Operational Technology (OT) Security: How to Reduce Cyber Risk When IT and OT Converge

Operational technology (OT) represents all of the hardware and software to manage, monitor and control physical devices and processes. Some OT examples are distributed control systems (DCSs), programmable logic controllers (PLCs) and human-machine interfaces (HMIs) etc. Industrial control systems have used OT for manufacturing, transportation and utilities since the 1960s.

Unlike information technology (IT), OT in those industries was not originally connected to outside networks. These devices were primarily air-gapped (physical isolation from unsecured networks) for security; however, air-gapping is no longer effective in today’s connected world, and vulnerabilities in an OT system can leave critical infrastructure at risk of sabotage.

Operational technology security includes all the measures you can take to protect your organization’s hardware and software to monitor and manage your physical devices and processes from internal attacks, external attacks or other cyber risks.

Historically, OT involved closed systems. In those closed systems, air-gapping (physical isolation from unsecured networks) was the primary form of security. In today’s highly connected environment, OT security solutions include IT/OT security integration, passive and active threat detection, detailed asset inventory, risk-based vulnerability management and configuration control.

There are a few key differences between IT and OT. Information technology is used to store, manage, process and protect information, while operational technology is used to manage, monitor, and control physical devices and processes. IT generally has a stable environment, with a focus on security, a short lifecycle with frequent updating and standard operating systems. OT, on the other hand, may operate in adverse environmental conditions, with a focus on uptime. It also has a long lifecycle with infrequent updating and proprietary operating systems.

Traditionally, IT and OT have been separate. However, today, IT and OT are more interconnected than ever before, creating new attack surfaces and requiring new cybersecurity measures to protect both.

OT infrastructure refers to physical equipment and processes that operational technology manages, monitors and controls. It is used in a variety of industries including manufacturing, oil and gas, electrical generation and distribution, aviation, maritime and rail, as well as to control critical infrastructure such as emergency services, water treatment plants, electrical grids and traffic management systems. As part of all these industries and services, OT infrastructure is ubiquitous. It includes valves, pumps, switches, generators, pipelines, fans, PLCs, remote terminal units (RTUs), industrial robots and more.

Industrial security management is the processes used to ensure your industrial control systems (ICS) are safe and secure. Security management practices include visibility, security and control elements. Protecting industrial plants involves significantly minimizing potential risks and achieving affordable and minimally disruptive security for all assets, including industrial automation networks. It’s important to design and manage ICS security so it does not conflict with other important requirements such as performance output, uptime, and workforce-friendliness. Securing automation networks is the largest challenge in industrial security management today.

Industrial control system security (ICS) encompasses all of the processes, hardware and software used to keep ICS safe and secure. ICS security solutions include detailed visibility, asset inventory, passive and active threat detection, risk-based vulnerability management and configuration control. Industrial control systems are a main component of operational technology. ICS includes different types of devices, controls, systems and networks that manage industrial processes. Maintaining ICS safety to decrease risks from internal and external threats is key to keeping most kinds of industrial operations up and running.

An air-gap is a physical separation between the OT environment and the rest of the world. No data comes into the OT device from the outside and no data goes out from the OT network.

A supervisory control and data acquisition (SCADA) system is a control system used to communicate with and collect data from industrial machines, sensors and end devices, often at distributed sites. SCADA then transmits data to computers to process it and make it available to operators and other employees. Your staff can use the analyzed information to make important decisions and quickly control virtually any activity that might occur.

OT security is important because without complete visibility and security for both your OT and IT assets you can’t effectively mitigate your overall cyber risk. The industry relies heavily on automation to ensure high efficiency and minimal down time, while meeting exacting engineering standards. This creates unique and evolving risks for industrial and critical infrastructure organizations. Cyberattacks that target OT, or that begin in IT and laterally move into your OT environment, can destroy your operations, change products and put people’s lives at risk. In addition, the modern level of connectivity between operating technology systems and information technology systems increases your attack surface. Gaps in OT security can lead to a breach that can then be used to access your IT system. A successful attack on IT can disrupt more of your operations and put proprietary information at risk.

IT-OT convergence is the intersection of IT and OT devices and systems within the same environment, whether intentional or accidental. The convergence of OT and IT systems can optimize your production processes, encourage innovation and help your organization become more sustainable. However, it can also increase your attack surface by providing more access points for bad actors to enter your network and disrupt operations. Without complete visibility into all of your assets and security threats, you can’t protect your organization from cyber risks.