OT cybersecurity refers to the set of procedures and best practices designed to mitigate and prevent the exploitation of cyber-physical systems and industrial control systems (ICS). Industrial control systems are critical OT assets employed across a wide variety of sectors and services to automate production processes. Critical infrastructure has increasingly integrated digital technologies into its operations. While driving efficiency and innovation, digitalization also increases the risk of cyber incidents disrupting power, water, and other vital services. In addition to control systems, the OT environment comprises switches, relays, remote terminal units (RTUs), workstations and additional hardware and software that monitor and control physical devices, processes, and events across various industries.
The importance of ICS and OT security is a function of the unique risk associated with operating operational technology. Because of their connection to physical and often critical industrial processes, any disruption or malfunction of OT assets can impact safety, availability and reliability. Given that impact potential, cyber adversaries treat OT as a high-value target. OT cyberattacks continue to increase, including the cyberattack on Ukraine's power grid in 2015, the 2021 Colonial Pipeline ransomware attack, which halted fuel transportation, and the 2021 attempt to compromise water safety at the Oldsmar water treatment facility. These events underscore the growing threats to critical infrastructure worldwide. The public requires critical infrastructure, such as water and energy systems, to operate reliably. Any disruption across this wide network has far-reaching consequences, making the availability and resilience of operational technology key to public wellbeing.
Information and Operational Technology serve different purposes. IT cybersecurity concerns enterprise-level equipment used to manage data. OT cybersecurity concerns production level equipment used to manage physical products. These differences lead to unique security environments.
IT security focuses on the CIA triad, which stands for Confidentiality, Integrity, and Availability. OT security has to focus on safety and availability first. While confidentiality of data is important in a corporate setting, OT security deals with the physical world, where any disruption or compromise can lead to immediate physical consequences, potentially affecting human safety and the continuous operation of critical infrastructure.
IT security operators must keep up with quickly evolving equipment, platforms, and applications. The high rate of change means modular networks and routine updates. Furthermore, the value of IT is often linked with data and intellectual property stored within the network. For this reason, IT security’s primary concern is the confidentiality of the data. On the other hand, OT cybersecurity operators maintain systems with legacy equipment because of the high cost of equipment replacement and the slow change of system requirements. This means industrial control systems often contain known vulnerabilities. The value of operational technology, however, is most directly related to the continual and consistent operation of the equipment. Therefore, there are fewer opportunities for system downtime, updates, and equipment replacement. As a result, OT cybersecurity’s primary responsibility is the availability of the industrial control system.
The difference in context also changes the way you need to approach OT security. Due to their critical roles and the diversity of device age, make, and type, OT assets are sensitive to traditional IT security practices: an active vulnerability scan, an unscheduled patch reboot, or an endpoint agent pushed to a controller can disrupt operations and put the process at risk. While IT and OT security teams share the same end goal of protecting these systems from cyber incidents, OT security requires a different approach.
The technological architecture of organizations using operational technology can be organized into distinct layers. Within industry, this is known as the Purdue Model; it numbers the layers from Level 0 (the physical process) to Level 5 (the enterprise network) and provides a method for understanding the distinct functions of technologies at various levels of an organization. The five levels above the physical process are grouped below into the Enterprise levels and the Production levels.
Enterprise Levels (4 - 5)
The Enterprise Network, and Business Planning elements of the network compose levels 5 and 4 respectively. Collectively these are the levels of the corporate office. Routers, servers, personal computers, and printers are all likely to be devices within these layers.
Production Levels (1 - 3)
Levels 3 through 1 constitute the production environment of a given network. Level 3, or Site Control, commonly houses data storage devices (historians) and the central management system (likely an engineering workstation). Here, plant-wide information is simultaneously accessed and warehoused. Level 2, or Area Control, contains more specific control information. This might be the Supervisory Control and Data Acquisition (SCADA) interface for a subcomponent of devices or even the specific Human Machine Interface (HMI) of a single device. Level 1, or Basic Control, refers to the actual distributed control system (DCS) or programmable logic controller (PLC) that actuates an operational process. Beneath it sits Level 0, the physical process itself: the sensors and actuators that the Level 1 controllers read and drive.
The Purdue Model is helpful in understanding the complexity of modern technological architectures, but it is also complicated by the continued rise of the Industrial Internet of Things (IIoT). As information increasingly informs production processes, each layer is becoming more intertwined with the others. Therefore, even where the Purdue Model no longer reflects the logical topology of a network, it still provides a functional map of such systems.
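The functional map the Purdue Model provides is most useful when it is checked against what the network actually carries. The following added example (not code from the original article or from Industrial Defender) tags each end of a flow record with its Purdue level from an asset inventory and reports flows that skip levels, for instance an Enterprise Level 4 host talking straight to a Level 1 PLC. It assumes a deliberately simple policy, adjacent levels only unless a flow is on a documented exception list, and every address, level and flow below is constructed for the example.

```python
"""Purdue-level conduit check over constructed flow records.

Added example; not code from the original article or Industrial Defender.
Policy assumed here: traffic may cross only between adjacent Purdue levels,
unless the (src, dst, dport) tuple is on an explicit exception list; any flow
that involves an address missing from the inventory is reported as well.
Real zone/conduit policies are site specific and usually include a DMZ.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: IP address -> Purdue level (hypothetical addresses)
INVENTORY: Dict[str, int] = {
    "10.10.50.11": 5,  # enterprise mail server
    "10.10.40.20": 4,  # business planning / ERP server
    "10.10.30.5": 3,   # site historian
    "10.10.30.9": 3,   # engineering workstation (EWS)
    "10.10.20.14": 2,  # HMI for line 1
    "10.10.10.7": 1,   # PLC for line 1
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Documented exceptions (src, dst, dport). Here: the EWS downloading logic
# to the PLC over EtherNet/IP (tcp/44818) is allowed to skip Level 2.
EXCEPTIONS: Set[Tuple[str, str, int]] = {("10.10.30.9", "10.10.10.7", 44818)}

# Constructed flow records, e.g. exported from a firewall or a passive sensor
FLOWS: List[Flow] = [
    Flow("10.10.30.5", "10.10.20.14", 502),     # historian <-> HMI: adjacent, OK
    Flow("10.10.20.14", "10.10.10.7", 502),     # HMI -> PLC Modbus/TCP: adjacent, OK
    Flow("10.10.40.20", "10.10.30.5", 1433),    # ERP -> historian SQL: adjacent, OK
    Flow("10.10.40.20", "10.10.10.7", 502),     # ERP -> PLC: skips Levels 3 and 2
    Flow("10.10.50.11", "10.10.20.14", 3389),   # mail server -> HMI over RDP
    Flow("10.10.30.9", "10.10.10.7", 44818),    # EWS -> PLC: documented exception
    Flow("192.0.2.77", "10.10.10.7", 502),      # source not in inventory
]


def check_flow(flow: Flow, max_span: int = 1) -> Optional[str]:
    """Return None if the flow is allowed, otherwise a short reason string."""
    src_lvl = INVENTORY.get(flow.src)
    dst_lvl = INVENTORY.get(flow.dst)
    if src_lvl is None or dst_lvl is None:
        return "asset not in inventory"
    if (flow.src, flow.dst, flow.dport) in EXCEPTIONS:
        return None
    span = abs(src_lvl - dst_lvl)
    if span > max_span:
        return f"level {src_lvl} -> level {dst_lvl} skips {span - 1} level(s)"
    return None


def find_violations(flows: List[Flow], max_span: int = 1) -> List[Tuple[Flow, str]]:
    """Evaluate every flow and return the (flow, reason) pairs that fail policy."""
    violations = []
    for flow in flows:
        reason = check_flow(flow, max_span)
        if reason is not None:
            violations.append((flow, reason))
    return violations


if __name__ == "__main__":
    for flow, why in find_violations(FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {why}")
```

Run as a script, the block prints the three flows that fail the assumed policy: the ERP server reaching the PLC, the mail server opening RDP to the HMI, and the flow from an address the inventory does not know about. The last case is the one that matters most in practice: a flow you cannot attribute to an inventoried asset is an inventory gap, not just a policy question.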
High-profile OT cyberattacks demonstrate that vulnerabilities exist at each level of the network architecture. The Stuxnet worm, uncovered in 2010, targeted the Siemens PLCs and Step 7 engineering software controlling uranium-enrichment centrifuges in Iran. The worm was introduced into an isolated network via removable media, most likely a USB drive, and abused a Windows shortcut-file flaw so that it executed automatically when the drive's contents were viewed, without any user installing anything. From there it spread to the engineering workstations, altered the logic on specific PLCs so that the centrifuges were driven outside their safe operating range, and replayed normal-looking process values to the monitoring layer, so the area control workstations reported nothing wrong while the integrity of the control layer was being degraded. This risk could have been mitigated by:
In 2021, an intruder attempted to poison the public water supply of Oldsmar, Florida, by raising the sodium hydroxide (lye) dosing setpoint at the treatment plant, which was running an outdated operating system. Reporting at the time noted that a computer on the network had visited an unsecured web address; what gave the intruder control, however, was a remote management application (TeamViewer) exposed to the internet and protected by a weak password shared across the plant's computers. Once connected to the operator's screen, issuing the command to raise the chemical level took seconds, though thankfully an operator watching the display noticed and reversed it before any water was affected. The attack could have been diverted more easily however, had the security operators:
Colonial Pipeline was the victim of a targeted ransomware attack in 2021 that began with a compromised virtual private network (VPN) account. The attackers used a leaked password for a legacy VPN account that was no longer in active use but had never been disabled, and the VPN did not require multi-factor authentication. The company had not factored the dormant VPN account into its security considerations. From this foothold the DarkSide ransomware group encrypted corporate IT systems, and Colonial shut down pipeline operations as a precaution while it determined whether the OT network was affected, halting fuel transportation for several days. This loss of availability could have been avoided if they had:
In September 2024, Arkansas City, Kansas, was forced to switch its water treatment facility to manual operations after a cyberattack was detected. Local authorities, with Homeland Security and FBI support, are investigating, and enhanced security measures have been put in place.
While the water supply remains safe, residents may experience low water pressure through the weekend as issues with some pumps are addressed. The attack occurred just two days after Water ISAC issued a warning about Russian-linked threats to the water sector.
This incident underscores the need for:
Critical infrastructure operators continue to struggle with blind spots in their OT environments. Trustworthy OT asset data is the bedrock of OT security: you have to know what you have in order to secure it. This goes beyond basic inventory. Simply knowing what devices are on your network is a good start, but it is not enough to manage risk. You need deeper awareness of details such as software and firmware versions, known vulnerabilities, patch status, firewall rules and PLC key switch positions.
Furthermore, it's important to monitor these details as cyberattacks become more stealthy and sophisticated. For example, threat actors like Volt Typhoon employ "living off the land" (LOTL) attacks, which use legitimate tools already present within the system. These attacks often evade traditional malware detection methods, making it critical to monitor your environment for unusual and unauthorized behaviors. By keeping an eye on granular changes such as modifications to configurations, the creation of new accounts, certain event IDs, or atypical logging activity, operators can detect early warning signs of these stealthy attacks and act before significant damage occurs.
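Both halves of that advice, knowing what you have and watching it for granular change, reduce to comparing a trusted record against what the environment looks like now. The following added example (not code from the original article or from Industrial Defender) does that in two ways: it diffs two inventory snapshots to surface drift such as a PLC key switch moved from RUN to PROGRAM, a changed firewall rule set, or a host that was not in the baseline, and it scans host log lines for the Windows security event IDs that commonly accompany living-off-the-land activity (account creation, local admin group changes, new services, scheduled tasks, audit log clearing). The event IDs are real Windows IDs; the asset names, snapshot values and log lines are constructed, and the pipe-delimited log format is an assumption made for the example.

```python
"""Drift and event checks over constructed OT asset snapshots and host logs.

Added example; not code from the original article or Industrial Defender.
Part 1 diffs a baseline inventory against a current one. Part 2 filters
constructed, pipe-delimited Windows log lines for event IDs that often show
up when an intruder uses built-in tools rather than malware.
"""
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Dict[str, str]]  # asset name -> attribute -> value

# Constructed inventory snapshots (asset names and values are hypothetical)
BASELINE: Snapshot = {
    "plc-line1": {"firmware": "V4.2.1", "key_switch": "RUN", "fw_rules_hash": "a1b2"},
    "hmi-line1": {"os": "Windows 10 LTSC", "fw_rules_hash": "77ee"},
    "ews-01":    {"os": "Windows 10 LTSC", "fw_rules_hash": "c0de"},
}
CURRENT: Snapshot = {
    "plc-line1": {"firmware": "V4.2.1", "key_switch": "PROGRAM", "fw_rules_hash": "a1b2"},
    "hmi-line1": {"os": "Windows 10 LTSC", "fw_rules_hash": "9f9f"},
    "ews-01":    {"os": "Windows 10 LTSC", "fw_rules_hash": "c0de"},
    "unknown-7": {"os": "Windows 7", "fw_rules_hash": "0000"},
}

Change = Tuple[str, str, Optional[str], Optional[str]]  # asset, attribute, old, new


def inventory_drift(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """Return one (asset, attribute, old, new) tuple per difference.

    New and missing assets are reported with attribute "asset"; for every
    asset present in both snapshots each attribute is compared by value.
    """
    changes: List[Change] = []
    for asset in sorted(set(baseline) | set(current)):
        if asset not in baseline:
            changes.append((asset, "asset", None, "new"))
            continue
        if asset not in current:
            changes.append((asset, "asset", "present", None))
            continue
        for attr in sorted(set(baseline[asset]) | set(current[asset])):
            old, new = baseline[asset].get(attr), current[asset].get(attr)
            if old != new:
                changes.append((asset, attr, old, new))
    return changes


# Windows event IDs worth alerting on in an OT environment (real IDs).
WATCHED_EVENTS: Dict[int, str] = {
    4720: "user account created",
    4732: "member added to security-enabled local group",
    4698: "scheduled task created",
    7045: "new service installed",
    1102: "security audit log cleared",
}

# Constructed log lines in an assumed format: "<timestamp>|<host>|<event_id>|<detail>"
LOG_LINES: List[str] = [
    "2024-09-20T02:11:05|ews-01|4624|logon user=eng_jsmith type=10",
    "2024-09-20T02:12:41|ews-01|4720|account created user=svc_backup2",
    "2024-09-20T02:12:43|ews-01|4732|svc_backup2 added to Administrators",
    "2024-09-20T02:15:00|ews-01|7045|service installed name=WinRM-Helper path=C:\\Windows\\Temp\\w.exe",
    "2024-09-20T03:00:12|hmi-line1|1102|audit log cleared by eng_jsmith",
    "2024-09-20T06:30:00|hmi-line1|4624|logon user=operator type=2",
]

Hit = Tuple[str, str, int, str, str]  # timestamp, host, event id, label, detail


def suspicious_events(lines: List[str]) -> List[Hit]:
    """Parse the pipe-delimited lines and keep those whose event ID is watched."""
    hits: List[Hit] = []
    for line in lines:
        timestamp, host, event_id, detail = line.split("|", 3)
        eid = int(event_id)
        if eid in WATCHED_EVENTS:
            hits.append((timestamp, host, eid, WATCHED_EVENTS[eid], detail))
    return hits


if __name__ == "__main__":
    for asset, attr, old, new in inventory_drift(BASELINE, CURRENT):
        print(f"DRIFT  {asset}: {attr} {old!r} -> {new!r}")
    for ts, host, eid, label, detail in suspicious_events(LOG_LINES):
        print(f"EVENT  {ts} {host} {eid} ({label}): {detail}")
```

Against the constructed data the drift check reports the PLC key switch moving to PROGRAM, the HMI's firewall rule set changing, and an unknown Windows 7 host appearing, while the log filter keeps the account creation, the local Administrators change, the new service running from a temp directory, and the cleared audit log. None of those individually proves an intrusion; the point is that each is a small, legitimate-looking change that a malware signature would never catch, and a sequence of them on one engineering workstation in the middle of the night is exactly the pattern to act on.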
Part of the lack of visibility into OT environments stems from hesitation around active monitoring methods. Some of this is justified when looking at past examples of IT-led exercises that implemented active methods and disrupted OT processes. However, OT asset management has matured greatly over the past two decades, and integrated data collection, when implemented correctly, is a safe and effective way to manage OT assets.
A comprehensive integrated data collection approach should centralize:
As high-profile cyberattacks increase in number and sophistication, private companies today must be prepared to defend against increasingly capable adversaries and even nation-state attacks. This daunting task can be best approached by systematically understanding network architecture and the lessons of past attacks. The non-profit MITRE Corporation has published the MITRE ATT&CK for ICS framework for this precise purpose.
The MITRE ATT&CK for ICS framework acts as a common industry lexicon by describing adversary tactics (the original release listed eleven; Privilege Escalation was added later, making twelve) and the techniques under each that show how adversaries enter, explore, and exploit your network. Adversaries enter and stay within networks through Initial Access, Persistence, Privilege Escalation and Evasion, and protect their foothold by inhibiting response functions. They learn about the compromised environment through Discovery, Collection, and Lateral Movement within the ICS environment, and they communicate with the systems they control through Command and Control channels. With access and information in hand, adversaries Execute code, Impair Process Control and ultimately cause Impact on the industrial process itself.
Understanding the evolving security landscape is now a requirement of sound business practice. Without robust industrial security measures, companies take on significant risk to their safety, profitability, and reputation. Profitability can be decreased from unexpected production downtime, legal costs, and increased insurance costs, among other concerns. Our OT Risk Calculator can provide a customized estimate of each factor to show what a cyberattack could really cost your company.
Furthermore, a cyber incident can quickly shake confidence, resulting in brand and reputational damage which translates into a reduced customer base. As a result, it is increasingly important that security professionals learn how to effectively ask for the proper OT cybersecurity budgeting. Explaining these risks to management and requesting an expanded OT security program will ultimately result in gains across the entire business.
When determining where to further invest in security, there are many standards that can help. One of these is the NIST Cybersecurity Framework (CSF), which provides a simple method for identifying what opportunities exist to optimize your security processes. The NIST CSF is a voluntary set of guidelines created to aid the development of business security strategies. The framework is organized around a security cycle: identify, protect, detect, respond, recover; CSF 2.0, published in February 2024, adds a sixth function, govern, that spans the cycle. Each stage requires an understanding of the distinct elements of the OT network and the proper people, processes and technologies for effective implementation.
Another popular standard used to design an OT/ICS security program is the ISA/IEC 62443 standard. The ISA/IEC 62443 series of standards offers a flexible framework of security controls that define ICS security techniques, processes, and procedures to aid organizations in mitigation and risk reduction for security vulnerabilities in ICS. Organizations can adopt and enforce security controls that work reliably across devices, networks, and infrastructure based on this single congruous framework.
Within OT environments, specific best practices can be employed to maximize security effectiveness. The first requirement is robust asset management. With a full understanding of the network, it is possible to establish centralized management with effective monitoring techniques. Centralized monitoring will subsequently enable security operators to implement automated vulnerability and anomaly detection abilities. Each of these steps and best practices fundamentally serve to assure that the right data is in the hands of your OT defenders. Understanding your system and knowing how to ask OT security vendors the right questions is the first step in reaching this goal.
Understanding OT cybersecurity can be complicated. The increasing frequency and sophistication of ICS cyberattacks, the rise of the IIoT, and many other factors add to the complexity. Yet, the importance of critical infrastructure is too great to ignore its security. Furthermore, it is now impossible to safely operate an industrial control system as a business without a rigorous OT cybersecurity approach. Industrial Defender offers resources to aid in the search for solutions to each of these issues.
Our OT Security 101 Webinar provides guidance to better understand the security principles of OT cybersecurity. Industrial Defender’s OT Cybersecurity Solutions Buyer’s Guide provides information that can help narrow the search for an ICS security solution. The Defender Sphere is designed to help clarify the various vendors, services, and equipment involved in the operational technology landscape.
By taking advantage of these and additional resources, security professionals can understand industrial control systems and achieve robust OT cybersecurity to support key business interests and safety requirements.