The Coverage Trap

Most OT security practitioners working in brownfield industrial environments reach the same point. The program is running. Controls are being deployed. Assessments are producing findings. And yet the sense that the fundamental exposures are not being addressed does not go away. Budget cycles close without the structural conditions improving. The same gaps surface in successive assessments. The practitioner inside the environment recognises the mismatch. The institutional structures around the program have no mechanism for surfacing it. The program is active. The exposure is not materially reduced.

This paper argues that the mismatch is structural rather than circumstantial. It is a property of the investment logic the discipline inherited, not a resourcing failure or an execution problem. Accurate diagnosis of that structure is a prerequisite for correcting it. The Sequenced OT Resilience Framework, specified in the companion document, is one specification of a corrected investment logic. This paper carries the argument for why the correction is needed.

Security investment in OT has produced real progress under the existing model. Controls have been deployed, gaps inventoried, and audit structures established that gave security programs organisational legitimacy they previously lacked. The practitioners who built those programs made reasonable decisions with the tools and institutional conditions available. The argument here is not that the work was misguided. It is that the investment logic those programs use has a structural ceiling in OT environments, and that correcting the investment logic is different from discarding the work.

This mismatch is not the result of incomplete execution. It is the result of organising investment around the wrong unit of measurement.

This paper develops the diagnostic structure in stages: the condition (how coverage becomes the governing unit), the causes (why coverage became the only institutionally legible form of security investment), the failure modes (what coverage measurement cannot represent), and the diagnostic instrument (three questions a coverage program cannot answer that determine whether security investment is producing resilience or degrading it). Readers who want the diagnostic instrument directly can skip to “Three questions coverage cannot answer”.

The Coverage Trap

The Coverage Trap is a condition in which control coverage becomes the governing unit of security investment. The trap is not arbitrary. It is the predictable execution layer of an inherited posture.

OT security inherited from IT security the assume-breach posture: no architectural layer can be trusted to constrain the next, so every layer must defend independently. In IT environments, where architectural layering does not reliably hold and the perimeter is effectively absent, this posture is often valid. When transferred into OT as a universal assumption, it produces a universal exposure model. Every system in the estate is treated as potentially exposed to every threat, because no verified boundary limiting how far compromise can propagate has been established. The exposure assumption is unbounded. It produces an unbounded obligation surface: every system requires detection, patching, hardening, monitoring, recovery capability, and access governance. The obligation surface has no upper limit because the exposure assumption has no limit.

Unbounded obligation cannot be executed through judgment at scale. It collapses into catalog execution. Coverage is what unbounded obligation looks like when it meets finite resources and the requirement for institutional legibility. It measures the presence of controls. It does not establish whether those controls constrain credible pathways to consequence.

A program organised around coverage has no defined stopping point because the posture it executes has no stopping point. The catalog grows. The burden grows with it. At scale, that burden drives the program toward centralised management infrastructure: patch distribution platforms, remote access aggregation, monitoring collectors. That infrastructure requires privileged cross-boundary access by design. The program introduces the pathways it was meant to reduce. The coverage model has no mechanism for registering that outcome as a cost.

The result is a self-reinforcing condition. The program cannot reach the structural gaps the catalog cannot see. The infrastructure required to sustain it becomes part of the exposure it was meant to address. The inverse posture is a bounded exposure posture. The coverage model structurally cannot adopt it. This condition did not emerge by accident. It follows directly from how OT security investment was first made legible to institutions.

Why coverage became the organising principle

OT environments were not designed without security. They were designed around isolation. Air-gap separation between operational technology and external networks was the primary control, and under that model no standing security program was needed because the attack surface was physically bounded. When connectivity increased, driven by remote access, IT/OT integration, and operational efficiency requirements, that control eroded. The transition moved faster than the institutional structures required to support site-specific security architecture. Environments correctly designed to require no standing security program suddenly required one, and nothing existed to fill that position except IT security.

The build-operate divide explains why no OT-native alternative emerged to replace it. Capital projects delivered systems, operations inherited them, and neither side was structured or funded to develop site-specific security architecture. As a result, no actor in the system was responsible for producing an architectural security model at the site level. When regulatory pressure arrived, the discipline needed frameworks it could specify, procure, and audit. It reached for what existed: mature control catalogs, tooling categories, maturity scoring, and evidence models that procurement and finance functions already understood. OT-specific concepts existed, but institutional implementation reduced them back into coverage logic.

The result was a coverage-based model. Throughout this paper, “coverage model” refers to the investment logic of treating control presence as a proxy for protection state, and “coverage program” refers to the program operating under that logic. Coverage is not meaningless: it can show whether obligations were attempted and whether a program is producing evidence. The trap begins when it becomes the organising principle for security investment. Under these institutional conditions, coverage was not simply chosen. It was the only model that could be specified, procured, audited, and scaled without requiring the deep site-specific understanding the environment actually demands.

IEC 62443 represents the discipline’s attempt to correct this. Zones defined by function, conduits governing what crosses between them, security levels derived from consequence profile: these concepts were developed specifically because applying IT-shaped catalog coverage to OT environments was producing the wrong results. The conceptual architecture of IEC 62443 is consequence-derived. The critique here is not of that architecture, but of what happened when institutional machinery received it. Zone documentation became a compliance checkbox. Security level selection became a maturity metric. Conduit assessment became a gap list. The mechanism that produced this outcome was governance incentive structure. The corporate layer demands standardised, auditable outputs that boards can report and regulators can verify. Site-specific engineering judgment, however technically sound, cannot produce those outputs. Coverage logic can. Practitioner depth may influence how strongly the translation is resisted, but it does not alter the outcome. The structural pressure operates independently of individual competence. An operationally deep engineer embedded in the same reporting structure faces the same output constraint. The corrective concepts were absorbed into the pattern they were designed to correct. The coverage model did not fail to adopt IEC 62443. It converted the framework into another form of itself.

The logical failure

Institutional inevitability explains why the model locked in. It does not make the model logically adequate. The coverage model has a separate defect: it is not logically sufficient to represent the protection state it claims to track. Protection state is the verified condition that credible pathways to consequence are constrained or terminated. A program that records deployed controls produces the same output regardless of whether those controls interrupt credible pathways to consequence or not.

The coverage model’s claim is that deployed controls represent the protection state of the environment. This claim emerges as the execution layer of the unbounded assume-breach posture. That claim cannot be invalidated by outcomes within the model. When an incident occurs in a high-coverage environment, the model’s response is always the same: insufficient coverage, a missed control, a gap not yet closed. The model has no internal mechanism that would lead it to conclude that coverage is the wrong unit. Absence of incident confirms the model. Incident confirms the model.

A model whose central assumption survives every possible outcome is not governing risk. It is self-confirming.

This failure follows directly from executing an exposure assumption that architectural verification never bounds. The model has no mechanism to discover that coverage and protection state have diverged, because its measurement was never designed to ask.

Why the model persisted

A model with this defect would normally be corrected through experience. In OT security, it was not.

Coverage persists because it is the only form of security investment that is institutionally legible. It produces artifacts that can be specified, implemented, and audited without requiring contextual judgment about the environment. That judgment does not produce the standardised artifacts institutional governance requires: outputs that boards can report, insurers can score, and regulators can verify. Site-specific engineering assessment, however technically sound, cannot be ingested by that machinery. It produces no comparable evidence artifact. Without auditability, a contextual approach cannot satisfy the institutional requirements governing security investment, and without satisfying those requirements it cannot attract or sustain funding. That constraint is what prevented the correction mechanism from developing.

The structural logic runs through every layer of the reporting chain. Management visibility requires metrics. Metrics require standardised, comparable units. Control counts, maturity percentages, and gap closure rates are standardised and comparable. Whether they correlate with actual protection state is a question the reporting structure is not designed to ask. Coverage meets the procurement, implementation, and audit requirements of the governance layer independently of its relationship to protection. It can be specified in a contract, delivered by a third party, audited by a fourth, and reported upward as a percentage. Each step requires no contextual knowledge of the environment it is supposed to protect.

That institutional legibility made coverage commercially viable, and commercial viability made it structurally self-reinforcing. Vendors built product lines mapped to control catalogs. Consultancies built service lines mapped to maturity models. The market instantiated the investment logic commercially, and the commercial instantiation reinforced framework demand. Coverage is not only an institutional logic. It is a market structure that rewards vendors for producing catalog-compatible controls and buyers for deploying them. The investment logic and the commercial infrastructure that serves it are now the same structure.

The regulatory environment reinforced both. Regulators implementing capability-based requirements accepted coverage-based evidence because it was the evidence the regulated population produced and because a consequence-based alternative had not been demonstrated at scale. That acceptance was not a determination that coverage evidence satisfied proportionality obligations. It was a reflection of what was available. Where governance structures had made coverage the only legible investment form and commercial infrastructure had instantiated it as a market, regulatory acceptance removed the one correction mechanism that operated externally to both. The result was a system with no internal or external mechanism for detecting the logical defect at its centre.

Why the model does not self-correct

That logical defect would be correctable if the institutional structures surrounding the model had a mechanism for detecting it. They do not. Audit methodology confirms that controls are present, not whether they interrupt credible pathways to consequence. The model’s imperviousness is most visible at incident time. A high-coverage program that fails is interpreted as insufficient coverage or a missed implementation gap, not as evidence that coverage is the wrong unit. The model survives the outcome that should have challenged it.

The deeper reason correction cannot develop is that the model substitutes for a risk assessment exercise the environment structurally cannot support. Likelihood estimates require a statistical basis that does not exist in OT security: incident data is sparse, attacker populations are heterogeneous, and the specific vulnerability landscape shifts continuously. Impact cannot be bounded without a defined consequence ceiling. Without one, every compromise opens into an unbounded consequence space, and the assessment has no architectural basis for constraining what is reachable. The rational response to unbounded impact and unquantifiable likelihood is to treat every exposure as potentially catastrophic, which produces an unbounded control requirement. Coverage fills that vacuum by being finite. Risk, without architectural bounding, is not.

The model can only add.

This structural blindness is not limited to adversarial scenarios. The pathway through which ransomware propagation reaches a control system is the same pathway a faulty management platform update would traverse, the same pathway a vendor session with excessive privilege would exploit, and the same dependency structure operational decay would silently degrade. Actor intent varies. The structural entry condition does not. A program correcting for adversarial threat while leaving foundation conditions unexamined is governing the entry point while leaving the pathway open through a different mechanism. Operational decay erodes the conditions that boundaries, recovery paths, and diagnostics depend on without presenting as a missing control, without triggering an audit finding, and without appearing in a gap list. It is structurally invisible to the model for the same reason adversarial pathway exposure is: coverage was not designed to examine foundation conditions.

The incentive structure that prevents correction operates at the individual level as well as the institutional. When the cautious choice and the contextually correct choice diverge, the structure rewards the cautious choice regardless of which better serves the environment. A practitioner who follows an established framework and later experiences an incident can point to recognised standards. A practitioner who deviates based on contextual engineering judgment carries that judgment personally. Coverage measurement cannot distinguish between a control deployed through careful site-specific assessment and the same control deployed through generic catalog application. Both produce identical artifacts. Under time and resource pressure, the incentive runs toward the latter. The model does not merely fail to reward engineering judgment. It creates pressure against it, because judgment takes longer and produces no additional measurable output.

The result is a model that is easy to enter and structurally resistant to exit. Coverage programs produce immediate visible progress. Transition to a consequence-derived model replaces that visible progress with structural improvement the measurement system cannot see. During transition, metrics stagnate or decline while exposure is being reduced. To governance structures conditioned on coverage, this appears as failure. A program reducing its exposure position by removing unjustified connections and governing necessary ones will score lower on catalog coverage than a program maintaining all of them. The measurement and the outcome point in opposite directions. That is the coverage trap, visible at the moment of correction.

The heterogeneity problem

The lock-in compounds with the environments the model is applied to. No two sites share the same starting point, the same system connections, or the same pathway structure. That variance is not incidental to the coverage model’s failure. It is structural.

Every OT site is the product of decisions accumulated across its operational life, sitting on a constraint no operational choice can override: the process dictates the layout, the layout dictates the control architecture, and the control architecture determines how systems are connected, what paths exist between them, and where consequence can be reached. No two processes are identical. The specific pathways through which a compromise can reach a consequential function differ between sites even within the same industry, the same vendor ecosystem, and the same regulatory regime.

Coverage logic is attractive precisely because it removes the requirement to understand those connections in the specific environment. Apply the same controls everywhere, and the question of whether any given control is appropriate for this environment disappears. But that is also why coverage logic fails structurally. A control that is correct in one network topology can introduce the exposure it is intended to prevent in another. A firewall rule, a remote access mechanism, or a monitoring platform that reduces exposure at one site can widen the pathways to consequence at a site with different system connections and different trust relationships. The engineering judgment that coverage replaces is not optional. It is the only instrument for making that determination.

A framework cannot know the distance between its target state and where any given site actually starts. The same missing control can represent a catastrophic exposure at one site, an irrelevant artifact at another, and an already-governed dependency at a third. Percentage completion cannot represent that variance. The only valid baseline is the verified state of that specific environment, assessed against its specific pathways and connections. That is not a property any revision to the coverage model can correct. It is a property of the environments the model is applied to.

What coverage programs measure

Coverage measurement has four structural gaps in OT environments. It does not derive control requirements from the pathways through which consequence is reached. It records deployment rather than enforcement. It has no instrument for the decay of foundation conditions that deployed controls depend on. And it cannot represent the threat reduction that effective upstream security delivers before any OT-side control is applied.

Disruption in OT environments becomes consequential through governable structures. Contact points are the boundary crossings through which an external condition enters the environment. Dependencies are the system relationships that determine how far a condition propagates once inside. Modification capacity is the access through which a compromised position can alter the behaviour of a consequential function. Degraded recovery is the condition in which the mechanisms assumed to restore normal operation are unavailable or unverified. Loss of diagnosability is the condition in which the environment can no longer determine its own state. Coverage logic does not derive its control requirements from these structures. A program built on catalog-derived controls has no category for the pathways through which consequence is reached. It records deployment.

That distinction produces measurement failures that are invisible to the score. A firewall configured to allow all traffic is a control in place. A centralised backup platform with inbound credentials and write access to every protected system, and a pull-based system with device-initiated outbound transfer, both deliver backup capability. Coverage records both identically. The mechanism through which the capability is delivered, the exposure it introduces, and whether the control intercepts any credible pathway to consequence are not represented. A coverage score cannot distinguish between protection concentrated on the most critical functions and protection spread uniformly across the full surface. A site optimised for consequence and a site optimised for catalog compliance can produce identical scores.

The deeper property behind that failure is the assumption that deployment equals enforcement. The coverage model optimises for what can be demonstrated to a governance audience. Demonstrability favours presence over enforcement: a deployed control is visible, a constrained pathway is not. Because enforcement is assumed rather than verified, measurement and protection state can diverge without the program detecting the divergence.

Coverage programs have no instrument for operational decay as a separate failure category. Decay does not present as a missing control. The control is recorded as present. What has changed is the foundation condition the control depends on. The firewall exists, but the network topology it was designed to segment has drifted. The backup system runs, but the restore path has not been validated against the current system state. The certificate authority is documented, but the certificates it issues have begun to lapse without renewal. Each control is present. Each control’s effectiveness depends on a foundation condition the coverage model does not examine. Foundation condition decay is not visible to coverage measurement because coverage measurement was not designed to see it.

Effective IT security reduces the threat population that arrives at the IT/OT boundary before any OT-side control is applied. That reduction is real and materially changes what boundary investment needs to deliver. It does not appear in OT maturity scores, OT gap lists, or OT program reviews. The result is a systematic distortion: for organisations with mature IT security, the perceived size of the OT security problem is larger than the actual one, and investment decisions are correspondingly over-specified on the OT side and under-credited on the IT side. Coverage measurement cannot represent a threat reduction it did not produce.

A coverage score is a record of deployment decisions. It is not a representation of the protection state of the environment.
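To make the measurement gap concrete, here is a constructed two-site model (an added example, not the paper's own): a catalog coverage score that counts control presence is placed beside a reachability check from contact points to a consequential function, with an allow-all firewall, lapsed conduit certificates and a push-based backup server standing in for the deployment, decay and management-infrastructure cases described above. The system names, catalog categories and site layouts are invented for illustration.

```python
# Constructed two-site model (an added example, not the paper's own): a catalog coverage
# score placed beside a pathway check. Site layouts, system names and categories are invented.
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Control:
    name: str
    kind: str                                 # catalog category the coverage score counts
    edge: Optional[Tuple[str, str]] = None    # (src, dst) link it constrains; None = host-level
    enforced: bool = True                     # deployment vs enforcement: allow-all firewall -> False
    foundation_ok: bool = True                # decayed foundation condition (lapsed certs) -> False

@dataclass
class Site:
    name: str
    links: Set[Tuple[str, str]]   # dependencies: how a condition propagates once inside
    contact_points: Set[str]      # boundary crossings where an external condition enters
    consequential: Set[str]       # functions at which consequence is reached
    controls: List[Control]

CATALOG = {"firewall", "backup", "pki", "edr", "remote_access"}

def coverage_score(site: Site) -> float:
    """What a coverage program records: fraction of catalog categories present."""
    present = {c.kind for c in site.controls}
    return len(present & CATALOG) / len(CATALOG)

def reach(links: Set[Tuple[str, str]], starts: Set[str]) -> Set[str]:
    """Breadth-first reachability over directed links, starting set included."""
    adj = {}
    for src, dst in links:
        adj.setdefault(src, []).append(dst)
    seen, queue = set(), deque(starts)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(adj.get(node, []))
    return seen

def effective_links(site: Site) -> Set[Tuple[str, str]]:
    """Links still open: a control removes its link only if it is enforced AND its
    foundation condition is intact. Presence alone changes nothing here."""
    blocked = {c.edge for c in site.controls
               if c.edge is not None and c.enforced and c.foundation_ok}
    return site.links - blocked

def reachable_consequence(site: Site) -> Set[str]:
    """Protection state: consequential functions still reachable from a contact point."""
    return reach(effective_links(site), site.contact_points) & site.consequential

def burden_only_controls(site: Site) -> List[str]:
    """Link-level controls on no contact-point-to-consequence pathway: obligation only."""
    forward = reach(site.links, site.contact_points)
    backward = reach({(dst, src) for src, dst in site.links}, site.consequential)
    return [c.name for c in site.controls if c.edge is not None
            and not (c.edge[0] in forward and c.edge[1] in backward)]

# Site A: all five categories present, but the DMZ firewall is allow-all, the conduit
# PKI's certificates have lapsed, and a push-based backup server with inbound write
# access adds a second pathway from corporate IT to the PLC.
SITE_CATALOG = Site(
    name="catalog-optimised",
    links={("corp_it", "dmz"), ("dmz", "hmi"), ("hmi", "plc"),
           ("corp_it", "backup_srv"), ("backup_srv", "plc"), ("lab", "printer")},
    contact_points={"corp_it"},
    consequential={"plc"},
    controls=[
        Control("fw_dmz_hmi", "firewall", ("dmz", "hmi"), enforced=False),
        Control("fw_lab", "firewall", ("lab", "printer")),   # governs no pathway
        Control("backup_push", "backup"),
        Control("pki_conduit", "pki", ("corp_it", "dmz"), foundation_ok=False),
        Control("edr_agents", "edr"),
        Control("vendor_gateway", "remote_access"),
    ],
)

# Site B: the same five categories, boundary controls enforced, and a pull-based backup
# (device-initiated outbound transfer) that adds no inbound link.
SITE_CONSEQUENCE = Site(
    name="consequence-optimised",
    links={("corp_it", "dmz"), ("dmz", "hmi"), ("hmi", "plc"), ("plc", "backup_srv")},
    contact_points={"corp_it"},
    consequential={"plc"},
    controls=[
        Control("fw_dmz_hmi", "firewall", ("dmz", "hmi")),
        Control("backup_pull", "backup"),
        Control("pki_conduit", "pki", ("corp_it", "dmz")),
        Control("edr_agents", "edr"),
        Control("vendor_gateway", "remote_access"),
    ],
)

if __name__ == "__main__":
    for site in (SITE_CATALOG, SITE_CONSEQUENCE):
        print(site.name, coverage_score(site), reachable_consequence(site),
              burden_only_controls(site))
```

Both sites score 100% on the catalog; only the reachability result and the burden-only list separate the site on which the PLC is still reachable from corporate IT from the one on which it is not.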

How the compliance burden consumes the capacity to address structural gaps

Distorted measurement produces distorted allocation. Where the metric cannot distinguish between protection that is necessary and protection that is demonstrable, investment follows the demonstrable. The protect-everything posture produces a catalog without a natural boundary: every layer requires protection because any layer could be the entry point. Under a fixed operational budget, a catalog bounded by scope rather than by the consequence profile of the environment spreads engineering capacity across the full control surface. Whether the primary failure modes have been adequately addressed remains unknown.

Every control is a permanent operational obligation. Patching, firmware maintenance, backup verification, access review, vulnerability tracking, vendor support, alert triage, lifecycle replacement, incident response. The catalog rewards deployment. It does not reward verification of enforced effect. Every control added extends the obligation. The burden compounds with the accumulated total of everything already in place.

At scale, managing these obligations drives programs toward centralised mechanisms: backup orchestration platforms, endpoint detection agents, patch management infrastructure, remote monitoring. The function each performs cannot be delivered without crossing zone boundaries. Cross-boundary access is not a configuration choice a better implementation avoids. It is a structural requirement of the function itself. Each mechanism introduces privileged inbound access paths by design. Coverage records them as controls. The program cannot detect that its management infrastructure has widened the governed exposure position, because the tools widening that position appear on the protection side of its own ledger. The infrastructure required to sustain the coverage program becomes part of the exposure it was intended to reduce, and the program’s own measurement confirms it is working.

The operational fragility extends beyond the attack surface argument. Assume-breach posture mandates components distributed across the estate: agents, monitoring platforms, management infrastructure, update channels, centralised services. Each depends on other systems to remain healthy: license servers, certificate authorities, network connectivity, identity infrastructure, vendor support. The failure space is combinatorial, not linear. Update channels fail silently. Monitoring agents stop reporting without generating alerts. Backup jobs complete without producing restorable state. None of these failures requires an adversary. The coverage program’s own execution layer generates operational risk it cannot see and does not count.

A coverage program executing an unbounded exposure assumption tends toward greater exposure over time, not less. The compounding burden grows as the catalog expands. Management infrastructure expands with it. As staff turn over, the contextual judgment they held about site-specific conditions leaves with them. The gap between reported state and actual protection state widens with each assessment cycle. The program reports improving metrics while the structural conditions that determine resilience accumulate deferred maintenance, unverified dependencies, and ungoverned exposure.

The defining property of the coverage model over time is not stagnation.

It is divergence: between reported state and actual protection state.

This is not a function of poor implementation. It is a property of the model. A system that expands obligation faster than it can verify enforced effect cannot converge toward adequacy regardless of how completely it is executed. Better tooling increases the precision of measurement. Stronger governance increases the scale of execution. Neither changes the direction of travel.

The coverage score provides continuous forward progress signal regardless of whether the structural exposure position is improving or deteriorating. Management is not managing risk. It is managing a score. The signal that would otherwise create urgency, the one that would surface the question of whether direction corresponds to actual improvement, is removed by the model itself.

Management receives metrics. The engineer carries reality.

That asymmetry is not a communication failure. The model does not fail to communicate risk. It structurally prevents risk from being expressed in a form governance can recognise. Risk is displaced downward as a result. The engineer working within the environment understands which conditions are nominal rather than enforced, which dependencies are unverified, which pathways remain open despite coverage metrics indicating closure. That knowledge has no representation in the governance model. It cannot be recorded, reported, or acted upon within the structures that define program success. Where the model cannot represent a class of risk, that risk becomes unowned.

The same divergence that makes the program’s protection state opaque during normal operation makes incident response harder to execute when something goes wrong. Incident response in OT requires rapid determination of which systems are affected, which dependencies are compromised, which pathways are live, and which functions can be isolated without producing operational consequence. That determination depends on an accurate model of the environment: verified system relationships, known dependency structures, documented communication patterns, and understood trust boundaries. A coverage program does not require that model and does not build it.

The complexity the coverage program has introduced compounds the response problem directly. Every management mechanism added to service the catalog at scale, every agent, orchestration platform, monitoring collector, and update channel, creates a dependency the response team must account for under incident conditions. The dependency structure that was opaque before the incident is more opaque during it, because the management infrastructure the program introduced has added relationships and trust paths that were not present in the original architecture. The responder inherits not just the original environment but the environment plus everything the program added to it.

From the outside, a mature coverage program looks like progress. The audit artifacts are complete. The compliance evidence is current. The gap list is being worked. The maturity score is improving. The structural exposure is not visible through any of those instruments. That hidden failure has no natural endpoint within the coverage model, because the model has no stopping point derived from consequence.

The stopping point problem

The coverage model has no stopping point derived from consequence. The control catalog defines what must be done but not when enough has been achieved. This is not a design oversight. The model executes assume-breach as an unbounded requirement, and an unbounded exposure assumption produces an unbounded obligation by construction. Adding a stopping point requires bounding the exposure assumption first, and bounding the exposure assumption requires the architectural verification that assume-breach posture rules out as a precondition. The stopping point problem cannot be solved from inside the model. The result is not insufficient protection but structurally misallocated protection: investment distributed across an unbounded catalog rather than concentrated on the pathways that matter most.

Process safety engineering has a discipline for exactly this. Relief valves, containment areas, emergency shutdown systems, and independent protection layers are each placed where they address a specific failure mode on a specific pathway to harm. Each barrier reduces the requirement for the next. Investment terminates where the residual risk falls within the accepted tolerance. Process safety can terminate investment because it bounded the problem architecturally first. The safety case defines what is independent, what is constrained, and what the worst credible consequence is. That architectural bounding is what makes the stopping point derivable.

What is being imported from process safety is the investment logic, not the practice: the principle that barriers can be placed against specific failure modes on specific pathways to consequence, and that investment can be bounded by a consequence-derived ceiling rather than run against an unbounded catalog. The analogy does not require cyber scenarios to have process safety’s data quality. It requires only that investment be placed against pathways to consequence and bounded by the protection already provided by independent barriers.

Without an equivalent mechanism, a coverage program cannot produce a defensible answer to the question that should govern security investment: whether the most important exposures have been governed to a tolerable residual. That is the condition the questions in the following section are designed to surface. The coverage model cannot derive that answer because it never establishes what it is trying to bound.

Three questions coverage cannot answer

Three questions determine whether security investment is producing resilience or consuming the capacity for it. A coverage program cannot answer any of them.

The first question: are the controls in place protecting against threats that can actually reach consequential functions, or are they adding maintenance burden against pathways that do not exist in this environment? A coverage artifact records control presence against a catalog. It does not record whether any given control sits on a pathway to consequence or whether that pathway exists at all in this site’s specific architecture. A control with no credible threat pathway behind it is not neutral. It is a permanent operational obligation: patching, verification, lifecycle management, alert triage. It consumes the engineering capacity that would otherwise address conditions that matter. The catalog grows. The burden compounds. The controls that are adding burden rather than reducing exposure are indistinguishable from the controls that are doing both.

The second question: is the consequence ceiling the program operates under verified or assumed? Every security investment model implies an answer to the question of how bad the worst outcome can be. Under an unbounded assume-breach posture, that answer is never made explicit: every compromise is treated as potentially catastrophic because no architectural condition has been verified to limit how far it can propagate. In practice, most industrial environments have physical or architectural constraints that bound the worst credible consequence. Those constraints either hold or they do not, and whether they hold is a question the coverage model never asks. In safety-defined environments, the safety case defines which protection layers are independent and which architectural conditions prevent control system compromise from alone producing the worst outcome. A coverage program records safeguard presence. It does not verify that the independence those safeguards depend on has not been degraded by integration decisions made after the original engineering. In environments without a formal safety case, the physical process still defines what simultaneous failure conditions produce the worst outcome, and whether those conditions are independent of control system state is still an assessable architectural question. Where the ceiling is assumed rather than verified, every exposure analysis defaults to worst case and the investment requirement is unlimited. Where it is verified, investment can be bounded by what is actually reachable within the confirmed architectural condition. The coverage program has no instrument for making that determination either way.

The third question: is the complexity the program has introduced improving resilience or reducing it? Every management mechanism deployed to service the catalog at scale requires cross-boundary access. Every agent, orchestration platform, and centralised service introduces a dependency the environment did not previously have. Each is recorded as a control. None is recorded as an exposure. A program that has added significant catalog coverage may have simultaneously widened the pathways to consequence it was deployed to reduce. Coverage measurement has no instrument for this direction of travel. The program cannot determine from its own outputs whether it is net positive or net negative for the resilience of the environment it governs.

These are not questions a better coverage score can answer. They require a different unit of analysis: the pathway by which consequence is reached, the dependency structure that determines whether protection layers are genuinely independent, and an explicit account of what the program has introduced alongside what it has constrained. The coverage model was not built to ask them.

They are also the questions a proportionality-based regulatory framework will ask. The practitioner who cannot answer them from inside the coverage program will not be able to answer them to a regulator either. The evidentiary gap is the same gap.

The regulatory dimension

NIS2 Article 21’s requirement for appropriate and proportionate risk management measures asks whether the operator can demonstrate that risks have been identified, assessed, owned, and governed in the specific operational environment. The evidence coverage produces is incomplete in a specific way: it demonstrates that a program exists and that controls were deployed. It does not demonstrate that the program was calibrated to the environment it governs, that consequence was assessed, or that the organisation has a documented position on what exposure it has consciously accepted.

The more demanding obligation is Article 20, and the distinction matters. Article 21 asks whether appropriate and proportionate risk management exists. Article 20 asks whether the management body understands, approves, and owns what that risk management has determined. These are different obligations with different evidentiary requirements. A maturity score demonstrates that a program exists. It does not demonstrate that the management body understands the consequence position the program is governing, what exposures have been accepted, or on what basis. Coverage logic produces partial evidence for Article 21 and almost none for Article 20.

The three questions the coverage model cannot answer map directly onto this evidentiary gap. Whether controls address real threat pathways is a proportionality question: Article 21 asks for measures appropriate to the risk, which requires a record that the risk was derived from the specific environment. Whether program complexity is improving or reducing resilience is a governance question that must be answered before either article can be satisfied: an organisation that cannot determine whether its program is net positive or net negative for resilience cannot demonstrate proportionate risk management to Article 21 or meaningful oversight to Article 20. Whether the consequence ceiling is verified or assumed is an ownership question: Article 20 requires the management body to understand what the program has determined about the worst reachable consequence, which requires that determination to have been made and documented at the level of architectural condition rather than assumed from posture.

A consequence-derived investment model closes all three gaps simultaneously. Pathway assessments and governed exposure records satisfy Article 21’s proportionality requirement by demonstrating that risk management was derived from the specific operational environment. Management acceptance records with operational consequence language satisfy Article 20 by demonstrating that the management body understood and owned the decisions the assessment produced. The organisations best positioned when proportionality-based enforcement develops are not those with the highest coverage scores. They are those that can demonstrate the consequence position their program has governed and the ownership structure that sits behind it.

What the diagnosis points toward

The three questions coverage cannot answer map directly to the four conditions a corrected investment logic must satisfy.

Whether controls address real threat pathways or add maintenance burden against pathways that do not exist requires a stopping point derived from consequence: a verified condition at which the most important exposures have been governed and remaining work sits below them in a known consequence order. Without that stopping point, the program cannot determine whether its investment is concentrated on what matters or distributed across what is merely catalogued.

Whether the consequence ceiling is verified or assumed requires both pathway derivation and explicit ownership of accepted exposure. Pathway derivation means controls are present because a specific pathway requires them and absences are documented because no assessed pathway requires them. Explicit ownership means every unresolved condition is named to a responsible owner who understands what they are accepting at the level of operational consequence. This is the mechanism by which risk moves from the engineer who identified it to the manager who is accountable for it. Without both conditions, the ceiling remains an assumption the program has never examined and the organisation has never owned.

Whether the complexity the program has introduced is improving resilience or reducing it requires condition verification rather than control presence: demonstrated enforcement observed at the operational system, not asserted in documentation, and a recovery model built from verified system structure rather than accumulated management infrastructure. Without condition verification, the program cannot determine whether the controls it has deployed are producing the protective conditions they were deployed to establish, or whether the infrastructure servicing them has widened the exposure they were meant to reduce.

In environments where the coverage model is the primary investment logic, these conditions describe the default state. The organisation running a mature coverage program is not choosing to accept structural exposure. The model is accepting it on their behalf by being unable to surface it. The consequence ceiling the safety case depends on may already have been degraded by integration decisions the coverage program never examined.

These are the four conditions, in the order the companion document operationalises them: condition verification rather than control presence, pathway derivation rather than catalog coverage, a stopping point derived from consequence, and explicit ownership of accepted exposure. The argument for why they are necessary is what this paper has carried.

What makes the alternative tractable

The structural properties that make the coverage model fail are the same properties that make an alternative tractable.

The coverage model fails in OT because genuine architectural layering exists that assume-breach ignores. That same layering is what makes a consequence ceiling derivable. Consequence varies significantly by zone. A loss of control in a safety-instrumented process and a disruption to operational support infrastructure are not the same category of event. That variance makes a stopping point achievable: once the highest-consequence exposures are governed, the remaining work sits below them in a known consequence order. The program can terminate at a defensible position rather than running indefinitely against an unbounded catalog.

For process industry environments operating under functional safety regulation, the consequence ceiling is partially constituted before the security assessment begins. The safety case defines which functions are independent and which certified protection layers bound unacceptable consequence. Where those independent protection layers hold, no control system compromise alone produces the worst credible outcome. That architectural condition converts an otherwise unbounded problem into a bounded one. The question shifts from preventing every possible consequence to governing what is reachable within a verified ceiling. Without that ceiling, every exposure analysis tends toward worst case and the investment requirement is unlimited. With it, the analysis is tractable. Where independence has been degraded, that degradation is the primary investment target: the load-bearing condition the safety case depends on, and the primary unexamined exposure in a coverage program that never asked whether independence assumptions were real. In environments without a formal safety case, the same architectural question applies: whether physical or process constraints prevent control system compromise from alone producing the worst credible outcome, and whether those constraints remain intact.

OT communication patterns are deterministic, asset populations are relatively static, and legitimate traffic is predictable. A governed boundary in this environment does not need to accommodate the continuous churn that makes IT boundary governance difficult to sustain. That structural simplicity is what makes a bounded exposure posture operationally feasible in OT where it is not in IT. IT environments require the assume-breach posture because their architecture does not provide reliable layering to bound it. OT environments do not need to inherit that requirement when their architecture can be verified to provide it.

These are not properties a framework imposes on the environment. They are properties the environment already has. The coverage model does not use these properties. It cannot: assume-breach posture rules out the architectural verification that would allow them to be bounded and used. A consequence-derived investment model is built on them. The bounded exposure posture, the position that compromise reach can be constrained by verified architectural conditions and that investment can be sized to what those conditions establish as reachable, is the inverse of assume-breach. OT environments have the structural properties this posture requires. IT environments do not.
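As an added illustration of the investment logic in this section and of the four conditions summarised above (it is not code from the paper or from the framework it references), the following Python model derives a stopping point from a consequence ceiling that is either verified or assumed. The consequence ranks, pathway names and ownership values are constructed sample data, not values from any real site.

```python
from dataclasses import dataclass
from typing import Optional

# Site-specific consequence order (constructed sample ranks; a real site derives its own).
CONSEQUENCE_RANK = {"loss_of_safety_function": 4, "loss_of_control": 3,
                    "loss_of_view": 2, "support_disruption": 1}

@dataclass
class Pathway:
    name: str                    # route by which consequence is reached
    consequence: str             # key in CONSEQUENCE_RANK
    governed: bool               # enforcement observed at the system, not asserted on paper
    owner: Optional[str] = None  # named owner who accepts an ungoverned residual

@dataclass
class ConsequenceCeiling:
    worst_credible: str          # worst outcome reachable while independent layers hold
    independence_verified: bool  # independence checked against the current architecture

def effective_ceiling(ceiling: ConsequenceCeiling) -> str:
    """An assumed ceiling collapses to worst case; only a verified one bounds the analysis."""
    return ceiling.worst_credible if ceiling.independence_verified else "unbounded"

def stopping_point(pathways, ceiling, tolerance):
    """Return (reached, report): the program may stop when every pathway above the
    tolerance is governed and every residual at or below it has an explicit owner."""
    report = {"ceiling": effective_ceiling(ceiling), "blocking": [], "accepted": [], "unowned": []}
    if report["ceiling"] == "unbounded":
        return False, report     # no stopping point can be derived from an assumed ceiling
    limit = CONSEQUENCE_RANK[tolerance]
    for p in sorted(pathways, key=lambda p: CONSEQUENCE_RANK[p.consequence], reverse=True):
        if p.governed:
            continue
        if CONSEQUENCE_RANK[p.consequence] > limit:
            report["blocking"].append(p.name)             # above tolerance: govern first
        elif p.owner:
            report["accepted"].append((p.name, p.owner))  # below tolerance and owned
        else:
            report["unowned"].append(p.name)              # below tolerance, nobody accepted it
    return (not report["blocking"] and not report["unowned"]), report

# Constructed sample site: the same pathways judged under an assumed and a verified ceiling.
SAMPLE_PATHWAYS = [
    Pathway("engineering-workstation-to-SIS", "loss_of_safety_function", governed=True),
    Pathway("historian-to-PLC-write", "loss_of_control", governed=True),
    Pathway("remote-support-jump-host", "loss_of_view", governed=False, owner="plant-manager"),
    Pathway("patch-server-to-DMZ", "support_disruption", governed=False),
]
ASSUMED = ConsequenceCeiling("loss_of_control", independence_verified=False)
VERIFIED = ConsequenceCeiling("loss_of_control", independence_verified=True)
```

Under the assumed ceiling the function refuses to derive a stopping point at all; under the verified one it reports the single unowned residual as the remaining gap rather than the catalog as a whole.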

What follows

The Sequenced OT Resilience Framework, published alongside this paper, instantiates each of these requirements as an assessable investment sequence for brownfield industrial environments. The consequence ceiling provides the stopping point. Contact boundary assessment provides pathway derivation. Governed exposure mechanics enforce explicit ownership. Constraint verification, observed at the operational system, replaces presence-based confirmation.

A governed site operating at a consequence-derived stopping point will carry gaps against the coverage catalog. Those gaps are documented, owned, and below the threshold of material exposure. That is the correct state. The framework specification defines what it looks like.

The difference is not in how much is done, but in whether what is done can be shown to constrain the paths through which consequence is reached. That is the unit the coverage model cannot represent. Without it, the model cannot govern what it measures.