How do you evaluate whether a security control is appropriate for a critical infrastructure environment?