The checklist problem behind critical infrastructure cyber safety

An asset owner can meet major federal cyber compliance standards and still run equipment that lacks the engineering to withstand an attack or a failure. New research from George Mason University examines how United States cyber policy defines reasonable care for systems that control physical processes, and it finds that compliance has become a stand-in for safety.

The work covers operational technology in critical infrastructure: industrial controls, medical devices, transportation systems, and building automation, where a software failure can produce physical harm. Its argument centers on a gap between data-centric IT security and the physics of the systems that policy now governs the same way.

Security controls that introduced physical hazards

A 2025 survey conducted by Merrill Research found that 69% of defense contractors claimed compliance with NIST SP 800-171. Only 30% passed a verified assessment. Compliance records and engineering quality have moved apart, and the documentation continues to stand in for the safety it was meant to certify.

The paper documents cases where a control meant to protect a system produced a physical hazard.

Account lockout policies…
