security control

A security control is a specific safeguard or countermeasure used to reduce information security risk for systems, data, and operations. In industrial and manufacturing environments, security controls are applied to both IT and OT systems to protect confidentiality, integrity, and availability of information and to manage cyber-physical risks.

What a security control includes

Security controls commonly fall into three categories:

  • Technical measures, such as access controls, encryption, network segmentation, firewalls, endpoint protection, and logging/monitoring.
  • Administrative (procedural) measures, such as policies, standard operating procedures, account management processes, training, and incident response playbooks.
  • Physical measures, such as locked cabinets, badge access, visitor management, and environmental protections for critical equipment.

Each control should be defined, documented, assigned an owner, and implemented in a way that can be tested or assessed. Controls are often grouped into control families in standards and frameworks.

Security controls in manufacturing and OT

In manufacturing and other regulated operations, security controls apply to:

  • OT and industrial control systems (PLCs, DCS, SCADA, historian servers, sensors and actuators).
  • Manufacturing IT systems such as MES, ERP, LIMS, QMS, and data collection platforms.
  • Interfaces between OT and IT, including gateways, OPC servers, and integration buses.

Examples include role-based access control for MES users, network zoning between plant floor and corporate networks, multi-factor authentication for remote maintenance, and procedures for managing software changes on validated systems.

Security controls and frameworks (including NIST SP 800-53)

Many organizations select and describe security controls using established frameworks. One commonly referenced framework is NIST Special Publication 800-53, which organizes hundreds of security and privacy controls into control families (such as access control, configuration management, and incident response). Within such frameworks:

  • Each security control is a discrete requirement or safeguard.
  • Control families are thematic groupings of related controls.
  • Actual use of a control depends on scoping and risk assessment, particularly for manufacturing and OT systems.

In regulated environments, selected security controls are typically traced to documented risk assessments, implementation records, and verification or validation evidence.

Common confusion

  • Security control vs. control family: A security control is a single safeguard or requirement. A control family is a category that groups multiple related controls.
  • Security control vs. process control: Process control manages how equipment and processes operate (for example, PID loops on a line). A security control manages cyber and information security risk, even though it may affect how process control systems are accessed or configured.

Operational use

In practice, security controls show up in workflows as:

  • Items in policies, standards, and work instructions.
  • Configuration settings in systems and network devices.
  • Steps in change control, access provisioning, backup, and incident handling processes.
  • Checklist items in audits, risk assessments, and vendor evaluations.

Organizations often maintain a control catalog or matrix that maps each security control to systems, owners, and evidence sources, which is particularly relevant during internal and external assessments.
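As an added illustration (not from the original page), a small Python model of such a control matrix that flags the gaps an assessor would ask about: controls with no owner or no evidence source, and in-scope systems with no control mapped to them at all. Control IDs follow the NIST SP 800-53 family-prefix convention; all systems, owners and evidence names are constructed sample data.

```python
# Control matrix gap check: added example, not the glossary's own tooling.
# Each control is mapped to a NIST SP 800-53 family (via its ID prefix), the
# systems it covers, an owner and evidence sources, as the matrix described
# above. Control IDs, systems and owners below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str                     # e.g. "AC-2": family prefix + number
    description: str
    systems: list[str]                  # systems the control is applied to
    owner: str = ""                     # empty = no owner assigned
    evidence: list[str] = field(default_factory=list)  # where proof lives

    @property
    def family(self) -> str:
        # Control family is the prefix before the dash, e.g. "AC".
        return self.control_id.split("-")[0]


# Constructed sample matrix for a plant with both IT and OT assets.
MATRIX = [
    Control("AC-2", "Role-based accounts for MES users", ["MES"], "IT Apps", ["MES role export"]),
    Control("IA-2", "MFA for remote maintenance", ["Jump host"], "OT Security", ["VPN MFA policy"]),
    Control("SC-7", "Plant floor / corporate zoning", ["Firewall", "PLC", "Historian"], "Network", ["Firewall ruleset"]),
    Control("CM-3", "Change control on validated systems", ["MES", "Historian"], "", ["Change tickets"]),
    Control("AU-6", "Security log review", ["Historian", "MES"], "SOC", []),
]
ALL_SYSTEMS = {"MES", "Jump host", "Firewall", "PLC", "Historian", "ERP"}


def unowned(matrix):
    """Controls violating the 'assigned an owner' requirement."""
    return sorted(c.control_id for c in matrix if not c.owner)

def without_evidence(matrix):
    """Controls that cannot be assessed: no evidence source recorded."""
    return sorted(c.control_id for c in matrix if not c.evidence)

def uncovered_systems(matrix, systems):
    """In-scope systems with no control mapped to them at all."""
    covered = {s for c in matrix for s in c.systems}
    return sorted(systems - covered)

def by_family(matrix):
    """Group control IDs into their control families (AC, CM, IA, ...)."""
    groups = {}
    for c in matrix:
        groups.setdefault(c.family, []).append(c.control_id)
    return groups
```

Running the four checks over `MATRIX` yields the assessment findings directly: CM-3 has no owner, AU-6 has no evidence source, and ERP is in scope but has no control mapped to it.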
