In most industrial cybersecurity and information security frameworks, security controls are commonly grouped into four practical categories:

1. Physical controls

Physical controls prevent or limit physical access to facilities, equipment, and infrastructure. In manufacturing and regulated environments, this typically includes:

  • Badged access to production areas, server rooms, and critical test labs
  • Locks, cages, and safes for network cabinets and media
  • Video surveillance and environmental monitoring (e.g., for tamper or intrusion)
  • Segregated areas for export-controlled or ITAR-sensitive activities

These controls depend heavily on site layout, legacy building infrastructure, and how well physical access systems are integrated with HR, visitor management, and change control processes.

2. Technical (logical) controls

Technical controls use technology to enforce security requirements on systems, networks, and data. Typical examples in brownfield manufacturing environments include:

  • Network segmentation and firewalls between OT, MES, ERP, and corporate IT networks
  • Authentication, authorization, and role-based access control for MES, QMS, PLM, and SCADA
  • Endpoint protection, application whitelisting, and secure configuration baselines
  • Encryption for data in transit between plants and data centers or cloud services
  • Logging, monitoring, and SIEM integrations for critical systems

The effectiveness of technical controls depends on integration quality, asset inventory accuracy, and whether legacy equipment can support modern security mechanisms without disrupting validated or qualified configurations.

3. Administrative (procedural) controls

Administrative controls are policies, procedures, and governance mechanisms that define how people should design, operate, and maintain systems. In regulated industrial settings, these typically include:

  • Access provisioning and de-provisioning procedures tied to HR and training records
  • Change control and configuration management for OT, MES, QMS, and automation systems
  • Vendor and remote access procedures, including temporary access and monitoring
  • Incident response plans coordinated across IT, OT, quality, and operations
  • Training and awareness on handling controlled technical data and production records

These controls are only effective if they are documented, followed in daily operations, and aligned with regulatory expectations for traceability, validation, and auditability.

4. Compensating controls

Compensating controls are alternative safeguards put in place when a preferred or “standard” control cannot be implemented, often due to legacy equipment, validation constraints, or downtime risk. Examples include:

  • Enhanced physical access controls and camera coverage when legacy OT devices cannot be patched promptly
  • Strict procedural workarounds (e.g., dual signoff, manual checks) when a system lacks fine-grained access control
  • Network isolation and tightly controlled jump hosts for equipment that cannot support endpoint protection agents
  • Additional monitoring and logging when encryption or protocol changes would require costly requalification

Compensating controls should be documented, risk-justified, and periodically reviewed. In regulated environments, they must be clearly traced in risk assessments and change records, and they do not remove the underlying obligation to address the primary risk when feasible.

How this plays out in brownfield, regulated plants

In mixed-vendor, long-lifecycle environments, you typically rely on all four categories working together. Full replacement of legacy systems purely for security reasons is often impractical because of qualification and validation burdens, integration complexity, and downtime risk. As a result:

  • Physical and administrative controls are frequently strengthened to compensate for technical gaps in legacy assets.
  • Technical controls are layered at the network or gateway level when device-level controls are not possible.
  • Compensating controls become a formal part of your documented risk treatment, with clear traceability for audits.

When designing or assessing your control set, it is important to classify controls in these four categories explicitly, document dependencies and limitations, and ensure that changes to any one control are managed through appropriate change control and revalidation where required.
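As an added example (not part of the original text), the following Python check encodes the rules above for a control register: every control is classified into one of the four categories, an unmet primary control on a legacy asset must be covered by a compensating control, and each compensating control must be risk-justified, traced to a change record, and not overdue for review. The Control dataclass, the audit_register function and the sample register (asset names, control ids and change-record reference) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# The four control categories described above.
CATEGORIES = {"physical", "technical", "administrative", "compensating"}


@dataclass
class Control:
    control_id: str
    category: str
    asset: str
    implemented: bool = True
    compensates_for: Optional[str] = None  # primary control this one stands in for
    risk_justification: str = ""
    change_record: str = ""                # change-control reference (constructed ids below)
    next_review: Optional[date] = None


def audit_register(controls: List[Control], today: date) -> List[str]:
    """Return findings that violate the documentation rules for compensating controls."""
    findings = []
    by_id = {c.control_id: c for c in controls}
    compensated = {c.compensates_for for c in controls if c.category == "compensating"}
    for c in controls:
        if c.category not in CATEGORIES:
            findings.append(f"{c.control_id}: unknown category '{c.category}'")
        # An unmet primary control on an asset must be covered by a compensating control.
        if c.category != "compensating" and not c.implemented and c.control_id not in compensated:
            findings.append(f"{c.control_id}: not implemented on {c.asset} and no compensating control recorded")
        if c.category == "compensating":
            if c.compensates_for not in by_id:
                findings.append(f"{c.control_id}: compensates_for '{c.compensates_for}' is not in the register")
            if not c.risk_justification:
                findings.append(f"{c.control_id}: missing risk justification")
            if not c.change_record:
                findings.append(f"{c.control_id}: not traced to a change record")
            if c.next_review is None or c.next_review < today:
                findings.append(f"{c.control_id}: review overdue or not scheduled")
    return findings


# Constructed sample: a legacy PLC that cannot run an endpoint agent, and an HMI with an undocumented gap.
SAMPLE = [
    Control("T-01", "technical", "PLC-LINE3", implemented=False),
    Control("C-01", "compensating", "PLC-LINE3", compensates_for="T-01",
            risk_justification="Agent unsupported; isolated VLAN plus monitored jump host",
            change_record="CR-0042", next_review=date(2030, 1, 1)),
    Control("T-02", "technical", "HMI-LINE3", implemented=False),
]
```

Running audit_register(SAMPLE, date.today()) reports the HMI gap that has no documented compensating control; once the review date on C-01 passes, it is flagged as overdue as well.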
