Key Differences: IT vs OT/ICS Security
Covering some of the key differences and approaches regarding Cybersecurity
Quick Note: All opinions are my own and are not related to my current employer.
Following up on my last post about the 2024 SANS ICS Security Summit last month, as promised, here is a quick rundown exploring key differences between IT vs OT/ICS.
First off, some important terms and definitions (there are other terms that people use like “Cyber-Physical”, but generally speaking, most of these things fall under the blanket category of Operational Technology):
Operational Technology (OT):
“Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms.”
Industrial Control Systems (ICS):
“An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems used to control geographically dispersed assets, as well as distributed control systems and smaller control systems using programmable logic controllers to control localized processes.”
Critical Infrastructure (CI):
“Systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Key Point
Generally speaking, systems that fall under OT have the ability to interact with the real (physical) world.
A big part of the risk around OT/ICS is that these systems often support CI. CISA maintains information about the 16 CI sectors in the US.
Typical Environments & Systems
IT:
Office environments, data centers, and cloud infrastructure.
Systems include servers, desktops, laptops, and mobile devices.
OT/ICS:
Usually designed to operate in industrial environments, such as factories or power plants - locations can often be in the middle of nowhere and hardware needs to be “ruggedized”.
Systems include SCADA (Supervisory Control and Data Acquisition), PLCs (Programmable Logic Controllers), and RTUs (Remote Terminal Units).
Priorities
IT:
When looking at traditional IT environments and businesses, the priority from a cybersecurity perspective is typically data confidentiality and user privacy. A bad day for one of these businesses could mean compromised credit card information or other user data like Social Security Numbers.
OT/ICS:
When looking at OT/ICS in a CI environment, the priority is often focused on operational continuity and safety. A bad day could result in loss of life or leaving multitudes of people without power.
Technology Lifespan
IT:
Traditional IT equipment can get out of date quickly - hardware refreshes are recommended every 3-5 years.
OT/ICS:
Most equipment is expected to be in use for 10-20 years, but it's not rare to find equipment in the field for longer than that.
Security Patches/Vulnerability Scanning
IT:
Monthly patching is the norm. Depending on the maturity of the organization, critical security patches can be coordinated within 24 hours (or less).
Vulnerability Scanning is usually automated and involves active interrogation of systems.
OT/ICS:
Since availability is critical, any system downtime needs to be carefully coordinated. Patch cycles tend to be less frequent, and oftentimes rely entirely on vendor assistance.
Many devices (especially older ones) can't handle active interrogation or even port scans (think Nmap). Instead, most teams deploy passive scanning solutions - a sensor device analyzes network traffic and identifies information about each device based on its network activity alone.
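To make the passive approach concrete, here is an added example (my own illustration, not code from any vendor's sensor product) of a tiny passive asset-inventory routine for Modbus/TCP, one of the industrial protocols listed later in this post. It only reads traffic it is handed; it never transmits, so it cannot upset a fragile controller. The packet tuples, IP addresses and device names below are constructed sample data, not a real capture.

```python
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502
# Subset of the public Modbus function codes (Modbus Application Protocol spec)
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers", 4: "Read Input Registers",
                  5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_CODES = {5, 6, 15, 16}  # requests that change process state; worth tracking separately

def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP frame (7-byte MBAP header + PDU); return (unit_id, function_code) or None."""
    if len(payload) < 8:
        return None
    _txn_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; the length field counts the unit id plus the PDU bytes
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]

def passive_inventory(packets):
    """Build an asset list from observed traffic only; nothing is ever sent to a device.
    packets: iterable of (src_ip, src_port, dst_ip, dst_port, tcp_payload)."""
    assets = defaultdict(lambda: {"role": set(), "units": set(), "functions": set(), "writes": 0})
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue  # not Modbus/TCP (e.g. HTTPS); parsers for other ICS protocols would go here
        unit_id, fc = parsed
        if dst_port == MODBUS_TCP_PORT:    # request: client -> server
            server, client, is_request = dst_ip, src_ip, True
        elif src_port == MODBUS_TCP_PORT:  # response: server -> client
            server, client, is_request = src_ip, dst_ip, False
        else:
            continue
        assets[server]["role"].add("modbus-server")
        assets[server]["units"].add(unit_id)
        assets[server]["functions"].add(FUNCTION_NAMES.get(fc, f"fc{fc}"))
        assets[client]["role"].add("modbus-client")
        if is_request and fc in WRITE_CODES:
            assets[server]["writes"] += 1
    return dict(assets)

# Constructed sample traffic (not a real capture): an HMI at 10.0.0.10 polling a PLC at 10.0.0.20
SAMPLE_PACKETS = [
    ("10.0.0.10", 50123, "10.0.0.20", 502, bytes.fromhex("00010000000601030000000a")),  # read 10 holding regs
    ("10.0.0.20", 502, "10.0.0.10", 50123, bytes.fromhex("000100000017010314" + "00" * 20)),  # the reply
    ("10.0.0.10", 50123, "10.0.0.20", 502, bytes.fromhex("0002000000060106000100ff")),  # write one register
    ("10.0.0.10", 50124, "10.0.0.30", 443, b"\x16\x03\x01\x00\x05hello"),  # TLS record, not Modbus
]
```

Running `passive_inventory(SAMPLE_PACKETS)` identifies 10.0.0.20 as a Modbus server (unit 1) that has received a write, and 10.0.0.10 as the client, while the HTTPS traffic to 10.0.0.30 is left untouched.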
Incident Response
IT:
Rapid containment and eradication is ideal and increasingly automated.
OT/ICS:
Being too quick to contain (e.g. disconnecting a critical system from the ICS network) has the potential to cause far greater damage than something like ordinary malware. Therefore, it's important to thoroughly triage and understand the environment - the last thing anyone wants to do is jeopardize safety.
Protocols
IT:
Common protocols include HTTPS, DNS, and DHCP.
OT/ICS:
Protocols unique to industrial communications: DNP3, Modbus, BACnet, EtherNet/IP, etc. See this list for more.
Conclusion
The field of OT/ICS Cybersecurity is growing and more expertise is absolutely needed. If anyone reading this wants to talk more about it, feel free to reach out. Thanks for reading!