Policy Governance & Control

Policies are the primary mechanism through which operational intent is translated into monitoring and protection behaviour within the First Watch® platform. They define:

  • What behaviour is acceptable
  • What must be observed and recorded
  • What may be restricted or enforced
  • Under which conditions actions are permitted

Policy governance is intentionally designed to be structured, auditable, and aligned with operational approval processes, rather than ad hoc or implicit.

Policies are not technical rules alone — they represent documented operational decisions.


What Policies Control in Practice

Policies allow organisations to define and control behaviour across three core domains.

Application Execution and Endpoint Behaviour

Policies can define:

  • Which applications are allowed to execute on specific systems
  • Which executables are explicitly whitelisted
  • Which tools are restricted or blocked (e.g., PowerShell, scripting engines, unknown binaries)
  • When execution is permitted (e.g., only during maintenance windows)
  • Whether unauthorised execution is logged or actively prevented

Operationally, this enables:

  • Clear visibility into who is running what, and when
  • Prevention of unauthorised software installation
  • Restriction of native operating system tools commonly used in malicious activity
  • Controlled use of engineering software on approved systems

Application control policies significantly reduce the risk of misuse, ransomware execution, and unauthorised tooling while preserving legitimate engineering workflows.

Communication and Network Behaviour

Policies can define:

  • Which systems are allowed to communicate with PLCs
  • Which communication paths are permitted between zones
  • Which protocols and command types are acceptable
  • Whether communication is monitored only or selectively restricted
  • When communication is allowed (e.g., engineering access windows)

This enables organisations to control:

  • Who can talk to which controller
  • Under what conditions communication is acceptable
  • Whether behaviour deviates from expected patterns
  • Whether technically valid but operationally inappropriate traffic is detected

Policies can operate in monitoring mode (detect and alert) or in active protection mode (restrict or block according to approved rules).

Change and Configuration Control

Policies can govern:

  • When changes to assets are allowed
  • Which users may perform modifications
  • Whether systems are placed into protected states outside approved windows
  • Whether configuration changes generate alarms
  • Whether unauthorised changes are prevented

This supports structured change management and prevents accidental or unauthorised modifications.


Policy Structure: Templates and Composed Policies

Policy governance begins with the creation of policy templates.

Policy templates are reusable building blocks that describe specific logic, such as:

  • Monitoring a defined type of change
  • Detecting execution of unauthorised tools
  • Observing PLC communication patterns
  • Restricting actions outside approved operational windows

Templates allow organisations to capture validated logic once and apply it consistently across environments.

Final operational policies are composed by combining one or more templates. This approach:

  • Ensures consistency across sites and systems
  • Reduces configuration errors
  • Simplifies review and approval
  • Supports scalable deployment

Policy Scope and Application

Policies may be applied at different scopes:

  • Individual assets — e.g., a critical PLC
  • Individual agents — e.g., a specific engineering workstation
  • Logical groups — e.g., SCADA servers, PLC zones, remote access systems

This allows policy application to reflect asset criticality, operational role, and site-specific risk tolerance.


Monitoring and Active Protection Policies

Policies may serve different operational purposes.

Monitoring-Focused Policies

These policies:

  • Observe and record defined behaviour
  • Generate events and alarms
  • Provide visibility and evidence
  • Allow validation before enforcement

Active Protection Policies

These policies:

  • Enforce defined behavioural boundaries
  • Prevent unauthorised execution or communication
  • Restrict changes outside approved conditions
  • Support real-time protection of critical assets

Operationally, organisations typically introduce monitoring policies first, validate behaviour, and then selectively enable enforcement once confidence and approval are established.


Scheduled Enforcement and Temporary Overrides

Policies may include:

  • Scheduled enforcement windows
  • Controlled maintenance periods
  • Temporary, auditable overrides

Temporary overrides allow authorised personnel to enable specific actions for a defined period, perform approved engineering work, and automatically revert to a protected state after expiration.

All overrides are traceable and documented.
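To make the mechanics described in the preceding sections concrete (templates composed into policies, policies applied to assets or logical groups, monitoring versus active protection, approved windows, and temporary overrides that expire), the following is an added Python model written for this page. It is illustrative code, not First Watch code or configuration; every template, policy, asset, host and user name in it is a constructed, hypothetical value.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Callable, List, Optional, Set


class Mode(Enum):
    MONITOR = "monitor"   # detect and alert only
    ENFORCE = "enforce"   # restrict or block according to approved rules


@dataclass(frozen=True)
class Event:
    asset: str     # e.g. "PLC-07" (constructed)
    group: str     # logical group the asset belongs to
    kind: str      # "exec" (application execution), "comm" (network), "change" (configuration)
    subject: str   # executable name, peer host, or user, depending on kind
    time: datetime


@dataclass(frozen=True)
class Template:
    """Reusable building block: a named condition that, when true, is a policy hit."""
    name: str
    condition: Callable[[Event], bool]


@dataclass(frozen=True)
class Override:
    """Temporary exception for one asset: enforcement drops to monitoring until it expires."""
    asset: str
    granted_by: str
    reason: str
    expires: datetime


@dataclass
class Policy:
    """Composed policy: templates plus scope, mode and an optional approved daily window."""
    name: str
    templates: List[Template]
    assets: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    mode: Mode = Mode.MONITOR
    approved_hours: Optional[range] = None   # e.g. range(8, 12): 08:00-11:59 is permitted

    def in_scope(self, ev: Event) -> bool:
        return ev.asset in self.assets or ev.group in self.groups


def evaluate(policies: List[Policy], overrides: List[Override], ev: Event, audit: list) -> dict:
    """Apply every in-scope policy to one event; every decision is appended to the audit trail."""
    hits, enforce = [], False
    for p in policies:
        if not p.in_scope(ev):
            continue
        if p.approved_hours is not None and ev.time.hour in p.approved_hours:
            continue   # inside the approved window the policy does not apply
        for t in p.templates:
            if t.condition(ev):
                hits.append(f"{p.name}/{t.name}")
                enforce = enforce or p.mode is Mode.ENFORCE
    # An override only counts while unexpired; after expiry the asset reverts to enforcement.
    override = next((o for o in overrides if o.asset == ev.asset and ev.time < o.expires), None)
    if not hits:
        action = "allow"
    elif enforce and override is None:
        action = "block"
    else:
        action = "alert"   # monitoring policy, or enforcement suspended by an active override
    record = {"time": ev.time.isoformat(), "asset": ev.asset, "kind": ev.kind, "subject": ev.subject,
              "action": action, "hits": hits,
              "override_by": override.granted_by if (override and enforce and hits) else None}
    audit.append(record)
    return record


# Constructed templates, policies and override; names are hypothetical, not First Watch configuration.
UNAUTHORISED_TOOLS = {"powershell.exe", "cscript.exe", "wscript.exe"}
APPROVED_ENGINEERING_HOSTS = {"ENG-WS-01"}
TOOL_EXEC = Template("unauthorised-tool-execution",
                     lambda e: e.kind == "exec" and e.subject.lower() in UNAUTHORISED_TOOLS)
PLC_COMM = Template("plc-comm-from-unapproved-host",
                    lambda e: e.kind == "comm" and e.subject not in APPROVED_ENGINEERING_HOSTS)
CONFIG_CHANGE = Template("configuration-change", lambda e: e.kind == "change")
POLICIES = [
    # Active protection for the PLC zone, except during the 08:00-12:00 engineering window.
    Policy("plc-zone-protection", [PLC_COMM, CONFIG_CHANGE], groups={"PLC zone A"},
           mode=Mode.ENFORCE, approved_hours=range(8, 12)),
    # Monitoring-only application control scoped to a single engineering workstation.
    Policy("workstation-app-control", [TOOL_EXEC], assets={"ENG-WS-01"}, mode=Mode.MONITOR),
]
OVERRIDES = [Override("PLC-07", "j.smith", "approved firmware update", datetime(2024, 5, 1, 16, 0))]


def run_demo() -> list:
    """Evaluate five constructed events on 2024-05-01 and return the audit trail."""
    d = datetime(2024, 5, 1)
    events = [
        Event("PLC-07", "PLC zone A", "comm", "ENG-WS-01", d.replace(hour=9)),          # inside window
        Event("PLC-07", "PLC zone A", "comm", "HMI-03", d.replace(hour=14)),            # override active
        Event("ENG-WS-01", "Engineering", "exec", "PowerShell.exe", d.replace(hour=3)),  # monitor only
        Event("PLC-07", "PLC zone A", "change", "contractor", d.replace(hour=17)),      # override expired
        Event("ENG-WS-01", "Engineering", "exec", "notepad.exe", d.replace(hour=10)),   # no hit
    ]
    audit: list = []
    for ev in events:
        evaluate(POLICIES, OVERRIDES, ev, audit)
    return audit
```

Calling run_demo() returns one audit record per event. Each record carries the action taken, the policy/template pairs that matched and, where an active override turned an enforced block into an alert, who granted it; the same kind of change on the same asset after the override's expiry is blocked, which is the automatic revert to a protected state described above. The monitoring-only workstation policy never blocks, so it can be deployed first and its alerts reviewed before the mode is changed to enforcement.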


Policy Governance and Accountability

Effective policy governance requires:

  • Formal review and approval of policies affecting critical assets
  • Clear ownership of policy intent and scope
  • Defined responsibility for monitoring and enforcement decisions
  • Periodic review of policy effectiveness

All policy changes, deployments, and overrides are recorded to ensure full traceability.

The platform enforces policies as defined. However, policy design and approval remain human responsibilities. This ensures that controls support operational objectives rather than conflict with them.


Policies translate organisational intent into structured, enforceable behavioural controls. Through application control, communication governance, and change management rules, the First Watch® platform enables disciplined, scalable, and auditable control of industrial environments.

By combining monitoring and active protection within a structured governance model, organisations can progressively strengthen security without compromising operational stability or engineering authority.