NIST SP 800-82 (OT Security)

Guide to securing operational technology and control systems.

Introduction: Securing Operational Technology with NIST SP 800-82

NIST Special Publication 800-82, formally titled 'Guide to Operational Technology (OT) Security', is the definitive United States federal guidance for securing the industrial and cyber-physical systems that run critical infrastructure. Now in its Revision 3 (published September 2023), the guide expanded its historical focus from Industrial Control Systems (ICS) to the broader universe of Operational Technology, encompassing Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs), Building Automation Systems (BAS), Physical Access Control Systems (PACS), Safety Instrumented Systems (SIS), and the Industrial Internet of Things (IIoT). Where enterprise IT security prioritises confidentiality, OT security inverts the priority stack toward availability, integrity and safety, because a compromised control system can injure people, damage physical plant, and disrupt essential services such as electricity, water, oil and gas, manufacturing and transportation.

This deep-dive is written for two audiences simultaneously: the assessor or auditor who must verify that an OT environment has implemented appropriate safeguards, and the CISO, OT security lead or plant engineer who must design, deploy and operate those safeguards. NIST 800-82 is guidance rather than a certifiable standard, but it is frequently invoked as the reference baseline in regulated sectors (electric utilities under NERC CIP, water utilities under the AWIA, chemical facilities under CFATS legacy expectations, and federal agencies operating OT). It provides an OT-specific overlay of the security controls catalogued in NIST SP 800-53 Revision 5 and aligns tightly with the NIST Cybersecurity Framework (CSF).

The stakes are unusually concrete in OT. A misconfigured firewall rule in an enterprise IT network might leak data; the equivalent failure in an OT network can allow an adversary to manipulate a set-point, disable a protective relay, or spoof sensor readings so that operators react to a false picture of the physical process. Real-world incidents - the 2015 and 2016 attacks on the Ukrainian power grid, the TRITON/TRISIS malware that targeted a petrochemical safety instrumented system in 2017, the Colonial Pipeline ransomware event in 2021, and the 2021 attempt to alter chemical dosing at a Florida water treatment facility - have hardened regulatory and insurer expectations. NIST 800-82 Revision 3 was written against this backdrop, explicitly recognising that ransomware and IT-originated intrusions now routinely spill into OT, and that the historical 'air gap' assumption is, in most facilities, a myth. Assessors should therefore treat IT/OT interconnection as the default finding to disprove, not the exception to hunt for.

A recurring theme throughout the publication is the CIA-versus-AIC inversion. In corporate IT the priority order is typically Confidentiality, Integrity, Availability. In OT the order is inverted toward Availability and Integrity, with an overarching consideration - Safety - that sits above all three. A control that is best practice in IT (for example, an automatic account lockout after several failed logons, or forced patch-and-reboot cycles) can be actively hazardous in OT if it locks an operator out of a console during an upset condition or reboots a controller mid-process. NIST 800-82 legitimises compensating controls - segmentation, continuous monitoring, physical protection and documented manual procedures - precisely so that security is achieved without introducing new safety or availability risk.

Copyright and source note
NIST Special Publication 800-82 Revision 3 is a work of the U.S. Government and is generally in the public domain within the United States; it may be freely reproduced. Nonetheless, this CyberSigma guide is original explanatory and audit content authored by our assessors. It paraphrases and interprets the publication and does not reproduce NIST's text verbatim. Where NIST 800-82 references control catalogues from SP 800-53 Rev 5, the CSF, and third-party standards such as ISA/IEC 62443, those sources carry their own licensing terms and should be consulted directly for authoritative control text. Always work from the current official NIST publication for compliance decisions.

What is NIST SP 800-82

NIST SP 800-82 is a comprehensive guidance document that helps organisations understand OT, identify the unique characteristics and risks of OT environments, and select and tailor security controls to protect them without compromising operational reliability or safety. It does not prescribe a rigid pass/fail scheme; instead it provides a risk-based methodology and an OT-specific overlay that maps the general-purpose controls of SP 800-53 Rev 5 onto the realities of control systems. The document deliberately acknowledges that traditional IT security practices - frequent patching, aggressive scanning, automatic account lockouts, mandatory reboots - can be dangerous or impossible in environments where a PLC controls a turbine or a chemical reaction and cannot tolerate latency, interruption or unexpected behaviour.

How OT differs from IT - the constraints that shape every control decision

An assessor cannot evaluate an OT environment fairly without internalising why OT is different. NIST 800-82 devotes substantial narrative to these distinctions because they justify the tailoring in the overlay. The following characteristics recur across nearly every finding and remediation decision.

Attribute | IT environment | OT environment
--- | --- | ---
Primary objective | Confidentiality of data | Availability and integrity of the physical process, above all Safety.
Performance | High throughput; some jitter tolerable | Deterministic, real-time; latency and jitter can trip a process.
Asset lifespan | 3-5 years | 10-30 years; legacy protocols and unsupported operating systems common.
Patching | Frequent, often automatic | Infrequent; requires outage windows, vendor validation and safety review.
Availability | Reboots and downtime routine | 24x7 continuous; unplanned downtime can be catastrophic or costly.
Change management | Agile, frequent | Rigorous management-of-change; changes can affect safety cases.
Testing | Scanning and pen-testing routine on live systems | Active scanning can crash fragile devices; test benches preferred.
Physical impact of failure | Data loss | Equipment damage, environmental release, injury or loss of life.

These constraints are why NIST 800-82 favours passive over active techniques, compensating controls over forced technical enforcement, and consequence-driven risk analysis over data-classification-driven analysis. Every deviation from an IT-normal control should be traceable to one of these attributes and documented in the control tailoring worksheet, so that the residual risk is a conscious, authorised decision rather than an accident.

Evolution and revision history

Edition | Year | Scope and key change
--- | --- | ---
Rev 1 | 2011 | Guide to Industrial Control Systems (ICS) Security; established the ICS overlay of SP 800-53 controls.
Rev 2 | 2015 | Updated overlay, added guidance on newer threats, aligned with SP 800-53 Rev 4.
Rev 3 | 2023 | Retitled to 'Guide to Operational Technology (OT) Security'; broadened scope beyond ICS to all OT (BAS, PACS, IIoT, SIS); aligned to SP 800-53 Rev 5 and the NIST CSF; introduced an updated OT overlay and applied risk management using SP 800-37 (RMF) and SP 800-30/39.

How NIST 800-82 relates to other NIST documents

  • NIST CSF (Cybersecurity Framework): 800-82 uses the CSF Functions (Identify, Protect, Detect, Respond, Recover; Govern added in CSF 2.0) as an organising lens for OT risk.
  • NIST SP 800-53 Rev 5: the master catalogue of security and privacy controls; 800-82 provides the OT overlay (tailoring guidance and supplemental OT-specific enhancements) for these control families.
  • NIST SP 800-37 (Risk Management Framework): the seven-step RMF (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) is the lifecycle 800-82 recommends for OT.
  • NIST SP 800-30 / 800-39: risk assessment methodology and organisation-wide risk management, applied to OT consequence analysis.
  • NIST SP 800-61 / 800-184: incident handling and cyber resiliency (recovery) guidance referenced for OT response and recovery.

Who must comply / scope of applicability

NIST 800-82 is voluntary guidance, but its practical reach is broad. U.S. federal agencies operating OT are effectively bound to it through FISMA and OMB direction, and it is the de facto baseline that regulators, insurers and prime contractors expect operators of critical infrastructure to follow. The following table summarises who typically applies NIST 800-82 and why.

Organisation type | Applicability driver
--- | ---
U.S. federal agencies with OT (e.g. energy, water, facilities) | Mandatory via FISMA / OMB A-130; 800-53 controls apply, 800-82 provides OT tailoring.
Electric utilities (bulk power) | NERC CIP is the binding standard; 800-82 used as supporting engineering guidance and gap reference.
Water and wastewater utilities | AWIA risk & resilience assessments; EPA and CISA reference 800-82 as good practice.
Oil, gas and pipelines | TSA Security Directives (pipeline) reference NIST frameworks; 800-82 informs OT control selection.
Chemical and process manufacturing | CFATS legacy RBPS expectations and insurer requirements align to 800-82 / IEC 62443.
Discrete manufacturing / IIoT operators | Contractual (DFARS/CMMC for defence supply chain), customer and insurer requirements.
Building owners / smart facilities | BAS and PACS security; 800-82 Rev 3 explicitly extends to building automation.
Federal contractors and integrators | Flow-down of federal OT security requirements via contract.

OT asset classes in scope

  • SCADA systems (wide-area telemetry and control).
  • Distributed Control Systems (DCS) in continuous process plants.
  • Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs).
  • Human-Machine Interfaces (HMIs), engineering workstations and historians.
  • Safety Instrumented Systems (SIS) and Safety Instrumented Functions (SIF).
  • Building Automation Systems (BAS/BMS) - HVAC, lighting, energy management.
  • Physical Access Control Systems (PACS) and CCTV.
  • Industrial Internet of Things (IIoT) sensors, gateways and edge devices.

Structure of NIST SP 800-82 Rev 3

The publication is organised into a narrative that first characterises OT, then applies risk management, and finally delivers the OT overlay against the SP 800-53 Rev 5 control families. Understanding this structure is essential to navigating an assessment, because the enumeration of obligations in Section 5 of this guide follows the 20 control families of SP 800-53 as tailored by the OT overlay.

Structural element | Content and purpose
--- | ---
Sections 1-2: OT overview | Defines OT, describes SCADA/DCS/PLC/BAS/IIoT, contrasts OT vs IT (availability-first, safety, real-time constraints, long lifecycles).
Section 3: OT risk management | Applies the RMF (SP 800-37) and risk assessment (SP 800-30) to OT; consequence-driven, safety-integrated risk analysis.
Section 4: OT security architecture | Network segmentation, the Purdue Reference Model / zones and conduits, DMZs, boundary protection, defence-in-depth.
Section 5: Applying the CSF to OT | Uses the CSF Functions (Govern, Identify, Protect, Detect, Respond, Recover) to frame OT security outcomes.
Section 6 / Appendices: OT overlay | The tailored SP 800-53 Rev 5 control baseline for OT - the 20 control families with OT-specific tailoring, supplemental guidance and enhancements.
Appendices | Threat/vulnerability sources, mapping tables, acronyms and references to ISA/IEC 62443 and CSF.

The 20 SP 800-53 Rev 5 control families used by the OT overlay

ID | Control family
--- | ---
AC | Access Control
AT | Awareness and Training
AU | Audit and Accountability
CA | Assessment, Authorization, and Monitoring
CM | Configuration Management
CP | Contingency Planning
IA | Identification and Authentication
IR | Incident Response
MA | Maintenance
MP | Media Protection
PE | Physical and Environmental Protection
PL | Planning
PM | Program Management
PS | Personnel Security
PT | PII Processing and Transparency
RA | Risk Assessment
SA | System and Services Acquisition
SC | System and Communications Protection
SI | System and Information Integrity
SR | Supply Chain Risk Management

The Purdue Reference Model and zones-and-conduits architecture

NIST 800-82 organises OT network architecture around a layered reference model derived from the Purdue Enterprise Reference Architecture and the ISA/IEC 62443 zones-and-conduits concept. Understanding these levels is prerequisite to assessing the SC (System and Communications Protection) family, because segmentation findings are expressed in terms of which levels are separated and how traffic crosses between them. A conduit is the controlled communication path between zones, and a zone is a grouping of assets sharing common security requirements.

Level | Purdue layer and typical assets
--- | ---
Level 0 | Physical process - field instruments, sensors and actuators.
Level 1 | Basic control - PLCs, RTUs, IEDs and safety instrumented systems (often a separate zone).
Level 2 | Area supervisory control - HMIs, SCADA servers, engineering workstations.
Level 3 | Site operations - historians, production management, local domain services.
Level 3.5 | Industrial DMZ (OT DMZ) - the buffer zone brokering all IT-to-OT traffic; jump hosts, patch/AV proxies, data replication.
Level 4 | Site business / IT - ERP, email, enterprise applications.
Level 5 | Enterprise / corporate and external connectivity.

Master assessment checklist - the OT overlay control families

This is the core of any NIST 800-82 assessment. Each control family below is enumerated with the OT-specific matters an assessor must verify and the typical evidence to be collected. The tailoring reflects the OT overlay's central themes: availability and safety take precedence, IT-style automated enforcement must not endanger the process, and compensating controls (segmentation, monitoring, manual procedures) are legitimate where technical enforcement on legacy devices is impossible. No control family is skipped. For each family, remember the assessor's cardinal rule: where a baseline control is not technically implementable on a legacy OT device, the acceptable outcomes are either a documented compensating control or a formally authorised risk acceptance - never a silent gap.

AC - Access Control

What to verify | Typical evidence
--- | ---
Least-privilege and role-based access applied to HMIs, engineering workstations, historians and remote-access paths. | Access matrices, RBAC configuration, role definitions per system.
Remote access to OT is brokered, MFA-protected and time-limited; no direct vendor tunnels into Level 1/2. | Jump-host/remote-access architecture, VPN and MFA configuration, session logs.
Account lockout tuned so it cannot lock out a safety-critical operator during an incident (compensating monitoring instead). | Account policy settings, documented safety exception rationale.
Session management, unsuccessful-logon handling and least-functionality on operator consoles. | Console configuration, screen-lock and re-authentication settings.

AT - Awareness and Training

What to verify | Typical evidence
--- | ---
Role-based OT security training for engineers, operators and integrators, distinct from generic IT awareness. | Training curriculum, attendance records, competency assessments.
Safety-and-security integration so staff understand cyber events with physical consequences. | Combined HSE/cyber training materials, tabletop records.
Vendor and contractor personnel trained on site OT security rules before access. | Contractor onboarding checklists, signed acknowledgements.

AU - Audit and Accountability

What to verify | Typical evidence
--- | ---
Security-relevant events logged on HMIs, servers, historians and network devices without degrading real-time performance. | Logging configuration, audit event lists, performance impact assessment.
Time synchronisation across OT for reliable event correlation (NTP hierarchy, GPS source). | NTP/time-source design, drift monitoring records.
Logs forwarded to a protected collector/SIEM in the OT DMZ; retention meets regulatory needs. | Log-forwarding architecture, retention policy, SIEM dashboards.
Audit log review and alerting procedures defined and exercised. | Review logs, alert runbooks, sample investigations.

CA - Assessment, Authorization, and Monitoring

What to verify | Typical evidence
--- | ---
Each OT system is authorised to operate (ATO) with documented risk acceptance by an accountable authority. | Authorization packages, risk-acceptance memos, POA&Ms.
Security assessments use passive/non-intrusive techniques on live OT; active scanning restricted to maintenance windows or test benches. | Assessment plans, scanning policy, change tickets.
Continuous monitoring strategy covers OT assets and boundary devices. | ConMon plan, monitoring coverage map.
Plans of Action and Milestones (POA&M) track and remediate findings. | POA&M register with owners and dates.

CM - Configuration Management

What to verify | Typical evidence
--- | ---
Authoritative asset inventory of all OT devices including firmware/PLC logic versions. | Asset register, automated discovery output, baseline documents.
Secure baseline configurations defined; deviations detected and controlled. | Golden configurations, drift-detection reports.
Change control integrates engineering change management with security review and safety review. | Change management procedure, MOC records, approvals.
Least-functionality: unnecessary services, ports and default credentials removed on OT devices where feasible. | Hardening standards, configuration audit results.

CP - Contingency Planning

What to verify | Typical evidence
--- | ---
OT-specific contingency and recovery plans exist with defined RTO/RPO for control functions. | Contingency plan, BIA, RTO/RPO definitions.
Backups of PLC logic, HMI projects, configurations and historians are tested and stored offline/immutable. | Backup schedule, restoration test records, offline copy evidence.
Manual/degraded operating procedures allow safe operation if control systems fail. | Fail-safe operating procedures, operator drill records.
Alternate control and spares strategy for critical devices. | Spares inventory, alternate site/plan documentation.

IA - Identification and Authentication

What to verify | Typical evidence
--- | ---
Individual user authentication where technically feasible; shared/operational accounts governed by compensating controls and logging. | Account inventory, shared-account justification and monitoring.
MFA for remote and privileged OT access. | MFA configuration and enforcement evidence.
Device authentication for network-connected OT where supported; management of legacy devices lacking auth. | Device auth config, legacy-device risk register.
Credential and secrets management (no hard-coded/default passwords in service). | Password vault records, default-credential remediation log.

IR - Incident Response

What to verify | Typical evidence
--- | ---
OT incident response plan integrated with safety/emergency response and enterprise CSIRT. | IR plan, escalation matrix, integration with HSE.
Detection, containment and eradication procedures that avoid unsafe shutdowns; decision authority for trip/no-trip. | Runbooks, containment playbooks, authority matrix.
Regulatory/sector reporting obligations mapped (e.g. CISA, sector regulator, CIRCIA when in force). | Reporting procedure, notification templates, contact list.
Exercises and tabletops conducted with OT scenarios and lessons learned tracked. | Exercise reports, after-action reviews.

MA - Maintenance

What to verify | Typical evidence
--- | ---
Controlled, logged maintenance including remote vendor maintenance sessions with supervision. | Maintenance logs, remote-session recordings/approvals.
Maintenance tools and portable media scanned and controlled before OT connection. | Media control policy, sanitisation/scan records.
Patch and firmware updates tested and applied via risk-based schedule with rollback plans. | Patch policy, test evidence, deferred-patch risk register.

MP - Media Protection

What to verify | Typical evidence
--- | ---
Removable media use restricted, scanned at a sanitisation station, and logged. | USB/media policy, kiosk logs, port-control config.
Backup and configuration media stored, labelled and sanitised/destroyed securely. | Media handling procedure, destruction certificates.

PE - Physical and Environmental Protection

What to verify | Typical evidence
--- | ---
Physical access to control rooms, RTU/PLC cabinets, network cabinets and field devices is restricted and logged. | Access control records, cabinet locks, visitor logs.
Environmental controls (power, HVAC, fire suppression) protect OT availability. | UPS/generator records, environmental monitoring.
Tamper detection and protection of remote/field assets. | Tamper-seal inspections, remote-site security assessments.

PL - Planning

What to verify | Typical evidence
--- | ---
OT system security plans (SSP) document boundaries, controls and tailoring rationale. | System Security Plans, control tailoring worksheets.
Concept of operations and rules of behaviour defined for OT users. | ConOps, rules-of-behaviour acknowledgements.
Security architecture documented (zones, conduits, data flows). | Network diagrams, data-flow diagrams, Purdue model mapping.

PM - Program Management

What to verify | Typical evidence
--- | ---
An enterprise OT security programme with executive sponsorship, governance and defined roles. | Programme charter, governance minutes, org chart.
Risk management strategy and enterprise risk register include OT/cyber-physical risk. | Risk strategy, enterprise risk register.
Adequate resourcing, KPIs and continuous improvement of the OT programme. | Budget records, metrics reports, improvement plans.

PS - Personnel Security

What to verify | Typical evidence
--- | ---
Screening for personnel and contractors with OT access commensurate with risk. | Screening records, background-check policy.
Timely access revocation on transfer/termination for OT accounts and physical access. | Offboarding checklists, access-removal tickets.
Third-party/integrator personnel agreements include OT security obligations. | Contracts, NDAs, access agreements.

PT - PII Processing and Transparency

What to verify | Typical evidence
--- | ---
Where OT/BAS/PACS process personal data (badge data, CCTV, occupancy), processing is authorised and minimised. | Data inventory, privacy notices, DPIA where applicable.
Consent, purpose limitation and retention applied to any PII collected by OT systems. | Retention schedule, access controls on PII stores.

RA - Risk Assessment

What to verify | Typical evidence
--- | ---
OT risk assessments consider safety and physical consequence, not just data loss. | Risk assessment reports, consequence/impact analysis.
Vulnerability identification uses passive methods and vendor advisories (e.g. ICS-CERT/CISA advisories). | Vulnerability register, advisory tracking, prioritisation.
Threat modelling includes OT-relevant threats (ransomware, insider, supply chain, nation-state). | Threat model, adversary scenarios.
Risk responses (accept/mitigate/transfer/avoid) documented and authorised. | Risk treatment plan, risk-acceptance records.

SA - System and Services Acquisition

What to verify | Typical evidence
--- | ---
Security requirements embedded in OT procurement and integration contracts (secure-by-design, SBOM). | Procurement specs, contract security clauses, SBOMs.
Development, integration and factory/site acceptance testing include security verification. | FAT/SAT test plans and results.
Vendor support, end-of-life and secure disposal addressed across the OT lifecycle. | Lifecycle plan, EOL register, support agreements.

SC - System and Communications Protection

What to verify | Typical evidence
--- | ---
Network segmentation into zones and conduits (Purdue levels) with an OT DMZ between IT and OT. | Network diagrams, firewall rulebase, zone/conduit definitions.
Boundary protection: firewalls, unidirectional gateways/data diodes for high-assurance flows. | Boundary device configs, data-diode deployment evidence.
Denial-of-service and integrity protection for control traffic; encryption where it does not break real-time constraints. | Traffic protection config, protocol-security assessment.
Wireless and IIoT communications secured and segmented. | Wireless security config, IIoT gateway hardening.
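The first SC row asks the assessor to read the firewall rulebase against the zone/conduit definitions, and the Purdue table earlier on this page gives the levels those definitions use. The following is an added example (not part of NIST 800-82 or CyberSigma's tooling) of that review as a script: every permitted inter-zone rule is treated as a conduit and flagged when it lets IT (Levels 4-5) reach OT (Levels 0-3) without terminating in the Level 3.5 OT DMZ, when it reaches Level 0/1 controllers from anywhere other than Level 2 supervisory control, or when it uses an unscoped "any" zone. The zone names, the Rule format and the sample rulebase are assumptions constructed for the example.

```python
"""Added example: check a firewall rulebase against the Purdue zone model.

Every permitted inter-zone flow is a conduit. The check flags conduits the
architecture in this guide does not allow. Zone names, the Rule layout and
the sample rulebase are constructed for this example.
"""
from dataclasses import dataclass

# Purdue level per zone name (assumed naming; substitute the site's own zones).
ZONE_LEVEL = {
    "field": 0.0, "control": 1.0, "supervisory": 2.0, "site-ops": 3.0,
    "ot-dmz": 3.5, "business": 4.0, "enterprise": 5.0,
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str = "permit"


def conduit_violations(rules):
    """Return (rule, reason) pairs for permitted flows that break the zone model."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue  # denies are not conduits
        if r.src == "any" or r.dst == "any":
            findings.append((r, "conduit uses an 'any' zone; scope it to named zones"))
            continue
        if r.src not in ZONE_LEVEL or r.dst not in ZONE_LEVEL:
            findings.append((r, "zone missing from the Purdue map; classify it first"))
            continue
        s, d = ZONE_LEVEL[r.src], ZONE_LEVEL[r.dst]
        crosses_it_ot = (s >= 4 and d <= 3) or (s <= 3 and d >= 4)
        if crosses_it_ot:
            # Only Level 3.5 may terminate an IT<->OT flow; 3.5 itself never trips this.
            findings.append((r, "IT/OT flow bypasses the Level 3.5 OT DMZ"))
        elif d <= 1 and s > 2:
            findings.append((r, "flow into Level 0/1 does not originate from Level 2"))
    return findings


# Constructed sample rulebase.
SAMPLE_RULEBASE = [
    Rule("business", "ot-dmz", "https"),                 # IT reaches only the DMZ: acceptable
    Rule("ot-dmz", "supervisory", "rdp-jumphost"),       # brokered from the DMZ: acceptable
    Rule("supervisory", "control", "modbus/tcp"),        # Level 2 to Level 1: acceptable
    Rule("business", "supervisory", "rdp"),              # Level 4 straight into Level 2: finding
    Rule("site-ops", "control", "modbus/tcp"),           # Level 3 straight into Level 1: finding
    Rule("enterprise", "any", "icmp"),                   # unscoped conduit: finding
    Rule("business", "site-ops", "smb", action="deny"),  # a deny is not a conduit
]

if __name__ == "__main__":
    for rule, reason in conduit_violations(SAMPLE_RULEBASE):
        print(f"{rule.src} -> {rule.dst} ({rule.service}): {reason}")
```

The DMZ is modelled as level 3.5 so that a flow ending there is neither "IT" nor "OT" for the crossing test; a DMZ jump host reaching Level 2 passes, while the same host reaching a Level 1 controller directly is still reported, which matches the AC row "no direct vendor tunnels into Level 1/2".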

SI - System and Information Integrity

What to verify | Typical evidence
--- | ---
OT-aware malware protection and network monitoring (passive IDS/anomaly detection) deployed. | IDS/monitoring deployment, detection rule sets, alerts.
Flaw remediation via tested, risk-based patching with compensating controls for unpatchable devices. | Patch register, compensating-control documentation.
Integrity verification of firmware, logic and configuration; detection of unauthorised changes. | Integrity monitoring reports, change-detection alerts.
Vulnerability advisory monitoring and timely response for OT products. | Advisory subscription, response records.
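The CM rows above (authoritative inventory with firmware/logic versions, golden configurations with drift detection) and the SI row on integrity verification of firmware, logic and configuration describe the same evidence from two angles. As an added example that is not from NIST 800-82 or CyberSigma, the script below compares an approved baseline with a fresh discovery export and reports firmware drift, a changed logic hash, assets that vanished and assets that appeared without a baseline entry. It assumes a discovery or backup tool that can export firmware version and a hash of the controller's logic/configuration file; asset names, versions and the logic text are constructed.

```python
"""Added example: configuration drift and integrity check for an OT asset
baseline (CM family), which also covers logic/firmware integrity (SI family).

The baseline is what change control approved: per asset, the firmware version
and a SHA-256 over the approved controller logic or configuration export. The
current view is assumed to come from a discovery/backup tool exporting the
same fields. All names and values are constructed for this example.
"""
import hashlib


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed approved logic exports (in practice, the project file archived at MOC approval).
APPROVED_LOGIC = {
    "PLC-101": b"IF PT101 > 85.0 THEN XV101 := CLOSED; END_IF;\n",
    "PLC-102": b"IF LT102 < 20.0 THEN P102 := RUN; END_IF;\n",
}

BASELINE = {
    "PLC-101": {"firmware": "4.2.1", "logic_sha256": sha256_hex(APPROVED_LOGIC["PLC-101"])},
    "PLC-102": {"firmware": "4.2.1", "logic_sha256": sha256_hex(APPROVED_LOGIC["PLC-102"])},
    "HMI-01":  {"firmware": "2019-ltsc", "logic_sha256": None},  # no logic artefact to hash
}


def drift_report(baseline, discovered):
    """Compare discovery output with the approved baseline.

    Returns sorted (asset, kind, detail) tuples; kind is 'firmware', 'logic',
    'missing' or 'unknown'. An unchanged asset produces nothing.
    """
    findings = []
    for name, base in baseline.items():
        cur = discovered.get(name)
        if cur is None:
            findings.append((name, "missing", "in baseline but not seen by discovery"))
            continue
        if cur["firmware"] != base["firmware"]:
            findings.append((name, "firmware", f"{base['firmware']} -> {cur['firmware']}"))
        if base["logic_sha256"] is not None and cur.get("logic_sha256") != base["logic_sha256"]:
            findings.append((name, "logic", "logic/config hash differs from approved export"))
    for name in discovered.keys() - baseline.keys():
        findings.append((name, "unknown", "seen by discovery with no baseline entry"))
    return sorted(findings)


# Constructed current state: PLC-101's trip set-point was edited, PLC-102's firmware
# moved without a change record, HMI-01 is gone and an unrecorded workstation appeared.
DISCOVERED = {
    "PLC-101": {"firmware": "4.2.1",
                "logic_sha256": sha256_hex(b"IF PT101 > 95.0 THEN XV101 := CLOSED; END_IF;\n")},
    "PLC-102": {"firmware": "4.3.0", "logic_sha256": sha256_hex(APPROVED_LOGIC["PLC-102"])},
    "EWS-07":  {"firmware": "2021-ltsc", "logic_sha256": None},
}

if __name__ == "__main__":
    for asset, kind, detail in drift_report(BASELINE, DISCOVERED):
        print(f"{asset:8} {kind:9} {detail}")
```

Each finding maps to an evidence item in the tables: a 'logic' or 'firmware' line is a drift-detection report that should reconcile to a MOC record, a 'missing' line is an inventory gap, and an 'unknown' line is an asset with no baseline and therefore no authorisation to be on the network.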

SR - Supply Chain Risk Management

What to verify | Typical evidence
--- | ---
OT supply chain risk management plan covers vendors, integrators, firmware and components. | SCRM plan, supplier risk assessments.
SBOM collection and component vulnerability tracking for OT products. | SBOM inventory, component vulnerability mapping.
Provenance, tamper-evidence and secure delivery for critical OT hardware/software. | Chain-of-custody records, tamper checks, secure-update verification.

OT threat sources and attack vectors to test against

A credible assessment maps controls to the threats they are meant to counter. NIST 800-82 catalogues adversarial and non-adversarial threat sources; the following are the vectors an OT assessment should keep front of mind when evaluating each control family.

Threat / vector | OT relevance
--- | ---
IT-to-OT ransomware spillover | Most common real-world OT disruptor; propagates from Level 4 into unsegmented OT (SC, CM, CP).
Compromised remote/vendor access | Persistent tunnels and shared credentials give adversaries a direct path (AC, IA, MA).
Supply chain / firmware tampering | Malicious or vulnerable components and updates reach controllers (SR, SA, SI).
Insider and human error | Misconfiguration, unsafe changes, malicious insiders (PS, CM, AU).
Nation-state ICS-specific malware | Targeted logic/safety manipulation (e.g. TRITON, Industroyer) (SI, SC, IR).
Removable media | USB-borne malware bridging air gaps (MP, SI).
Legacy protocol abuse | Unauthenticated Modbus/DNP3 command injection and spoofing (SC, IA).
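The last row, unauthenticated Modbus/DNP3 commands, is the case where the IA control cannot be implemented on the device and the SI row "passive IDS/anomaly detection" becomes the compensating control. The following is an added example (not from NIST 800-82, nor CyberSigma's detection content) of the minimum such a passive sensor needs: it parses the Modbus/TCP MBAP header (transaction id, protocol id, length, unit id) and the function code, and raises an alert when a state-changing function code arrives from a host that is not on the allow-list of approved writers for that controller. Malformed frames are reported separately rather than silently dropped. The IP addresses, the allow-list and the captured frames are constructed for the example.

```python
"""Added example: passive detection of Modbus/TCP write requests from hosts that
are not approved to issue them (SI passive monitoring; SC/IA legacy protocol abuse).

Modbus/TCP carries no authentication, so the compensating detection is to know
which hosts may write to each controller and alert on writes from any other
source. Addresses, the allow-list and the frames are constructed for this example.
"""
import struct

# Modbus function codes that change controller state.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP request into its MBAP header fields and function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0; not Modbus/TCP")
    if length != len(frame) - 6:  # length counts unit id + PDU, not the 6 header bytes before it
        raise ValueError("MBAP length field disagrees with frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def detect_unauthorised_writes(flows, allowed_writers):
    """flows: (src_ip, dst_ip, frame) tuples; allowed_writers: dst_ip -> set of src_ips.

    Returns one alert per write from a non-approved source and one per malformed
    frame. Reads and approved writes produce nothing.
    """
    alerts = []
    for src, dst, frame in flows:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append({"kind": "malformed", "src": src, "dst": dst, "detail": str(exc)})
            continue
        name = WRITE_FUNCTIONS.get(msg["function"])
        if name and src not in allowed_writers.get(dst, set()):
            alerts.append({"kind": "unauthorised_write", "src": src, "dst": dst,
                           "unit": msg["unit"], "function": name})
    return alerts


# Only the engineering workstation may write to PLC-101 (constructed allow-list).
ALLOWED_WRITERS = {"10.10.1.11": {"10.10.2.30"}}

# Constructed capture: HMI read (fc 3), approved EWS write (fc 6),
# then two writes (fc 6, fc 16) from business-side hosts.
SAMPLE_FLOWS = [
    ("10.10.2.21", "10.10.1.11", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("10.10.2.30", "10.10.1.11", bytes.fromhex("0002 0000 0006 01 06 0010 0055")),
    ("10.20.0.5",  "10.10.1.11", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
    ("10.20.0.77", "10.10.1.11", bytes.fromhex("0004 0000 0009 01 10 0010 0001 02 0063")),
]

if __name__ == "__main__":
    for alert in detect_unauthorised_writes(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(alert)
```

The allow-list is the same information the SC segmentation review produces (which Level 2 hosts may talk to which Level 1 controllers), which is why this detection and the conduit definitions should be maintained from one source rather than two.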

Scoping, materiality and tiering

NIST 800-82 applies the SP 800-37 RMF and SP 800-60 impact categorisation, but with an OT twist: impact is driven by safety and physical consequence, not solely by confidentiality/integrity/availability of data. Scoping determines which assets fall inside the OT security boundary and how strongly controls are applied. A defensible scope statement names the authorization boundary explicitly, identifies every interconnection to lower-trust networks, and records which safety functions must be protected regardless of cost. Getting the boundary wrong is the most consequential early error: too narrow and critical interconnections escape scrutiny; too broad and the assessment dilutes effort across low-consequence assets while high-consequence controllers go under-examined.

Impact categorisation (FIPS 199 applied to OT)

Impact level | OT interpretation
--- | ---
High | Loss could cause severe/catastrophic effect: injury or loss of life, major environmental release, loss of essential service, significant physical damage.
Moderate | Loss could cause serious adverse effect: significant service degradation, notable equipment damage, regulatory breach.
Low | Loss causes limited adverse effect: minor disruption recoverable through routine means.

For OT, availability and integrity are almost always rated Moderate or High even where confidentiality is Low, because unavailability or manipulation of control functions directly threatens safety and continuity. The overall system impact is the high-water mark across the three objectives, and safety consequence can override the data-centric rating entirely.
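The categorisation rule in the paragraph above (high-water mark across confidentiality, integrity and availability, with safety consequence able to raise but never lower the result) is short enough to encode, and doing so makes the "safety-driven" systems visible in a categorisation worksheet. The following is an added example, not part of NIST 800-82 or FIPS 199, that applies the rule to a set of constructed systems and also flags control systems whose integrity or availability has been rated Low, the situation the text says an assessor should expect to be rare and should question.

```python
"""Added example: FIPS 199 high-water-mark categorisation with the OT safety
override described in this guide. Rating vocabulary and the sample systems
are constructed for the example.
"""
ORDER = {"low": 1, "moderate": 2, "high": 3}


def overall_impact(confidentiality, integrity, availability, safety_consequence="low"):
    """High-water mark across C/I/A, then raised to the safety consequence if higher.

    Safety can only raise the rating: a High safety consequence on a system whose
    data ratings are all Low still yields High.
    """
    data_centric = max((confidentiality, integrity, availability), key=ORDER.__getitem__)
    overall = max((data_centric, safety_consequence), key=ORDER.__getitem__)
    driver = "safety" if ORDER[safety_consequence] > ORDER[data_centric] else "data"
    return {"data_centric": data_centric, "overall": overall, "driver": driver}


def categorise_systems(systems):
    """Categorise each system; set 'review' when a process-controlling system has
    integrity or availability rated Low, which the guide says is rarely defensible."""
    results = {}
    for name, s in systems.items():
        r = overall_impact(s["C"], s["I"], s["A"], s.get("safety", "low"))
        r["review"] = bool(s.get("controls_process")) and "low" in (s["I"], s["A"])
        results[name] = r
    return results


# Constructed worksheet entries.
SAMPLE_SYSTEMS = {
    "reactor-sis":  {"C": "low", "I": "high", "A": "high", "safety": "high", "controls_process": True},
    "dosing-plc":   {"C": "low", "I": "moderate", "A": "moderate", "safety": "high", "controls_process": True},
    "historian":    {"C": "moderate", "I": "moderate", "A": "low", "safety": "low", "controls_process": False},
    "lighting-bas": {"C": "low", "I": "low", "A": "low", "safety": "low", "controls_process": True},
}

if __name__ == "__main__":
    for name, r in categorise_systems(SAMPLE_SYSTEMS).items():
        print(f"{name:13} data={r['data_centric']:8} overall={r['overall']:8} "
              f"driver={r['driver']:6} review={r['review']}")
```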

Materiality in OT is best expressed through consequence analysis rather than data value. CyberSigma runs a crown-jewel workshop with engineering and safety staff to identify the handful of control and safety functions whose loss or manipulation would be intolerable - a reactor trip defeated, a grid protection relay disabled, a pipeline pressure control spoofed. These functions receive the highest control rigour (dedicated zones, unidirectional gateways for outbound data, independent monitoring), and their protection is treated as non-negotiable even when broader budget is constrained. Lower-consequence assets can accept more residual risk, provided that acceptance is documented and authorised. This consequence-first tiering is what allows a finite security budget to be spent where a failure would actually hurt.

Scoping decisions

  • Define the authorization boundary: which controllers, workstations, networks and field devices constitute the OT system.
  • Identify crown-jewel processes and safety-critical functions (SIS/SIF) for enhanced protection.
  • Determine IT/OT interconnection points requiring DMZ and boundary controls.
  • Apply control tailoring: mark controls Not Applicable only with documented rationale; add OT-specific compensating controls where technical enforcement is infeasible.

Implementation approach - phased programme

CyberSigma implements NIST 800-82 as a phased programme aligned to the RMF. Each phase has defined activities and deliverables.

Phase 1 - Prepare and govern

  • Activities: establish OT security governance and roles; define risk tolerance; identify stakeholders across engineering, IT, safety and operations; set the programme charter.
  • Deliverables: OT security programme charter, governance model, risk management strategy, stakeholder RACI.

Phase 2 - Identify and categorise

  • Activities: build the OT asset inventory (passive discovery), map data flows and network zones, categorise systems by safety/consequence impact.
  • Deliverables: asset register, network and data-flow diagrams, Purdue/zone-conduit model, impact categorisation.

Phase 3 - Assess risk and select controls

  • Activities: perform OT risk assessment (SP 800-30), select the tailored OT overlay baseline, document control tailoring and compensating controls.
  • Deliverables: risk assessment report, System Security Plan, control tailoring worksheet.

Phase 4 - Implement controls and architecture

  • Activities: deploy segmentation and OT DMZ, harden devices, implement remote-access brokering and MFA, deploy passive monitoring, establish backups and hardening baselines.
  • Deliverables: segmentation build, hardening standards applied, monitoring platform live, tested backups.

Phase 5 - Assess and authorise

  • Activities: conduct control assessment using non-intrusive methods, document findings in POA&M, obtain authorisation to operate with formal risk acceptance.
  • Deliverables: assessment report, POA&M, authorization decision (ATO).

Phase 6 - Monitor and improve

  • Activities: continuous monitoring, advisory tracking, incident exercises, periodic reassessment, metrics-driven improvement.
  • Deliverables: ConMon reports, exercise after-action reviews, updated risk register, KPI dashboards.

Each phase should culminate in a formal gate review. The programme is deliberately iterative: the RMF is a lifecycle, not a project with an end date. Findings from Phase 6 monitoring feed back into Phase 3 risk assessment, and material changes to the plant (new lines, new interconnections, vendor changes) re-trigger categorisation and control selection. CyberSigma typically runs an initial assessment-and-quick-wins sprint (segmentation gaps, remote-access hardening, credential clean-up and backup validation) in parallel with the longer-horizon architecture and authorisation work, so that the highest-consequence exposures are reduced within the first weeks rather than waiting for the full programme to mature.

Maturity and tiering model

NIST 800-82 leverages the NIST CSF Implementation Tiers to express how rigorous and integrated an organisation's OT risk management is. The tiers are not a maturity scorecard in the CMMI sense but describe the degree of formality, integration and adaptiveness of the cyber risk programme. They are assessed across the CSF Functions and are useful both as a current-state baseline and as a target-state ambition agreed with executive leadership. Most industrial operators begin engagements at Tier 1 or low Tier 2 and target Tier 3 as a realistic, defensible goal, reserving Tier 4 for the most critical or heavily regulated sites.

Tier | Characteristics for OT
Tier 1 - Partial | Ad hoc, reactive OT security; risk not formalised; limited awareness of OT-specific risk; little IT/OT coordination.
Tier 2 - Risk Informed | Risk practices approved but not organisation-wide; some OT risk awareness and prioritisation; segmentation and monitoring emerging.
Tier 3 - Repeatable | Formal, organisation-wide OT risk policy; consistent controls; regular updates; defined IT/OT/safety collaboration and continuous monitoring.
Tier 4 - Adaptive | Continuous improvement using lessons learned and predictive indicators; OT risk embedded in enterprise risk and culture; active threat-informed defence and supply-chain assurance.

CyberSigma applies the same OT overlay logic to sector-specific control-family enhancements. For example, in electric utilities the SC and AC families are read alongside NERC CIP-005 (electronic security perimeters) and CIP-007 (system security management); in water utilities the CP and IR families align with AWIA emergency response planning; and in process industries the CP and SI families are read alongside the functional safety lifecycle of IEC 61511. Wherever a sector-mandatory standard exists, it takes precedence as the binding obligation and 800-82 supplies the engineering depth and the gap-analysis reference. The assessor's job is to reconcile the two so the operator is not doing duplicate work: a single control implementation should satisfy the 800-82 overlay, the sector standard and the operator's insurance requirements simultaneously, evidenced once.

Assessment and audit approach

  1. Define scope and authorisation boundary: agree the OT systems, zones and interconnections to be assessed and the impact categorisation.
  2. Collect documentation: obtain SSPs, network diagrams, asset inventories, policies, prior assessments and POA&Ms.
  3. Passive discovery and validation: use non-intrusive tools and interviews to validate the asset inventory and data flows without disturbing operations.
  4. Control-family assessment: evaluate each of the 20 SP 800-53 families against the OT overlay using the master checklist, gathering evidence per control.
  5. Architecture review: assess segmentation, OT DMZ, boundary protection, remote access and monitoring against zones-and-conduits principles.
  6. Consequence and safety analysis: verify that risk assessment integrates safety and physical impact and that safety functions are protected.
  7. Testing (bounded): perform any active testing only on test benches or during authorised maintenance windows; otherwise rely on passive evidence.
  8. Findings and risk rating: record gaps with likelihood/consequence ratings and map to control families and CSF Functions.
  9. POA&M and remediation roadmap: produce prioritised remediation with owners, timelines and compensating controls.
  10. Authorisation and reporting: present the assessment report and support the risk-acceptance / authorisation decision, and define continuous monitoring.
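As an added illustration of the architecture-review step (this is example code, not CyberSigma tooling or anything published by NIST), the following check reads a firewall rulebase against a zones-and-conduits model and flags rules that bridge the enterprise and control zones without passing through the OT DMZ, allow 'any' service, or open a conduit that is not on the approved list. The zone names, rule fields, approved conduits and sample rules are all constructed assumptions.

```python
from dataclasses import dataclass
# Purdue-style levels (assumed): an approved conduit spans adjacent levels only,
# so enterprise traffic reaches the control zone via the OT DMZ, never directly.
ZONE_LEVEL = {"enterprise": 4, "ot_dmz": 3, "control": 2}

# Conduits the site architecture explicitly approves (constructed examples).
APPROVED_CONDUITS = {
    ("enterprise", "ot_dmz", "tcp/443"),   # read-only historian/web replica
    ("enterprise", "ot_dmz", "tcp/3389"),  # RDP to the MFA jump host only
    ("ot_dmz", "control", "tcp/3389"),     # jump host to engineering workstation
    ("control", "ot_dmz", "tcp/1433"),     # historian collection, outbound only
}

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str   # "tcp/<port>", "udp/<port>" or "any"
    action: str    # "allow" or "deny"

def assess_rule(rule: Rule) -> list[str]:
    """Findings for one rule; an empty list means the rule is compliant."""
    findings = []
    if rule.action != "allow":
        return findings                  # deny rules open no conduit
    if rule.service == "any":
        findings.append(f"{rule.name}: 'any' service allowed {rule.src_zone}->{rule.dst_zone}")
    src, dst = ZONE_LEVEL[rule.src_zone], ZONE_LEVEL[rule.dst_zone]
    if abs(src - dst) > 1:
        findings.append(f"{rule.name}: bridges {rule.src_zone} and {rule.dst_zone}, bypassing the OT DMZ")
    elif src != dst and (rule.src_zone, rule.dst_zone, rule.service) not in APPROVED_CONDUITS:
        findings.append(f"{rule.name}: conduit {rule.src_zone}->{rule.dst_zone} {rule.service} is not approved")
    return findings

def assess_rulebase(rules: list[Rule]) -> list[str]:
    # Collect findings for every rule, in rulebase order.
    return [f for r in rules for f in assess_rule(r)]

# Constructed sample rulebase, not a real site's configuration.
SAMPLE_RULES = [
    Rule("r1", "enterprise", "ot_dmz", "tcp/443", "allow"),
    Rule("r2", "enterprise", "control", "any", "allow"),   # flat IT/OT bridge
    Rule("r3", "ot_dmz", "control", "tcp/3389", "allow"),
    Rule("r4", "ot_dmz", "control", "tcp/22", "allow"),    # undocumented conduit
    Rule("r5", "enterprise", "control", "tcp/502", "deny"),
]

if __name__ == "__main__":
    for finding in assess_rulebase(SAMPLE_RULES):
        print(finding)
```

Each finding maps directly to a remediation owner: the bypass finding is the flat-network gap, the unapproved conduit is a documentation gap in the conduit register.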

Evidence request list

  • Governance and programme: OT security policy, programme charter, governance minutes, risk management strategy, roles/RACI.
  • Asset and architecture: OT asset inventory with firmware versions, network and data-flow diagrams, Purdue/zone-conduit mapping, firewall rulebase.
  • Risk and authorisation: risk assessment reports, impact categorisation, System Security Plans, control tailoring worksheets, ATO packages, POA&Ms.
  • Access and identity: RBAC matrices, remote-access architecture, MFA configuration, account inventory, shared-account justifications.
  • Configuration and change: hardening baselines, drift-detection reports, change/MOC records, patch and firmware policies and logs.
  • Monitoring and logging: logging configuration, SIEM/IDS deployment, time-sync design, alert runbooks, sample investigations.
  • Contingency and backup: contingency/recovery plans, RTO/RPO, backup schedules, restoration test records, manual operating procedures.
  • Incident response: OT IR plan, escalation matrix, exercise/tabletop reports, regulatory reporting procedures.
  • Physical and personnel: physical access logs, cabinet/room controls, screening and offboarding records, contractor agreements.
  • Supply chain: SCRM plan, supplier risk assessments, SBOMs, secure-delivery/tamper evidence, FAT/SAT results.

Roles and responsibilities

Role | Responsibility
Executive sponsor / CISO | Owns OT security strategy, risk tolerance and resourcing; accountable for programme outcomes.
OT security lead / ICS security manager | Runs the OT security programme; coordinates assessments, controls and remediation.
Plant / control engineers | Own device configuration, safety functions and operational constraints; validate that controls do not endanger the process.
IT security / SOC | Provide monitoring, SIEM, identity and incident-response capability extended into the OT DMZ.
Safety / HSE lead | Ensures cyber controls and incident response integrate with functional safety and emergency response.
Authorising Official (AO) | Formally accepts residual risk and grants authorisation to operate.
Vendors / integrators | Deliver secure-by-design systems, SBOMs, and comply with site OT security rules.
Internal audit / assessor | Independently verifies control implementation and evidence.

KPIs and metrics to track

Metrics turn an OT security programme from an annual audit exercise into a managed capability. NIST 800-82 stresses continuous monitoring, and the KPIs below give executive leadership and the authorising official a defensible, trend-based view of residual risk. They should be reported on a consistent cadence, baselined at programme start, and tied to remediation ownership so that a deteriorating metric triggers action rather than a footnote.

  • OT asset inventory completeness (% of devices discovered and baselined).
  • Network segmentation coverage (% of OT behind an enforced boundary / OT DMZ).
  • Percentage of remote OT access brokered through jump hosts with MFA.
  • Patch/firmware currency and mean time to remediate critical OT advisories (with compensating-control coverage for unpatchable devices).
  • Backup success rate and mean time to recover control functions (tested RTO/RPO adherence).
  • Passive monitoring coverage (% of OT zones under anomaly/IDS visibility) and mean time to detect.
  • Number and severity of open POA&M items and ageing.
  • Incident and near-miss counts, mean time to respond, and exercise participation.
  • Default-credential elimination rate and privileged-account reduction.
  • CSF Implementation Tier trajectory across Identify/Protect/Detect/Respond/Recover/Govern.
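Added example (illustrative only, not CyberSigma's reporting tooling or anything from NIST 800-82): computing four of the KPIs above from a constructed asset register and POA&M, then flagging the ones that have deteriorated against the programme-start baseline so that the trend, not the snapshot, drives action. Field names, the sample records, the reporting date and the baseline values are all assumptions.

```python
from datetime import date

# Constructed asset register (not a real site): one record per OT device.
ASSETS = [
    {"id": "plc-01", "baselined": True,  "enforced_boundary": True,  "remote": "jump_mfa"},
    {"id": "plc-02", "baselined": True,  "enforced_boundary": True,  "remote": None},
    {"id": "hmi-01", "baselined": False, "enforced_boundary": True,  "remote": "jump_mfa"},
    {"id": "hist-1", "baselined": True,  "enforced_boundary": False, "remote": "vendor_vpn"},
    {"id": "rtu-07", "baselined": False, "enforced_boundary": False, "remote": "vendor_vpn"},
]
# Constructed POA&M items: severity, date opened, date closed (None = still open).
POAM = [
    {"id": "P-1", "severity": "high", "opened": date(2024, 1, 10), "closed": None},
    {"id": "P-2", "severity": "low",  "opened": date(2024, 5, 2),  "closed": None},
    {"id": "P-3", "severity": "high", "opened": date(2023, 11, 1), "closed": date(2024, 2, 1)},
]
# Assumed baseline captured at programme start, and the assumed reporting date.
BASELINE = {"inventory_completeness": 55.0, "segmentation_coverage": 70.0,
            "remote_access_brokered": 50.0, "open_high_poam_max_age_days": 90}
AS_OF = date(2024, 6, 30)

def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

def compute_kpis(assets, poam, as_of):
    """Snapshot of the inventory, segmentation, remote-access and POA&M-ageing KPIs."""
    remote = [a for a in assets if a["remote"]]          # devices with any remote path
    open_high = [p for p in poam if p["closed"] is None and p["severity"] == "high"]
    return {
        "inventory_completeness": pct(sum(a["baselined"] for a in assets), len(assets)),
        "segmentation_coverage": pct(sum(a["enforced_boundary"] for a in assets), len(assets)),
        "remote_access_brokered": pct(sum(a["remote"] == "jump_mfa" for a in remote), len(remote)),
        "open_high_poam_max_age_days": max(((as_of - p["opened"]).days for p in open_high), default=0),
    }

def deteriorated(current, baseline):
    """KPIs trending the wrong way: percentages falling, or POA&M age rising."""
    bad = []
    for name, value in current.items():
        higher_is_better = not name.endswith("_days")
        if (value < baseline[name]) if higher_is_better else (value > baseline[name]):
            bad.append(name)
    return bad

if __name__ == "__main__":
    kpis = compute_kpis(ASSETS, POAM, AS_OF)
    print(kpis)
    print("action required on:", deteriorated(kpis, BASELINE))
```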

Readiness checklist

  • OT security governance, charter and executive sponsorship established.
  • Complete OT asset inventory with firmware versions maintained.
  • Network segmented into zones and conduits with an enforced OT DMZ.
  • Impact categorisation completed with safety/consequence integrated.
  • System Security Plans and control tailoring documented for each OT system.
  • Remote access brokered via jump hosts with MFA and session logging.
  • Secure baselines and hardening applied; default credentials removed where feasible.
  • Risk-based patch/firmware process with compensating controls for unpatchable devices.
  • Passive monitoring / OT-aware IDS deployed with alerting to a protected collector.
  • Backups of PLC logic, HMI projects and configurations tested and stored offline.
  • Manual/degraded operating procedures documented and drilled.
  • OT incident response plan integrated with safety and enterprise CSIRT and exercised.
  • Supply chain risk management with SBOMs and secure delivery in place.
  • POA&M maintained and authorisation to operate obtained with documented risk acceptance.

Common gaps and findings

Across CyberSigma OT assessments a consistent set of findings recurs, and they cluster around the same root causes: incomplete visibility, eroded segmentation, unmanaged access and untested recovery. The list below is what an experienced OT assessor expects to encounter and should proactively test for. Each is expressed so that a remediation owner can act on it, and each maps back to one or more control families in the master checklist above.

  • Incomplete or stale OT asset inventory - unknown devices and firmware versions.
  • Flat networks with no OT DMZ; IT and OT bridged, allowing lateral movement (a common ransomware pathway).
  • Unmanaged vendor remote access - persistent tunnels, shared credentials, no MFA or session recording.
  • Default and hard-coded credentials still active on PLCs, HMIs and IIoT devices.
  • No tested backups of PLC logic and configurations; recovery assumptions unvalidated.
  • Unpatched, end-of-life devices without documented compensating controls.
  • Absent or IT-only incident response that ignores safe-shutdown and safety authority decisions.
  • Active vulnerability scanning run against live OT, causing device faults or trips.
  • Logging and time synchronisation gaps preventing reliable event correlation.
  • Supply chain blind spots - no SBOMs, no component vulnerability tracking, unverified updates.

Incident reporting obligations relevant to OT operators

Although NIST 800-82 is not itself a reporting regime, OT operators almost always sit inside one or more mandatory reporting frameworks. The IR family assessment must confirm that these obligations are mapped, that thresholds are understood, and that notification timelines can realistically be met. The specific obligations depend on sector and jurisdiction; the table below summarises the regimes CyberSigma most often reconciles against an 800-82 programme.

Regime | Reporting obligation / timeline
CIRCIA (US, CISA) | For covered critical-infrastructure entities: report covered cyber incidents within 72 hours and ransom payments within 24 hours (final rule implementation pending).
TSA Pipeline / Rail Security Directives | Report cybersecurity incidents to CISA within 24 hours; maintain incident response and recovery plans.
NERC CIP-008 | Report reportable cyber security incidents to E-ISAC and CISA within defined timelines for the bulk electric system.
EPA / AWIA (water) | Risk and resilience assessments and emergency response plans; incident coordination with EPA/CISA.
EU NIS2 (for EU exposure) | Early warning within 24 hours, incident notification within 72 hours, final report within one month.
Sector regulators / insurers | Contractual and policy-driven notification, often 24-72 hours; verify against your cover terms.

NIST 800-82 mapped to other frameworks

Framework | Relationship to NIST 800-82
NIST CSF 2.0 | 800-82 uses the CSF Functions (Govern/Identify/Protect/Detect/Respond/Recover) as its organising outcomes for OT.
NIST SP 800-53 Rev 5 | 800-82 is the OT overlay/tailoring of the 800-53 control catalogue (the 20 families enumerated above).
ISA/IEC 62443 | Deeply aligned; 800-82 references zones and conduits and the security levels (SL 1-4) and foundational requirements of 62443.
NERC CIP | Sector-mandatory for bulk electric; 800-82 serves as supporting engineering guidance and gap reference.
ISO/IEC 27001 / 27019 | Management-system and energy-sector control alignment; 800-82 controls map to Annex A themes with OT context.
NIST SP 800-161 | OT supply chain (SR family) aligns with the C-SCRM practices and three-tier approach of 800-161.
CISA Cross-Sector Cybersecurity Performance Goals (CPGs) | 800-82 controls support and exceed the baseline CPGs for critical infrastructure.
EU NIS2 Directive | For operators with EU exposure, 800-82 controls support NIS2 risk-management and incident-reporting obligations (24h early warning, 72h notification).

How CyberSigma helps

CyberSigma brings CERT-In empanelled and PCI QSA rigour to OT security engagements built on NIST SP 800-82 Rev 3. We conduct non-intrusive OT discovery and asset inventory, design zones-and-conduits segmentation with an OT DMZ, tailor the SP 800-53 OT overlay to your safety and availability constraints, and deliver a gap assessment mapped to the CSF and ISA/IEC 62443. Our team implements remote-access brokering, passive OT monitoring, tested backup and recovery, and OT-integrated incident response, then supports your authorisation-to-operate and continuous monitoring. Whether you operate under NERC CIP, TSA directives, AWIA, NIS2 or a customer mandate, we help you move from Partial to Adaptive maturity without endangering the process. Contact CyberSigma to scope an OT security assessment aligned to NIST 800-82.

Frequently asked questions

How does 800-82 relate to IEC 62443?
They are complementary — 800-82 tailors NIST 800-53 for OT, while IEC 62443 provides the OT/IACS reference architecture and requirements; both are commonly used together.
Need help with NIST 800-82?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.