What Your Maturity Score Doesn't Show

That's the maturity mirage in documented form. Mature on paper. Undetected in practice.

Most organizations measure OT security maturity by asking their own teams how mature they think they are. According to Fortinet's 2025 State of Operational Technology and Cybersecurity Report, 81% of organizations globally self-assess at Level 3 or Level 4 on a five-level scale, with 46% claiming Level 4, the highest tier, characterized by continuous improvement and integrated threat intelligence. Every one of those numbers came from organizations evaluating themselves.

Now look at what professional assessments find. According to Dragos's 8th Annual OT Cybersecurity Year in Review, covering engagements conducted in 2024: 45% of professionally assessed OT networks had inadequate visibility, despite organizations typically believing they had it. 65% of assessed sites had insecure remote access conditions including default credentials, unpatched VPNs and exposed remote desktop sessions. Many had no OT-specific incident response plan despite claiming mature security programs.

Two different pictures of the same industry. Both can't be right.

Here's something the leading international standard for industrial cybersecurity states explicitly: there is no relationship between maturity level and security level. According to exida, an authoritative source on IEC 62443, an organization can develop and maintain a security Level 4 system using a maturity Level 1 process. The reverse is equally true. A high maturity score means your documentation is thorough. It does not mean your controls stop someone who is actively trying to bypass them.

That's not a flaw in IEC 62443. It's a design feature organizations systematically misread. The standard's maturity levels, modeled on CMMI (Capability Maturity Model Integration), measure how well security processes are defined, practiced and consistently followed. They measure documentation quality and process discipline. They do not measure adversarial resistance.

NIST SP 800-82, the U.S. government's primary OT security guidance, works the same way. Control baselines are organized and verified against checklists. Compliance is self-assessed. Adversarial testing is not required to demonstrate compliance at any level. CISA's own Cyber Security Evaluation Tool allows organizations to self-evaluate against NIST 800-82 by answering a questionnaire -- no external challenge required.

Both frameworks are genuinely useful. Neither was designed to answer the question an adversary answers on day one of an engagement: does this actually work? That compliance-documentation gap is the foundation of what Article 8 in this series examines directly: the specific ways compliance-based assessment produces a maturity picture that looks complete on paper while leaving gaps that assessments pass and adversaries use.

The gap between documented maturity and tested capability tends to appear in the same places. Segmentation that looks clean on a network diagram has evolved into flat architectures with undocumented cross-zone pathways. Industrial protocols including Modbus and DNP3 transmit in plaintext with no authentication and are routinely left unmonitored. Even OPC-UA, which includes built-in security capabilities, is frequently deployed without those features enabled. Detection capabilities generate alerts nobody investigates. Vendor remote access connections established for a maintenance window months ago remain open and unreviewed.

Our Shadow Current series has traced how these conditions translate into exploitable attack paths, how adversaries move through unmonitored protocol traffic and assumed-secure segment boundaries that organizations believe they've closed. The Red Team applies those same paths in a controlled engagement, documenting not just that the path exists but whether your defenses detect it.

According to SANS Institute's 2025 State of ICS/OT Cybersecurity survey, only 3% of organizations have full penetration testing coverage of their OT environments. Only 8% have full detection coverage at field and remote sites. Only 14% feel fully prepared for emerging threats.

These are not theoretical gaps. They are the conditions that allowed CISA's 2022 red team to operate undetected against a self-described mature program. In a separate 2024 advisory, CISA described an engagement where leadership had minimized the business risk of a known attack vector their own security team had already identified. The red team exploited it and reached OT human-machine interface access. That pattern -- leadership deprioritizing a risk their own team had already flagged -- connects directly to the Industrial CISO gap the first article in this series documented. When OT security lacks an accountable executive owner, assessment findings don't get escalated with appropriate urgency. The leadership vacancy doesn't just produce untested controls; it produces the organizational conditions that keep them untested.

The organizations most certain about their maturity are often the ones with the largest gaps. A 2025 identity security study by BeyondID found that organizations rating themselves "Advanced" followed only 4.7 out of 12 security best practices on average, fewer than those rating themselves merely "Established," who followed 5.1. Higher confidence, fewer controls in practice.

There's a broader data point that frames the scale of the problem. Gartner research, cited in analysis following the Colonial Pipeline incident, found that 60% of critical infrastructure organizations were at the earliest stages of OT security maturity. The same period saw organizations self-reporting at 81% Level 3 or higher. That is not a rounding error. It reflects a structural disconnect between how organizations measure themselves and what external assessment finds.

Dragos's 2026 OT Cybersecurity Year in Review adds a concrete operational dimension to the gap. Organizations with comprehensive OT visibility detected and contained ransomware incidents in an average of five days. The industry average was 42 days. The difference between those two numbers is the difference between a contained incident and a production shutdown.

A Red Team assessment does not produce a maturity score. It produces a map. Where the team entered. Which controls they bypassed and how. Where detection failed. What the actual path to high-value OT systems looks like in your specific environment under realistic adversarial pressure.

MITRE ATT&CK for ICS provides the technique library. An OT-focused Red Team applies the specific tactics, techniques and procedures documented threat actors use against industrial environments, then records which defenses held and which didn't. The output is evidence, not assumption.

That evidence replaces the hypothesis. Organizations that know which controls actually performed can direct investment toward capabilities with demonstrated gaps rather than documented ones. The vCISO series covers how the OT vCISO establishes that honest baseline through structured assessment, with the Red Team's adversarial findings serving as the external component that makes that baseline accurate rather than assumed. The CFC series covers how the fusion center conducts the structured methodology assessment that programs use as their starting point, and what it means when Red Team validation puts those capabilities under realistic adversarial pressure.

The recalibration that follows a Red Team engagement is not a verdict on the security program. It's the information that makes every other part of the program honest.

Maturity tells you the strength of your defenses. Threat intelligence tells you what those defenses need to stop. When the intelligence picture is incomplete or disconnected from real adversary behavior, even a genuinely mature program can be aimed at the wrong targets. That's where we go next.