What is Access Control?
Access Control (access management) is the combined set of techniques, processes and rules that determine who may access which systems, applications or physical environments, and under what conditions.
Access Control protects against unauthorised access to data, systems, networks and machinery.
It is an essential component of ISMS, ISO 27001, IEC 62443, Zero Trust and OT security.
🎯 Purpose of Access Control
- Only authorised users gain access to sensitive data or systems
- Reducing the risk of data breaches, sabotage or human error
- Meeting legal requirements and audit obligations
- Supporting segmentation between IT and OT
- Logging and accountability of access actions
🔑 Types of Access Control
| Type | Description |
|---|---|
| Physical Access Control | Who is allowed to enter a given room, server cabinet, control room or factory? |
| Logical Access Control | Access to systems, networks, files and applications |
🔧 Access management methods
| Model | Description |
|---|---|
| RBAC | Role-Based Access Control — permissions based on role/function |
| ABAC | Attribute-Based Access Control — rules based on attributes (time, location) |
| MAC | Mandatory Access Control — predefined levels, the user has no choice |
| DAC | Discretionary Access Control — the owner decides who has access |
| Just-in-Time | Temporary access (e.g. for contractors or suppliers) |
🔐 Access Control in OT environments
- PLC, SCADA, HMI and remote engineering stations are often vulnerable to unauthorised access
- Remote Access via VPN, Jump Server or Bastion Host requires additional control
- RBAC must align with functional groups (e.g. operator, engineer, maintenance)
- IEC 62443-3-3 requires appropriate access protection per zone/conduit
- Audit trails and logs are essential for forensic investigation
🛠 Examples of technical implementation
- Active Directory (AD) with group policies
- Multi-factor authentication (MFA)
- Network-layer access management (NAC, VLAN)
- Firewalls with user-based rules
- Physical access control with badge readers or biometrics
- Time-based access for suppliers or maintenance partners
📊 Access Control vs. Authentication vs. Authorization
| Term | Explanation |
|---|---|
| Authentication | Are you who you claim to be? (e.g. password, MFA) |
| Authorization | Are you permitted to perform this action? (e.g. read, write, modify) |
| Access Control | The combination of policy and technology that governs access |
✅ Benefits of effective Access Control
- Improved cybersecurity
- Better compliance with NIS2, ISO 27001, GMP, GxP, IEC 62443
- Reduced impact during incidents (least privilege)
- Logging of user actions and access
- Safe collaboration with external parties
📌 In summary
Access Control ensures that only the right people, under the right conditions, are granted access to your systems or premises — and forms the foundation of a secure and auditable network.