Cybersecurity pillar
Operational technology security
Protect converged IT/OT environments by aligning NIST SP 800-82r3 architecture patterns, IEC 62443-3-3 security levels, CISA CPG 2.0 safeguards, and ATT&CK for ICS detections. (References: NIST SP 800-82r3; IEC 62443-3-3; CISA CPG 2.0; MITRE ATT&CK for ICS)
Architect for segmentation and safety
Design network zones and conduits that preserve safety while enabling monitoring and control.
- Implement ISA/IEC zones and conduits. Use IEC 62443-3-3 security level targets to segment control, supervisory, and corporate networks with industrial DMZs and unidirectional gateways where needed. (IEC 62443-3-3)
- Harden remote access. Apply NIST SP 800-82r3 guidance on jump servers, MFA, and protocol break/proxy architectures for vendor and maintenance access to OT assets. (NIST SP 800-82r3)
- Preserve safety interlocks. Ensure segmentation changes do not bypass safety instrumented systems and that emergency stop functions remain local and deterministic.
Baseline and monitor OT assets
Visibility into firmware, configuration, and protocol behavior is the foundation for defense.
- Inventory and classify. Create authoritative OT inventories with make, model, firmware, network location, and criticality mapped to NIST SP 800-82r3 system categories. (NIST SP 800-82r3)
- Protocol-aware monitoring. Deploy passive network monitoring that understands industrial protocols (Modbus, DNP3, PROFINET) and maps alerts to ATT&CK for ICS techniques for analyst triage. (MITRE ATT&CK for ICS)
- Baseline changes. Use configuration management to track PLC logic, engineering workstation changes, and vendor patch levels; require approvals consistent with CISA CPG 2.0 governance goals. (CISA CPG 2.0)
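The protocol-aware monitoring item above, as an added example that is not part of the original page: a passive Modbus/TCP triage that parses the MBAP header and flags write function codes from hosts outside an allowlist. The IP addresses, the allowlist, the sample frames and the choice of ATT&CK for ICS technique name are assumptions made for illustration.

```python
import struct

# Modbus function codes that change device state.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Assumption: hosts approved to issue writes (e.g. the engineering workstation).
AUTHORIZED_WRITERS = {"10.10.1.5"}
# Assumption: ATT&CK for ICS technique name attached for analyst triage.
TECHNIQUE = "Unauthorized Command Message"

def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU); None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length covers the unit id plus the PDU.
    if proto != 0 or length < 2 or len(payload) < 6 + length:
        return None
    pdu = payload[7:6 + length]
    return {"tid": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}

def triage(src: str, dst: str, payload: bytes):
    """Return an alert for one client-to-server request, or None if benign.
    Assumption: the sensor feeds only traffic destined to the Modbus server."""
    adu = parse_modbus_tcp(payload)
    if adu is None:
        return {"src": src, "dst": dst, "alert": "Malformed Modbus/TCP frame",
                "technique": None}
    name = WRITE_CODES.get(adu["function"])
    if name and src not in AUTHORIZED_WRITERS:
        data = adu["data"]
        addr = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
        return {"src": src, "dst": dst, "unit": adu["unit"], "address": addr,
                "alert": f"{name} from unapproved host", "technique": TECHNIQUE}
    return None

# Constructed sample traffic (not captured from a real network).
WRITE_REG = bytes.fromhex("0001000000060106001000ff")  # FC 6, register 0x0010
READ_REGS = bytes.fromhex("00020000000601030000000a")  # FC 3, 10 registers
SAMPLE = [("10.10.1.5", "10.10.2.20", WRITE_REG),
          ("10.10.9.77", "10.10.2.20", WRITE_REG),
          ("10.10.9.77", "10.10.2.20", READ_REGS)]

def run(events):
    return [a for a in (triage(*e) for e in events) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```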
Plan resilient operations
Prepare to operate through incidents with tested response and recovery procedures.
- Scenario-specific playbooks. Build runbooks for ransomware in OT domains, unauthorized logic changes, loss of view, and loss of control, mapping steps to NIST SP 800-82r3 incident handling guidance. (NIST SP 800-82r3)
- Spare and image strategy. Maintain tested golden images and spares for PLCs, HMIs, and engineering workstations to shorten recovery when patching is unsafe during production windows.
- Regulator reporting. Align incident thresholds and notification templates to sector requirements (e.g., TSA pipeline directives, EU NIS2) and ensure OT incidents are reflected in enterprise risk reports.
Test and improve defenses
Continuous validation keeps compensating controls aligned with evolving attacker techniques.
- Tabletop and field exercises. Run joint OT/IT exercises that test isolation procedures, manual overrides, and communications with operators and regulators; capture metrics on detection time and process safety impact.
- Adversary emulation. Use ATT&CK for ICS techniques (e.g., T0830 Manipulation of Control, T0805 Alarm Suppression) in red/purple team tests to validate detections and containment steps. (MITRE ATT&CK for ICS)
- Vendor assurance. Require suppliers to provide patch guidance, SBOMs, and vulnerability notifications consistent with IEC 62443-3-3 SR 6.2 and CISA CPG expectations. (IEC 62443-3-3; CISA CPG 2.0)