OT Cybersecurity Glossary

Plain-language definitions of the terms that show up across operational technology (OT) and industrial control system (ICS) cybersecurity — frameworks, access models, asset and risk concepts, and the compliance language that sits on top of all of it. Each entry cites the source it draws from, and where ConsoleWorks delivers on the concept, we link directly to the relevant capability.

OT/ICS Foundations

Distributed Control System (DCS)

A Distributed Control System is an OT control architecture that supervises a process plant or production facility through controllers distributed geographically across the process, all integrated through a communications network for monitoring and centralized supervisory control. DCSs are commonly used in continuous-process industries such as power generation, chemical manufacturing, oil refining, and water treatment, where tightly coupled, high-availability control of large numbers of field devices is required.

Source: NIST SP 800-82 Rev. 3

Human-Machine Interface (HMI)

A Human-Machine Interface is the hardware and software that operators use to monitor the state of a process under control, modify control settings, and manually override automatic control operations in the event of an emergency. HMIs typically run on engineering workstations or operator consoles and present graphical views of PLCs, RTUs, and other field devices, which makes them high-value access points and a standard focus of OT cybersecurity controls.

Source: NIST SP 800-82 Rev. 3

Industrial Control System (ICS)

Industrial Control System is a general term that encompasses several types of control systems and associated instrumentation used for industrial process control — including SCADA systems, distributed control systems (DCS), and other smaller control configurations such as programmable logic controllers (PLCs). ICS environments operate the physical processes underlying critical infrastructure sectors, where availability and safety constraints differ fundamentally from typical IT systems.

Source: NIST SP 800-82 Rev. 3

Operational Technology (OT)

Operational Technology is the hardware, software, and firmware that detects or causes a change through direct monitoring and/or control of physical devices, processes, and events in industrial environments. OT spans systems such as industrial control systems (ICS), building automation, transportation systems, physical access control, and environmental monitoring — and prioritizes safety, availability, and integrity of physical processes over the confidentiality concerns that typically dominate IT.

Source: NIST SP 800-82 Rev. 3

Programmable Logic Controller (PLC)

A Programmable Logic Controller is a small, industrially hardened solid-state control computer that performs discrete or continuous control functions in a wide variety of process and equipment environments. PLCs read inputs from sensors, execute deterministic control logic, and drive outputs to actuators on a scan cycle measured in milliseconds. Their authentication is typically handled through proprietary protocols rather than IT-style agents, which is why standard IT security tooling cannot reach them directly.

Source: NIST SP 800-82 Rev. 3

Purdue Reference Model (Purdue Model)

The Purdue Reference Model is a hierarchical reference architecture for ICS and manufacturing networks that segments environments into levels — from physical processes and field devices (Levels 0-1), through control and supervisory systems (Levels 2-3), to enterprise IT (Levels 4-5). The model is widely used as the basis for OT network segmentation, zone-and-conduit security design, and discussions of how access flows from the corporate network down to Level 0 field devices.

Source: NIST SP 800-82 Rev. 3; ISA-95

Remote Terminal Unit (RTU)

A Remote Terminal Unit is a field-deployed device that collects telemetry from sensors and equipment and transmits it back to a central SCADA or control system, while also receiving and executing supervisory control commands. RTUs are common in geographically distributed environments such as electric substations, pipelines, and water systems, where proprietary or serial protocols and limited bandwidth mean that IT-oriented agents and PAM tools cannot manage their credentials or configurations directly.

Source: NIST SP 800-82 Rev. 3

Supervisory Control and Data Acquisition (SCADA)

SCADA is a generic name for a computerized system capable of gathering and processing data and applying operational controls over long distances — typical uses include power transmission and distribution, pipelines, and water distribution systems. SCADA systems coordinate RTUs, PLCs, and HMIs across geographically dispersed sites and are routinely in scope for OT cybersecurity frameworks such as NERC CIP and IEC 62443.

Source: NIST SP 800-82 Rev. 3

Standards & Frameworks

CMMC 2.0 (Cybersecurity Maturity Model Certification)

CMMC 2.0 is the U.S. Department of Defense's tiered cybersecurity certification program for contractors and subcontractors handling Federal Contract Information and Controlled Unclassified Information. It defines three maturity levels aligned to FAR 52.204-21 and NIST SP 800-171, with assessment requirements scaled to the sensitivity of information handled. CMMC certification is becoming a contractual prerequisite across the Defense Industrial Base.

Source: U.S. Department of Defense — Cybersecurity Maturity Model Certification Program

IEC 62443

ISA/IEC 62443 is the international series of standards for cybersecurity of industrial automation and control systems (IACS), addressing security for the full lifecycle of OT environments — from asset owners and integrators through product suppliers. It defines the zone-and-conduit model for segmentation, security levels (SL 1-4), and a set of foundational requirements that govern access control, use control, data integrity, and timely response, and is widely referenced by manufacturing and process-industry operators.

Source: International Society of Automation (ISA) / International Electrotechnical Commission — ISA/IEC 62443 Series

ISO/IEC 27001

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS), specifying the requirements for establishing, implementing, maintaining, and continually improving an ISMS. The 2022 revision aligns Annex A controls with ISO/IEC 27002:2022 and is widely used as a certification standard across regulated industries. ISO 27001 certification provides external attestation that an organization's information security program meets the standard's requirements.

Source: International Organization for Standardization — ISO/IEC 27001:2022

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)

NERC CIP is the mandatory set of cybersecurity reliability standards governing the Bulk Electric System in North America, applicable to electric utilities and other Bulk Electric System operators. The standards cover topics such as asset categorization (CIP-002), security management controls, personnel and training, electronic security perimeters, systems security management (CIP-007), incident response (CIP-008), and configuration change management and vulnerability assessments (CIP-010). NERC CIP is among the most prescriptive OT security frameworks in existence, with mandatory audits and significant financial penalties for noncompliance.

Source: North American Electric Reliability Corporation — CIP Reliability Standards

NIS2 Directive

The NIS2 Directive is the European Union's updated cybersecurity directive, expanding the original NIS Directive to cover a broader range of essential and important entities — including energy, transport, water, healthcare, manufacturing, digital infrastructure, and public administration. It establishes baseline security and incident-reporting obligations, supply-chain risk management requirements, and management-body accountability for cybersecurity, with member-state enforcement and fines for noncompliance.

Source: European Union Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union

NIST Cybersecurity Framework (NIST CSF 2.0)

The NIST Cybersecurity Framework is a voluntary, outcome-based framework that helps organizations of any size manage and reduce cybersecurity risk. CSF 2.0 organizes cybersecurity activities into six core functions — Govern, Identify, Protect, Detect, Respond, and Recover — and is widely used as a common language for risk management and as a crosswalk reference across other frameworks. It is applicable to both IT and OT environments.

Source: NIST Cybersecurity Framework (CSF) 2.0

NIST SP 800-82 (Guide to Operational Technology Security)

NIST SP 800-82 is the U.S. National Institute of Standards and Technology's guidance for securing operational technology environments, including ICS, SCADA, DCS, and other industrial control systems. Revision 3 provides recommendations on OT-specific threats, vulnerabilities, performance and safety constraints, and a tailored application of the NIST SP 800-53 control catalog appropriate for OT environments. It is the canonical U.S. reference for OT cybersecurity.

Source: NIST Special Publication 800-82 Revision 3

TSA Security Directives (Pipeline & Rail)

TSA Security Directives are mandatory cybersecurity requirements issued by the U.S. Transportation Security Administration for designated owners and operators of pipelines and rail systems. They establish requirements such as designating a Cybersecurity Coordinator, reporting cybersecurity incidents to CISA within prescribed timeframes, implementing and maintaining a TSA-approved Cybersecurity Implementation Plan, and conducting cybersecurity assessments. TSA Security Directives have been periodically reissued and updated since 2021.

Source: U.S. Transportation Security Administration — Pipeline and Rail Security Directives

Access & Identity

Just-in-Time Access (JIT)

Just-in-Time access is a privileged-access model in which elevated permissions are granted only for the duration of a specific authorized task and revoked automatically when the task ends — eliminating standing privileges. JIT is a core element of modern Zero Trust and Privileged Access Management programs, and reduces the window during which a compromised credential can be abused. In OT environments, JIT is typically applied to vendor and contractor sessions on critical assets.

Source: NIST SP 800-53 Rev. 5 (AC-2, AC-6 control enhancements); ConsoleWorks capability page: /secure-remote-access/

Least Privilege

Least privilege is the principle that users, processes, and systems should be granted only the minimum access rights and permissions necessary to perform their authorized functions. Applied to operational environments, this includes limiting which commands an operator may execute on a given device, scoping vendor access to specific assets, and removing credentials when an engagement ends. Least privilege reduces the blast radius of compromised accounts and insider misuse.

Source: NIST SP 800-53 Rev. 5, control AC-6

Multi-Factor Authentication (MFA)

Multi-Factor Authentication is an authentication method that requires the user to present two or more distinct authenticator types — typically a combination of something the user knows (password), has (token, smart card, mobile authenticator), or is (biometric). MFA significantly reduces the risk of credential-based account takeover and is a prerequisite control in NERC CIP, NIST 800-53, and most modern Zero Trust architectures for any privileged access path.

Source: NIST SP 800-63B

Privileged Access Management (PAM)

Privileged Access Management is the discipline and tooling for governing accounts with elevated privileges — vaulting credentials, brokering and recording sessions, rotating passwords, and enforcing least-privilege and just-in-time access policies. In OT environments, traditional PAM tools struggle to reach Level 0 field devices such as PLCs, RTUs, and protective relays whose authentication is handled through proprietary protocols, so OT-aware PAM must rotate credentials directly on the device through native protocols.

Source: NIST SP 800-53 Rev. 5 (AC-2, AC-6, IA-5); ConsoleWorks capability page: /credential-management/

Role-Based Access Control (RBAC)

Role-Based Access Control is an access control model in which permissions are assigned to roles and users acquire permissions by being assigned to one or more roles, rather than receiving permissions directly. RBAC simplifies administration in environments with large user populations and well-defined job functions, makes access decisions auditable, and is the prevailing model for governing operator, engineer, vendor, and contractor access to OT assets.

Source: NIST SP 800-53 Rev. 5 (AC-2, AC-3); NIST RBAC Standard (INCITS 359)
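The three access entries above (Just-in-Time Access, Least Privilege, and Role-Based Access Control) describe one brokered decision from different angles: a user holds roles, a role carries a per-asset allow-list, and elevated roles exist only inside a time window. The following Python is an added illustration of that decision and is not ConsoleWorks code; the role names, asset identifiers, commands, ticket reference and grant format are constructed for the demonstration.

```python
"""Access-broker decision combining RBAC, least privilege and JIT (added example).

Not ConsoleWorks code. Role names, asset ids, commands and the grant format
below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RBAC: permissions attach to roles, never to users directly.
# Least privilege: each role's allow-list is scoped per asset tag and is
# deny-by-default; anything not listed is refused.
ROLE_PERMISSIONS = {
    "relay-operator": {
        "protective-relay": {"show settings", "show events"},
    },
    "relay-engineer": {
        "protective-relay": {"show settings", "show events", "set settings"},
    },
    "vendor-support": {
        "plc": {"show status", "upload logic"},
    },
}


@dataclass(frozen=True)
class JitGrant:
    """A time-boxed elevation: one role, on one asset, from start to end."""
    user: str
    role: str
    asset: str
    start: datetime
    end: datetime
    ticket: str  # constructed change/ticket reference justifying the task


@dataclass
class Policy:
    standing_roles: dict = field(default_factory=dict)  # user -> set of roles
    asset_tags: dict = field(default_factory=dict)      # asset id -> tag
    grants: list = field(default_factory=list)          # active JitGrant records

    def active_roles(self, user, asset, now):
        """Standing roles plus any JIT grant whose window contains `now`."""
        roles = set(self.standing_roles.get(user, set()))
        for g in self.grants:
            if g.user == user and g.asset == asset and g.start <= now < g.end:
                roles.add(g.role)
        return roles

    def authorize(self, user, asset, command, now):
        """Return (allowed, reason). Deny-by-default on every path."""
        tag = self.asset_tags.get(asset)
        if tag is None:
            return False, "unknown asset"
        roles = self.active_roles(user, asset, now)
        for role in sorted(roles):
            if command in ROLE_PERMISSIONS.get(role, {}).get(tag, set()):
                return True, f"permitted by role {role}"
        if not roles:
            return False, "no active role"
        return False, f"command not in allow-list for roles {sorted(roles)}"

    def expire_grants(self, now):
        """Automatic revocation: drop grants whose window has closed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.end > now]
        return before - len(self.grants)


# Constructed scenario: a standing operator and a vendor with a 2-hour grant.
T0 = datetime(2026, 1, 1, 8, 0, tzinfo=timezone.utc)


def build_demo_policy():
    policy = Policy()
    policy.asset_tags["SUB1-RLY-01"] = "protective-relay"   # constructed asset id
    policy.standing_roles["asmith"] = {"relay-operator"}
    policy.grants.append(JitGrant(
        user="vend-jdoe", role="relay-engineer", asset="SUB1-RLY-01",
        start=T0, end=T0 + timedelta(hours=2), ticket="CHG-EXAMPLE-1",
    ))
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    print(p.authorize("asmith", "SUB1-RLY-01", "set settings", T0))
    print(p.authorize("vend-jdoe", "SUB1-RLY-01", "set settings", T0 + timedelta(hours=1)))
    print(p.authorize("vend-jdoe", "SUB1-RLY-01", "set settings", T0 + timedelta(hours=3)))
```

The operator can read but not write settings, the vendor can write only while the grant is open, and once the window closes the same request fails with "no active role" before any allow-list is consulted; `expire_grants` removes the closed grant so no standing privilege is left behind.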

Session Recording (Privileged Session Management)

Session recording is the capture and protected storage of every action performed during a privileged session — CLI sessions logged keystroke-by-keystroke, GUI sessions (RDP, VNC) recorded as full screen capture — tied to a verified user identity. The resulting forensic record supports incident investigation, audit evidence for frameworks such as NERC CIP and IEC 62443, and a clear answer to "what did the vendor change while they were on the device?"

Source: NERC CIP-007 R4 (Security Event Monitoring); NIST SP 800-53 Rev. 5 (AU-14); ConsoleWorks capability page: /secure-remote-access/

Zero Trust

Zero Trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated — every access request is authenticated, authorized, and scoped, regardless of where the request originates. In OT environments, Zero Trust requires that no user has a direct network path to a protected asset; access is brokered, every zone crossing is verified, and credentials are never exposed to the user.

Source: NIST SP 800-207

Asset & Risk Management

Active Interrogation (Active Asset Discovery)

Active interrogation is the practice of connecting directly to a managed device — through its native protocol — and retrieving authoritative configuration data such as firmware version, running configuration, and active accounts. Unlike passive discovery, active interrogation returns the actual state of the device rather than what is inferred from network observation, and is essential for high-confidence inventory and configuration management on OT assets that do not produce useful passive signal.

Source: NIST SP 800-82 Rev. 3; ConsoleWorks capability page: /asset-intelligence/

Configuration Drift

Configuration drift is the gradual, uncontrolled deviation of a device's running configuration away from its approved baseline — caused by patches, vendor maintenance, emergency fixes, or undocumented changes that accumulate over time. Without continuous baseline comparison, drift can introduce security exposures and compliance gaps that go undetected until an audit. NERC CIP-010 explicitly requires baseline configuration documentation and continuous monitoring for changes on Bulk Electric System Cyber Assets.

Source: ConsoleWorks capability page: /configuration-change-management/; NERC CIP-010 R1 (Configuration Change Management)
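Baseline comparison as described in this entry reduces to a small algorithm: diff the collected running state against the approved baseline, then match each difference against authorized change records, and treat whatever remains unexplained as drift. The Python below is an added example, not ConsoleWorks code; the baseline items, running state, private addresses and change-record ids are constructed, and a real implementation would follow the asset's own configuration schema.

```python
"""Configuration drift detection by baseline comparison (added example).

Not ConsoleWorks code. The baseline, collected running state and change
records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Change:
    key: str
    old: Any                       # baseline value, None if the item was added
    new: Any                       # running value, None if the item was removed
    authorized_by: Optional[str]   # matching change-record id, None if unexplained


def compare_to_baseline(baseline, running):
    """One Change per item whose running value differs from the baseline."""
    changes = []
    for key in sorted(set(baseline) | set(running)):
        old, new = baseline.get(key), running.get(key)
        if old != new:
            changes.append(Change(key, old, new, None))
    return changes


def reconcile(changes, approved_changes):
    """Attach an authorization record when one matches the key and the
    exact new value; a record that approved a different value does not count."""
    index = {(c["key"], c["new"]): c["id"] for c in approved_changes}
    return [Change(c.key, c.old, c.new, index.get((c.key, c.new))) for c in changes]


def assess(baseline, running, approved_changes):
    """Summarize: every difference, and the subset that is unexplained drift."""
    changes = reconcile(compare_to_baseline(baseline, running), approved_changes)
    return {
        "changes": changes,
        "drift_keys": [c.key for c in changes if c.authorized_by is None],
    }


# Constructed approved baseline for one device (sets are frozensets so they
# compare and hash cleanly).
BASELINE = {
    "firmware": "4.2.1",
    "open_ports": frozenset({22, 502}),
    "local_accounts": frozenset({"admin", "operator"}),
    "ntp_server": "10.0.0.1",
    "default_password_changed": True,
}

# Constructed running state as an active interrogation might return it.
RUNNING = {
    "firmware": "4.3.0",
    "open_ports": frozenset({22, 502, 80}),
    "local_accounts": frozenset({"admin", "operator", "vendor_tmp"}),
    "ntp_server": "10.0.0.1",
    "default_password_changed": True,
}

# Constructed change records: only the firmware upgrade was authorized.
APPROVED = [{"id": "CHG-EXAMPLE-1042", "key": "firmware", "new": "4.3.0"}]


if __name__ == "__main__":
    result = assess(BASELINE, RUNNING, APPROVED)
    for c in result["changes"]:
        status = c.authorized_by or "DRIFT"
        print(f"{c.key}: {c.old!r} -> {c.new!r} [{status}]")
```

Run against the constructed data, the firmware change is attributed to its change record while the extra open port and the leftover vendor account are reported as drift, which is exactly the distinction an evidence package for a baseline-monitoring requirement has to make: every difference is explained by an authorization or it is a finding.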

OT Asset Inventory

An OT asset inventory is an authoritative, continuously updated record of every device in an operational environment along with its current operational state — firmware version, configuration, ownership, location, and risk-relevant attributes. Most environments still assemble inventories from spreadsheets and stale tool exports; a usable OT inventory requires both passive discovery (for breadth) and active interrogation (for authoritative depth). Asset inventory is the foundation for risk scoring, compliance scoping, and incident response.

Source: NIST SP 800-82 Rev. 3; CISA Securing Industrial Control Systems: A Unified Initiative; ConsoleWorks capability page: /asset-intelligence/

Passive Discovery

Passive discovery is the identification of assets through observation of network traffic — listening to broadcast, ARP, and protocol traffic — without sending probes that could disturb sensitive OT devices. Passive discovery is well suited to environments where active scanning is unsafe, but it tells you that a device exists rather than what it is configured to do. It is most powerful when combined with active interrogation for authoritative asset state.

Source: NIST SP 800-82 Rev. 3; CISA Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies

Risk Assessment

Risk assessment is the process of identifying, estimating, and prioritizing risks to organizational operations, assets, and individuals based on the likelihood and impact of identified threats exploiting identified vulnerabilities. In OT environments, risk assessment must additionally account for safety, reliability, and physical-process consequences. Continuous, measurement-driven risk assessment provides current posture rather than a point-in-time snapshot that ages between cycles.

Source: NIST SP 800-30 Rev. 1; NIST SP 800-82 Rev. 3

Secure Controls Framework (SCF)

The Secure Controls Framework is a comprehensive metaframework of cybersecurity and privacy controls designed to crosswalk to over 100 global laws, regulations, and frameworks — including NIST 800-53, NIST CSF, NERC CIP, ISO 27001, IEC 62443, and many others. SCF allows organizations to define controls once and demonstrate coverage across every framework that applies to them, eliminating duplicate measurement work across overlapping regulatory regimes.

Source: Secure Controls Framework (SCF); ConsoleWorks capability page: /risk-analysis/

Vulnerability Management

Vulnerability management is the cyclical practice of identifying, evaluating, prioritizing, remediating, and verifying software and configuration vulnerabilities in organizational assets. In OT environments, patching constraints, uptime requirements, and vendor support commitments mean that compensating controls and risk-based prioritization often play a larger role than in IT. Effective vulnerability management depends on an authoritative asset inventory and a means to verify that remediations actually held.

Source: NIST SP 800-40 Rev. 4; NIST SP 800-82 Rev. 3

Compliance & Continuous Measurement

Audit Trail

An audit trail is a chronological, tamper-resistant record of system activity sufficient to reconstruct, review, and examine the sequence of events surrounding an operation, procedure, or security-relevant event. In OT environments, audit trails span privileged sessions, configuration changes, credential rotations, and measurement results — and are required evidence under NERC CIP, NIST 800-53, IEC 62443, and TSA Security Directives.

Source: NIST SP 800-53 Rev. 5 (AU family — Audit and Accountability); NERC CIP-007 R4

BES Cyber Asset / BES Cyber System

A BES Cyber Asset is a programmable electronic device — including its software and data — that, if rendered unavailable, degraded, or misused, would within 15 minutes adversely impact one or more reliability tasks of the Bulk Electric System (BES). One or more BES Cyber Assets logically grouped to perform a reliability task constitute a BES Cyber System. These are the assets in scope for the NERC CIP standards and for which baseline configuration, access control, and monitoring evidence must be maintained.

Source: NERC Glossary of Terms Used in Reliability Standards; NERC CIP-002

Continuous Compliance

Continuous compliance is the practice of maintaining, measuring, and demonstrating conformance to applicable regulations on an ongoing basis rather than assembling evidence at audit time. It depends on automated control measurement, evidence collection as a byproduct of normal operations, and a continuously current view of posture per framework. The model replaces the audit-cycle scramble with a posture that is always defensible because it is always being measured.

Source: NIST SP 800-137; ConsoleWorks capability page: /continuous-measurement/

Control Mapping (Crosswalk)

Control mapping, or crosswalk, is the practice of relating individual controls in one framework to equivalent controls in others — for example, relating a NERC CIP-007 R5 requirement to corresponding NIST 800-53 and IEC 62443 controls. Crosswalking allows a single underlying measurement to demonstrate coverage across multiple regulatory regimes simultaneously, which is essential for organizations subject to overlapping frameworks.

Source: Secure Controls Framework (SCF); NIST OLIR (Online Informative Reference) Program; ConsoleWorks capability page: /compliance-reporting/

Evidence Collection (Audit Evidence)

Evidence collection is the production and retention of records — log files, session recordings, configuration baselines, measurement results, attestations — sufficient to demonstrate to an auditor that a control is operating as designed over a specified period. In ConsoleWorks-style continuous environments, evidence accumulates as a byproduct of measurement cycles, privileged sessions, and remediation actions, eliminating the manual assembly that traditionally precedes an audit.

Source: NIST SP 800-53A Rev. 5; NERC CIP Evidence Request Tool (ERT)

Information Security Continuous Monitoring (ISCM)

Information Security Continuous Monitoring is defined by NIST as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. ISCM operationalizes the idea that security posture is dynamic — assets change, configurations drift, threats evolve — and that effective risk management therefore requires automated, continuous measurement of controls and conditions rather than periodic point-in-time assessment.

Source: NIST SP 800-137

NERC CIP-007 R5 (System Access Controls — Password Management)

NERC CIP-007 R5 is the password-management requirement of the CIP-007 reliability standard, requiring Responsible Entities to enforce technical or procedural controls governing password complexity, change frequency, and the management of authenticated user access on in-scope BES Cyber Assets. It includes obligations such as changing default passwords, enforcing password complexity, and changing passwords on a defined cadence — historically a labor-intensive control to demonstrate manually for OT field devices.

Source: NERC Reliability Standard CIP-007, Requirement R5

NERC CIP-010 (Configuration Change Management & Vulnerability Assessments)

NERC CIP-010 is the NERC CIP reliability standard that requires Responsible Entities to develop a baseline configuration for each in-scope BES Cyber Asset, monitor those assets for changes from the baseline, authorize and document each change, and conduct periodic vulnerability assessments. CIP-010 is one of the most evidence-heavy CIP standards and a frequent driver for automated configuration collection and continuous baseline comparison in electric utility environments.

Source: NERC Reliability Standard CIP-010

Last reviewed: May 15, 2026