What are Mitigating Measures?
Mitigating measures are actions or solutions that reduce risks or make them manageable. In OT environments, they focus on protecting industrial installations, networks and processes against cyber threats, faults and human error.
Mitigating measures are an essential part of Risk Management and often follow from a Cybersecurity Risk Assessment or a Business Impact Analysis.
Types of Mitigating Measures
Mitigating measures are typically divided into three main categories:
1. Technical measures
- Firewalls, Protocol Filtering, network segmentation
- Patch management, anomaly detection, SIEM
- Encryption, Access Control, Zero Trust
- Use of Industrial Firewall, Jump Server, Remote Access with multi-factor authentication
2. Organisational measures
- Information security policy, Incident Response Plan, Contingency Planning
- Security Awareness training and behavioural guidelines
- Change Management, Supplier Security, Audit procedures
3. Physical measures
- Access control to control cabinets, control rooms or server rooms
- PPE, locks, cameras, Lock-out Tag-out (LOTO)
- Emergency stops, UPS, cooling and fire protection
Examples in an OT context
| Risk | Mitigating measure |
|---|---|
| Ransomware via USB | Disable physical ports, Whitelisting, Security Awareness |
| Unauthorised remote access | VPN with MFA, Jump Server, ACL, Port Security |
| Outdated PLC with vulnerabilities | Network segmentation, Protocol Filtering, physical isolation |
| Network traffic without authentication | Implementation of 802.1X, RADIUS, Least Privilege |
| No detection of attacks | Use of anomaly detection, IDS, SIEM, Logging |
| Reliance on a single connection (single point of failure) | Ring Redundancy, MRP, DLR, High Availability |
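Two of the measures in the table, Protocol Filtering and Least Privilege, are easiest to understand with a concrete filter in front of them. The following is an added example written for this page, not code from the original article or from any product it names: a Modbus/TCP deep-packet filter that enforces a default-deny function-code allow-list per source host (HMI read-only, engineering workstation may write) and, for hosts that may write at all, restricts writes to a small register window. The hosts, addresses, policy and the frames built in `demo()` are all hypothetical, constructed for the example. Each decision is also rendered as a key=value line so the "Logging" and "anomaly detection" rows of the table have something to ingest.

```python
"""Modbus/TCP protocol filter: per-host function-code allow-list plus a writable
address window. Added example; hosts, addresses, policy and frames are hypothetical."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

READ_FCS = frozenset({1, 2, 3, 4})      # Read Coils, Discrete Inputs, Holding Regs, Input Regs
WRITE_FCS = frozenset({5, 6, 15, 16})   # Write Single Coil/Register, Write Multiple Coils/Registers


@dataclass(frozen=True)
class Rule:
    function_codes: FrozenSet[int]
    write_window: Optional[Tuple[int, int]] = None   # inclusive address range writes may touch


# Hypothetical policy: the engineering workstation may write registers 0-99 on the PLC,
# the HMI is read-only, and any source/destination pair without a rule is dropped.
PLC = "10.0.20.7"
POLICY: Dict[Tuple[str, str], Rule] = {
    ("10.0.10.5", PLC): Rule(READ_FCS | WRITE_FCS, write_window=(0, 99)),
    ("10.0.10.20", PLC): Rule(READ_FCS),
}


@dataclass
class Decision:
    action: str                      # "allow" or "drop"
    reason: str
    function_code: Optional[int] = None


def parse_request(frame: bytes) -> Tuple[int, int, bytes]:
    """Validate the 7-byte MBAP header; return (unit_id, function_code, pdu_data)."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0")
    if length != len(frame) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    if fc & 0x80:                         # exception bit belongs in responses only
        raise ValueError("exception bit set in a request")
    return unit, fc, frame[8:]


def write_range(fc: int, data: bytes) -> Tuple[int, int]:
    """Inclusive (first, last) address a write request touches."""
    if fc in (5, 6):                      # single coil/register: address, value
        if len(data) < 4:
            raise ValueError("short write payload")
        start = struct.unpack(">H", data[:2])[0]
        return start, start
    if fc in (15, 16):                    # multiple: address, quantity, byte count, values
        if len(data) < 5:
            raise ValueError("short write payload")
        start, qty = struct.unpack(">HH", data[:4])
        if qty == 0:
            raise ValueError("zero quantity")
        return start, start + qty - 1
    raise ValueError("not a write function code")


def filter_frame(src: str, dst: str, frame: bytes) -> Decision:
    """Default deny: malformed frame, unknown pair, unlisted code or out-of-window write."""
    try:
        _unit, fc, data = parse_request(frame)
    except ValueError as exc:
        return Decision("drop", f"malformed: {exc}")
    rule = POLICY.get((src, dst))
    if rule is None:
        return Decision("drop", "no rule for this source/destination pair", fc)
    if fc not in rule.function_codes:
        return Decision("drop", f"function code {fc} not permitted", fc)
    if fc in WRITE_FCS:
        if rule.write_window is None:
            return Decision("drop", "write function code without a write window", fc)
        try:
            first, last = write_range(fc, data)
        except ValueError as exc:
            return Decision("drop", f"malformed write: {exc}", fc)
        lo, hi = rule.write_window
        if first < lo or last > hi:
            return Decision("drop", f"write to {first}-{last} outside window {lo}-{hi}", fc)
    return Decision("allow", "permitted", fc)


def build_request(fc: int, data: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Assemble a Modbus/TCP request: MBAP header followed by the PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def log_line(src: str, dst: str, d: Decision) -> str:
    """One key=value record per decision, in a form a SIEM can parse."""
    return f'modbus_filter action={d.action} src={src} dst={dst} fc={d.function_code} reason="{d.reason}"'


def demo() -> Dict[str, Decision]:
    """Run constructed frames through the filter; keys name the scenario."""
    hmi, ews = "10.0.10.20", "10.0.10.5"
    frames = {
        "hmi_read": (hmi, build_request(3, struct.pack(">HH", 0, 10))),
        "hmi_write": (hmi, build_request(6, struct.pack(">HH", 5, 1))),
        "ews_write_in_window": (ews, build_request(16, struct.pack(">HHB", 90, 10, 20) + bytes(20))),
        "ews_write_out_of_window": (ews, build_request(16, struct.pack(">HHB", 95, 10, 20) + bytes(20))),
        "unknown_host": ("10.0.30.9", build_request(3, struct.pack(">HH", 0, 1))),
        "bad_length": (hmi, b"\x00\x01\x00\x00\x00\x20\x01\x03\x00\x00\x00\x01"),   # length field 32, frame 12
    }
    return {name: filter_frame(src, PLC, frame) for name, (src, frame) in frames.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision.action:5s} {decision.reason}")
```

The shape matters more than the protocol: a rule keyed on (source, destination) with an explicit set of permitted operations and an explicit data window is what "least privilege" means at the protocol level, and every drop produces a record with enough fields to be counted, which is what makes the measure measurable.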
Linkage with security standards
Mitigating measures are directly related to requirements from:
- IEC 62443 - Security Level assignment (SL 1 to SL 4), with the measures needed to reach the target SL of each zone
- ISO 27001 - Annex A controls
- NIST CSF - the "Protect", "Detect" and "Respond" functions
- NIS2 - mandatory cybersecurity risk-management measures (Article 21) that are appropriate and proportionate to the risk
Characteristics of effective measures
An effective mitigating measure is:
- Appropriate to the risk and the environment
- Measurable (e.g. log activity, patch level, response time)
- Manageable (technically and organisationally feasible)
- Embedded in policy and procedures
In summary
Mitigating measures are essential for managing risks in OT environments. They are technical, organisational or physical in nature and together form a robust defensive strategy.
