Transforming Industrial Cybersecurity: Closing the Gaps Compliance Leaves Behind
This article was contributed by Dr. Jerome Farquharson, Managing Director and Senior Executive Advisor, Arcova

Critical infrastructure operators have made measurable progress in strengthening cybersecurity through regulatory frameworks such as NERC CIP for electric power systems, TSA’s pipeline directives, and the EPA’s guidance for water utilities. These standards have helped sharpen accountability and increase the baseline of operational protection.
However, regulation also shapes where organizations direct attention and investment. The systems and environments not explicitly named in compliance requirements often receive less scrutiny, even when they are connected to core operational assets. This results in an uneven distribution of security and creates seams and gaps, where adversaries look for vulnerabilities.
The challenge ahead is not to diminish the importance of compliance, but to mature beyond it. Resilience depends on developing consistent security practices across all operational systems, not only those under regulatory oversight.
The 50/50 Problem: Where Attackers Move
Across sectors, critical infrastructure operators often have what could be called a 50/50 posture. The regulated portion of their environments receives substantial investment, continuous attention, and well-defined controls. The other portion that falls outside of compliance scope tends to be less monitored, segmented, and defended. In many of the most disruptive incidents over the past several years, attackers did not directly breach hardened systems. They moved laterally through the less-governed operational and vendor-linked components surrounding them.
Ransomware incidents in operational environments have increased significantly year-over-year. The attack pattern has been consistent: adversaries exploit the spaces between compliant and non-compliant environments. Compliance defines control boundaries, but attackers do not honor those boundaries. Any system that connects to operational processes becomes part of the attack surface, whether the regulation addresses it or not. True resilience requires acknowledging that reality and securing accordingly.
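The "50/50" seam described above can be made visible from an asset inventory: starting from the regulated assets, walk the connectivity graph and list every out-of-scope asset that can reach them, together with how many hops away it sits. The following is an added example, not code from the article or from Arcova; the asset names, scope tags, monitoring flags and links are constructed sample data, and the function names (`find_seams`, `unmonitored_seams`) are hypothetical.

```python
"""Locate the compliance seam: out-of-scope assets reachable from regulated ones.

Added illustration; inventory and connectivity below are constructed sample
data, not a real site.
"""
from collections import deque

# Constructed asset inventory. "scope" names the regulatory framework that
# covers the asset, or None if it falls outside any compliance boundary.
ASSETS = {
    "plc-boiler-1":     {"scope": "NERC-CIP", "monitored": True},
    "hmi-control-room": {"scope": "NERC-CIP", "monitored": True},
    "historian":        {"scope": None,       "monitored": False},
    "vendor-jump-host": {"scope": None,       "monitored": False},
    "eng-workstation":  {"scope": None,       "monitored": True},
    "corp-file-server": {"scope": None,       "monitored": True},
}

# Constructed connectivity: (a, b) means a and b can exchange traffic.
LINKS = [
    ("plc-boiler-1", "hmi-control-room"),
    ("hmi-control-room", "historian"),
    ("historian", "corp-file-server"),
    ("plc-boiler-1", "eng-workstation"),
    ("eng-workstation", "vendor-jump-host"),
]


def build_graph(links):
    """Undirected adjacency map from a list of (a, b) links."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def regulated_assets(assets):
    """Assets that carry a compliance scope tag."""
    return {name for name, attrs in assets.items() if attrs["scope"]}


def find_seams(assets, links, max_hops=None):
    """Return {asset: hops} for every out-of-scope asset reachable from a
    regulated asset. hops is the distance to the nearest regulated asset,
    found by breadth-first search seeded with all regulated assets at once.
    max_hops, if given, limits the result to assets within that distance."""
    graph = build_graph(links)
    regulated = regulated_assets(assets)
    dist = {name: 0 for name in regulated}
    queue = deque(regulated)
    while queue:
        node = queue.popleft()
        for neighbour in graph.get(node, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    seams = {name: d for name, d in dist.items() if name not in regulated}
    if max_hops is not None:
        seams = {name: d for name, d in seams.items() if d <= max_hops}
    return seams


def unmonitored_seams(assets, links):
    """Reachable out-of-scope assets with no monitoring: the highest-priority
    gaps, since movement through them leaves no record."""
    return sorted(name for name in find_seams(assets, links)
                  if not assets[name]["monitored"])


if __name__ == "__main__":
    for name, hops in sorted(find_seams(ASSETS, LINKS).items(), key=lambda kv: kv[1]):
        flag = "" if ASSETS[name]["monitored"] else "  <- unmonitored"
        print(f"{name:18s} {hops} hop(s) from regulated scope{flag}")
```

Seeding the search with every regulated asset at once gives each out-of-scope asset its distance to the nearest compliance boundary, which is a useful ordering for where to extend monitoring and segmentation first. In this sample the unmonitored historian sits one hop from a regulated HMI and the unmonitored vendor jump host two hops from a regulated PLC; neither is named by the framework, but both are on the path an adversary would have to cross.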
Engineering Resilience, Not Adding It Later
Historically, many operational technology (OT) systems were engineered first for reliability and physical safety, with cybersecurity “bolted on” later. That approach is no longer sustainable. CISA’s analysis of the Volt Typhoon campaign showed how state-sponsored actors leveraged unmonitored vendor access and overlooked OT components to compromise critical infrastructure networks. These systems were not insecure by design; they were simply outside the compliance spotlight.
A secure-by-design posture integrates cybersecurity into the system architecture itself. Instead of layering controls on top of existing operations, security considerations influence how assets are inventoried, networks are segmented, failover and restore capabilities are validated, and factory and site testing is conducted. When security becomes an engineering requirement, organizations reduce both their exposure and recovery time during disruptions.
This is a cultural shift as much as a technical one. Engineers, operators, procurement leads, and security teams must collaborate throughout the system lifecycle so that resilience becomes part of the environment.
Third-Party, Data, and AI Risks Extend Beyond Compliance Boundaries
Modern OT environments are inseparable from their vendors, integrators, suppliers, and data systems. Procurement decisions, remote maintenance practices, cloud-based analytics, and AI-enabled automation all introduce new channels where risk may enter the system. Compliance frameworks were not initially designed to cover these realities, which means organizations must adopt governance practices that demand demonstrable evidence.
This includes clarifying how data is used in AI-enabled analytics, ensuring third-party access controls align with internal network segmentation, and requiring vendors to validate their own security practices in ways that can be tested and verified. As data sharing becomes foundational to efficient operations, the ability to prove the integrity of external systems becomes just as important as defending internal ones.
A Governance Approach Executives Can Understand
Boards and leadership teams increasingly understand that cyber risk is operational risk.
However, they respond most effectively when risk is expressed in terms of operational continuity, financial exposure, recovery time, and long-term strategic impact. Frameworks such as the Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) help organizations connect regulatory adherence to performance outcomes by showing how improvements in security can translate directly into resilience and uptime.
When leaders see how a security investment safeguards communities and reduces recovery duration, the conversation shifts from “Do we have to do this?” to “Can we afford not to?”
Taking the Next Step
Compliance is essential. It establishes the floor. But resilience requires building above that floor consistently and intentionally. Organizations that move to designed-in security will be better positioned to withstand and recover from disruptions. The goal is to ensure that every interconnected asset supports the continuity of critical infrastructure operations – compliance can guide the journey, but resilience must be the destination.