Compensating controls in OT environments are alternative security measures when risks posed by vulnerabilities can't be patched immediately.

In OT environments, systems often cannot be taken offline for updates due to their critical role in infrastructure and production processes. Compensating controls secures the OT environment and reduces the risk until the vulnerability can be fully remediated using permanent solutions, such as patches or hardware replacements.

The following table describes certain scenarios where compensating controls helps in reducing risk:

Table 1. Use cases scenarios for compensating controls

Use case scenario	Compensating controls
Unauthorized access to programmable logic controllers (PLCs).	Implement access control lists (ACLs) on network devices. Disable unused ports and services on PLCs. Implement strong passwords and authentication mechanisms.
Buffer Overflow in Human Machine Interfaces (HMI) Panels	Apply firmware updates released by HMI panel manufacturer. Enable hardware watchdog timers for fail-safe operations. Implement boundary checks in the application code.
Man-in-the-Middle Attacks on PROFINET	Use encrypted communications via VPNs or IPsec. Configure PROFINET with secure certificates. Implement network segmentation with firewalls.
Denial of Service (DoS) on SCADA Systems	Enable rate-limiting on critical OT network components. Configure SCADA systems for redundancy and load balancing. Apply security patches provided by Siemens.
Malware Infection on Engineering Workstations	Install and regularly update manufacturer recommended anti-malware software. Apply application allow list to prevent unauthorized software execution. Use secure removable media policies.