
Industrial Cybersecurity Reference

A 12-section interactive reference guide covering the core cybersecurity frameworks, standards, and technical disciplines used in both IT and OT/ICS environments. Includes NIST CSF 2.0 core functions, IEC 62443 security levels, CIA triad priority differences between IT and OT, network defense-in-depth, IAM and MFA, cryptography fundamentals, vulnerability management, incident response phases, cloud security, and NERC CIP compliance.

What This Guide Covers

Each section targets a core cybersecurity discipline: frameworks overview (NIST CSF 2.0 six functions, ISO 27001, IEC 62443, NIST SP 800-53, MITRE ATT&CK for ICS), CIA triad and risk management (ALE formula, NIST RMF steps, residual risk), network security (defense-in-depth layers, firewall types, DMZ architecture, IDS/IPS, zero trust), identity and access management (MFA factors, RBAC, PAM for OT), cryptography (symmetric/asymmetric, PKI, TLS 1.3 for ICS), vulnerability management (CVSS scoring, OT patch process, passive scanning), incident response (NIST SP 800-61 phases, notable ICS incidents), cloud security and zero trust architecture, OT/ICS-specific security challenges, compliance and regulations (NERC CIP, AWIA, FISMA, SOC 2, GDPR), penetration testing methodology, and a quick reference section with ports, CVSS guide, IR checklist, and password policy tables.

How to Navigate

Use the Prev / Next buttons at the bottom, or press the arrow keys on your keyboard. Click the ☰ menu button in the top-right to open the table of contents and jump to any section. The gold progress bar at the top tracks your position through all 12 sections.

IT vs OT Security Priorities

One of the most important distinctions in industrial cybersecurity is the CIA triad priority reversal: IT systems order the triad Confidentiality, Integrity, Availability, while OT/ICS environments order it Availability, Integrity, Confidentiality, because a plant shutdown, pipeline failure, or utility outage can have immediate physical and safety consequences. This difference shapes every security decision in an industrial environment: patches are applied in planned maintenance windows rather than pushed automatically, incident response contains a threat without tripping the process, and monitoring is passive (traffic capture and protocol parsing) rather than active scanning, because active probes can crash fragile controllers.

Framework Overlap and Multi-Compliance

Most industrial facilities operate under multiple overlapping frameworks simultaneously. Electric utilities must comply with mandatory NERC CIP standards while also following NIST CSF and IEC 62443 for OT. Water utilities are subject to AWIA 2018. Pipeline operators must meet TSA Security Directives. Federal facilities follow FISMA and NIST SP 800-53. Cloud services providers may need SOC 2. This guide maps the key requirements across frameworks to help engineers understand how they intersect.

Frequently Asked Questions

How does cybersecurity priority differ between IT and OT environments?

In IT systems, the CIA triad prioritizes Confidentiality first: protecting data from unauthorized access is paramount. In OT/ICS environments, Availability is the top priority because a plant shutdown, pipeline failure, or utility outage can have immediate physical and safety consequences. Integrity comes second (ensuring that commands and process values are not altered in transit or at rest), and confidentiality is usually the least critical of the three, since OT networks carry process data rather than personal or financial data and many industrial protocols were designed without encryption at all.

What is IEC 62443 and how does it apply to industrial systems?

IEC 62443 is the international standard series for industrial automation and control system (IACS) cybersecurity. It defines a zone-and-conduit model: assets with similar security requirements are grouped into security zones, and the communication paths between zones are conduits. Each zone is assigned a target Security Level (SL 1–4) based on the capability and motivation of the attacker it must withstand: SL1 protects against casual or coincidental violation; SL2 against intentional violation using simple means, low resources, and generic skills; SL3 against sophisticated means, moderate resources, and IACS-specific skills; SL4 against sophisticated means with extended resources and high motivation (the level typically associated with well-funded, state-level actors). The series covers policies and procedures as well as technical requirements, with separate parts addressed to asset owners, system integrators, and product suppliers.

What are the NERC CIP requirements for electric utility cybersecurity?

NERC CIP (Critical Infrastructure Protection) standards are mandatory for bulk electric system assets in North America. Key standards: CIP-002 (identify and categorize BES Cyber Systems as high, medium, or low impact), CIP-005 (Electronic Security Perimeter: define and protect network boundaries and remote access), CIP-007 (system security management: ports and services, patching, malicious code prevention, logging), CIP-010 (configuration change management and vulnerability assessments), CIP-013 (supply chain risk management). Penalties for violations can reach $1 million per day per violation, the statutory cap set by the Federal Power Act, which is periodically adjusted upward for inflation.

How do you handle vulnerability patching in an ICS environment?

OT patching is far more complex than IT patching. Many ICS devices run an unsupported OS or have no vendor patch available at all, and even a valid OS patch can break the control application that runs on top of it. When a patch exists: (1) Obtain vendor confirmation that the patch is qualified for the installed version of the control system software. (2) Test it in a staging or lab environment that mirrors production. (3) Schedule deployment during a planned maintenance outage, never during production. (4) Have a tested rollback plan ready, including backups of device configuration and firmware. (5) Document the change in the MOC (Management of Change) system. For devices that cannot be patched, use compensating controls: network segmentation to limit what can reach the device, passive monitoring to detect exploitation attempts, and application allowlisting on the hosts that can talk to it.