Glossary

security baseline

A security baseline is a defined minimum set of security controls and configurations that all systems or environments must meet.

A security baseline is a documented, minimum set of security controls, configurations, and behaviors that every system, application, or environment is expected to meet. It establishes a consistent starting point for protecting systems and data from unauthorized access, disclosure, or modification.

What a security baseline includes

In industrial and regulated manufacturing environments, a security baseline commonly covers:

  • Technical configuration, such as operating system hardening, network segmentation rules, patch levels, endpoint protection, and secure default settings.
  • Access control requirements, including identity and authentication methods, account management, and role-based permissions for OT, MES, ERP, and supporting IT systems.
  • Monitoring and logging expectations, for example which events must be logged, minimum log retention periods, and time synchronization of control and information systems.
  • Data protection controls, such as use of encryption, secure protocols, and protection of configuration data, recipes, and production records.
  • Operational safeguards, including procedures for change control, backup and recovery, and handling of security alerts in production environments.

The baseline is usually defined per class of asset or environment (for example, plant network segments, MES servers, engineering workstations, mobile devices) so that requirements are clear and repeatable.

How it is used in practice

Operationally, a security baseline is used as a reference during design, deployment, and maintenance:

  • Design and procurement: New equipment, software, and integrations are assessed against the baseline before introduction into production.
  • Implementation: Build guides and configuration templates translate the baseline into concrete settings for OT, MES, and supporting IT systems.
  • Validation and audit: Periodic reviews, assessments, and automated checks verify that systems remain aligned to the baseline over time.
  • Change management: Deviations or exemptions (for example, on legacy equipment) are documented, risk-assessed, and tracked under formal change control.
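
An automated check of the kind mentioned under validation and audit can be sketched as follows. This is an added example, not code from the original page: the asset names, control keys, thresholds, and change-ticket identifiers are all constructed for illustration. It evaluates each asset against the baseline for its class, treats a missing setting as non-compliant, and honors a documented exemption only until its expiry date.

```python
import operator
from datetime import date

OPS = {"min": operator.ge, "max": operator.le, "eq": operator.eq}

# Constructed baseline: one rule set per asset class (hypothetical keys and values).
BASELINE = {
    "mes_server": {
        "log_retention_days": ("min", 180),
        "patch_age_days": ("max", 60),
        "ntp_synced": ("eq", True),
    },
    "engineering_workstation": {
        "log_retention_days": ("min", 90),
        "endpoint_protection": ("eq", True),
        "ntp_synced": ("eq", True),
    },
}

# Constructed exemption register: (asset, control) -> change ticket and expiry.
EXEMPTIONS = {
    ("ews-legacy-07", "endpoint_protection"): {"ticket": "CHG-EXAMPLE-001", "expires": date(2030, 1, 1)},
    ("mes-01", "patch_age_days"): {"ticket": "CHG-EXAMPLE-002", "expires": date(2020, 1, 1)},
}

def check_asset(name, asset_class, observed, today):
    """Return (control, status, detail) tuples for one asset against its class baseline."""
    findings = []
    for control, (op, required) in BASELINE[asset_class].items():
        actual = observed.get(control)  # a setting that was not collected cannot pass
        if actual is not None and OPS[op](actual, required):
            findings.append((control, "pass", ""))
            continue
        exemption = EXEMPTIONS.get((name, control))
        if exemption and exemption["expires"] >= today:
            findings.append((control, "exempt", exemption["ticket"]))
        elif exemption:  # an exemption exists but has lapsed, so the deviation counts again
            findings.append((control, "fail", "exemption expired: " + exemption["ticket"]))
        else:
            findings.append((control, "fail", f"observed {actual!r}, required {op} {required!r}"))
    return findings

# Constructed inventory snapshot: (asset name, asset class, observed settings).
INVENTORY = [
    ("mes-01", "mes_server", {"log_retention_days": 365, "patch_age_days": 120, "ntp_synced": True}),
    ("ews-legacy-07", "engineering_workstation", {"log_retention_days": 30, "endpoint_protection": False}),
]

if __name__ == "__main__":
    for name, cls, observed in INVENTORY:
        for control, status, detail in check_asset(name, cls, observed, date(2025, 1, 1)):
            print(f"{name:14} {control:20} {status:6} {detail}")
```

Reporting "exempt" separately from "pass" keeps tracked deviations visible in every run, and the expiry check forces a lapsed exemption back into review.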

Interaction with privacy and data handling requirements

Security baselines often intersect with privacy and regulated data handling baselines. For example, in manufacturing environments that process personal data or sensitive technical data, the security baseline may be constrained by:

  • Rules on what can be logged (for example, masking of identifiers in event logs).
  • Retention limits for security and system logs that contain personal or sensitive information.
  • Access restrictions on monitoring tools, backup systems, and analytics platforms that can view production or quality data tied to individuals.

In practice, security and privacy baselines are defined and maintained together so that protective controls do not conflict with data protection, regulatory, or workforce privacy requirements.

Common confusion

  • Security baseline vs. security policy: A policy states high-level intent and principles. A baseline specifies concrete, minimum required settings and controls.
  • Security baseline vs. hardening guide: A hardening guide describes how to configure a specific platform securely. A baseline defines what level of security must be achieved across platforms; hardening guides help implement it.
  • Security baseline vs. risk assessment: A risk assessment analyzes threats and vulnerabilities. The baseline is one of the control sets used to manage those risks.

In regulated manufacturing, using a clear, documented security baseline supports consistent protection of OT and IT systems, while enabling traceable changes and exceptions across long-lived equipment and mixed-technology environments.
