Glossary

access control

Access control is the set of processes and mechanisms that regulate who or what can view, use, or modify specific systems, data, or physical areas.

Access control commonly refers to the processes, rules, and technical or physical mechanisms that regulate who or what is allowed to view, use, or modify specific resources. In industrial and regulated environments, this includes control over access to OT and IT systems, applications such as MES and ERP, production equipment, sensitive data, and physical spaces like control rooms or secure storage areas.

Key elements of access control

Most access control approaches involve three main components:

  • Identification: Claiming an identity, such as entering a username, scanning a badge, or presenting a certificate.
  • Authentication: Verifying that the identity is valid, for example using passwords, multi-factor authentication (MFA), biometrics, or cryptographic keys.
  • Authorization: Deciding which actions or resources the authenticated user or system is allowed to access, such as read-only access to batch records or the ability to start and stop equipment.

Control is usually enforced by access control mechanisms in software, hardware, or physical security systems, and governed by documented access policies and procedures.

Common types of access control

In manufacturing and other regulated operations, access control models are often formalized. Common models include:

  • Role-based access control (RBAC): Permissions are assigned to roles (for example, operator, supervisor, quality engineer), and users are assigned to one or more roles.
  • Attribute-based access control (ABAC): Access decisions consider attributes such as user role, location, time of day, equipment state, or data classification.
  • Discretionary access control (DAC): Resource owners can grant or revoke access at their discretion, for example file or folder sharing in a team workspace.
  • Mandatory access control (MAC): Access decisions are enforced centrally based on classifications and clearances, often used for highly sensitive technical data.

Access control in industrial and regulated environments

Within manufacturing operations, access control typically covers:

  • System and application access: Controlling which users can log in to MES, SCADA, historians, quality systems, ERP, and other OT/IT applications, and what functions they can perform once logged in.
  • Data access: Restricting access to production data, batch records, recipes, SOPs, electronic logbooks, technical drawings, and other sensitive information based on role and need-to-know.
  • Physical access: Using locks, card readers, biometric readers, or similar systems to control entry to facilities, control rooms, server rooms, warehouses, and high-risk areas.
  • Equipment and process control: Limiting who can change equipment configurations, modify recipes, bypass interlocks, or release holds in the MES or quality system.

In regulated environments, access control settings and changes are often logged to provide an audit trail, support investigations, and demonstrate that only authorized personnel performed critical actions such as releasing product, changing specifications, or approving deviations.
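The RBAC and ABAC models listed earlier and the audit trail described above can be combined in a single decision point. The following is an added example, not code from this glossary or from any product it describes: the role names follow the glossary's examples, while the permission table, attribute rules, user names, and the `AccessDecisionPoint` class are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed RBAC policy: role -> permitted (action, resource) pairs.
ROLE_PERMISSIONS = {
    "operator": {("read", "batch_record"), ("start", "equipment"), ("stop", "equipment")},
    "supervisor": {("read", "batch_record"), ("start", "equipment"),
                   ("stop", "equipment"), ("release", "hold")},
    "quality_engineer": {("read", "batch_record"), ("release", "hold"),
                         ("modify", "recipe")},
}

# Constructed ABAC conditions layered on RBAC: a rule must hold even when a role grants the action.
ATTRIBUTE_RULES = {
    ("modify", "recipe"): lambda ctx: ctx.get("equipment_state") == "idle",
    ("start", "equipment"): lambda ctx: ctx.get("location") == "plant_floor",
}

@dataclass
class AccessDecisionPoint:
    user_roles: dict                      # user -> set of role names
    audit_log: list = field(default_factory=list)

    def decide(self, user, action, resource, ctx):
        key = (action, resource)
        roles = self.user_roles.get(user, set())   # unknown user has no roles
        granting = sorted(r for r in roles if key in ROLE_PERMISSIONS.get(r, ()))
        if not granting:                            # default deny
            allowed, reason = False, "no role grants permission"
        elif key in ATTRIBUTE_RULES and not ATTRIBUTE_RULES[key](ctx):
            allowed, reason = False, "attribute condition not met"
        else:
            allowed, reason = True, "granted via " + ",".join(granting)
        # Record every decision, denials included, so reviews can reconstruct who did what.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "resource": resource,
            "attributes": dict(ctx), "allowed": allowed, "reason": reason,
        })
        return allowed

if __name__ == "__main__":
    pdp = AccessDecisionPoint({"alice": {"operator"}, "bob": {"quality_engineer"}})
    pdp.decide("alice", "release", "hold", {})                           # denied by RBAC
    pdp.decide("bob", "modify", "recipe", {"equipment_state": "running"})  # denied by ABAC
    pdp.decide("bob", "modify", "recipe", {"equipment_state": "idle"})     # allowed
    for entry in pdp.audit_log:
        print(entry["user"], entry["action"], entry["resource"], entry["allowed"], entry["reason"])
```

The decision is default-deny: a request succeeds only when a role grants it and any attribute rule for that action also holds, and denied attempts land in the audit log alongside granted ones.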

Relationship to security frameworks and controls

Access control is a foundational category in many cybersecurity and information security frameworks, including those published by NIST. In these contexts, access control refers to families of controls that govern how user accounts, privileges, sessions, and device or network access are managed and monitored.

Examples include:

  • Policies defining who may request and approve access to specific systems or data.
  • Technical controls enforcing least-privilege access and session timeouts.
  • Periodic reviews of user accounts and access rights.

These controls provide structure for designing and assessing access management but do not, by themselves, ensure security or compliance without appropriate implementation and oversight in the specific environment.

Common confusion

  • Access control vs. authentication: Authentication verifies identity. Access control uses that identity, along with policies and attributes, to decide what the user or system is allowed to do.
  • Access control vs. identity management: Identity and access management (IAM) covers the entire lifecycle of identities and their entitlements. Access control is focused on the decision and enforcement aspect of who can access which resources under which conditions.
  • Access control vs. physical security only: In many industrial settings, the term is used for card readers and door locks, but in OT/IT and compliance contexts it also includes logical (system and data) access.
