OT and Cybersecurity — Part I, Introduction

SOCFortress
6 min readOct 21, 2024

--

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

Operational Technology (OT) environments, which manage industrial systems like manufacturing, energy, and critical infrastructure, face unique cybersecurity challenges. These systems are increasingly connected to IT networks, exposing them to potential cyber threats.

As an example, Industrial control systems (ICS) have historically been isolated and less interconnected. Isolation was one of the things that kept these systems more secure behind air gaps, at the cost of lost coordination and collaboration. This is rapidly changing with the rise of Industry 4.0 with increased interconnectivity and integration of smart technologies like Industrial IoT (IIoT) and cloud computing in modern industrial processes.

Different cybersecurity reports published in 2024 reflect that OT intrusions have spiked since last year. The latest edition of Fortinet’s annual survey of OT professionals looks at trends in attacks and their impacts on organisations, as well as some positive signs that OT security postures are maturing.

Reference used in Part I Introduction: NIST Guide to Operational Technology (OT) Security

OT Overview

Operational technology: range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment).

Examples include:

  • industrial control systems,
  • building automation systems,
  • transportation systems,
  • physical access control systems,
  • physical environment monitoring systems,
  • physical environment measurement systems.

The part of the system primarily concerned with producing an output is referred to as the process. The part of the system primarily concerned with maintaining conformance with specifications is referred to as the controller.

OT-based Systems

OT is used in many industries and infrastructures, including those identified by the Cybersecurity and Infrastructure Security Agency (CISA) as critical infrastructure sectors:

  • Chemical Sector
  • Commercial Facilities Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base Sector
  • Emergency Services Sector
  • Energy Sector
  • Food and Agriculture Sector
  • Government Facilities Sector
  • Healthcare and Public Health Sector
  • Nuclear Reactors, Materials, and Waste Sector
    Transportation Systems Sector
  • Water and Wastewater Systems Sector

Comparing OT and IT System Security

The operational and risk differences between IT and OT systems create the need for increased sophistication in applying cybersecurity and operational strategies.

A cross-functional team of control engineers, control system operators, and IT security professionals must work closely to understand the possible implications of the installation, operation, and maintenance of security solutions in conjunction with control system operation.

IT professionals working with OT need to understand the reliability impacts of information security technologies before deployment. Moreover, some of the OSs and applications that run on OT may not operate correctly with commercial-off-the-shelf (COTS) IT cybersecurity solutions because of their unique requirements.

Special considerations when securing OT

  • Timeliness and performance requirements. OT systems are generally time-critical, with the criterion for acceptable levels of delay and jitter dictated by the individual installation. High throughput is typically not essential to OT. In contrast, IT systems typically require high throughput and can withstand some level of delay and jitter.
  • Availability requirements. Many OT processes are continuous in nature. Unexpected outages of systems that control industrial processes are unacceptable. Outages must often be planned and scheduled days or weeks in advance. OT systems often cannot be stopped and started without affecting production. Therefore, typical IT strategies (e.g., rebooting a component) are usually not acceptable for OT due to adverse impacts on the requirements for high availability, reliability, and maintainability.
  • Risk management requirements. In a typical IT system, primary concerns include data confidentiality and integrity. For OT, primary concerns include safety, fault tolerance to prevent the loss of life or endangerment of public health or confidence, regulatory compliance, loss of equipment, loss of intellectual property, or lost or damaged products.
  • Physical effects. Field devices (e.g., PLCs, operator stations, DCS controllers) are directly responsible for controlling physical processes. OT can have complex interactions with physical processes and consequences in the OT domain that can manifest in physical events.
  • System operation. OT OSs and control networks are often quite different from their IT counterparts and require different skill sets, experience, and levels of expertise. Control networks are typically managed by control engineers rather than IT personnel.
  • Resource constraints. OT and their real-time operating systems (RTOSs) are often resource-constrained systems that do not include typical contemporary IT security capabilities. Legacy systems often lack resources that are common on modern IT systems. Many systems may also lack desired features, including encryption capabilities, error logging, and password protection. Indiscriminate use of IT security practices in OT may cause availability and timing disruptions. Communication protocols and media used by OT environments for field device control and intra-processor communication are typically different from IT environments and may be proprietary.
  • Change management. Change management is paramount to maintaining the integrity of both IT and OT systems. Unpatched software represents one of the greatest vulnerabilities to a system. Software updates on IT systems, including security patches, are typically applied in a timely fashion based on appropriate security policies and procedures. Software updates on OT cannot always be implemented on a timely basis. Change management is also applicable to hardware and firmware. The change management process requires careful assessment by OT experts (e.g., control engineers) working in conjunction with security and IT personnel.
  • Managed support. Typical IT systems allow for diversified support styles, perhaps supporting disparate but interconnected technology architectures. For OT, service support is sometimes only available from a single vendor.
  • Component lifetime. Typical IT components have a lifetime on the order of three to five years due to the quick evolution of technology. For OT, where technology has been developed in many cases for specific uses and implementations, the lifetime of the deployed technology is often in the order of 10 to 15 years and sometimes longer.
  • Component location. Most IT components and some OT components are located in business and commercial facilities that are physically accessible by local transportation. Remote locations may be utilised for backup facilities. Distributed OT components may be isolated, remote, and require extensive transportation effort to reach. The component
    location also needs to consider necessary physical and environmental security measures.

Securing OT environments requires a layered, holistic approach that combines network segmentation, strong access control, monitoring, patch management, and staff training. The primary challenge is balancing security with operational continuity, given the mission-critical nature of OT systems.

Endemic risks to OT

OT attacks are on the rise. According to the most recent Global Threat Landscape Report from Fortinet, attacks targeting industrial control systems (ICS) and OT were already trending up in the second half of last year, with half of organisations reporting exploits (energy and utilities were top targets).

Organisations cannot afford to forget that OT systems present extremely attractive targets for attackers. Effective protection requires constant vigilance and resource allocation. A rise in intrusions and worsened impacts of attacks offer a clear sign to maturing organisations that their OT systems are not completely visible within the organisation's central cybersecurity operations.

For certain industry sectors, such as manufacturing, organisations have been more willing to pay requested ransoms, and the amount requested has also been typically higher.

Many regulations, such as the Cybersecurity Incident Disclosure Provision by the U.S. Securities and Exchange Commission, now require timely public announcement of breaches.

OT professionals continue to expand the array of cybersecurity features and protocols they utilise. Internal network segmentation, internal security training and education, and role-based access are the areas that show the most significant growth.

To enhance security measures against intrusions, OT professionals continue to expand the array of cybersecurity measures and technologies they utilise to raise the levels of cybersecurity at their organisations, including:

  • internal network segmentation
  • role-based access controls
  • program features that support internal security training and education.
  • ability to protect network boundaries

What’s next

In the next bog entry we’ll cover main recommendations and best practices for OT environments.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

--

--

SOCFortress
SOCFortress

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).

No responses yet