A Quantitative Assessment of Cybersecurity Frameworks for Industrial Control Systems in Critical Energy Infrastructure

Abstract

This study investigates the effectiveness of cybersecurity frameworks in enhancing Industrial Control System security within critical energy infrastructure, addressing the problem that many organizations adopt frameworks formally without achieving consistent operational protection. The purpose is to provide a quantitative evaluation of how cybersecurity framework adoption influences measurable security outcomes across ICS environments. A quantitative, cross-sectional, case-study–based design was applied using a structured Likert-scale survey, with a final valid sample of 210 professionals from cloud-integrated and enterprise energy environments including SCADA, OT networks, and smart grid systems. Key variables included cybersecurity framework adoption, governance and compliance, risk management practices, threat detection capability, incident response effectiveness, operational resilience, and overall ICS cybersecurity performance. Data analysis was conducted using descriptive statistics, reliability testing, Pearson correlation, and multiple regression modeling. Findings reveal that cybersecurity framework adoption achieved a high mean score of 4.12 and significantly predicted ICS cybersecurity performance, with a strong correlation (r = 0.71, p < 0.001) and the highest regression effect (β = 0.31, p < 0.001). The regression model explained 64.3% of the variance (R² = 0.643), confirming strong explanatory power. Governance and compliance (β = 0.24), threat detection capability (β = 0.21), risk management (β = 0.18), incident response (β = 0.16), and operational resilience (β = 0.14) were all significant predictors. The ICS maturity index indicated a managed level (M = 4.03), while readiness gap analysis highlighted weaknesses in recovery capability (gap = -0.18) and IT/OT segmentation. These results imply that cybersecurity frameworks significantly enhance ICS security when implemented with strong governance, detection, and resilience practices rather than as compliance tools. The study contributes practical and theoretical insights by validating a TOE-based model and emphasizing the need for improved recovery planning and operational resilience in energy-sector cybersecurity.