Why is it relevant to compare IT to OT?
Hello dear reader, my name is Ludwig, I am an OT security specialist at Combitech. In October, the National Security Awareness month, attention is to a great deal on “IT security”, with good reason. However, with an increasing number of devices and appliances being connected, the area of “OT security” also deserves its place in the spotlight. In the following I will cover OT security and highlight the differences between IT and OT, with a focus on cybersecurity.
Written by Ludwig Seitz, OT Security Specialist @ Combitech
What is OT?
Operation Technology (OT) is the hardware and software that monitors and controls physical processes, for example electricity production and distribution, industrial manufacturing, railway operations, building automation, or running a large ship. As you can guess from the use cases, this requires a slightly different approach than your run-of-the-mill office environment would need.
Vive la différence
OT is used to interact with the physical world, while IT interacts with information. The table below shows an overview of what that means in terms of possible incident impacts.
|Event||Possible IT incident impact||Possible OT incident impact|
|Loss of societally critical services.
Example for IT: Widely used digital payment service.
Example for OT: Electrical power.
|Disruptions in some aspects of daily life.
Negative effects on some businesses.
Alternative non-digital solutions must be used.
|Disruptions in all aspects of daily life.
All businesses affected.
Possible environmental effects.
Possible long-term damage to infrastructure.
Difficult to implement alternative solutions.
|Ransomware attack on an organization.||Disruption of business processes, digital data loss.
Financial damages and loss, potentially impacting employees.
Good backups can greatly reduce impact.
|Disruption of production processes.
Possible damage to hardware.
Risk for personnel safety.
Recovery can be very complex even with good backups (start-up times, damage to hardware, etc.).
|Industrial espionage||Loss of intellectual property such as: source code, research & development, customer data, pricing and sales information, company strategy.
||Loss of intellectual property such as: production techniques, processes, recipes, and formulas.|
The differences are also reflected in the security standards. Frameworks such as ISO 27000 often refer to information security, information protection and information classification, while OT-specific frameworks such as ISA/IEC 62443 are more concerned with the availability and integrity of the control systems.
General IT environments will prioritize protection as:
Confidentiality > Integrity > Availability,
whereas an OT environment will typically reverse this to:
Availability > Integrity > Confidentiality, or even Safety > Reliability > Productivity, drawing a completely different picture on the prioritization of security activities.
Another factor adding to the difference between OT and IT is the extended lifecycle of OT equipment. Where IT equipment is typically exchanged within a few years, similar equipment used in OT often has a lifetime requirement of over 20 years. There are several reasons for this, one being that the software and hardware used in OT operate very expensive machinery and therefore follow the lifecycle of those machines. When replacing software or hardware in OT there is always a risk that the newer equipment will not work with the expensive machine it is supposed to operate.
Another reason is that some OT-processes are subject to regulation (e.g., in food and drug production) and therefore production lines must be certified. Changes (such as software updates or hardware replacement) can invalidate these certifications and re-certifying is typically very expensive and time consuming.
Finally, there is an important reason why security is very different in legacy OT compared to IT: Legacy OT systems were designed to operate in isolation or in networks air-gapped from other equipment. Therefore, security was often not considered important, and configuration was traditionally very open.
Legacy and current OT systems are typically tailored systems, even within the same business area, often implementing non-traditional (from an IT perspective) and proprietary network protocols and operating systems, which are purpose-build e.g., for real-time tasks.
Below are selected examples of common IT protocols compared to OT protocols.
- IT Protocols: HTTP, TCP, UDP, IP, WiFi, Bluetooth
- OT Protocols: OPC, Modbus, BACnet, Fox, KNXnet, DNP, DLMS/COSEM, MMS, HART, Wireless HART, ISA 100.11a, Foundation Fieldbus, CIP, PROFINET, FL-net, P-NET, FIP, INTERBUS, CC-Link, Yokogawa Vnet, Toshiba TCnet, EtherCAT, Ethernet Powerlink, EPA, Sercos, Yaskawa MECHATROLINK, CAN
There is no sharp line between IT and OT, though. It is not uncommon for Windows to be the operating system in OT installations, where real-time operations are not required, and IT protocols are becoming more common, especially when IoT solutions are deployed.
Why is it relevant to compare IT to OT?
Digitalization has led to a more connected working environment e.g., through having “historians” (a database and some data processing applications custom-made for collecting and analyzing operational data) interact with the Enterprise Resource Planning (ERP) system, or more recently Manufacturing Execution Systems (MES) that have an even tighter coupling to the ERP.
Furthermore, remote maintenance, IoT monitoring, and data analytics have led to an increased need for interconnection (also called the IT-OT convergence). This means that IT technology is now commonly used in OT and consequently, OT systems are increasingly exposed to IT threats.
Security departments are therefore faced with challenges in finding a shared understanding with OT personnel about what are acceptable risks and what are just old habits that die hard. This culture clash makes it difficult to find the right level of security controls to apply to an OT environment, especially when one wants to re-use as much of the IT security technology, processes, and competences as possible.
Comparison of Security Controls IT vs OT
|Endpoint protection||Signatures, heuristics-based, automatic prevention, machine-learning-based behavior analysis, online cloud-backed
||Whitelisting, detect-only, offline on-prem. Prevention + false positive may block critical process|
|Firewalls||Segment users and servers||Segment OT from IT and Internet, horizontal segmentation -- production zones
|Network monitoring IDS/IPS
||Intrusion prevention, drop traffic flagged as suspicious||Intrusion detection (alert only), Prevention + false positive may block critical process
||Regular process, automated, active scanning common||Mostly passive methods or manual analysis, active scanning can disrupt legacy components
|Patching||Regular streamlined process, force-updated after grace period, automated||Infrequent, irregular process, legacy devices may not be patchable, few patch windows available, roll-back capability essential
|Security awareness||Phishing, Internet usage and data protection
||Physical security, engineering safety|
|Event detection||Event logs, EPP/EDR, URL inspection, email sandboxing, SIEM||Traffic baselining + anomaly detection (OT traffic is comparatively static), detections on network boundaries, event logs on modern equipment.|
Summary / Final remarks
OT systems significantly impacts our daily lives as they run most of our critical infrastructure. Alongside digitalization, comes an increasingly interconnected society, and not many are aware of the number of devices and systems dependent on secure connections. Meanwhile the level of threats against OT systems are increasing. It is therefore very important to gain a better understanding of how these systems can be secured, and how traditional IT security approaches must be adapted to work in the OT world.
- Additional ICS considerations in the mapping of NIST SP 800-82r2 to NIST SP 800-53r4 controls. Appendix G. pages G-14 onwards.
- CIS Controls V7 Implementation Guide for Industrial Controls Systems (cisecurity.org)
- The Differences Between ICS/OT and IT Security Poster | SANS Institute (registration required)