For critical infrastructure security teams
who run a regulated operating layer as a structured record
In-house critical infrastructure security teams own the workflow that sits between the operating technology architecture diagram, the zone and conduit drawing, the cyber asset register, the remote access register, the supplier and integrator register, the customer-facing portals, the operator-facing web surfaces, and the regulator evidence pack into IEC 62443, NIST SP 800-82, NIST CSF 2.0, NIST SP 800-53, NIS2 Article 21, ISO 27001, ISO 27019 where energy is in scope, CISA Cybersecurity Performance Goals, and the NCSC CAF principles. SecPortal pairs engagement records per workstream, findings management with CVSS 3.1 scoring, external scanning across 16 modules for the corporate perimeter, authenticated DAST against operator-facing web surfaces, bulk finding import for passive OT discovery exports, vendor advisories, IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive evidence, AWIA assessment findings, and field walkdown observations, multi-framework compliance tracking, retesting workflows that survive planned outage windows, AI-assisted programme reporting, role-based access control with multi-factor authentication, document management, and an append-only activity log on one workspace.
No credit card required. Free plan available forever.
A critical-infrastructure security workspace built around the workstream record
In-house critical-infrastructure security teams operate at the intersection of the corporate IT estate, the operator-facing web surfaces (outage management, work and asset management, customer information system, geographic information system, asset performance management), the supervisory control layer (EMS, DMS, SCADA, distributed control system), the field device layer (RTUs, PLCs, IEDs, protection relays, smart meters, controllers, signalling controllers), the safety-instrumented layer where applicable, the third-party remote support entry points, the customer-facing portals, and the regulator evidence pack into IEC 62443 zone and conduit security levels, NIST SP 800-82 risk treatment outcomes, NIST CSF 2.0 PR.AA, PR.IR, PR.PS, and DE.CM functions, NIST SP 800-53 SC and AC families, NIS2 Article 21 cyber risk-management measures for essential and important entities, ISO 27001 Annex A controls, ISO 27019 sector-specific energy controls, CISA Cybersecurity Performance Goals, and the NCSC CAF principles where in scope. The work usually carries across an EMS console, a SCADA historian, an OT-aware passive listening tool, a third-party assessor PDF, a NERC compliance binder, a TSA cyber security plan folder, a NIS2 supervisory authority response folder, a regulator correspondence file, a vendor advisory mailbox, and a steering committee deck that gets rebuilt from scratch every cycle. The cost is not the licensing. It is the reconciliation hours each cycle, the residual operating-technology drift between cycles, and the parallel evidence stacks that drift away from the live operating reality.
SecPortal gives critical-infrastructure security teams one workspace for engagement records per workstream, findings management with CVSS 3.1 scoring and owner-of-record across every source, external scanning across 16 modules for the corporate perimeter, authenticated DAST against operator-facing web surfaces with AES-256-GCM encrypted credential storage, bulk finding import for passive OT discovery exports, vendor security advisories, IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive evidence findings, AWIA assessment findings, third-party penetration test findings, and field walkdown observations, compliance tracking that covers IEC 62443, NIST SP 800-82, NIST CSF 2.0, NIST SP 800-53, NIS2, ISO 27001, ISO 27019, CISA CPGs, and the cross-framework controls in parallel, retesting workflows that survive across planned outage windows, AI-assisted programme reporting, role-based access control with enforced multi-factor authentication, document management for the operating technology architecture diagram, the zone and conduit drawing, the cyber asset register, the remote access register, and the supplier and integrator register, and an append-only activity log that ties the regulator-facing trail together.
SecPortal is not an EMS or DMS, not a SCADA platform, not a distributed control system, not a passive OT discovery or monitoring product, not a protection relay engineering tool, not a substation automation platform, not a NERC CIP CMDB, not a TSA pipeline cyber security plan authoring tool, not a regulator portal, not a SIEM or SOAR, and not a managed detection and response service. It does not push policy to field controllers, does not orchestrate substation automation, does not ingest passive OT telemetry in real time, does not deploy sensors into substations or treatment plants, does not federate SCADA configuration, does not run active scanning that requires inline placement at the control layer, and does not connect natively to Jira, ServiceNow, Slack, SIEM, SOAR, ICS-CERT, the E-ISAC portal, the WaterISAC portal, the ONG-ISAC portal, the Surface Transportation ISAC, or the Communications ISAC. Teams running an EMS, a DMS, a SCADA platform, an OT-aware passive listening tool, a protection relay engineering suite, or a NERC CIP CMDB import the resulting findings into the engagement record so the operating-technology-side findings live alongside the wider security backlog and read against the same regulator-facing evidence pack. Teams that operate without one of those tools still benefit from the consolidated record for corporate-side, operator-portal, and field-walkdown findings.
Capabilities critical-infrastructure security teams use cycle to cycle
Engagement records per critical-infrastructure workstream
Open an engagement per critical-infrastructure workstream (substation perimeter review, control centre EMS or DMS hardening cycle, water treatment SCADA segmentation, gas pipeline RTU firmware lifecycle, transit signalling network refresh, telecom core network access review, district heating SCADA review, third-party remote support entry review, NERC CIP cyber asset categorisation cycle, IEC 62443 zone and conduit reassessment, TSA pipeline security directive evidence cycle, AWIA risk and resilience assessment, EPA water sector cyber action plan cycle). The operating technology architecture diagram, the zone and conduit drawing, the cyber asset register, the remote access register, the supplier and integrator register, the change-management record, the field crew safety case, and the regulator correspondence file each attach as documents on the same engagement record so the programme reads from one workspace rather than from an EMS console, a SCADA historian, a third-party assessor PDF, a NERC compliance binder, and a steering committee deck that never reconcile.
Findings management with CVSS scoring and owner-of-record
Every critical-infrastructure-side finding lands on the engagement record for the workstream with a CVSS 3.1 vector, an auto-calculated score and severity, evidence, a named owner, and a remediation status. External scanning surfaces exposed corporate perimeter ports, weak TLS configuration on customer and operator portals, missing security headers on outage management and customer information system endpoints, DNS misconfiguration, certificate transparency mining for shadow operator portals, and tech-stack fingerprinting on corporate-side appliances. Authenticated scanning surfaces broken authentication on operator-facing web consoles such as outage management, work management, customer information, geographic information system, and human-machine interface gateways exposed for engineering web access. Passive listening tool exports for the operating technology layer, vendor security advisories, IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive evidence findings, third-party penetration test findings, and field walkdown observations consolidate on one queue through bulk finding import. The cross-layer backlog reads from one workspace rather than from five consoles, a third-party PDF stack, and a regulator response folder.
External scanning across 16 modules for the corporate perimeter
External scanning covers exposed ports on the corporate perimeter against a defensible baseline, TLS configuration on every reachable endpoint including operator portals and customer information systems, security headers on perimeter applications, DNS misconfiguration including SPF, DKIM, DMARC, MTA-STS, and CAA, certificate transparency mining for shadow operator portals, subdomain enumeration that surfaces forgotten field office gateways and project sites, tech-stack fingerprinting of corporate-side appliances, and HTTP method exposure on management endpoints. Findings land on the engagement record for the verified domain with severity, evidence, and remediation guidance. Continuous monitoring runs on daily, weekly, biweekly, or monthly schedules so the perimeter view stays current between regulator-aligned cycles such as the NERC CIP-007 ports and services review window, the TSA security directive cycle, and the NIS2 supervisory authority response cadence.
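The DNS checks named above (SPF, DMARC, MTA-STS, CAA) can be evaluated offline once the records have been resolved. The following is an added example, not SecPortal's scanning module: it scores a constructed record set for a weak and a hardened posture, and the severity labels and the hypothetical domain names are this example's assumptions. DKIM is left out because a DKIM check needs a selector name that the domain's own record set does not reveal.

```python
"""Offline posture checks on SPF, DMARC, MTA-STS and CAA records for one domain.

Added illustration, not SecPortal's DNS misconfiguration module. It works on
records that have already been resolved (constructed inline here) so it runs
without network access; the severity labels are this example's assumptions.
"""
from __future__ import annotations

MAX_SPF_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-lookup terms


def check_spf(txt_records: list[str]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the domain's SPF record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record; any host can send as this domain")]
    if len(spf) > 1:
        return [("high", "multiple SPF records; receivers treat this as a permanent error")]
    terms = spf[0].split()[1:]
    findings = []
    lookups = 0
    for term in terms:
        t = term.lstrip("+-~?").lower()
        if t in ("a", "mx", "ptr") or t.startswith(
                ("a:", "mx:", "ptr:", "include:", "exists:", "redirect=")):
            lookups += 1
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(("medium", f"{lookups} DNS-lookup terms exceed the limit of {MAX_SPF_LOOKUPS}"))
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(("medium", "no 'all' term; unlisted senders are not failed"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(("high", f"'{all_terms[-1]}' lets any sender pass SPF"))
        elif qualifier == "~":
            findings.append(("low", "'~all' softfail; move to '-all' once DMARC is at p=reject"))
    return findings


def check_dmarc(dmarc_txt_records: list[str]) -> list[tuple[str, str]]:
    """Findings for the TXT records at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return [("high", "no DMARC record; SPF and DKIM results are never enforced")]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append(("high", "DMARC record has no p= tag and is ignored by receivers"))
    elif policy == "none":
        findings.append(("medium", "p=none: monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "p=quarantine; p=reject is the end state"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address; aggregate reports are not collected"))
    if tags.get("pct", "100") != "100":
        findings.append(("medium", f"pct={tags['pct']} applies the policy to only part of the mail"))
    return findings


def check_mta_sts(mta_sts_txt_records: list[str]) -> list[tuple[str, str]]:
    """Findings for the TXT records at _mta-sts.<domain>."""
    if not any(r.lower().startswith("v=stsv1") for r in mta_sts_txt_records):
        return [("low", "no MTA-STS record; inbound SMTP TLS can be downgraded")]
    return []


def check_caa(caa_records: list[str]) -> list[tuple[str, str]]:
    """Findings for the domain's CAA records (for example '0 issue \"ca.example\"')."""
    if not caa_records:
        return [("low", "no CAA record; any public CA may issue for this domain")]
    return []


def evaluate_domain(records: dict) -> dict:
    """Run every check on one domain's resolved record set."""
    return {
        "spf": check_spf(records.get("txt", [])),
        "dmarc": check_dmarc(records.get("dmarc_txt", [])),
        "mta_sts": check_mta_sts(records.get("mta_sts_txt", [])),
        "caa": check_caa(records.get("caa", [])),
    }


# Constructed record sets for a weak and a hardened posture (hypothetical domains).
WEAK_RECORDS = {
    "txt": ["v=spf1 include:_spf.mail-provider.example +all", "site-verification=abc"],
    "dmarc_txt": ["v=DMARC1; p=none; pct=50"],
    "mta_sts_txt": [],
    "caa": [],
}
HARDENED_RECORDS = {
    "txt": ["v=spf1 include:_spf.mail-provider.example -all"],
    "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@utility.example"],
    "mta_sts_txt": ["v=STSv1; id=20250301T000000"],
    "caa": ['0 issue "ca.example"', '0 issuewild ";"'],
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name)
        for section, findings in evaluate_domain(recs).items():
            for sev, msg in findings:
                print(f"  {section:8} {sev:7} {msg}")
```

Each finding from `evaluate_domain` maps onto one queue entry on the engagement record for the verified domain; the hardened set returns no findings in any section, which is the baseline a perimeter review reads against.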
Authenticated scanning against operator-facing web surfaces
Authenticated DAST runs against pages behind the login screen on outage management, work and asset management, customer information system, geographic information system, web-exposed historian dashboards, web-exposed engineering workstation jump hosts, asset performance management dashboards, and other operator-facing web surfaces. Cookie, bearer token, basic auth, and form login modes are supported. Credentials used by the scan are encrypted at rest with AES-256-GCM rather than stored in a shared password manager, and the activity log records every credential creation, rotation, and retirement with the actor and the timestamp. Findings on broken authentication, broken access control, weak session handling, and authorisation bypass on operator surfaces land on the engagement record. Active scanning is not directed at the supervisory control or safety-instrumented layers.
Bulk finding import for OT-aware tools, vendor advisories, and assessor outputs
Passive listening tool exports from Nozomi Networks, Claroty, Dragos, Tenable OT Security, Forescout eyeInspect, or any other OT-aware discovery and monitoring product land on the engagement record through bulk finding import (CSV with custom column mapping). Vendor security advisories from inverter, RTU, PLC, IED, protection relay, controller, smart meter, gas chromatograph, water treatment chemical dosing pump, signalling controller, and telecom switch vendors import the same way. IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive evidence findings, third-party penetration test findings, AWIA assessment findings, and field walkdown observations consolidate on one queue. Findings deduplication and owner-of-record routing read from one record rather than from five consoles, a vendor advisory mailbox, and a regulator response folder.
Encrypted credential storage for operator-portal scanner runs
Authenticated DAST against operator-facing web surfaces needs real credentials. Credentials used by authenticated scanning are encrypted at rest with AES-256-GCM and scoped through role-based access control, so the credential lifecycle sits on a vault inside the workspace rather than on a shared password manager that the operations team is not authoritative over. The activity log records every credential creation, rotation, retirement, and rotation cadence change with the actor and the timestamp, so the scanner-side credential lifecycle has the same audit trail the operator side is asked to produce for privileged access to operating technology environments.
Cross-framework compliance tracking for the critical-infrastructure estate
Compliance tracking maps engagement records and findings against IEC 62443 zone and conduit security level targets, NIST SP 800-82 risk treatment outcomes, NIST CSF 2.0 PR.AA, PR.IR, PR.PS, and DE.CM functions, NIST SP 800-53 SC, AC, and SI control families, NIS2 Article 21 cyber risk-management measures for essential and important entities, ISO 27001 Annex A controls on access, network, and operational security, ISO 27019 sector-specific energy controls, CISA Cybersecurity Performance Goals practice references, the NCSC CAF principles where in scope, and the cross-framework controls that a regulator, an authorising official, an insurer, and a board read in parallel. One mapping satisfies multiple audit packs, and CSV export of findings, control status, and the activity trail is available when a regulator or an assessor wants the trail in their own format.
Finding overrides for residual critical-infrastructure exception decisions
Risk acceptances on legacy field controllers that cannot be patched before the next maintenance outage, third-party remote support exceptions that the business case extends, segmentation exceptions waiting on substation refresh, controller firmware exceptions where the OEM has not yet released a patch, water treatment controller exceptions where the change requires a planned process shutdown, gas SCADA exceptions where vendor warranty constraints apply, and protection relay exceptions where the next coordination study has not run get captured on a structured exception attached to the finding. The eight-field exception decision chain (linked finding, compensating control, residual likelihood, residual impact, business rationale, named approver, expiry, review cadence) reads as a queue of dated decisions with explicit expiry, so the regulator response, the cyber insurance underwriting pack, and the board readout each show exceptions that are actually due rather than re-debate the same items.
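The eight-field decision chain and the "only what is actually due" queue above can be written down as a small data model. The following is an added example, not SecPortal's finding-override implementation; the eight fields are the ones listed above, while the validation rules, the three-level residual rating grid, the review-date arithmetic and the sample decisions are constructed for this illustration.

```python
"""Eight-field exception decision chain with an expiry and review-due queue.

Added illustration, not SecPortal's implementation. The eight fields are the
ones the page lists; the validation rules, the 3x3 residual rating and the
date arithmetic are this example's assumptions. Sample decisions are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ("low", "medium", "high")


@dataclass
class ExceptionDecision:
    linked_finding: str          # 1 finding the exception covers
    compensating_control: str    # 2 what limits the exposure meanwhile
    residual_likelihood: str     # 3 low / medium / high
    residual_impact: str         # 4 low / medium / high
    business_rationale: str      # 5 why the risk is carried
    approver: str                # 6 named approver of record
    expiry: date                 # 7 hard end date of the acceptance
    review_cadence_days: int     # 8 how often the decision is re-read
    decided_on: date             # bookkeeping: when the approver signed


def validate(e: ExceptionDecision) -> list[str]:
    """Return the reasons a decision is not complete enough to record;
    an empty list means all eight fields are present and consistent."""
    problems = []
    for name in ("linked_finding", "compensating_control", "business_rationale", "approver"):
        if not getattr(e, name).strip():
            problems.append(f"missing {name}")
    for name in ("residual_likelihood", "residual_impact"):
        if getattr(e, name) not in LEVELS:
            problems.append(f"{name} must be one of {LEVELS}")
    if e.expiry <= e.decided_on:
        problems.append("expiry must fall after the decision date")
    if e.review_cadence_days <= 0:
        problems.append("review_cadence_days must be positive")
    return problems


def residual_rating(e: ExceptionDecision) -> str:
    """Combine likelihood and impact on a simple 3x3 grid (assumed scale)."""
    total = LEVELS.index(e.residual_likelihood) + LEVELS.index(e.residual_impact)
    return "low" if total <= 1 else ("medium" if total == 2 else "high")


def next_review(e: ExceptionDecision) -> date:
    return e.decided_on + timedelta(days=e.review_cadence_days)


def due_queue(decisions: list[ExceptionDecision], as_of: date) -> list[tuple[str, str, date]]:
    """List (finding, reason, date) for decisions that have expired or whose
    review date has arrived by as_of, oldest date first. Expiry wins over a
    pending review; everything else stays off the queue, so the readout shows
    only items that genuinely need a decision. Incomplete decisions are an error."""
    queue = []
    for e in decisions:
        problems = validate(e)
        if problems:
            raise ValueError(f"{e.linked_finding}: {'; '.join(problems)}")
        if e.expiry <= as_of:
            queue.append((e.linked_finding, "expired", e.expiry))
        elif next_review(e) <= as_of:
            queue.append((e.linked_finding, "review due", next_review(e)))
    return sorted(queue, key=lambda item: item[2])


# Constructed sample decisions (hypothetical finding ids, approvers and dates).
SAMPLE_DECISIONS = [
    ExceptionDecision("F-101", "RTU management VLAN reachable only from the engineering jump host",
                      "low", "high", "Legacy controller; firmware cannot change before the autumn outage",
                      "ops.lead", date(2025, 12, 31), 90, date(2025, 1, 15)),
    ExceptionDecision("F-102", "Vendor VPN account enabled only for ticketed sessions",
                      "medium", "medium", "Integrator support contract runs to end of May",
                      "ciso", date(2025, 5, 31), 30, date(2025, 5, 1)),
    ExceptionDecision("F-103", "ACL on the conduit between DMZ and control zone",
                      "low", "low", "Segmentation refresh scheduled with the substation rebuild",
                      "ops.lead", date(2026, 3, 31), 180, date(2025, 5, 20)),
]
INCOMPLETE_SAMPLE = ExceptionDecision("F-104", "", "low", "low", "no approver yet",
                                      "", date(2025, 1, 1), 30, date(2025, 2, 1))
AS_OF = date(2025, 6, 1)

if __name__ == "__main__":
    for finding, reason, when in due_queue(SAMPLE_DECISIONS, AS_OF):
        print(f"{when} {finding:6} {reason}")
```

As of the constructed readout date only two of the three decisions appear: F-101 because its first 90-day review has passed, and F-102 because the acceptance itself has expired. F-103 is current and stays off the queue, which is the point of carrying explicit expiry and cadence on the record.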
Retesting workflows tied to the original finding
Retests after remediation in critical-infrastructure environments often happen during the next planned outage window weeks or months after the fix is staged. Retesting workflows pair the rescan output, the configuration verification check, the factory acceptance test or site acceptance test re-execution evidence, or the manual field verification artefact to the original finding rather than opening a new record. The closure trail shows when the issue was first found, what the fix was, when remediation took effect, who verified it, and which scan, configuration check, or manual verification closed it. The verified-close decision survives field crew rotation, control engineer turnover, regulator personnel changes, and the IEC 62443 reassessment cycle that runs every few years on top of the quarterly continuous monitoring cycle.
AI-assisted critical-infrastructure programme reporting
AI-assisted reporting regenerates programme executive summaries, per-workstream status writeups, substation perimeter review narratives, EMS or DMS hardening cycle readouts, segmentation refresh readouts, NERC CIP-007 ports and services audit narratives, TSA security directive evidence summaries, AWIA risk and resilience assessment readouts, NIS2 Article 21 measure summaries, and CISA CPGs self-attestation narratives from the live engagement data on demand. The board, the audit committee, the regulator submission, the authorising official briefing, and the cyber insurance underwriter evidence pack read from the same record the operations team runs on.
Multi-factor authentication, role-based access control, and activity log
Multi-factor authentication is enforced on every workspace account. Role-based access control scopes the control centre operations lead, the SCADA engineer, the field crew supervisor, the cyber asset owner of record, the audit observer, the regulator liaison, and the steering committee participant to the engagements they actually need. An append-only activity log records every finding update, scan run, document upload, retest run, exception decision, comment, credential rotation, and team change with the actor, the entity, the timestamp, and the action. Plan retention covers 30, 90, or 365 days, and CSV export keeps the programme trail reproducible at audit time and at regulator review.
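One way to make an activity log append-only in a verifiable sense, rather than merely by convention, is to hash-chain the entries so that any later edit or deletion breaks verification from that point on. The following is an added example of that technique, not SecPortal's implementation; the entry fields follow the actor, entity, timestamp and action the page names, and the sample entries are constructed.

```python
"""Hash-chained append-only activity log with verification and CSV export.

Added illustration of one way to implement the append-only activity trail the
page describes; it is not SecPortal's implementation. Each entry carries the
SHA-256 of the previous entry, so an edit or deletion anywhere in the history
breaks verification from that point on. Sample entries are constructed.
"""
from __future__ import annotations

import csv
import hashlib
import io
import json

GENESIS = "0" * 64
FIELDS = ("seq", "timestamp", "actor", "entity", "action", "prev_hash", "hash")


def _digest(record: dict) -> str:
    """Hash every field except the entry's own hash, in canonical JSON form."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ActivityLog:
    def __init__(self) -> None:
        self.entries = []  # list of dicts, in append order

    def append(self, timestamp: str, actor: str, entity: str, action: str) -> dict:
        """Add an entry chained to the previous one. There is deliberately no
        update or delete method; a correction is recorded as a new entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "timestamp": timestamp, "actor": actor,
                  "entity": entity, "action": action, "prev_hash": prev}
        record["hash"] = _digest(record)
        self.entries.append(record)
        return record

    def verify(self) -> tuple[bool, int]:
        """Walk the chain; return (True, -1) if intact, otherwise (False, index)
        of the first entry whose position, link or content no longer matches."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["seq"] != i or rec["prev_hash"] != prev or _digest(rec) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, -1

    def to_csv(self) -> str:
        """Export the trail with its hashes so an auditor can re-run verify()."""
        out = io.StringIO()
        writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.entries)
        return out.getvalue()


def build_sample_log() -> ActivityLog:
    """Constructed entries of the kinds the page lists: a finding update,
    a credential rotation and a retest run (hypothetical actors and ids)."""
    log = ActivityLog()
    log.append("2025-03-03T09:12:00Z", "scada.engineer", "finding/F-101",
               "status changed: open -> remediated")
    log.append("2025-03-03T09:30:00Z", "ops.lead", "credential/oms-scan-user", "rotated")
    log.append("2025-03-20T14:05:00Z", "field.supervisor", "finding/F-101",
               "retest run: verified closed")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())                    # (True, -1)
    log.entries[1]["action"] = "retired"   # simulate an after-the-fact edit
    print(log.verify())                    # (False, 1): chain breaks at the edited entry
```

The exported CSV carries the hashes, so the copy handed to a regulator or assessor can be re-verified independently of the workspace that produced it; a retention window only decides how far back the chain is kept, not whether the kept part can be altered.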
How critical-infrastructure security teams run the discipline inside SecPortal
A critical-infrastructure security programme that holds up under audit fieldwork, NERC CIP audit, TSA pipeline security directive review, NIS2 supervisor review, AWIA regulator review, cyber insurance underwriting, customer security questionnaires, and incident post-mortem operates on a small set of disciplines. The zone and conduit drawing, the cyber asset register, the remote access register, the third-party connectivity register, the supplier and integrator register, the regulator response pack, and the audit evidence trail inherit each one rather than carving out a parallel operating model per artefact.
- Treat each critical-infrastructure workstream as a structured engagement record rather than as a recurring meeting. The substation perimeter review, the EMS or DMS hardening cycle, the water treatment SCADA segmentation refresh, the gas pipeline RTU firmware lifecycle, the transit signalling network refresh, the telecom core access review, the third-party remote support entry review, the NERC CIP cyber asset categorisation cycle, the IEC 62443 zone and conduit reassessment, the TSA pipeline security directive evidence cycle, and the AWIA risk and resilience assessment each live on a dated record with named owners, attached artefacts, and the live finding queue alongside.
- Run corporate-side scanner coverage off the live engagement record. External scanning across 16 modules surfaces exposed perimeter ports, weak TLS configuration on operator and customer portals, DNS misconfiguration, certificate transparency findings for shadow operator portals, subdomain enumeration for forgotten field office gateways, and tech-stack fingerprinting on corporate-side appliances. Authenticated DAST surfaces broken authentication on outage management, work and asset management, customer information system, geographic information system, and operator-facing web surfaces under stored credentials. Bulk finding import consolidates passive OT discovery outputs, vendor security advisories, IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive findings, AWIA assessment findings, and field walkdown observations.
- Keep active scanning off the supervisory control, protection relay, and safety-instrumented layers. SecPortal does not require live scanning to manage the engagement. Findings can be entered manually, imported from passive listening tools and OT-aware discovery products via CSV with column mapping, or carried in from vendor security advisories without active probing of the production control layer. Where the corporate IT estate, the operator-facing web surfaces, and the customer-facing portals can take active scanning, external scanning across the verified perimeter and authenticated DAST under stored credentials produce the live signal the corporate side reads against.
- Anchor control evidence against the same engagement records that hold the live operational findings, through compliance tracking. IEC 62443 zone and conduit evidence, NIST SP 800-82 risk treatment outcomes, NIST CSF 2.0 PR.AA, PR.IR, PR.PS, and DE.CM evidence, NIST SP 800-53 SC and AC family evidence, NIS2 Article 21 risk management measure evidence, ISO 27001 Annex A control evidence, ISO 27019 sector-specific energy control evidence, CISA Cybersecurity Performance Goals practice references, and the NCSC CAF principle evidence read from the live record rather than from a spreadsheet maintained by hand for each regulator cycle.
- Capture risk acceptances and exception decisions on residual operating technology exposure on the same record as the finding they cover, with the eight-field exception decision chain. Legacy field controller exceptions, third-party remote support exceptions, segmentation exceptions waiting on substation refresh, controller firmware exceptions blocked on OEM patch availability, water treatment controller exceptions waiting on planned process shutdown, gas SCADA exceptions waiting on vendor warranty windows, and protection relay exceptions waiting on the next coordination study read as a queue of dated decisions with named approvers and explicit expiry, rather than as a narrative email thread the regulator response cannot reconstruct.
- Run the regulator-aligned review cadence on the same workspace the operations team runs on. The NERC CIP cyber asset categorisation cycle, the IEC 62443 reassessment cycle, the TSA pipeline security directive evidence cycle, the NIS2 supervisory authority response cycle, the AWIA five-year assessment cycle, the CISA CPGs self-attestation cycle, and the cyber insurance underwriting cycle each attach the relevant artefacts to the engagement record alongside the live findings the steering committee reads off.
- Regenerate the leadership view through AI-assisted reporting rather than maintain a parallel reporting artefact. The board cybersecurity readout, the audit committee report, the chief operating officer briefing, the regulator submission, the authorising official briefing, the cyber insurance underwriter evidence pack, and the customer disclosure pack read from the same engagement record the operations team runs on.
- Maintain an append-only activity trail across every workstream, every finding, every exception decision, every retest, every document version, every credential rotation, and every team change, so the question of why the critical-infrastructure programme made a specific decision has a single defensible answer at audit fieldwork, regulator review, NERC CIP audit, TSA cyber security plan review, NIS2 supervisor review, AWIA review, or cyber insurance underwriting time.
From field walkdown to regulator submission, on one engagement record
The critical-infrastructure security programme loop is: open the workstream engagement, run the corporate-side scanner coverage, import the operating-technology-layer findings, map the controls, record the exceptions, route the cross-team work, regenerate the leadership view, and read the recurring cadence. SecPortal runs a single workflow that the control centre operations lead, the SCADA engineer, the field crew supervisor, the cyber asset owner of record, the audit committee, the regulator liaison, and the steering committee can all work against without re-keying state into another tool.
1. Open an engagement per critical-infrastructure workstream. Capture the workstream owner, the scope (substation perimeter, EMS or DMS application set, water treatment SCADA zone, gas pipeline RTU cohort, transit signalling segment, telecom core network domain, district heating SCADA zone, third-party remote support entry, NERC CIP cyber asset cohort, IEC 62443 zone and conduit set, TSA pipeline domain, AWIA assessment scope), the applicable framework set (IEC 62443, NIST SP 800-82, NIST CSF 2.0 PR.AA and PR.IR and DE.CM, NIST SP 800-53 SC and AC, NIS2 Article 21, ISO 27001 Annex A, ISO 27019 where energy is in scope, CISA CPGs, NCSC CAF where in scope), the in-scope verified domains for corporate-side scanning, the in-scope authenticated DAST targets for operator portals, and the named regulator and audit observers on the engagement record. Attach the operating technology architecture diagram, the zone and conduit drawing, the cyber asset register, the remote access register, and the supplier and integrator register as documents.
2. Run corporate-side scanner coverage off the engagement record. External scanning runs across the verified corporate perimeter for the workstream, covering exposed ports against a defensible baseline, TLS configuration on operator and customer portals, security headers, DNS misconfiguration, certificate transparency mining for shadow operator portals, subdomain enumeration for forgotten field office gateways, and tech-stack fingerprinting on corporate-side appliances. Authenticated DAST runs against outage management, work and asset management, customer information system, geographic information system, and operator-facing web surfaces with credentials encrypted at rest with AES-256-GCM. Continuous monitoring runs daily, weekly, biweekly, or monthly so the corporate-side view stays current between regulator-aligned cycles.
3. Bring operating-technology-layer findings into the engagement record through bulk finding import rather than active probing. Passive listening tool exports from Nozomi Networks, Claroty, Dragos, Tenable OT Security, or Forescout eyeInspect, vendor security advisories from inverter, RTU, PLC, IED, protection relay, smart meter, gas chromatograph, water treatment chemical dosing pump, signalling controller, and telecom switch vendors, IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive evidence findings, AWIA assessment findings, third-party penetration test findings, and field walkdown observations import as CSV with custom column mapping. Findings deduplication, prioritisation, and owner-of-record routing read from one record.
4. Map findings, scanner output, and engagement records against IEC 62443 zone and conduit targets, NIST SP 800-82 risk treatment outcomes, NIST CSF 2.0 PR.AA, PR.IR, PR.PS, and DE.CM functions, NIST SP 800-53 SC and AC control families, NIS2 Article 21 cyber risk-management measures, ISO 27001 Annex A controls, ISO 27019 sector-specific energy controls where in scope, CISA Cybersecurity Performance Goals practice references, and the NCSC CAF principles where in scope through compliance tracking. The regulator-time evidence packs read from the same engagement records the operations team runs on rather than from a parallel control matrix maintained by hand.
5. Capture risk acceptances, exceptions, and compensating control decisions on residual operating technology exposure on the same record as the findings they cover. Legacy field controller exceptions, third-party remote support exceptions, segmentation exceptions waiting on substation refresh, controller firmware exceptions blocked on OEM patch availability, water treatment controller exceptions waiting on planned process shutdown, gas SCADA exceptions waiting on vendor warranty windows, and protection relay exceptions waiting on the next coordination study read as a queue of dated decisions with named approvers and explicit expiry.
6. Route the work through role-based access control and multi-factor authentication. Control centre operations leads see the engagements for the workstreams they operate, SCADA engineers read the zone and conduit drawings and the cyber asset register, field crew supervisors read the field walkdown findings, audit observers read the programme posture across the estate without seeing the full operational backlog, regulator liaisons read the regulator-facing evidence packs, and the steering committee reads the leadership view that regenerates on demand.
7. Regenerate the leadership view through AI-assisted reporting. Executive summaries, per-workstream status writeups, substation perimeter review narratives, EMS and DMS hardening cycle readouts, segmentation refresh readouts, NERC CIP-007 ports and services audit narratives, TSA security directive evidence summaries, AWIA risk and resilience assessment readouts, NIS2 Article 21 measure summaries, and CISA CPGs self-attestation narratives draft from the live engagement data on demand. The team edits drafts rather than writing the deck from a blank page each regulator cycle.
8. Read the recurring programme cadence from the append-only activity log. Every finding update, scan run, document upload, retest run, exception decision, comment, credential rotation, and team change is recorded with the actor, the timestamp, and the action. CSV export keeps the programme trail reproducible at audit fieldwork, NERC CIP audit, TSA cyber security plan review, NIS2 supervisor submission, AWIA review, or cyber insurance underwriting time.
Where the critical-infrastructure view connects to the rest of the workspace
Most in-house critical-infrastructure security functions adopt SecPortal in three phases: bring every workstream onto an engagement record so the zone and conduit drawing, the cyber asset register, the remote access register, the supplier and integrator register, and the live findings live on one record; layer in external scanning, authenticated DAST against operator-facing web surfaces, and bulk finding import for passive OT discovery exports, vendor advisories, assessor outputs, NERC CIP audit findings, TSA security directive evidence, AWIA assessment findings, and field walkdown observations so the operating-technology view runs off the live record rather than from a stack of PDFs; and route the regulator, audit, board, and underwriter cadence through compliance tracking, role-based access control, multi-factor authentication, and AI-assisted reporting so the operations lead, the SCADA engineer, the field crew supervisor, the regulator liaison, and the audit committee all read from the same source the operations team runs on. The relevant capability, workflow, framework, and blog pages explain each phase in detail.
- The engagement record model that anchors every critical-infrastructure workstream is covered on the engagement management feature page, the per-workstream findings repository on the findings management feature page, and the zone and conduit drawing, cyber asset register, remote access register, and supplier and integrator register attachment surface on the document management feature page.
- The external scanning layer that surfaces exposed perimeter ports, weak TLS on operator and customer portals, DNS misconfiguration, security header gaps, certificate transparency findings, subdomain enumeration, and tech-stack fingerprinting on the external scanning feature page, the authenticated DAST layer against operator-facing web surfaces on the authenticated scanning feature page, and the AES-256-GCM encrypted credential vault that authenticated DAST reads from on the encrypted credential storage feature page.
- The bulk finding import layer that consolidates passive OT discovery exports, vendor advisories, IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive findings, AWIA assessment findings, third-party penetration test findings, and field walkdown observations on the bulk finding import feature page, the eight-field exception decision chain for residual operating-technology exception decisions on the finding overrides feature page, and the multi-framework control mapping a single engagement record rides on the compliance tracking feature page.
- The continuous monitoring schedule the corporate-side scanner cadence runs on, covering daily, weekly, biweekly, and monthly cycles on the continuous monitoring feature page, the retesting workflow that pairs verified-close evidence across planned outage windows to the original finding on the retesting workflows feature page, and the AI-assisted programme reporting layer on the AI reports feature page.
- The IEC 62443 framework anchor for zone and conduit security level evidence on the IEC 62443 framework page, the NIST SP 800-82 framework anchor for industrial control system security on the NIST SP 800-82 framework page, and the NIST CSF 2.0 framework anchor for PR.AA, PR.IR, PR.PS, and DE.CM evidence on the NIST CSF 2.0 framework page.
- The NIS2 framework anchor for Article 21 cyber risk-management measures on the NIS2 framework page, the NIST SP 800-53 framework anchor for SC and AC control family evidence on the NIST SP 800-53 framework page, and the CISA Cybersecurity Performance Goals framework anchor on the CISA CPGs framework page.
- The ISO 27001 framework anchor on the ISO 27001 framework page, the NCSC CAF framework anchor for critical national infrastructure operators on the NCSC CAF framework page, and the CIS Controls v8.1 framework anchor for network infrastructure and monitoring controls on the CIS Controls framework page.
- The remediation tracking workflow the operating-technology backlog reads off on the remediation tracking use case, the vulnerability acceptance and exception management workflow for residual operating-technology exposure on the vulnerability acceptance and exception management use case, and the scanner result triage discipline that operating-technology scanner output flows through on the scanner result triage use case.
- The breach notification and regulator readiness workflow that sits next to the NIS2 Article 23 incident reporting trail on the breach notification and regulator readiness use case, the security leadership reporting workflow for board and audit-committee readouts on the security leadership reporting use case, and the audit fieldwork evidence request fulfillment workflow on the audit fieldwork evidence request fulfillment use case.
- The exposed RDP boundary surface that operating-technology jump hosts often sit behind on the exposed RDP vulnerability page, the SSH configuration baseline surface for Linux-side jump hosts and network appliances on the SSH misconfiguration vulnerability page, and the TLS and SSL misconfiguration surface for operator portals on the TLS and SSL misconfiguration vulnerability page.
- The supporting templates for the operating model live on the vulnerability management policy template, the vulnerability SLA policy template, the security exception register template, and the audit evidence tracker template.
- The ransomware readiness, third-party vendor risk, and incident response threads that pair with the critical-infrastructure programme on the ransomware readiness program guide, the third-party vendor risk assessment guide, and the incident response plan guide.
Where the critical-infrastructure security team role sits next to adjacent personas
Critical-infrastructure security teams run the sector-specific in-house operating discipline that sits between the executive sponsor (the CISO and the chief operating officer), the corporate IT security function (the internal security team), the network operating side (the network security team), the cloud-side operator (the cloud security team), the GRC and compliance evidence owner, the OT and ICS consultancy that delivers the annual assessment, and the manufacturing security function that owns plant-side operating technology rather than utility, water, gas, transit, or telecom operating technology. The critical-infrastructure security team owns the regulated-essential-entity operating layer rather than any one of those adjacent shapes.
If your function spans broader corporate IT security operations rather than the sector-specific operating technology and regulator-aligned audit cycle, the SecPortal for internal security teams page covers vulnerability assessments, incident response, and compliance tracking across business units inside the same workspace, and pairs with the critical-infrastructure-specific workstream when the same security function carries both.
If your function is the network operating layer (firewall ruleset, segmentation matrix, ZTNA broker policy, NAC enforcement, NDR sensor coverage) rather than the operating technology layer specifically, the SecPortal for network security teams page covers the on-prem and hybrid network operating discipline that the corporate-side and operator-portal-side network segments inherit.
If your function is a dedicated vulnerability management programme with scanner consolidation, severity calibration, and SLA tracking as the primary discipline that sits on top of the critical-infrastructure operating layer, the SecPortal for vulnerability management teams page covers the operator-side view of the find-track-fix-verify loop the critical-infrastructure backlog rides on.
If your function pairs with a GRC function that owns the IEC 62443 reassessment cycle, the NERC CIP audit cycle, the TSA pipeline security directive evidence cycle, the AWIA assessment cycle, the NIS2 supervisory authority response, and the cyber insurance renewal pack, the SecPortal for GRC and compliance teams page covers the exception register, evidence currency, and audit support workflow that sits on top of the live finding record.
If your function is the cloud-side operator that runs cloud workloads behind the outage management, customer information, work and asset management, and asset performance management systems rather than the operating technology side, the SecPortal for cloud security teams page covers the cloud-side operating model that pairs to the critical-infrastructure operating layer.
If your function is the sister vertical that runs in-house plant-side operating technology rather than utility, water, gas, transit, or telecom operating technology, the SecPortal for in-house manufacturing security teams page covers the IEC 62443 zone and conduit evidence, the connected product CRA vulnerability handling lifecycle, and the plant change window remediation cadence that pair to the critical-infrastructure operating discipline across many shared frameworks.
If your organisation engages a specialist OT or ICS consultancy to run the annual IEC 62443 assessment, the NIST SP 800-82 risk assessment, the third-party penetration test against the control centre DMZ, the NERC CIP audit support engagement, the TSA pipeline security directive evidence engagement, or the AWIA assessment engagement, the consultancy-side equivalent is documented on the SecPortal for OT and ICS security consultancies page; both sides can operate on a shared workspace through the client portal so the annual engagement deliverable enters the in-house critical-infrastructure backlog as live findings rather than as a filed PDF.
If the critical-infrastructure security team reports up to a chief information security officer, a chief operating officer, a chief technology officer, or a board risk committee who needs the cybersecurity readout on the same record the operators run on, the SecPortal for CISOs and security leaders page covers the programme-level reporting workflow that sits on top of the live finding record without rebuilding a deck every regulator cycle.
SecPortal is built for in-house critical-infrastructure security teams that want one workspace for the baseline-cover-import-map-evidence-report loop on the regulated operating layer: engagement records per workstream, external scanning across 16 modules for the corporate perimeter, authenticated DAST against operator-facing web surfaces, bulk finding import for passive OT discovery exports, vendor advisories, IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive findings, AWIA assessment findings, third-party penetration test findings, and field walkdown observations, findings management with owner-of-record across every source, the eight-field exception decision chain for residual operating-technology exception decisions, multi-framework compliance tracking that covers IEC 62443, NIST SP 800-82, NIST CSF 2.0, NIST SP 800-53, NIS2 Article 21, ISO 27001, ISO 27019, CISA Cybersecurity Performance Goals, and the NCSC CAF principles in parallel, retesting workflows that survive planned outage windows, AI-assisted programme reporting, role-based access control with enforced multi-factor authentication, document management for the operating technology architecture diagram, the zone and conduit drawing, the cyber asset register, the remote access register, and the supplier and integrator register, encrypted credential storage for the scanner-side credential lifecycle, and an append-only activity log on top. 
The control centre operations lead reads the zone and conduit drawing and the cyber asset register, the SCADA engineer reads the vendor advisory feed and the regulator response pack, the field crew supervisor reads the field walkdown findings, the regulator liaison reads the regulator-facing evidence pack, the audit committee reads the programme posture, and the critical-infrastructure security team gets back the hours that used to disappear into reconciliation between an EMS console, a SCADA historian, a third-party assessor PDF, a NERC compliance binder, a TSA cyber security plan folder, a NIS2 supervisory authority response folder, and a steering committee deck.
The problems you face
And how SecPortal solves each one.
Findings on corporate IT systems, operator-facing portals (outage management, work and asset management, customer information system, geographic information system, asset performance management), supervisory control systems (EMS, DMS, SCADA, distributed control system), field devices (RTUs, PLCs, IEDs, protection relays, smart meters, signalling controllers), third-party remote support entry points, vendor security advisories, and prior-year assessor PDFs live across five consoles, a vendor advisory mailbox, a NERC compliance binder, a TSA cyber security plan folder, a NIS2 supervisory authority response folder, and a steering committee deck, and the in-house critical infrastructure security team rebuilds the picture every regulator cycle
Every finding lands on the engagement record for the workstream with an auto-calculated CVSS 3.1 vector, severity, evidence, named owner, and remediation status. External scanning across 16 modules surfaces exposed perimeter ports, weak TLS on operator and customer portals, DNS misconfiguration, certificate transparency findings, subdomain enumeration, and tech-stack fingerprinting. Authenticated DAST surfaces broken authentication on operator-facing web surfaces under stored credentials. Passive OT discovery exports from Nozomi Networks, Claroty, Dragos, Tenable OT Security, or Forescout eyeInspect, vendor security advisories, IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive evidence findings, AWIA assessment findings, third-party penetration test findings, and field walkdown observations consolidate through bulk finding import. The cross-layer backlog reads from one workspace.
Active scanning against the supervisory control layer, the protection relay layer, or the safety-instrumented layer is constrained by safety, regulator expectation, OEM warranty, plant change windows, and operating reliability rules, so the standard IT scanner cadence cannot run freely against the operating technology layer, and most teams either skip the layer entirely or rely on whatever the OEM ships in an annual advisory PDF
Findings can be entered manually, imported from passive listening tools and OT-aware discovery products via CSV with column mapping, or carried in from vendor security advisories without active probing of the production control layer. SecPortal does not require live scanning to manage the engagement; the workflow runs on findings, not on telemetry. Where the corporate IT estate, the operator-facing web surfaces, and the customer-facing portals can take active scanning, external scanning across the verified perimeter and authenticated DAST under stored credentials produce the live signal the corporate side reads against.
IEC 62443 zone and conduit drawings, the NIST SP 800-82 risk assessment, the NIS2 incident handling procedure, the NERC CIP-007 ports and services baseline, the TSA cyber security plan, the AWIA risk and resilience assessment, the CISA CPGs self-attestation, and the prior-year assessor reports live in shared drives, control centre engineering binders, and corporate compliance spreadsheets, and the next assessment, the next supervisory authority request, the next NERC CIP audit, the next TSA security directive evidence request, or the next AWIA review rebuilds the per-control evidence from scratch
Compliance tracking maps the live finding state against IEC 62443 zone and conduit security level targets, NIST SP 800-82 risk treatment outcomes, NIST CSF 2.0 PR.AA, PR.IR, PR.PS, and DE.CM functions, NIST SP 800-53 SC and AC families, NIS2 Article 21 risk management measure expectations, ISO 27001 Annex A controls, ISO 27019 sector-specific energy controls, CISA Cybersecurity Performance Goals practice references, and the NCSC CAF principles where in scope on the same record. Document management attaches the zone and conduit drawings, the NIST SP 800-82 risk assessment, the NIS2 incident handling procedure, the NERC CIP-007 ports and services baseline, the TSA cyber security plan, the AWIA risk and resilience assessment, the CISA CPGs self-attestation, and the prior-year assessor reports to the engagement record so the evidence pack reads from the live workspace rather than a binder.
Risk acceptances on legacy field controllers that cannot be patched before the next maintenance outage, third-party remote support exceptions extended by the business case, segmentation exceptions waiting on substation refresh, controller firmware exceptions blocked on OEM patch availability, water treatment controller exceptions waiting on a planned process shutdown, gas SCADA exceptions waiting on vendor warranty windows, and protection relay exceptions waiting on the next coordination study are stored in narrative emails the regulator response cannot reconstruct
The eight-field exception decision chain (linked finding, compensating control, residual likelihood, residual impact, business rationale, named approver, expiry, review cadence) captures the structured exception attached to the finding. The exception register reads as a queue of dated decisions with named approvers and explicit expiry, so the regulator response, the cyber insurance underwriting pack, and the board readout each show exceptions that are actually due rather than re-debate the same items.
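As an added illustration of the eight-field chain (example code written for this page, not SecPortal's implementation; the field names, the 1 to 5 residual scales, the sample register and the due-queue rule are assumptions), the register below rejects records with any of the eight fields blank and lists only the decisions that are expired or overdue for review:

```python
"""Exception decision register built on the eight-field chain.
Illustrative only: field names, scales and sample values are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# The eight decision fields; a record with any of them empty is a narrative, not a decision.
REQUIRED_FIELDS = (
    "linked_finding", "compensating_control", "residual_likelihood",
    "residual_impact", "business_rationale", "named_approver",
    "expiry", "review_cadence_days",
)

@dataclass
class ExceptionDecision:
    linked_finding: str          # id of the finding the exception is attached to
    compensating_control: str    # what limits exposure while the fix waits
    residual_likelihood: int     # 1 (rare) .. 5 (almost certain), assumed scale
    residual_impact: int         # 1 (negligible) .. 5 (severe), assumed scale
    business_rationale: str
    named_approver: str
    expiry: date                 # hard end date of the acceptance
    review_cadence_days: int     # how often the decision is re-examined
    decided_on: date             # date the approver signed off
    last_reviewed: Optional[date] = None

    def missing_fields(self) -> List[str]:
        """Names of the eight fields left empty, in chain order."""
        return [f for f in REQUIRED_FIELDS if not getattr(self, f)]

    def residual_risk(self) -> int:
        """Likelihood x impact on a 1..25 scale, for ordering the readout."""
        return self.residual_likelihood * self.residual_impact

    def next_review(self) -> date:
        """Review is anchored on the last review, or on the decision date."""
        anchor = self.last_reviewed or self.decided_on
        return anchor + timedelta(days=self.review_cadence_days)

def due_queue(register: List[ExceptionDecision], as_of: date) -> List[Tuple[str, str, date]]:
    """(finding, reason, date) for decisions that are expired or overdue for review,
    soonest first. Incomplete records raise instead of being queued silently."""
    queue = []
    for d in register:
        missing = d.missing_fields()
        if missing:
            raise ValueError(f"{d.linked_finding or '<no finding>'}: missing {missing}")
        if d.expiry <= as_of:
            queue.append((d.linked_finding, "expired", d.expiry))
        elif d.next_review() <= as_of:
            queue.append((d.linked_finding, "review due", d.next_review()))
    return sorted(queue, key=lambda item: item[2])

# Constructed sample register (invented finding ids and dates, not real findings).
SAMPLE_REGISTER = [
    ExceptionDecision("FND-0102", "Controller isolated in its own zone; conduit firewall permits historian pull only",
                      2, 4, "Firmware patch needs the next planned maintenance outage",
                      "OT security lead", date(2025, 9, 30), 90, date(2025, 1, 15)),
    ExceptionDecision("FND-0117", "Vendor remote support only via jump host with MFA and session recording",
                      2, 3, "Support contract requires vendor access until migration completes",
                      "Control centre operations lead", date(2026, 3, 31), 180, date(2025, 3, 1),
                      last_reviewed=date(2025, 4, 1)),
    ExceptionDecision("FND-0123", "Relay reachable from the out-of-band management network only",
                      1, 5, "Settings change waits on the next coordination study",
                      "Protection engineering lead", date(2026, 6, 30), 365, date(2025, 5, 1)),
]

def queue_for(as_of_iso: str) -> List[Tuple[str, str, str]]:
    """Run the sample register against an ISO date; dates returned as ISO strings."""
    return [(f, r, d.isoformat()) for f, r, d in due_queue(SAMPLE_REGISTER, date.fromisoformat(as_of_iso))]
```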
Authenticated scanning against operator-facing web surfaces (outage management, work and asset management, customer information system, geographic information system) needs real credentials, role-scoped access to the scan output, and an audit trail of every credential rotation, and the team carries the credentials in a shared password manager because the scanner-side workflow does not have a credential vault the operations function is authoritative on
Authenticated DAST runs against pages behind the login screen on operator-facing web surfaces. Cookie, bearer token, basic auth, and form login modes are supported, credentials are encrypted at rest with AES-256-GCM, role-based access control scopes the scan output to the operations team, and the activity log records every credential change with the actor and the timestamp. The credential rotation cadence sits on the engagement record rather than in a shared password manager.
Retests after remediation in critical infrastructure environments often happen during the next planned outage window weeks or months after the fix is staged, and the closure decision is asserted in chat or in the change ticket comment, so the next IEC 62443 assessor, the next NERC CIP audit, the next TSA security directive evidence request, the next AWIA review, the next NIS2 supervisory authority response, or the next cyber insurance renewal cannot defend the closure without a multi-team excavation across chat history and ticket comments
Retesting workflows pair the rescan output, the configuration verification check, the factory acceptance test or site acceptance test re-execution evidence, or the manual field verification artefact to the original finding rather than opening a new record. The closure trail shows when the issue was first found, what the fix was, when remediation took effect, who verified it, and which scan, configuration check, or manual verification closed it. The verified-close decision survives field crew rotation, control engineer turnover, regulator personnel changes, and the IEC 62443 reassessment cycle that runs every few years on top of the quarterly continuous monitoring cycle.
Programme reporting into the chief information security officer, the chief operating officer, the board risk committee, the regulator submission, the authorising official briefing, and the cyber insurance underwriter is a multi-day copy-paste exercise across an EMS console export, a SCADA historian, an OT-aware passive listening tool, a third-party assessor PDF, a NERC compliance binder, a TSA cyber security plan folder, a NIS2 supervisory authority response folder, and last-cycle decks, and the leadership view drifts away from the operational reality the team is running on between cycles
AI-assisted reporting regenerates programme executive summaries, per-workstream status writeups, substation perimeter review narratives, EMS and DMS hardening cycle readouts, segmentation refresh readouts, NERC CIP-007 ports and services audit narratives, TSA security directive evidence summaries, AWIA risk and resilience assessment readouts, NIS2 Article 21 measure summaries, and CISA CPGs self-attestation narratives from the live engagement data on demand. The board, the audit committee, the chief operating officer, the regulator submission, the authorising official briefing, and the cyber insurance underwriter evidence pack read from the same record the operations team runs on.
The team is asked to evidence the operating technology cyber asset register, the segmentation effectiveness, the third-party remote access inventory, the perimeter exposure baseline, the controller firmware currency, and the smart meter or controller field population at the start of every regulator cycle and assessment, and the evidence pulls take a week each cycle because the programme has never operated on a single source of truth the assessor or supervisor can read directly
Engagement records carry the operating technology architecture diagram, the zone and conduit drawing, the cyber asset register, the remote access register, the supplier and integrator register, and the controller firmware lifecycle artefact as versioned documents on the same record the live findings sit on. Compliance tracking maps the engagement record into the framework citation set the audit pack reads against. The activity log records every state change with the actor and the timestamp. Audit observers and regulator liaisons read the programme posture across the estate through a viewer-scoped role without seeing the full operational backlog.
Key features for you
Orchestrate every security engagement from start to finish
Vulnerability management software that tracks every finding
Vulnerability scanning tools that map your attack surface
Test web apps behind the login
Encrypted credential storage for authenticated scans
Bulk finding import: bring your scanner data with you
Finding overrides that survive every scan cycle
Compliance tracking without a full GRC platform
Monitor continuously, catch regressions early
Verify fixes and track reopens on the same finding record
AI-powered reports in seconds, not days
Every action recorded across the workspace
Document management for every security engagement
Multi-factor authentication on every workspace
Collaborate across your entire team
Run the critical infrastructure security programme on one record
Engagement records per critical infrastructure workstream, findings consolidated from external scanning, authenticated DAST, passive OT discovery exports, vendor advisories, IEC 62443 assessor outputs, NERC CIP audit findings, TSA security directive evidence, AWIA assessment findings, third-party penetration test findings, and field walkdown observations, compliance tracking across IEC 62443, NIST SP 800-82, NIST CSF 2.0, NIST SP 800-53, NIS2 Article 21, ISO 27001, ISO 27019, CISA CPGs, and the NCSC CAF principles, retesting workflows that survive planned outage windows, the eight-field exception decision chain for residual operating-technology decisions, AES-256-GCM encrypted credential storage, role-based access control with enforced multi-factor authentication, AI-assisted reporting, document management for the zone and conduit drawing and the cyber asset register, and an append-only activity log on one workspace. Free plan available.
No credit card required. Free plan available forever.