industrial environments.

OT requires a different perspective.

Availability comes first. In IT, a service outage may result in reduced productivity. In OT, downtime can halt production, interrupt critical services, damage equipment, or create safety risks. Security controls must therefore be evaluated not only for their effectiveness but also for their operational impact.

Consequence matters more than probability. In industrial environments, low-probability events can have extremely high consequences. A manipulated PLC, an unauthorised configuration change, or a compromised engineering workstation may affect physical processes rather than digital assets alone. This fundamentally changes how risk should be assessed and prioritised.

Dependencies create cascading effects. A disruption in one part of the environment can quickly affect multiple production systems, facilities, or operational processes. In the Norwegian energy sector and in industrial manufacturing environments, we consistently find that these dependencies are poorly documented — and that understanding them is essential for making informed security decisions.

Without this perspective, risk assessments often lead to misleading conclusions and poor prioritisation.

Understanding the OT maturity journey

Maturity frameworks help organisations understand where they are today and what improvement should look like.

A framework such as ON104 describes four broad maturity levels.

Level 1 – Initial: Controls exist, but they are largely informal and dependent on individual expertise. Knowledge is concentrated among a few key people. Processes are inconsistent.

Level 2 – Managed: Processes have been defined and documented. Security activities are repeatable, although not always consistently applied across the organisation.

Level 3 – Defined: Governance, processes, and controls are standardised across the organisation. OT security becomes part of a formal management system.

Level 4 – Optimised: Continuous improvement is embedded into daily operations. Performance is measured. Lessons are learned. Security evolves alongside operational requirements.

Most industrial organisations today operate somewhere between levels one and two. For most organisations, the objective is not to reach level four immediately. The goal is to establish sustainable control and move consistently toward higher maturity over time.

Gap analysis: turning findings into priorities

A maturity assessment identifies where an organisation stands today. A gap analysis helps determine what should happen next.

Many gap analyses fail because they focus on documentation rather than decision-making.

Treating every gap as equally important results in a list of dozens of recommendations with no prioritisation. Nothing gets implemented because nobody knows where to begin.

Focusing only on technology misses the point. Governance, ownership, vendor management, and operational processes often have a greater impact on overall risk than any individual technical control.

Producing reports without roadmaps means the work has limited value. A gap analysis should drive action — it should become a management tool, not a document that sits on a shelf.

An effective gap analysis is risk-based, prioritised, action-oriented, aligned with operational realities, and linked directly to recognised frameworks and regulations.
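As an added illustration of the two points made above (consequence over probability, and cascading dependencies) applied to gap prioritisation, the following Python is not code from the article or from NetNordic; the assets, dependency map, scores and gap register are constructed, and the ranking rules are one possible reading of "risk-based and prioritised":

```python
from collections import deque

# Constructed dependency map: asset -> assets that stop if it is disrupted.
DEPENDS_ON = {
    "eng_workstation": ["plc_line1", "plc_line2"],
    "plc_line1": ["packaging"],
    "plc_line2": ["packaging"],
    "packaging": [],
    "historian": [],
}
# Constructed direct consequence of losing each asset (1 = reporting nuisance, 5 = safety impact).
CONSEQUENCE = {"eng_workstation": 2, "plc_line1": 4, "plc_line2": 4, "packaging": 3, "historian": 1}

def cascading_consequence(asset):
    """Return (worst consequence reachable, number of assets disrupted) when `asset` fails."""
    seen, queue, worst = {asset}, deque([asset]), 0
    while queue:
        a = queue.popleft()
        worst = max(worst, CONSEQUENCE[a])
        for dependant in DEPENDS_ON[a]:
            if dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return worst, len(seen)

def it_style_rank(gaps):
    """Classic likelihood x direct impact ranking that ignores dependencies."""
    return [g["gap"] for g in sorted(gaps, key=lambda g: -g["likelihood"] * CONSEQUENCE[g["asset"]])]

def ot_style_rank(gaps, target_level=3):
    """Consequence-first ranking: worst cascading consequence, then breadth of the cascade,
    then likelihood only as a tiebreaker; gaps already at the target maturity level are dropped."""
    open_gaps = [g for g in gaps if g["level"] < target_level]
    def key(g):
        worst, reach = cascading_consequence(g["asset"])
        return (-worst, -reach, -g["likelihood"])
    return [g["gap"] for g in sorted(open_gaps, key=key)]

# Constructed gap register: affected asset, likelihood 1-5, current ON104-style maturity level 1-4.
GAPS = [
    {"gap": "historian unpatched", "asset": "historian", "likelihood": 5, "level": 1},
    {"gap": "vendor remote access to engineering workstation unmanaged", "asset": "eng_workstation", "likelihood": 2, "level": 1},
    {"gap": "no change approval for PLC line 1 logic", "asset": "plc_line1", "likelihood": 3, "level": 2},
    {"gap": "packaging line backups informal", "asset": "packaging", "likelihood": 3, "level": 3},
]

if __name__ == "__main__":
    print("IT-style:", it_style_rank(GAPS))
    print("OT-style:", ot_style_rank(GAPS))
```

With this register, the likelihood-driven ranking puts the frequently exploited but low-consequence historian ahead of the engineering workstation, while the consequence-first ranking moves the workstation to the top because its disruption reaches both PLC lines and packaging.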

Building a roadmap: what should come first?

There is no universal roadmap. However, certain sequences consistently deliver better results than others.

1. Start with visibility. You cannot secure what you cannot see. Asset discovery and passive network analysis provide the factual foundation for every decision that follows.

2. Establish governance and ownership. Before implementing new technologies, clearly define who owns OT security, who approves changes, how responsibilities are divided between IT and OT, and how risks are escalated. Without governance, technical improvements are difficult to sustain.

3. Strengthen operational processes. Core processes — management of change, vendor access management, asset lifecycle management, and incident response — should be formalised before introducing more advanced security capabilities.

4. Improve architecture and segmentation. Once visibility and governance are established, segmentation can be based on actual communications and operational requirements rather than assumptions.

5. Implement continuous monitoring and OT SOC capabilities. This is often the first capability organisations want to deploy. In reality, it is usually the fifth.

A modern OT SOC provides continuous monitoring, incident detection, investigation, and response across both IT and OT environments. In the Nordic region, we work with energy companies, water utilities, port operators, and industrial manufacturers where this integration is increasingly critical — particularly as NIS2 introduces explicit requirements for continuous monitoring and incident reporting.

However, without visibility, governance, and defined processes in place, monitoring tools generate more noise than value. Analysts spend their time investigating false positives rather than responding to genuine threats.

When the foundations are in place, a SOC transforms OT control from a periodic activity into a continuous capability.

What NIS2 and cybersecurity legislation mean for OT

NIS2 and its national implementations — including Norway’s digitalsikkerhetsloven — are changing expectations for organisations operating critical infrastructure and essential services. This applies broadly: energy companies, water and wastewater operators, port authorities, manufacturing facilities, and parts of the maritime sector.

For OT environments, the most relevant requirements include:

Risk management: Organisations must identify, assess, and manage cybersecurity risks — including those affecting industrial operations.

Incident detection and reporting: Organisations must be able to detect, investigate, respond to, and report significant incidents within defined timeframes.

Supply chain security: Risks associated with vendors, service providers, and third parties must be assessed and managed.

Continuous monitoring: Periodic reviews are no longer sufficient. Organisations must maintain ongoing visibility into their environments.

For organisations already working with IEC 62443, ON104, or ISO 27001, many of these concepts are familiar. The difference is that they are now regulatory obligations — and regulators are beginning to ask for documentation.

Common questions about OT maturity

What is the difference between an OT maturity assessment and a penetration test? A penetration test identifies technical vulnerabilities. An OT maturity assessment evaluates broader organisational capability — governance, processes, architecture, and operational controls. The two are complementary, and a maturity assessment often provides the context needed to interpret penetration testing results effectively.

Can we perform a gap analysis ourselves? Yes, and regular self-assessments are valuable. However, external assessments provide a more objective perspective, broader industry experience, and stronger credibility with management and regulators. The best approach is usually a combination of both.

How long does it take to improve OT maturity? Many organisations achieve meaningful improvements within three to six months on prioritised areas. Establishing a mature governance framework typically takes longer. OT maturity should be viewed as a continuous journey rather than a fixed destination.

Do we need ISO 27001 certification to comply with NIS2? No. However, a governance framework based on ISO 27001 principles makes compliance significantly easier to manage — providing the structure required to document risks, decisions, improvements, and accountability.

Where are you today?

This is often the most important question — and the most difficult one to answer without a structured assessment.

Most organisations have a general sense of where weaknesses may exist. Few have an objective, evidence-based understanding of their overall maturity.

That understanding is what enables informed decisions: investing where risk is highest, demonstrating progress to leadership and regulators, and building resilience that lasts.

The NetNordic OT Maturity Assessment provides a factual picture of your current state, evaluated against IEC 62443, ON104, and the requirements of NIS2 and applicable national legislation. The result is not a list of problems — it is a prioritised roadmap for what should be done, in what order, adapted to your operational constraints and risk profile.

The assessment covers the full chain: from asset visibility and governance, through network architecture and process maturity, to detection capability and SOC integration.

Because control is not a single measure.

It is the sum of many things working together.


NetNordic helps organisations assess, improve, and continuously strengthen OT maturity — from asset visibility and governance to SOC integration, regulatory compliance, and long-term operational resilience.

Author: Raymond Utsi, Team Lead Protective Security, Cyber Security Advisory Services
