The Algorithm

SCADA/ICS/OT Security Standards and Frameworks

The layered standards ecosystem governing cybersecurity for Supervisory Control and Data Acquisition systems across critical infrastructure sectors.

What You Need to Know

SCADA (Supervisory Control and Data Acquisition), ICS (Industrial Control Systems), and OT (Operational Technology) security is governed by a fragmented but increasingly coordinated set of sector-specific and cross-sector standards. The primary cross-sector frameworks are: NIST SP 800-82 revision 3 ("Guide to OT Security," final published September 2023), which provides ICS-specific guidance overlaid on NIST SP 800-53 rev 5 controls; IEC 62443, which defines technical security requirements for Industrial Automation and Control Systems (IACS) components and systems; and the CISA Cross-Sector Cybersecurity Performance Goals (CPGs), which provide a prioritized baseline applicable to all critical infrastructure sectors. Sector-specific frameworks include NERC CIP (electric utility), TSA Security Directives (pipeline and rail), NRC 10 CFR 73.54 (nuclear), and AWIA 2018 Section 2013 (water utilities).

The fundamental engineering challenge of SCADA security is that ICS/OT devices were designed for reliability and availability — not for security. Many PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units), and DCS (Distributed Control System) components run proprietary real-time operating systems with no patching capability, no authentication, and no encryption. The Purdue Model (ISA-95) provides the conceptual network hierarchy (Level 0: field devices, Level 1: basic control, Level 2: supervisory control, Level 3: site operations/MES, Level 3.5: DMZ, Level 4: enterprise IT) that guides zone segmentation design. Modern SCADA security architecture implements this segmentation with next-generation firewalls performing application-layer inspection of industrial protocols (Modbus TCP, DNP3, EtherNet/IP, OPC-UA), passive network monitoring for anomaly detection, and jump servers for all remote access — eliminating direct connections from enterprise IT to OT networks.
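The segmentation rules described above can be checked against flow records from a passive monitor. The following is an added example, not code from this page or its authors; the subnets, the jump server address, and the flow records are constructed, and the three findings are one assumed reading of the policy (no direct IT-to-OT flows, industrial protocols crossing a zone boundary need protocol-aware inspection, remote access into OT only from a jump server).

```python
import ipaddress

# Constructed subnet-to-Purdue-level inventory (assumption, not from the page).
ZONES = {
    "10.0.0.0/24": 0,     # Level 0: field devices
    "10.0.1.0/24": 1,     # Level 1: basic control (PLCs, RTUs)
    "10.0.2.0/24": 2,     # Level 2: supervisory control
    "10.0.3.0/24": 3,     # Level 3: site operations / MES
    "10.0.35.0/24": 3.5,  # Level 3.5: DMZ
    "10.4.0.0/16": 4,     # Level 4: enterprise IT
}
NETS = [(ipaddress.ip_network(cidr), lvl) for cidr, lvl in ZONES.items()]
# Default TCP ports of the industrial protocols named in the text.
ICS_PORTS = {502: "Modbus TCP", 20000: "DNP3", 44818: "EtherNet/IP", 4840: "OPC UA"}
REMOTE_PORTS = {22, 3389}      # SSH, RDP
JUMP_SERVERS = {"10.0.35.10"}  # hypothetical jump server in the DMZ


def level_of(ip):
    """Return the Purdue level of an address, or None if it is not inventoried."""
    addr = ipaddress.ip_address(ip)
    return next((lvl for net, lvl in NETS if addr in net), None)


def audit_flow(src, dst, dport):
    """Return policy findings for one observed flow (empty list = compliant)."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return ["unknown-asset"]
    findings = []
    if max(s, d) == 4 and min(s, d) <= 3:
        findings.append("direct-it-ot")  # enterprise IT talking straight to OT
    if dport in ICS_PORTS and s != d:
        findings.append("ics-protocol-crosses-zone")  # needs protocol-aware inspection
    if dport in REMOTE_PORTS and d <= 3 < s and src not in JUMP_SERVERS:
        findings.append("remote-access-bypasses-jump-server")
    return findings


# Constructed flow records (src, dst, dst port), as a passive monitor might export.
FLOWS = [
    ("10.4.7.20", "10.0.2.15", 502),
    ("10.4.7.20", "10.0.35.10", 3389),
    ("10.0.35.10", "10.0.2.15", 3389),
    ("10.0.35.77", "10.0.2.15", 22),
    ("192.168.9.9", "10.0.1.5", 502),
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, audit_flow(*flow) or "ok")
```

Because it works from recorded flows and an inventory only, the check sends nothing onto the control network.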

NIST SP 800-82 rev 3's most significant update over rev 2 is its full integration with NIST SP 800-53 rev 5 controls, providing a mapping table that identifies ICS-specific control tailoring (e.g., SI-2 Flaw Remediation is tailored to acknowledge that patching may require extended maintenance windows in OT environments). The document adds new sections on cloud-based OT, OT-specific supply chain risk management, and artificial intelligence/ML in ICS environments. CISA's Industrial Control Systems Joint Working Group (ICSJWG) and the Idaho National Laboratory (INL) provide additional OT security resources, including the Consequence-driven Cyber-informed Engineering (CCE) methodology, which approaches OT security from the perspective of preventing the most severe physical consequences rather than managing a vulnerability backlog.

How We Handle It

We deliver OT security programs anchored in NIST SP 800-82 rev 3 and IEC 62443, beginning with an asset inventory using passive discovery tools to avoid disrupting operational processes. We design Purdue Model-aligned network segmentation architectures, deploy industrial protocol-aware monitoring, implement secure remote access with privileged access management for OT, and build OT-specific incident response playbooks that account for availability requirements.

Services: Compliance Infrastructure, Self-Healing Infrastructure, Managed Infrastructure

Related Frameworks: NIST SP 800-82 rev 3, IEC 62443, NERC CIP, CISA CPGs