# Operational Technology Cybersecurity Controls

## Endpoint Central helps comply with Operational Technology Cybersecurity Controls

The rapid evolution of Industrial Control Systems (ICS) has brought increased efficiency and automation to critical infrastructure, but it has also opened the door to an ever-growing wave of cyber threats. As these systems become the backbone of industrial operations, safeguarding them is essential to protect critical infrastructure and ensure operational continuity. Recognizing this, the Operational Technology Cybersecurity Controls (OTCC) framework was introduced in 2022 to enhance the security of OT/ICS ecosystems. Designed as **an extension of the NCA's Essential Cybersecurity Controls (ECC)**, OTCC provides a comprehensive framework to address the unique challenges of industrial cybersecurity.

**NCA's definitions of Critical Facilities and Industrial Control Systems (ICS):**

*Critical facilities are defined as the facilities where their destruction and/or dysfunction may lead to the disruption or discontinuity of the organization's operation.*

*Additionally, the term Industrial Control Systems (ICS) includes all devices, systems, or networks used to operate and/or automate industrial processes.*

The Operational Technology Cybersecurity Controls (OTCC) contain:

- 4 Main Domains.
- 23 Subdomains.
- 47 Main Controls.
- 122 Sub-controls.

In the sections below, we explore how Endpoint Central, ManageEngine's unified endpoint management and security solution, can assist in building a comprehensive cybersecurity strategy aligned with the Operational Technology Cybersecurity Controls. Each section quotes the OTCC control (with its S.No) and then lists how Endpoint Central helps.

## OTCC Controls and How Endpoint Central Helps

### 1-5 Cybersecurity in Change Management

Cybersecurity requirements within the organization's OT/ICS change management must be defined, documented, and approved. The cybersecurity requirements must be a key part of the overall requirements of OT/ICS change management.

Cybersecurity requirements within the organization's OT/ICS change management lifecycle must be implemented.

In addition to the ECC controls 1-6-2 and 1-6-3, cybersecurity requirements in OT/ICS change management must include, at a minimum, the following:

- 1-5-3-1 Cybersecurity requirements are part of the change management lifecycle.
- 1-5-3-2 Changes are validated in a separate environment prior to implementing them in the production environment.
- 1-5-3-3 In the event that OT/ICS devices are replaced with different but functionally equivalent devices, whether in design, testing, or operation environments, the cybersecurity of the replacement device must be validated prior to its use in the operational environment.
- 1-5-3-4 Restricted processes for exceptional changes must be implemented.
- 1-5-3-5 Automated configuration and asset change detection mechanisms must be implemented.

Cybersecurity requirements within the organization's OT/ICS change management must be reviewed, and their implementation effectiveness measured and evaluated periodically.

**How Endpoint Central helps:**

- When patching OT/ICS systems, Endpoint Central lets admins test and approve patches in a test environment before deploying them to production.
- Endpoint Central's [Inventory alerts](https://www.manageengine.com/products/desktop-central/help/inventory/configure_email_alerts_for_inventory.html) allow admins to detect changes in the hardware or software used in OT/ICS.

### 2-1 Asset Management

Objective: to ensure that the organization has an accurate and detailed inventory of OT/ICS assets to support cybersecurity and operational requirements and to maintain production uptime, safe operations, and the confidentiality, integrity, and availability of OT/ICS assets.

In addition to the controls in ECC subdomain 2-1, cybersecurity requirements for asset management in the OT/ICS environment must include, at a minimum:

- 2-1-1-1 The OT/ICS asset inventory must be developed in electronic format and reviewed periodically.
- 2-1-1-2 An automated solution to collect asset inventory information must be utilized.
- 2-1-1-3 The OT/ICS asset inventory must be stored securely.
- 2-1-1-4 Asset owners must be identified and involved throughout the asset inventory lifecycle.
- 2-1-1-5 A criticality rating for all assets must be assigned, documented, and approved.

With reference to ECC control 2-1-6, requirements must be reviewed and their effectiveness evaluated periodically.

**How Endpoint Central helps:**

- Endpoint Central has [comprehensive asset management](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/asset_management_setup.html) capabilities for hardware and software, listing OT/ICS computers, software, and files across the network.
- ManageEngine ServiceDesk Plus leverages Endpoint Central's agent for asset discovery. For comprehensive asset management with mapping and CMDBs, ServiceDesk Plus can [complete this requirement](https://www.manageengine.com/products/service-desk/it-asset-management/it-inventory-management-software.html) alongside Endpoint Central.

### 2-3 System and Processing Facilities Protection

Objective: to ensure protection of OT/ICS systems and processing facilities (including workstations, servers, and Safety Instrumented Systems, "SIS") against cyber risks.

Requirements include advanced protection mechanisms, periodic security reviews and hardening, patching aligned with vendor guidance, least privilege, application whitelisting, segmented management workstations (EWS/HMI), malware scanning of external media, log protection, detection of unauthorized changes, and monitoring of communications.

With reference to ECC control 2-3-4, requirements must be reviewed and their effectiveness evaluated periodically.

**How Endpoint Central helps:**

- Admins can perform [port audits](https://www.manageengine.com/vulnerability-management/audit-ports-in-use.html) to identify anomalous port behavior.
- Endpoint Central helps remediate [zero-day vulnerabilities](https://www.manageengine.com/vulnerability-management/zero-day-vulnerability-mitigation.html) and security [misconfigurations](https://www.manageengine.com/vulnerability-management/misconfiguration/).
- It includes a built-in [next-gen antivirus engine](https://www.manageengine.com/products/desktop-central/nextgen-antivirus.html) (early access) with AI-assisted real-time detection.
- Anti-ransomware capabilities provide instant, non-erasable backups via the Microsoft Volume Shadow Copy Service.
- Peripheral device management blocks or restricts external storage and enables trusted device lists.
- The Application Control module supports [allowlisting and blocklisting](https://www.manageengine.com/application-control/allowlisting-vs-blocklisting.html).
- Endpoint Central enforces least privilege through [endpoint privilege management](https://www.manageengine.com/application-control/endpoint-privilege-management.html) with just-in-time access.

### 2-4 Network Security Management

Objective: to protect OT/ICS networks from cyber risks.

Requirements include segmentation of OT/ICS environments and zones, SIS segregation, wireless restrictions, controlled communications, secure remote access via a DMZ, use of proxies and gateways, patch testing, and documentation of network architecture and topology.

With reference to ECC control 2-5-4, requirements must be reviewed and their effectiveness evaluated periodically.

**How Endpoint Central helps:**

- Endpoint Central's [Custom Group feature](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/creating_custom_groups.html) enables logical segregation of ICS/OT systems.
- Admins can restrict connections to public Wi-Fi or enforce certificate-based connections through [Wi-Fi certificates](https://www.manageengine.com/mobile-device-management/help/certificate_management/mdm_certificate_repository.html) and configure [Wi-Fi profiles](https://www.manageengine.com/products/desktop-central/help/user_configuration/configuring_wifi.html).
- Its network-neutral architecture allows management of isolated ICS/OT systems.
- Patch testing and approval can be performed in a test environment before production deployment.

### 2-5 Mobile Devices Security

Objective: to protect mobile devices (laptops, handheld configuration devices, network test devices, etc.) and ensure secure handling of sensitive data.

Requirements include restricting usage, conducting risk assessments, enforcing approval processes, and ensuring compliance with cybersecurity requirements before connecting to OT/ICS environments.

**How Endpoint Central helps:**

- Endpoint Central's MDM capability helps [streamline updates](https://www.manageengine.com/mobile-device-management/how-to/mdm-android-ios-device-data-encryption.html) for mobile OS and applications.
- It integrates with [Check Point Harmony](https://www.manageengine.com/products/desktop-central/check-point-integration.html) for Mobile Threat Defense (MTD).
- Custom groups can restrict mobile devices to OT/ICS environments only.
- Admins can [encrypt Android and iOS devices](https://www.manageengine.com/mobile-device-management/how-to/mdm-android-ios-device-data-encryption.html) and SD cards.

### 2-6 Data and Information Protection

Objective: to ensure the confidentiality, integrity, and availability of organizational data.

Requirements include protection of data at rest and in transit, DLP mechanisms, secure wiping before decommissioning, and strict controls on data transfers outside production environments.

With reference to ECC control 2-7-4, requirements must be reviewed and their effectiveness evaluated periodically.

**How Endpoint Central helps:**

- Endpoint Central provides [data leakage prevention](https://www.manageengine.com/endpoint-dlp/) to detect, classify, and control data transfers via cloud and peripheral devices.
- Admins can perform [remote wipes](https://www.manageengine.com/mobile-device-management/help/security_management/mdm_security_management.html#wipe) to protect corporate data if OT/ICS assets are lost.
- It supports BitLocker management for Windows and FileVault encryption for macOS devices.

### 2-9 Vulnerabilities Management

Objective: to ensure timely detection and remediation of technical vulnerabilities in OT/ICS environments.

Requirements include defining the vulnerability assessment scope, timely remediation of critical vulnerabilities, and conducting periodic assessments.

With reference to ECC control 2-10-4, requirements must be reviewed and their effectiveness evaluated periodically.

**How Endpoint Central helps:**

- Endpoint Central provides comprehensive vulnerability management with continuous assessment and centralized visibility.
- It includes built-in remediation and [risk-based vulnerability management](https://www.manageengine.com/vulnerability-management/risk-based-vulnerability-management.html), prioritizing vulnerabilities based on CVSS score, CVE impact, patch availability, and more.