The Importance of Compensating Controls in Cybersecurity

May 19, 2023


Compensating controls are an added layer of defense to address the vulnerabilities of existing controls. Prioritizing where these additional controls are needed is important for any business’s cybersecurity plan.

The recent disclosure of 56 vulnerabilities affecting thousands of operational technology (OT) devices from ten major vendors — collectively known as OT:ICEFALL — serves as a potent reminder not only of the risks exacerbated by digital transformation, but also of the escalating challenges facing security practitioners and asset owners. Nonetheless, the notion that these vulnerabilities indicate a lack of progress in OT security over the past decade is misleading.

Rather, the report's finding that many OT devices remain inherently vulnerable or "insecure by design" — despite, in many cases, certifications or other indicators implying the opposite — reinforces why maintaining an up-to-date asset inventory, zero-trust architecture (particularly with respect to segmentation and access controls), continuous monitoring, and effective governance are so crucial. Indeed, such measures are core to the OT:ICEFALL mitigations recommended by the affected vendors as of this writing.

Growing Interest in ICS Vulnerability Research

According to Claroty's Biannual ICS Risk & Vulnerability Report: 2H 2021, the total number of ICS vulnerabilities disclosed annually increased by 110% in just three years, from 683 in 2018 to 1,439 in 2021. During the same period, the number of vulnerability disclosures published by ICS vendors' internal research teams increased 76% from 128 to 226.

Vulnerabilities exist regardless of whether or not they are discovered by researchers or exploited by adversaries. The rise in ICS vulnerability disclosures and CVE assignments does not necessarily reflect a worsening or stagnation of effort to enhance the security of OT devices. Rather, these growing numbers closely correlate with increased interest in — and awareness of the critical importance of — strengthening ICS security among both researchers and vendors.

What are Compensating Controls?

In cybersecurity, compensating controls are measures taken to address weaknesses in existing controls, or to compensate for the inability to meet specific security requirements because of various constraints. When a security vulnerability or threat is identified, compensating controls are typically implemented to mitigate or reduce the associated risk. They matter because they help manage and mitigate risk from threats that traditional security controls do not address. By implementing them, organizations can reduce the likelihood of a cyber incident and minimize its impact if one does occur. They also help many organizations meet regulatory requirements and comply with industry standards, which organizations often cannot satisfy with the cybersecurity practices and tools they currently have in place. Another important role of compensating controls is the flexibility they give organizations to address vulnerabilities or threats that traditional security tools do not cover. For example, a critical infrastructure organization may use compensating controls to address the risk associated with legacy systems that cannot easily be updated or replaced.
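As an added illustration of how the segmentation, access-control and continuous-monitoring mitigations named in the OT:ICEFALL discussion above act as a compensating control for the legacy-system case just described, the following Python script (written for this page; it is not Claroty's tooling and not code from the original article) checks constructed network flow records against a constructed asset inventory and zone policy. The inventory, zone names, IP addresses, permitted ports and log lines are all assumptions made for the example; the point is that an unpatched, "insecure by design" device stays reachable only from the zones the policy permits, and any flow that bypasses that policy, or comes from a host missing from the inventory, is surfaced for investigation.

```python
"""Compensating-control check for insecure-by-design OT devices.

Added example (not from the original article or Claroty's products). It
models two of the mitigations the article names, an asset inventory and a
zone-based segmentation policy, and evaluates observed network flows against
them so that traffic reaching a legacy device from outside its allowed zones
is flagged. All hosts, zones, ports and log lines below are constructed.
"""
from dataclasses import dataclass
import re

# Constructed asset inventory: IP -> (name, zone). Devices that cannot be
# patched are still listed, so the policy, not the device, enforces access.
INVENTORY = {
    "10.0.1.10": ("eng-workstation-01", "ot-supervisory"),
    "10.0.1.20": ("hmi-01", "ot-supervisory"),
    "10.0.2.10": ("plc-cell1-a", "ot-cell-1"),   # legacy PLC, unauthenticated protocol
    "10.0.2.11": ("plc-cell1-b", "ot-cell-1"),
    "10.0.9.5": ("jump-host-01", "ot-dmz"),
    "192.168.50.7": ("corp-laptop-17", "it"),
}

# Constructed segmentation policy (the compensating control): only these
# (source zone, destination zone, destination port) triples are permitted
# into OT zones. Anything else that reaches an OT zone is a violation.
ALLOWED_FLOWS = {
    ("ot-supervisory", "ot-cell-1", 502),    # HMI/engineering -> PLC, Modbus/TCP
    ("ot-supervisory", "ot-cell-1", 44818),  # EtherNet/IP
    ("ot-dmz", "ot-supervisory", 3389),      # jump host -> supervisory RDP
}

OT_ZONES = {"ot-supervisory", "ot-cell-1"}

# Assumed flow-record shape, loosely modelled on a firewall or sensor export.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Parse one flow record; return (ts, src, dst, dport) or None if malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))


def zone_of(ip):
    """Return the zone for an inventoried IP, or None if the asset is unknown."""
    entry = INVENTORY.get(ip)
    return entry[1] if entry else None


def evaluate_flows(lines):
    """Return findings for flows into OT zones that break policy or involve unknown assets."""
    findings = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue  # malformed record; a production tool would count these too
        ts, src, dst, dport = parsed
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone not in OT_ZONES:
            continue  # the policy only governs traffic entering OT zones
        if src_zone is None:
            findings.append(Finding(ts, src, dst, dport, "source not in asset inventory"))
        elif (src_zone, dst_zone, dport) not in ALLOWED_FLOWS:
            findings.append(Finding(ts, src, dst, dport,
                                    f"flow {src_zone}->{dst_zone}:{dport} not permitted"))
    return findings


# Constructed flow records for the demonstration.
SAMPLE_FLOWS = [
    "2023-05-19T10:00:01Z src=10.0.1.20 dst=10.0.2.10 dport=502 proto=tcp",     # HMI -> PLC, allowed
    "2023-05-19T10:00:05Z src=192.168.50.7 dst=10.0.2.10 dport=502 proto=tcp",  # IT laptop -> PLC
    "2023-05-19T10:00:09Z src=10.0.7.77 dst=10.0.2.11 dport=102 proto=tcp",     # unknown host -> PLC
    "2023-05-19T10:00:12Z src=10.0.9.5 dst=10.0.1.20 dport=3389 proto=tcp",     # jump host -> HMI, allowed
    "2023-05-19T10:00:15Z src=10.0.1.10 dst=10.0.2.10 dport=80 proto=tcp",      # eng wks -> PLC web UI, not permitted
]

if __name__ == "__main__":
    for f in evaluate_flows(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the constructed records, the script reports three findings: the IT laptop talking Modbus to the PLC, an uninventoried host reaching the second PLC, and the engineering workstation using a port the policy never allowed. The same policy table is what a firewall between the zones would enforce; running it over flow logs as well gives the continuous-monitoring side, so a gap between what the firewall should block and what actually arrives at a device becomes visible.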




Claroty is the industrial cybersecurity company. Trusted by the world's largest enterprises and endorsed by leading industrial automation vendors, we help our customers reveal, protect, and manage their OT, IoT, and IIoT assets.
