May 13, 2019 By Anshul Garg 4 min read

Over the past several years, companies that operate industrial environments have taken advantage of digital transformation to help them become more competitive in their respective sectors. From the internet of things (IoT) to the industrial internet of things (IIoT) to Industry 4.0, the next industrial revolution is upon us as companies leverage the ability to connect devices that were previously not connected to the internet.

IT components like servers, databases and even cloud services are being brought into operational technology (OT) environments and can introduce various benefits to industrial processes, such as helping organizations improve uptimes, performance, quality and productivity, maintain safety, and help reduce maintenance costs and risk. All these can result in increased profits for organizations that adopt these solutions.

However, as with any digital transformation, there are some challenges that can arise. As OT environments, especially with legacy systems in place, become increasingly connected, they may inherit risks that were previously the domain of the IT environment. As a result, they can become vulnerable to cybersecurity threats and threat actors that may not have affected them in the past.

Learn More About Securing Your OT Environment

Some Definitions First — What Is OT Security?

Operational technology is the use of computerized systems to manage, monitor, and control the physical state of other systems. Gartner defines OT security as the practices and technologies used to protect people, assets and information involved in the monitoring and/or control of physical devices, processes and events.

OT security is fundamentally different from IT security in the sense that IT systems are typically designed around confidentiality, integrity and availability (CIA). But since OT environments are more mission-critical, the objectives in that environment typically follow the priority of availability and integrity, followed by confidentiality, according to the NIST 800-82.

When it comes to OT security, we often refer to securing networks that run industrial environments to help maintain safety and reliability of operations.

Ongoing Convergence

The ongoing convergence between the rugged and noisy plant world and the carpeted corporate IT world is forcing both parts of the organization to learn to speak each other’s language, so to speak, and work together to help secure the evolving organization.

However, what can be confusing sometimes, holding teams back, is terminology being used wrongly or interchangeably in that space.

For example, operational technology, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) are often used interchangeably by many in the industry. So, before digging deeper, let us understand what each of these terms means.

Operational Technology (OT)

Operational technology refers to technologies that are used within industrial operations. Equipment like motors and actuators and machines responsible for making things move or producing something are considered operational technology.

Industrial Control Systems (ICS)

ICS is another type of OT that comprises systems that are used to monitor and control industrial processes. For example, checking that a motor is running at the expected speed, ensuring that the pressure within a pipe is indeed correct, checking that the right temperature is maintained, etc. There could be thousands of ICS devices monitoring industrial processes within a given plant or industrial facility.

SCADA and DCS

Industrial control systems are often consolidated into distributed control systems (DCS) and SCADA systems that provide an easier way for engineers to manage various industrial processes.

SCADA systems are often located in the control room where engineers can use them to observe the status of a system or make system adjustments to manage the process under control. For example, in the case where an OT device is malfunctioning and people in the plant could be injured, the sooner operators known about it, the better. That is where SCADA systems can help by alerting plant and system operators about issues to allow timely remediation.

Let’s take, for example, an HVAC system that maintains plant temperature. This system is an example of OT. The individual thermostats used to monitor/control the temperature would be ICS, and the user interface that can help monitor the temperature and perform additional activities in a click would be an example of a SCADA system.

By extension, OT security, ICS security and SCADA security are all too often used interchangeably by organizations even though they are inherently different and subject to distinct vulnerabilities and attack scenarios. That being said, based on IBM X-Force discussions with industry analysts and experts, we believe it is safe to say that OT security is the broader, more recognized umbrella term for securing all these components.

Malware in the Factory

In recent times, attacks on the industrial sector have been increasing, with malware like Triton, Shamoon and various ransomware attacks aiming to disrupt operations for industrial companies across the globe. Some of the affected industries included oil and gas, energy and utilities, healthcare and life sciences, consumer products, and various verticals in the industrial sector, proving that the industrial sector is no longer exempt from threats that can reach its networks and severely impact operations.

X-Force Red is an autonomous team of veteran hackers within IBM Security hired to break into organizations and uncover risky vulnerabilities that criminal attackers may use for personal gain. According to X-Force Red data collected from our vulnerability database the number of vulnerabilities exposing industrial control systems has increased 83 percent over the past eight years (since 2011).

It therefore stands to reason that organizations transforming their OT environments also need to evolve their security posture to enable innovation and continue to see the benefits of a connected plant, grid or oil rig, to name a few.

Wish to learn more? Join us for a webinar in which industry specialists discuss the challenges and best practices for securing the OT environment.

 

More from Risk Management

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

What Telegram’s recent policy shift means for cyber crime

4 min read - Since its launch in August 2013, Telegram has become the go-to messaging app for privacy-focused users. To start using the app, users can sign up using either their real phone number or an anonymous number purchased from the Fragment blockchain marketplace. In the case of the latter, Telegram cannot be linked to the user’s real phone number or any other personally identifiable information (PII).Telegram has also long been known for its hands-off moderation policy. The platform explicitly stated in its…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today