In late 2025, a coordinated cyberattack disrupted parts of Poland’s power grid, affecting renewable energy plants and industrial control systems despite extensive monitoring and logging in place.
That incident did not stem from a lack of visibility. It stemmed from the fact that visibility does not act as a control mechanism; seeing activity after it happens does not stop it from occurring.
In many industrial environments, access activity is thoroughly logged. Sessions are recorded, actions are traceable, and audit trails are available when incidents are reviewed. Yet attacks still succeed, and operations suffer. The reason lies in an assumption inherited from IT security: that visibility equates to control.
Approval-based access control is built on the expectation that the conditions present at approval time will remain valid when work is carried out. In IT environments, this expectation often holds. Approval and execution occur close together, systems behave predictably, and changes are usually reversible.
OT operations follow a different pattern. Maintenance windows shift. Equipment states evolve. Task scopes expand under operational pressure. Additional personnel may become involved after approval is granted. By the time access is exercised, the original conditions may no longer exist, even though the approval record remains valid.
The approval still exists. The context does not.
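The drift described above, as an added example that is not part of the original article: the same approval record is evaluated by a log-only model and by a check made at the moment access is exercised. All class, field and function names, and the sample work order, are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Approval:  # conditions recorded at approval time (hypothetical fields)
    task_id: str
    person: str
    asset: str
    asset_state: str
    window_start: datetime
    window_end: datetime

@dataclass(frozen=True)
class AccessAttempt:  # conditions observed when access is exercised
    task_id: str
    person: str
    asset: str
    asset_state: str
    at: datetime
    task_open: bool  # False once the work order is closed

def context_drift(approval, attempt):
    """Return the approved conditions that no longer hold."""
    drift = []
    if (attempt.task_id, attempt.asset) != (approval.task_id, approval.asset):
        drift.append("scope")
    if attempt.person != approval.person:
        drift.append("person")
    if not (approval.window_start <= attempt.at <= approval.window_end):
        drift.append("window")
    if attempt.asset_state != approval.asset_state:
        drift.append("asset_state")
    if not attempt.task_open:
        drift.append("task_closed")
    return drift

def log_only(approval, attempt):
    """Approval-time model: the record is valid, so access proceeds; drift is only logged."""
    return True, context_drift(approval, attempt)

def enforce(approval, attempt):
    """Execution-time model: any drift denies access before the action runs."""
    drift = context_drift(approval, attempt)
    return not drift, drift

# Constructed sample: approval for a stopped pump during a two-hour window.
T0 = datetime(2026, 1, 10, 8, 0)
APPROVAL = Approval("WO-1", "alice", "pump-7", "stopped", T0, T0 + timedelta(hours=2))
# Constructed attempt: window slipped, pump running again, a colleague reuses the access.
LATE = AccessAttempt("WO-1", "bob", "pump-7", "running", T0 + timedelta(hours=5), True)
```

Both models see the same three drifted conditions for `LATE`; only `enforce` turns them into a denial before the action takes effect.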
In traditional IT systems, logging and monitoring evolved alongside controls that could tolerate delay. A suspicious event might be analysed hours after it occurs, and corrective actions imposed without severe impact. Under those conditions, visibility feels actionable.
Operational technology environments behave differently. Industrial systems run continuously, tolerate little disruption, and involve physical processes where actions take effect immediately. When a log entry is created, the action it records has already occurred. That recording cannot undo the consequence.
Logs explain behaviour after execution; they do not shape behaviour at the moment access is exercised.
The difference between recording and controlling is structural. Logs are generated during or after execution, not before. Many OT assets produce limited or inconsistent telemetry, making comprehensive visibility difficult even in mature environments. Where data volumes are high, operational teams often face more signals than they can interpret in time.
Most importantly, logs do not bind access to intent or context. They record that an action happened, but not whether it should have been allowed under current operational conditions. Visibility answers what happened; control determines what must not be allowed to happen.
Relying on logging as a compensating control shifts risk management downstream. Unsafe access events are detected rather than prevented. In OT environments, that distinction has direct operational consequences.
According to the Global Cybersecurity Outlook 2026 from the World Economic Forum, cyber risks are accelerating and evolving rapidly, driven in part by emerging technologies and a complex threat landscape. While the report covers broad trends, its findings underscore a fundamental theme: gaps between awareness and action persist in cybersecurity.
Organisations increasingly recognise risk, but visibility alone does not translate into control at the point where access decisions are made.
This is not a data problem; it is a control problem.
Logs and monitoring remain essential. They support accountability, forensic investigation, and compliance. What they cannot do is replace preventative control.
Visibility can tell you who acted and when. It cannot ensure that access expired with the task. It cannot prevent inherited permissions from being reused. It cannot align execution with operational conditions in real time. Treating visibility as control confuses evidence with enforcement.
In OT access, that confusion is costly.
Visibility improves understanding, but control shapes outcomes. Logging can explain what happened after the fact. It does not constrain what is allowed to happen at the moment access is exercised. When decisions are made upstream and reviewed downstream, operational risk sits in between.