
OT Cybersecurity Maturity: How to Assess, Benchmark, and Improve Your Organisation's Security Posture

May 5, 2026

In recent years, critical national infrastructure operators (CNI) have witnessed a growth in OT-targeted cyber-attacks seeking to disrupt or destroy day-to-day operations.

At the same time, regulation of CNI sectors has been growing and companies have been challenged to meet increasingly more detailed security and compliance requirements.

In Australia, this has been driven by the original Security of Critical Infrastructure Act 2018 (SOCI Act) and ongoing amendments and updates in the last eight years.

With growing convergence between previously separate IT and OT environments, it has become critical for operators to measure and manage the continuous improvement of security maturity in their organisation.

What is an OT cybersecurity maturity assessment?

Security practitioners are used to routinely testing and evaluating the controls in place - be that via vulnerability scanning of internal and internet-facing systems, targeted penetration tests, or a broader maturity assessment against a well-established or formally mandated security framework whose functions, categories and control measures are tightly defined.

For operational technology environments, maturity models could include the Australian Energy Sector Cyber Security Framework (AESCSF), the US Cybersecurity Capability Maturity Model (C2M2), the SANS Five ICS Cybersecurity Critical Controls, or a higher-level framework such as the NIST CSF, which provides broader oversight of organisational governance and risk management practices.

The main cybersecurity maturity models and how they differ

The Cybersecurity Capability Maturity Model (C2M2)

The C2M2 was developed by the U.S. Department of Energy (DOE), private- and public-sector experts, and representatives of asset owners and operators within the energy sector and first released in 2012.

It has been widely used across the world to support self-assessments in various sectors, and version 2.1 was launched in June 2022. Resources are provided to build your knowledge of the approach.

Best for: OT-heavy critical infrastructure operations such as energy, utilities and industrial organisations

  • Built specifically for critical infrastructure and OT/ICS
  • 350 practices across 10 domains
  • Uses Maturity Indicator Levels (MIL1 to MIL3) to show progression

Strength: Most practical for OT environments
Weakness: Less recognised by boards/regulators outside critical sectors

SANS ICS Five Critical Controls

For sectors with no regulation, the five ICS Critical Controls need to be a programmatic focus across prioritised operational assets. For organisations subject to heavier regulation, they represent areas where efforts should be pursued to go beyond the baseline minimum requirements.

Best for: Quick wins and prioritisation of key technical controls

  • Focused on a small set of high-impact ICS controls
  • Designed to reduce risk quickly, not full maturity scoring
  • Based on real-world analysis of recent industrial compromises and attacks

Strength: Practical and actionable
Weakness: Not a full maturity model like NIST CSF

AESCSF

Best for: Energy sector organisations, especially regulated environments in Australia (and soon New Zealand)

  • Tailored to energy OT environments
  • Combines maturity scoring and regulatory alignment for annual reporting
  • Highly prescriptive for utilities with anti-patterns to avoid

Strength: Sector-specific and regulator-aligned downunder
Weakness: Complex to learn and takes time to complete a full assessment

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a voluntary, flexible, and widely adopted set of guidelines and best practices designed to help organisations of all sizes and sectors understand, manage, and reduce cybersecurity risks.

In 2024, version 2 was updated to include six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Best for: Executive alignment, cross-sector benchmarking across many industries

  • Uses Implementation Tiers (1–4) to represent maturity progression
  • Widely adopted and regulator-friendly
  • Quick and easy to understand and apply

Strength: Common language for leadership and regulators
Weakness: Not OT-specific; needs tailoring for your complex environment

How the frameworks can fit together

Whilst similar in nature, each framework should be evaluated for application and purpose. A quick view of the four highlighted shows different ways to get value into your security programme:

  • C2M2 is your primary OT maturity model
  • NIST CSF is your board/executive reporting layer
  • SANS ICS controls give a prioritised improvement backlog
  • AESCSF is a must do for Australian regulated energy operators

How to run a maturity assessment

Step 1: Define scope

Decide upfront:

  • Which environments are being assessed (IT, OT or both)
  • Which sites and assets
  • Which framework(s) matter most

Step 2: Build an assessment team

You need cross-functional input from the whole business:

  • OT engineering
  • IT security
  • Operations
  • Risk and compliance
  • Key third-parties and vendors

Step 3: Choose your scoring approach

  • Score according to your chosen framework or CMM
  • This may be simple tiers or defined criteria to meet exactly
  • Capture evidence, not just opinions, to provide true assurance

Step 4: Gather evidence (critical)

For each control or practice ensure you review or document:

  • Policies
  • Procedures
  • Technical configurations
  • Logs
  • Metrics over risks and reporting
  • Proof of execution consistently

Step 5: Produce outputs

You should end with a full understanding of your current maturity (or compliance and non-compliance). Reporting can include:

  • Heatmaps or ratings by function or domain
  • Maturity score split out by domain and as an aggregate value
  • Target maturity based on your threats and risks, not just a three for the sake of it
  • Gap list where you assess current vs target state
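The scoring, evidence and output steps above (Steps 3 to 5) can be reduced to a small calculation. The following is an added example, not code from the original post or from any framework vendor: a simplified C2M2-style scorer in which a domain only reaches a Maturity Indicator Level when every practice at that level and below is rated Largely or Fully implemented (an assumed rule), a practice with no captured evidence is capped at Partially Implemented, and the output is a per-domain MIL, an aggregate, and a current-vs-target gap list. Domain names and practice data are constructed for illustration.

```python
# Added example: simplified C2M2-style maturity scoring with evidence capping.
# Assumed rule: a domain achieves MIL n only if every practice at MIL 1..n is
# Largely (LI) or Fully (FI) implemented; no evidence caps a practice at PI.
from collections import defaultdict

SCALE = {"NI": 0, "PI": 1, "LI": 2, "FI": 3}  # Not/Partially/Largely/Fully implemented
ACHIEVED = SCALE["LI"]  # minimum per-practice rating that counts toward a MIL


def practice_rating(rating: str, has_evidence: bool) -> int:
    """Assessor rating, capped at Partially Implemented when no evidence was captured."""
    score = SCALE[rating]
    return score if has_evidence else min(score, SCALE["PI"])


def domain_mil(practices) -> int:
    """Highest MIL for which all practices at that level and every lower level are achieved."""
    by_level = defaultdict(list)
    for p in practices:
        by_level[p["mil"]].append(practice_rating(p["rating"], p["evidence"]))
    mil = 0
    for level in (1, 2, 3):
        if by_level[level] and all(s >= ACHIEVED for s in by_level[level]):
            mil = level
        else:
            break  # a gap at this level blocks all higher levels
    return mil


def assess(practices, targets):
    """Return per-domain MIL, the aggregate average, and a current-vs-target gap list."""
    domains = defaultdict(list)
    for p in practices:
        domains[p["domain"]].append(p)
    mils = {d: domain_mil(ps) for d, ps in domains.items()}
    aggregate = round(sum(mils.values()) / len(mils), 2)
    gaps = [(d, mils[d], targets[d]) for d in sorted(mils) if mils[d] < targets[d]]
    return mils, aggregate, gaps


# Constructed sample: three practices in each of two illustrative domains.
SAMPLE = [
    {"domain": "ASSET", "mil": 1, "rating": "FI", "evidence": True},
    {"domain": "ASSET", "mil": 2, "rating": "LI", "evidence": True},
    {"domain": "ASSET", "mil": 3, "rating": "PI", "evidence": True},
    {"domain": "ACCESS", "mil": 1, "rating": "FI", "evidence": True},
    {"domain": "ACCESS", "mil": 2, "rating": "FI", "evidence": False},  # opinion only, no proof
    {"domain": "ACCESS", "mil": 3, "rating": "LI", "evidence": True},
]
TARGETS = {"ASSET": 2, "ACCESS": 3}  # risk-driven targets, not "a three for the sake of it"

if __name__ == "__main__":
    print(assess(SAMPLE, TARGETS))
```

The ACCESS domain stalls at MIL1 because its MIL2 practice has no evidence behind the "Fully implemented" claim, which is exactly the assurance point of Step 4.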

Turning your assessment into a real programme

This is the next key stage in moving the maturity needle and mitigating key risks and we'll dive into the programme approach in a follow up blog.

OT maturity: a summary

For a quick lift to your OT security practices:

  • Consider your regulatory compliance needs
  • Use the SANS ICS controls to prioritise action
  • Use C2M2 as your core OT maturity model
  • Use NIST CSF to communicate with leadership - you can cross map findings and ratings
  • Focus less on the scoring, more on reducing real operational risks identified through the process

The Overcyte platform supports ongoing maturity assessments, maps to multiple frameworks (AESCSF, NIST CSF, Essential Eight), and provides dashboards that track progress over time. We can move your programme beyond a single, point in time assessment to a continuous improvement approach where efforts to resolve or remediate risks can flow instantly into your overall maturity score.

Reach out to us today for a platform demo.
