The term “Function (Identify, Protect, Detect, Respond, Recover)” commonly refers to the five high-level cybersecurity functions used to organize how an organization manages cyber risk across its technology and operational environments. In industrial and manufacturing contexts, these functions are often applied to IT, OT, MES, and connected equipment to structure security programs and controls.
The five functions
The five functions form a lifecycle view of cybersecurity risk management:
- Identify: Understand and document assets, systems, data, and business processes, along with associated risks, dependencies, and roles. In a plant, this includes inventories of OT devices, MES/ERP interfaces, critical production lines, and supporting infrastructure.
- Protect: Implement safeguards to limit or contain the impact of potential cybersecurity events. Examples include access control on HMIs and MES, network segmentation for OT, hardening of servers, patch management processes, and secure configuration of interfaces between shop-floor systems and enterprise IT.
- Detect: Develop and operate activities that identify the occurrence of a cybersecurity event. In manufacturing, this can involve monitoring for anomalous traffic on control networks, unusual MES user behavior, or unauthorized changes to recipes, work instructions, or configurations.
- Respond: Take action regarding a detected cybersecurity incident to contain, analyze, and communicate about it. This includes incident response playbooks, coordination between IT and operations, roles for production and quality teams, and steps to limit impact on safety, quality, and delivery.
- Recover: Restore capabilities or services that were impaired due to a cybersecurity incident. Industrial examples include validated system restore for MES and historians, controlled restart of production lines, verification of product quality and traceability data, and review of lessons learned.
Use in industrial and regulated environments
In regulated manufacturing, these functions are often used as a common language between IT security, OT engineering, quality, and compliance teams. They help map technical and procedural controls to operational areas such as:
- Protection of production data and digital travelers
- Security of interfaces between MES, ERP, PLM, and OT devices
- Evidence of change control, access control, and monitoring for audits
- Incident handling processes that affect product quality, traceability, or delivery
Common confusion
- Not a detailed control list: The five functions are high-level organizing concepts, not specific technical requirements or configuration checklists.
- Not limited to IT networks: In manufacturing, the functions apply to both IT (servers, business systems) and OT (PLC, SCADA, DCS, robots, test stands) as well as integrated MES/ERP environments.
- Not just incident phases: While Respond and Recover relate to incidents, Identify, Protect, and Detect also cover ongoing governance, engineering, and operational practices.