Many industrial organizations invest in cybersecurity but struggle to measure whether their program is actually working. They track activity metrics—number of vulnerability scans, training sessions completed, controls implemented—but these don't tell you whether you're actually reducing risk. True maturity measurement requires identifying metrics that correlate with security outcomes and tracking them over time.
Maturity frameworks like NIST Cybersecurity Framework or CMMC provide guidance on maturity levels, but they don't give you specific metrics for OT environments. You need both—a maturity framework that describes the program you should build, and specific metrics that track your progress toward it. These metrics should be quantifiable, measured regularly, and trended over time.
Core Metrics for OT Programs
Asset inventory completeness is your baseline metric. What percentage of your OT assets are documented in your asset management system? If you're below 90%, you don't have sufficient visibility. Track this quarterly. Configuration compliance measures how many of your assets meet your security baseline—default passwords changed, patches current, monitoring enabled. This should trend toward 95%+. Vulnerability remediation time measures how long critical vulnerabilities remain unpatched. Under 30 days for critical vulnerabilities is a good target.
Incident detection latency measures how long it takes you to discover an incident from the time it occurred. Detecting incidents within hours is good; if it takes weeks or months, your visibility is inadequate. Incident response time measures how long it takes from detection to mitigation. Most incidents should be contained within the first 24 hours. These measurements require good logging and alerting, which is why Phase 1 focuses on that foundation.
Key Program Maturity Indicators
- Asset inventory accuracy: What percentage of your assets are documented and have their security status tracked? Target: 95%+.
- Patch currency: What percentage of your systems are current on critical security patches? Target: 90%+ within 90 days of release.
- Vulnerability remediation time: How long does it take from vulnerability disclosure to patch or mitigation? Critical: under 30 days. High: under 90 days.
- Incident detection latency: How long does it take from incident occurrence to detection? Target: hours to days, not weeks.
- Control effectiveness: Are your monitoring and logging controls detecting the behaviors they're designed to detect? Validate quarterly through testing.
- Training and awareness: What percentage of personnel involved in OT security have received current training? Target: 100% annually.
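Several of the indicators above can be computed directly from exported records. The following Python code is an added example, not part of the original article: it computes inventory completeness, remediation-time breaches, and detection and containment times. The record layouts and sample data are constructed, and it assumes the "discovered" asset set comes from an independent source such as passive network monitoring, with the union of both sets as the denominator.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (not from the article). "discovered" is assumed to
# come from an independent source such as passive network monitoring.
AS_OF = datetime(2024, 6, 30)
documented = {"plc-01", "plc-02", "hmi-01", "hist-01"}
discovered = {"plc-01", "plc-02", "hmi-01", "hist-01", "eng-ws-07"}
vulns = [  # (severity, disclosed, remediated or None if still open)
    ("critical", datetime(2024, 4, 1), datetime(2024, 4, 20)),
    ("critical", datetime(2024, 5, 1), None),
    ("high", datetime(2024, 3, 1), datetime(2024, 5, 15)),
]
incidents = [  # (occurred, detected, contained)
    (datetime(2024, 5, 2, 8), datetime(2024, 5, 2, 14), datetime(2024, 5, 3, 2)),
    (datetime(2024, 6, 1, 0), datetime(2024, 6, 9, 0), datetime(2024, 6, 9, 20)),
]
SLA_DAYS = {"critical": 30, "high": 90}  # targets stated in the article


def inventory_completeness(documented, discovered):
    """Percent of all known assets that are documented (denominator: union)."""
    universe = documented | discovered
    return 100.0 * len(documented) / len(universe)


def remediation_breaches(vulns, as_of):
    """Vulnerabilities past their target; open ones keep aging until as_of."""
    breaches = []
    for severity, disclosed, fixed in vulns:
        age_days = ((fixed or as_of) - disclosed).days
        if age_days > SLA_DAYS[severity]:
            breaches.append((severity, age_days, fixed is None))
    return breaches


def latency_hours(incidents):
    """Median and worst detection latency, and median containment time."""
    detect = [(d - o) / timedelta(hours=1) for o, d, _ in incidents]
    contain = [(c - d) / timedelta(hours=1) for _, d, c in incidents]
    return median(detect), max(detect), median(contain)


if __name__ == "__main__":
    print("inventory %:", inventory_completeness(documented, discovered))
    print("SLA breaches:", remediation_breaches(vulns, AS_OF))
    print("detect median/worst, contain median (h):", latency_hours(incidents))
```

Counting still-open vulnerabilities by their current age keeps unpatched items from disappearing out of the remediation metric, and reporting the worst detection latency next to the median exposes the outlier incident that a single average would hide.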
Tracking and Communicating Progress
Establish a monthly metrics dashboard that you review with your steering committee and board. Show trends over time, not just snapshots. Declining vulnerability dwell time and improving asset inventory accuracy are progress. Flat metrics suggest stagnation. If a metric deteriorates—say, patch compliance drops—investigate and adjust your program. Metrics that are heavily tied to process changes often fluctuate as your team adopts new procedures.
Use maturity metrics to justify continued investment. If you're investing in tools and training, you should see measurable improvement in key security metrics. If you're not, something in your program design or execution needs to change. This feedback loop drives continuous improvement.
We help industrial organizations establish baseline metrics, build dashboards, and use metrics to drive program maturity. Contact us to establish metrics for your OT security program.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.