Passing the Audit, Failing the Attack Path Test

On Dec. 23, 2015, a Ukrainian electric utility passed every relevant security check it faced. Its VPN access controls were in place. Its perimeter defenses were documented. Operators used legitimate credentials to connect to SCADA systems, just as designed.

That's exactly how the lights went out for approximately 225,000 customers.

Attackers didn't break the controls. They flowed through them. According to CISA's advisory on the incident, malicious operators used stolen but legitimate credentials through existing VPN connections to manipulate industrial control systems remotely. The attack path ran straight through infrastructure that any compliance audit would have checked and approved.

This is what compliance frameworks can't catch: shadow currents flowing through controls that exist and are documented but never tested against actual attack paths.

The major frameworks governing industrial cybersecurity have a common design. NERC CIP checks that electric utilities have documented Electronic Security Perimeters, access controls and physical security measures. IEC 62443 verifies that industrial control systems have the security properties their design specifies. NIST CSF confirms organizations can identify, protect, detect, respond and recover. ISO 27001 validates information security management practices.

What none of them require is proof that those controls stop a real attack from reaching critical systems.

As Dragos notes, compliance frameworks are "detailed guidelines for implementing controls" rather than validated proof that attack paths are blocked. Auditors confirm controls exist and are documented. They don't test whether the shadow current can still find its way through.

That design flaw created a glaring gap in the electric sector that persisted for decades. NERC CIP required perimeter security from its earliest versions. But it contained no mandatory requirement for monitoring internal east-west traffic until CIP-015-1 was approved in 2025. Regulated entities have until October 2028 to implement it.

East-west traffic is exactly how attack paths travel after breaching a perimeter. Lateral movement, the technique attackers use to expand access from an initial foothold, flows east-west through internal networks. For years, utilities could be fully NERC CIP compliant while having zero mandatory requirement to monitor the traffic patterns that indicate a shadow current is moving toward critical assets. FERC's Order 887, which directed NERC to develop the standard, found the CIP-networked environment remained vulnerable to attacks bypassing perimeter-based controls.

Decades of compliance. Zero requirement to watch what happened inside.

ISACA has documented what it calls the "compliant yet breached" phenomenon extensively. Target, FedEx, Staples and others held compliance certifications and suffered major breaches. A Fortune 500 breach victim described the dynamic precisely: "The hackers focused on overcoming our security controls while the security and compliance teams were measuring our security in terms of adherence with formal compliance certification."

Two teams. Two completely different definitions of security.

The data reinforces how widespread this gap is. According to Gartner's 2025 research, only 37% of compliance leaders feel fully confident in their ability to assess the effectiveness of their own compliance programs. Most compliance teams don't actually know if their programs work against real attack paths. They know documentation is complete. That's not the same thing.

SANS 2025 research on ICS/OT environments offers an important nuance: regulated sites report the same number of incidents as unregulated ones but show roughly 50% fewer operational impacts. Compliance isn't worthless. It reduces damage. But it doesn't stop shadow currents from flowing in the first place.

The Colonial Pipeline attack in May 2021 illustrates another dimension of the compliance-security gap. The 5,500-mile pipeline carrying roughly 45% of East Coast fuel had no mandatory cybersecurity requirements at all. Prior to the attack, the Transportation Security Administration had issued only voluntary guidelines for pipeline operators. Only the electric grid operated under mandatory compliance requirements.

Attackers used compromised VPN credentials to access Colonial's IT network, then pivoted toward OT-adjacent systems. The pipeline operator shut down operations preemptively rather than risk physical damage. Colonial paid a $4.4 million ransom.

Days after the attack, TSA issued mandatory Security Directive Pipeline-2021-01.

This is how compliance frameworks develop: reactively, after attacks demonstrate where gaps exist. The frameworks that industrial organizations comply with today were shaped by incidents that already happened. The shadow currents flowing through your environment right now don't wait for the next regulatory update.

As we traced in our earlier post on the email-to-outage attack path, every step of that incident, from phishing email through IT compromise to OT impact, could have existed inside a fully compliant environment. Compliance checked whether controls were documented. The attack path flowed through the spaces between them.

The compliance-security gap isn't just about incomplete frameworks. It's structural. Compliance measures point-in-time status. A FireMon analysis captures the problem: "Networks aren't static. Firewalls get updated, rules change, new cloud instances spin up daily. What was compliant yesterday could be out of alignment today. Between audits, you're flying blind."

Attack paths don't operate on audit schedules. Shadow currents flow continuously, adapting to whatever conditions exist in your environment right now. A penetration test conducted last November tells you almost nothing about your exposure in January.

There's also the cross-domain visibility problem. NERC CIP audits Electronic Security Perimeters. IEC 62443 audits industrial automation and control systems. Neither framework requires mapping or monitoring the attack paths that cross from IT networks into OT. Yet according to SANS 2025 research, 58% of ICS/OT incidents had IT compromise as the initial attack vector.

The attack path starts where compliance doesn't look.

And attackers know it. According to Forescout's annual Threat Roundup research, more than 70% of actively exploited vulnerabilities do not appear in CISA's Known Exploited Vulnerabilities catalog, leaving organizations without official guidance on most threats attackers are actively using.

None of this means compliance is wrong. NERC CIP, IEC 62443, NIST CSF and comparable frameworks establish security foundations that matter. Compliant organizations do demonstrate fewer operational impacts when incidents occur. The governance discipline compliance requires has genuine value.

But passing an audit isn't the same as stopping an attack.

Shadow currents don't respect documentation. They find the paths that compliant controls don't monitor, cross the boundaries that compliance frameworks don't scope and flow through legitimate channels that auditors check off as functional. The Ukraine attack flowed through a working VPN. The Colonial attack used credentials that worked exactly as designed.

The real question isn't whether your controls are documented. It's whether your controls actually block the paths attackers would use.

That means continuous validation instead of annual audits, cross-domain visibility into how paths flow from IT into OT, and testing controls against actual attack behavior rather than simply verifying they exist. As Shieldworkz notes in their 2026 OT security guidance, organizations should use Breach and Attack Simulation tools designed for OT to validate that controls actually work.

Compliance creates documentation. Shadow currents create risk. You need both, but they're not the same thing.

If compliance audits don't catch shadow currents, organizations often turn to penetration testing for validation. Pen tests simulate attacks, find vulnerabilities and test defenses. But do they map shadow currents? Not usually. That's where we'll look next.