Secure Controls Framework
Download The SCF

Embedded Technology (EMB)

Domain Principle

Apply risk-based security, compliance and resilience practices to embedded technologies where compromise or misuse could create operational, safety and/or data protection impacts.

Domain Intent

Organizations develop, deploy, harden, monitor and maintain embedded technologies, including IoT and Operational Technology (OT), with safeguards for hardware, firmware, software, communications, service protocols and safety-related dependencies.

Domain Guide

Industrial control systems, IoT devices and operational technology run software that is often years or decades behind conventional IT security practices. EMB addresses the security, compliance and resilience requirements for these embedded technologies, where compromise doesn't just produce a data breach; it can create physical safety consequences.

 

The SCF's intent for EMB covers hardware, firmware, software, communications protocols and safety-related dependencies. That breadth reflects the actual attack surface of embedded systems. Firmware that can't be updated, default credentials baked into hardware and communication protocols without encryption are all standard findings in OT environments. The domain requires hardening, monitoring and maintenance for these systems with the same rigor applied to conventional IT, even when the systems themselves are less capable of supporting standard security controls.

 

EMB is separate from Endpoint Security (END) because embedded systems present distinct technical constraints and distinct consequence profiles. You can't deploy an EDR agent on a PLC. The security architectures, compensating controls and lifecycle considerations are different enough to require dedicated domain treatment.