Compliance gives you a checklist. Security gives you protection. These are not the same thing, and the distance between them is exactly where attackers operate. NERC CIP-015, the internal network security monitoring (INSM) standard, is the latest example of a standard that moves in the right direction while leaving critical gaps that practitioners have to fill themselves.

Why this episode matters right now: NERC CIP-015 introduces internal network security monitoring requirements for utilities that operate bulk electric system assets: collecting traffic inside the protected OT network, detecting anomalies against a baseline, and evaluating what is found. But as Ep 94 makes clear, meeting the letter of the standard is not the same as having a detection capability that would actually catch an attack.

3 Key Takeaways:

  • Compliance is the floor, not the ceiling. NERC CIP-015 defines a minimum baseline, and organizations that stop there are leaving exploitable gaps in their detection posture.

  • Network monitoring without context is noise. Collecting OT traffic data means nothing if your team cannot distinguish normal process behavior (an HMI polling the PLC it always polls) from malicious activity (a write to that PLC from a host that has never talked to it).

  • Documentation and detection are different things. Many organizations can prove they have monitoring controls on paper but cannot actually detect an intrusion in progress.
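The distinction in the second and third takeaways is concrete: a baseline has to capture who talks to whom, on which service, doing what, and an alert has to fire on a deviation at any of those layers, not just on traffic volume. The following is an added example, not code from the episode or from any vendor's INSM product. The flow record shape, the addresses (10.20.1.x), the host roles and the Modbus operation names are all constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    """One summarised conversation (constructed shape, not a real sensor's schema)."""
    src: str
    dst: str
    proto: str    # transport protocol
    dport: int    # destination port
    op: str       # protocol-level operation, e.g. the Modbus function the sensor decoded


# Constructed baseline: a learning window of normal process traffic.
# 10.20.1.10/11 are HMIs, 10.20.1.50/51 PLCs, 10.20.1.200 an engineering workstation.
# Caveat: anything already present during the learning window is baked into "normal".
BASELINE = [
    Flow("10.20.1.10", "10.20.1.50", "tcp", 502, "read_holding_registers"),
    Flow("10.20.1.10", "10.20.1.51", "tcp", 502, "read_holding_registers"),
    Flow("10.20.1.11", "10.20.1.50", "tcp", 502, "read_input_registers"),
    Flow("10.20.1.200", "10.20.1.10", "tcp", 3389, "rdp_session"),
]

# Constructed observations from a later window. Only the first is routine.
OBSERVED = [
    Flow("10.20.1.10", "10.20.1.50", "tcp", 502, "read_holding_registers"),
    Flow("10.20.1.10", "10.20.1.50", "tcp", 502, "write_multiple_registers"),
    Flow("10.20.1.77", "10.20.1.50", "tcp", 502, "read_holding_registers"),
    Flow("10.20.1.200", "10.20.1.51", "tcp", 22, "ssh_session"),
]


class Baseline:
    """Three layers of 'known good': which pairs talk, on what service, with what operations."""

    def __init__(self, flows):
        self.pairs = set()
        self.services = set()
        self.ops = defaultdict(set)
        for f in flows:
            self.pairs.add((f.src, f.dst))
            self.services.add((f.dst, f.proto, f.dport))
            self.ops[(f.dst, f.proto, f.dport)].add(f.op)


def classify(baseline: Baseline, f: Flow) -> list[str]:
    """Return the deviation types for one flow; an empty list means it matches the baseline."""
    findings = []
    if (f.src, f.dst) not in baseline.pairs:
        findings.append("new_conversation")
    service = (f.dst, f.proto, f.dport)
    if service not in baseline.services:
        findings.append("new_service")
    elif f.op not in baseline.ops[service]:
        # Known pair and known port, but an operation never seen on that service.
        # A byte- or packet-count threshold cannot see this: a Modbus write
        # request is no larger than the reads that happen all day.
        findings.append("new_operation")
    return findings


def review(baseline: Baseline, observed) -> dict[Flow, list[str]]:
    """Classify every observed flow and keep only the ones that deviate."""
    deviations = {}
    for f in observed:
        findings = classify(baseline, f)
        if findings:
            deviations[f] = findings
    return deviations


if __name__ == "__main__":
    for flow, findings in review(Baseline(BASELINE), OBSERVED).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {flow.op:24} {', '.join(findings)}")
```

The write from the HMI to the PLC is the case that separates context from noise: the pair is known, the port is known, only the operation is new, so a tool that only baselines hosts and ports, or only counts bytes, documents coverage of that link without detecting the event. The new SSH session trips two layers at once and should be the highest-priority item; the unknown host polling a PLC is the kind of finding that is either an inventory error or an intruder, and someone has to evaluate it.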

Quick Intel Brief

The gap between compliance and security is well documented in incident post-mortems. Colonial Pipeline was not in breach of any mandatory pipeline cybersecurity standard at the time of the 2021 attack, because none existed: TSA's pipeline cybersecurity guidance was voluntary until the security directives issued afterward, and the intrusion came through a legacy VPN account without multi-factor authentication. SolarWinds customers had passed SOC 2 audits. Compliance frameworks are lagging indicators: they codify what a committee agreed on years ago, while the threat actors targeting your network adapt continuously. The ICS/OT community increasingly recognizes that a risk-based approach anchored in NIST CSF or ISA/IEC 62443 provides better outcomes than a compliance-first posture.

Aaron's Take

I have worked with organizations that spend 80% of their security budget on compliance activities and then wonder why they still feel exposed. Compliance tells you what to do at a point in time. Security is what you do continuously. The practitioners who get this right are the ones who use compliance as a starting point and then ask: "What would an attacker do that our controls would not catch?" That question drives the real work.

What To Do Next

What's your experience with the gap between what compliance requires and what actually protects your environment? Hit reply and let me know.

Aaron Crow
