COMPLIANCE MAPPING
OT Compliance Framework Mapping — NERC CIP, IEC 62443, NIST CSF 2.0 & NIS2
See exactly which controls require external OT attack surface visibility. Control-by-control mapping with penalty summaries across all four major frameworks.
Outside-in validates inside-out
Internal tools tell you what is happening inside your network. ShiftSix tells you what attackers see from the outside. Both are required for compliance.
Passive = zero operational risk
Unlike active scanners that can crash OT devices, ShiftSix’s passive approach carries zero risk to safety-critical systems.
Evidence, not attestation
Auditors want empirical evidence. ShiftSix provides timestamped, independently verifiable exposure data.
NERC CIP
Mandatory for: Bulk Electric System owners/operators in North America
Penalties: Up to $1.54M per violation per day. 20% increase in enforcement in 2024.
| Control | Requirement | ShiftSix Mapping |
|---|---|---|
| CIP-005 R1.1 | Assets within defined Electronic Security Perimeter | Discovers OT assets outside or improperly bridging the ESP |
| CIP-005 R1.2 | External connectivity through identified EAPs only | Identifies OT assets with direct internet access bypassing EAPs |
| CIP-005 R2.1 | Intermediate system required for remote access | Detects OT assets directly reachable without intermediate systems |
| CIP-007 R1.1 | Enable only needed ports, disable all others | Enumerates externally visible ICS ports (502, 20000, 4840, 47808, 2404) |
| CIP-010 R2.1 | Monitor for baseline changes every 35 days | Continuous monitoring exceeds 35-day minimum |
| CIP-010 R3 | Vulnerability assessments every 15/36 months | Provides direct input to paper and active vulnerability assessments |
IEC 62443
Applicable to: All industries using IACS — energy, oil & gas, water, manufacturing, chemicals, building automation
Consequences: Loss of contracts, insurance implications. Up to EUR 15M when referenced by EU CRA.
| Control | Requirement | ShiftSix Mapping |
|---|---|---|
| 62443-2-1 s4.2.3 | Identify and maintain inventory of all IACS components | Discovers internet-exposed IACS assets missing from inventories |
| 62443-3-2 ZCR 3 | Define security requirements for zones and conduits | Validates zones don’t have internet-reachable assets |
| 62443-3-3 SR 5.1 | Network segmentation between control and non-control | Tests segmentation by identifying OT assets reachable from internet |
| 62443-3-3 SR 6.2 | Continuous monitoring for risk decisions | Continuous external monitoring for internet-facing OT exposure |
NIST CSF 2.0
Broadly adopted by: All 16 US critical infrastructure sectors; mandatory for federal contractors
Consequences: Loss of contract eligibility, higher insurance premiums, standard of care in litigation.
| Subcategory | Requirement | ShiftSix Mapping |
|---|---|---|
| ID.AM-01 | Maintain hardware inventories | Discovers exposed OT hardware not in existing inventories |
| ID.AM-03 | Maintain network communication flow maps | Maps external data flows to OT assets that should not have internet connectivity |
| ID.RA-01 | Identify, validate, and record vulnerabilities | Identifies internet exposure of ICS assets — the most critical OT vulnerability class |
| DE.CM-01 | Monitor networks for adverse events | Detects new OT exposure, protocol changes, and configuration drift from outside |
| DE.CM-06 | Monitor external service provider activities | Monitors third-party managed OT infrastructure for internet exposure |
NIS2 Directive
Scope: ~160,000 EU entities across 18 sectors. First compliance audit deadline: June 30, 2026.
Penalties: EUR 10M or 2% global turnover (essential), EUR 7M or 1.4% (important). Personal management liability.
| Article | Requirement | ShiftSix Mapping |
|---|---|---|
| Art. 21(2)(a) | Risk analysis and security policies | Provides empirical external risk data for OT systems |
| Art. 21(2)(d) | Supply chain security | Verifies supplier-managed OT assets are properly segmented |
| Art. 21(2)(f) | Assess risk management effectiveness | Objective external validation of controls from an attacker’s perspective |
| Art. 21(2)(j) | Network security and access control | Detects access control failures on OT services reachable without authentication |
Cross-Framework Capability Matrix
For organizations subject to multiple compliance regimes, this matrix shows how each ShiftSix capability maps across all four frameworks simultaneously.
| Capability | NERC CIP | IEC 62443 | NIST CSF 2.0 | NIS2 |
|---|---|---|---|---|
| Internet-exposed OT discovery | CIP-005 R1, CIP-010 R3 | 62443-2-1 s4.2.3, ZCR 1 | ID.AM-01, ID.AM-02 | Art. 21(2)(a) |
| ICS protocol identification | CIP-007 R1.1, CIP-005 R1.3 | SR 1.1, SR 5.1 | ID.AM-03 | Art. 21(2)(j) |
| Device fingerprinting (500+) | CIP-007 R2.1, CIP-010 R1.1 | 62443-2-1 s4.2.3 | ID.AM-01, ID.AM-08 | Art. 21(2)(e) |
| Continuous exposure monitoring | CIP-010 R2.1 | SR 6.2 | DE.CM-01, DE.CM-09 | Art. 21(2)(f) |
| Zone/segmentation validation | CIP-005 R1.1, R1.2 | ZCR 3, SR 5.1, SR 5.2 | ID.AM-03 | Art. 21(2)(j) |
| Supply chain exposure | CIP-005 R2 | 62443-2-1 s4.3.2 | ID.AM-04, DE.CM-06 | Art. 21(2)(d) |
| Remediation verification | CIP-010 R1.2, R3.3 | 62443-2-1 s4.4.3 | ID.RA-06 | Art. 21(2)(f) |
| Audit-ready reporting | CIP-010 R3.3 | SR 6.1 | DE.AE-06 | Art. 21(2)(f) |
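The "Continuous exposure monitoring" row above (CIP-010 R2.1, DE.CM-01, SR 6.2) turns on one mechanism: keeping a baseline of what is visible from the outside and diffing each new observation against it. The following Python is an added illustration of that mechanism, not ShiftSix code or output. The two snapshots, the IP addresses (documentation range 192.0.2.0/24) and the banners are constructed; the protocol names attached to the ICS port numbers listed in the CIP-007 R1.1 row are the standard assignments and are added here for readability.

```python
"""Baseline drift detection over externally observed OT service exposure.

Added illustration; not ShiftSix code. Diffs two outside-in snapshots to
surface new ICS exposure, removed services and banner (configuration) drift,
and checks whether the CIP-010 R2.1 35-day baseline review window has lapsed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# ICS/OT ports named on the page; protocol names are the standard
# assignments, added for readability.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    4840: "OPC UA",
    47808: "BACnet/IP",
    2404: "IEC 60870-5-104",
}

# Maximum allowed gap between baseline reviews under CIP-010 R2.1.
BASELINE_INTERVAL_DAYS = 35


@dataclass(frozen=True)
class Exposure:
    """One externally observed service: address, port and banner ("" if none)."""
    ip: str
    port: int
    banner: str


def snapshot_key(e):
    return (e.ip, e.port)


def diff_snapshots(baseline, current):
    """Return (new, removed, changed) between two snapshots.

    'changed' holds (old, new) pairs whose banner differs on the same ip:port,
    i.e. configuration drift that is visible from outside.
    """
    base = {snapshot_key(e): e for e in baseline}
    curr = {snapshot_key(e): e for e in current}
    new = sorted((curr[k] for k in curr.keys() - base.keys()), key=snapshot_key)
    removed = sorted((base[k] for k in base.keys() - curr.keys()), key=snapshot_key)
    changed = sorted(
        ((base[k], curr[k]) for k in base.keys() & curr.keys()
         if base[k].banner != curr[k].banner),
        key=lambda pair: snapshot_key(pair[0]),
    )
    return new, removed, changed


def ics_findings(exposures):
    """Keep only exposures on known ICS ports, tagged with the protocol name."""
    return [(e, ICS_PORTS[e.port]) for e in exposures if e.port in ICS_PORTS]


def baseline_overdue(last_review_iso, today_iso):
    """True if more than BASELINE_INTERVAL_DAYS have passed since the last review."""
    last_review = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_review) > timedelta(days=BASELINE_INTERVAL_DAYS)


# Constructed sample snapshots (not real observations).
BASELINE = [
    Exposure("192.0.2.10", 443, "nginx"),
    Exposure("192.0.2.20", 502, "Modbus unit id 1"),
]
CURRENT = [
    Exposure("192.0.2.10", 443, "nginx"),
    Exposure("192.0.2.20", 502, "Modbus unit id 2"),      # banner changed
    Exposure("192.0.2.30", 47808, "BACnet device 3001"),  # newly exposed
]


def report(baseline, current, last_review_iso, today_iso):
    """Summarise drift in a form that can be attached as audit evidence."""
    new, removed, changed = diff_snapshots(baseline, current)
    return {
        "new_ics": [(e.ip, e.port, proto) for e, proto in ics_findings(new)],
        "removed": [(e.ip, e.port) for e in removed],
        "changed": [(o.ip, o.port, o.banner, c.banner) for o, c in changed],
        "baseline_overdue": baseline_overdue(last_review_iso, today_iso),
    }


if __name__ == "__main__":
    for key, value in report(BASELINE, CURRENT, "2026-01-01", "2026-02-10").items():
        print(key, value)
```

Run as a script it prints the newly exposed BACnet service, the Modbus banner change and an overdue flag (40 days since the last review). Snapshots are keyed on ip:port rather than on banner so that a device whose firmware or unit id changes is reported as drift instead of as a disappearance plus an unrelated new exposure.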
Download the Complete OT Compliance Mapping Matrix
Get the full control-by-control mapping across all four frameworks as a PDF. Includes penalty details, sector applicability, and audit-ready language.
Frequently Asked Questions
Which compliance frameworks require external OT attack surface monitoring?
NERC CIP (CIP-005, CIP-010), IEC 62443 (zone validation, continuous monitoring), NIST CSF 2.0 (ID.AM asset management, DE.CM continuous monitoring), and NIS2 (Article 21 risk analysis and network security) all require or strongly benefit from external OT attack surface monitoring.
What are the penalties for NERC CIP non-compliance?
Penalties can reach up to $1.54 million per violation per day. Typical ranges run from low five figures for isolated findings to $1M+ for systemic violations. Non-monetary consequences include reliability watch lists and mandated corrective action plans.
How does outside-in OT scanning support IEC 62443 zone validation?
IEC 62443-3-2 requires defining zones and conduits with appropriate security levels. Outside-in scanning validates that zones intended to be air-gapped or internally segmented do not have internet-reachable assets, directly testing zone integrity from the attacker’s perspective.
Does NIS2 require continuous OT monitoring?
Yes. NIS2 Article 21(2)(f) requires ongoing assessment of risk management effectiveness. Article 21(2)(a) requires risk analysis for network and information systems. Continuous external monitoring provides empirical evidence for both. The first compliance audit deadline is June 30, 2026.
How does passive scanning differ from active vulnerability assessment for compliance?
Active scanning sends probes that can crash OT devices. Passive outside-in scanning observes what is already visible from the internet without sending traffic to OT devices. For compliance, passive scanning provides continuous monitoring with zero operational risk, while active assessments are periodic point-in-time checks.
Get Your Free OT Exposure Report
See what your compliance auditor would find. Passive, outside-in OT exposure assessment at no cost.