A gap assessment is the cheapest and most useful first step in any OT security program. It answers the right first question (“where are we, relative to where we need to be?”) before any money is spent on tools, training, or certifications.
Done well, it gives you a defensible roadmap, a prioritised action list, and a business case that survives CFO scrutiny. Done badly, it gives you a 60-page PDF that nobody in operations will ever read and nobody in finance will ever fund.
Here is the difference.
Step 1. Pick your reference framework
You cannot gap-assess against “good cybersecurity.” You need a specific, published reference. The three common choices:
- IEC 62443. The deepest and most prescriptive for OT. Good for anyone who will be asked about specific controls by an auditor or regulator.
- NIST CSF 2.0. Higher-level, excellent for executive communication. Maps easily to organisational functions (Govern, Identify, Protect, Detect, Respond, Recover).
- Sector-specific frameworks. NERC CIP for bulk electric, CIS Controls tailored to industrial environments, API 1164 for pipelines, AWIA for water.
Pick one primary framework and one secondary. Most mature programs use NIST CSF as the executive layer and IEC 62443 as the technical layer.
Step 2. Scope the assessment honestly
Scope is the #1 place gap assessments go wrong. Two common failure modes:
- Too broad. “Assess our entire global OT footprint.” You will get a survey, not an assessment, and the findings will be too general to act on.
- Too narrow. “Assess this one plant’s firewall rules.” You will get a tactical finding, but you will not know whether the plant’s program is any good.
The right scope for a first-time assessment: one representative plant, one year of program activities, one set of frameworks. If the organisation has multiple plant types (process, discrete, utility-side), run one assessment per type rather than averaging them.
Step 3. Gather evidence, not opinion
A good gap assessment is evidence-based. That means:
- Documents you can cite. Policies, procedures, architecture diagrams, asset inventories, incident reports, training records.
- Observations you can describe. What is on the screen, what is in the rack, what is in the procedure binder.
- Interviews you can quote. Attributed to roles (not names), triangulated across multiple interviewees to confirm.
If your assessment says “the plant has weak access controls” with no specific evidence, the plant manager will push back and win. If your assessment says “access to the engineering workstation is via a shared account documented in the SOP dated March 2022, confirmed in interviews with the shift supervisor and the automation engineer,” the plant manager cannot push back and cannot avoid fixing it.
Step 4. Score the gaps, do not just list them
A list of 200 gaps is unactionable. Score them on two axes:
- Severity. What does this gap expose you to? Use your target Security Level from IEC 62443 or your risk tolerance from the organisational risk register.
- Effort. What does it take to close? Cost, time, disruption to operations, organisational change required.
Plot them on a 2×2. The top-left quadrant (high severity, low effort) is your quick wins; go after these first. The top-right (high severity, high effort) is your program roadmap. The bottom half is optional.
This scoring is judgement-based; do not pretend otherwise. But making the judgement explicit is the point. A stakeholder can disagree with a specific score and you can have the conversation. A stakeholder cannot disagree with a vibe.
Step 5. Write the report for the reader, not for the file
Three versions of the output:
- Executive summary (1 page). Current maturity score, target maturity, top three gaps, top three investments to make. This is what the CFO reads.
- Technical appendix (the long one). Every gap, with evidence, severity, effort, recommendation, and accountability. This is what the engineers work from.
- Roadmap (3 to 5 pages). A phased 18-to-36-month plan showing what gets closed when, by whom, with what budget. This is what gets tracked.
All three from the same assessment. Different audiences, different documents.
Common mistakes
- Scoring to the current target, not the aspirational one. If your target SL is 3 and you are at 1, the answer is not “we are mostly fine.” It is “we are two levels below target on the majority of foundational requirements.”
- Treating missing documentation as missing control. Sometimes the control exists and nobody has written it down. That is a documentation finding, not a control finding. Different remediation.
- Ignoring culture and governance. Technical gap assessments that do not address “who owns this?” or “who reads the reports?” miss the most important gaps in most organisations.
- Making it a one-shot. A gap assessment is baselined and repeated. Year-over-year trend is more useful than any single snapshot.
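The severity/effort scoring from Step 4 and the “score against the target SL” point above, as an added example that is not part of the original article. It assumes severity is measured as levels below the IEC 62443 target Security Level per foundational requirement (FR1 to FR7), effort is a 1 to 3 judgement score, and the cut-offs for “high” are assumptions; the findings are constructed.

```python
from dataclasses import dataclass

# Constructed illustration. Severity = levels below the target SL for that FR (IEC 62443-3-3
# foundational requirements FR1..FR7); effort is a 1 (low) .. 3 (high) judgement score.
@dataclass
class Gap:
    gap_id: str
    fr: str                 # foundational requirement, e.g. "FR1"
    current_sl: int
    target_sl: int
    effort: int             # 1 = low, 2 = medium, 3 = high
    evidence: str           # citable document, observation or role-attributed interview
    kind: str = "control"   # "control", or "documentation" when the control exists but is unwritten

    @property
    def severity(self) -> int:
        return max(0, self.target_sl - self.current_sl)

def quadrant(gap: Gap, sev_cut: int = 2, effort_cut: int = 2) -> str:
    """Place a gap on the 2x2: high severity + low effort = quick win, high + high = roadmap,
    anything below the severity cut-off is optional. Cut-offs are assumed values."""
    if gap.severity < sev_cut:
        return "optional"
    return "roadmap" if gap.effort >= effort_cut else "quick win"

def prioritise(gaps: list[Gap]) -> list[Gap]:
    """Quick wins first, then roadmap items, then optional; within a quadrant, most severe and least effort first."""
    rank = {"quick win": 0, "roadmap": 1, "optional": 2}
    return sorted(gaps, key=lambda g: (rank[quadrant(g)], -g.severity, g.effort))

def maturity_statement(gaps: list[Gap]) -> dict:
    """Executive-summary numbers scored against the target SL, not the current one:
    per FR, take the worst gap, then count how many FRs sit below target and by how much."""
    worst_by_fr: dict[str, int] = {}
    for g in gaps:
        worst_by_fr[g.fr] = max(worst_by_fr.get(g.fr, 0), g.severity)
    below = [fr for fr, levels in worst_by_fr.items() if levels > 0]
    return {"frs_assessed": len(worst_by_fr), "frs_below_target": len(below),
            "majority_below": len(below) * 2 > len(worst_by_fr),
            "max_levels_below": max(worst_by_fr.values(), default=0)}

SAMPLE = [  # constructed findings, not from any real assessment
    Gap("G1", "FR1", 1, 3, 1, "Shared account in SOP dated March 2022; confirmed by shift supervisor and automation engineer"),
    Gap("G2", "FR5", 1, 3, 3, "No segmentation between plant LAN and enterprise LAN (architecture diagram rev 4)"),
    Gap("G3", "FR7", 2, 3, 1, "Restores exercised quarterly per interviews; no written procedure", kind="documentation"),
    Gap("G4", "FR3", 2, 2, 2, "Patch cycle documented and evidenced in change tickets"),
]

if __name__ == "__main__":
    for g in prioritise(SAMPLE):
        print(f"{quadrant(g):9s} {g.gap_id} {g.fr} {g.kind:13s} sev={g.severity} effort={g.effort}  {g.evidence}")
    print(maturity_statement(SAMPLE))
```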
A realistic timeline
For one plant, one framework, one primary analyst:
- Week 1. Scoping, kick-off, document request.
- Weeks 2 to 3. Document review, onsite walkthroughs, interviews.
- Week 4. Analysis and scoring.
- Week 5. Draft report, stakeholder review.
- Week 6. Final report, roadmap workshop.
Six weeks. Anyone selling you a two-week “gap assessment” is selling you a questionnaire.
RelyBlue conducts OT cybersecurity gap assessments aligned to IEC 62443, NIST CSF, and sector-specific frameworks. Each engagement produces executive, technical, and roadmap deliverables. Request a scoping call.