Operational Technology (OT) is often treated as a subset of IT. After all, the devices that control an industrial facility are just different flavors of computers. In practice, however, they present specific challenges that set them apart from regular IT deployments.
Using regular IT tools in OT environments leaves teams poorly equipped: they take longer to perform some maintenance tasks, or they fail to identify some security threats.
We’ll explore four factors that differentiate OT from IT, and discuss why OT Security needs specific tools.
OT is Mission-Critical
While stopping any IT infrastructure will considerably impact any business, as the CrowdStrike incident recently reminded us, in OT the impact is bigger by several orders of magnitude.
If a part of a factory stops it will affect the whole production line, dozens of workers will become idle, and it may take several hours to get back online.
While in IT it is relatively cheap to set up a high-availability system or spin up a mirror infrastructure, setting up a backup production line in OT takes too long (up to several months) and is too expensive to leave sitting idle just in case.
Security tools for OT must be especially accurate when alerting. A false positive that would cause you to shut down a facility is a very expensive luxury.
OT has a Physical Plane
Critical equipment inside an office is mostly gathered and locked in a single server room. In comparison, critical equipment in an industrial facility, like PLCs, is widely distributed across the plant.
Knowing the physical location of a device becomes essential in OT to speed up maintenance tasks.
We live in the era of industrial digitalization, Industry 4.0. As a result, there is a myriad of devices and sensors across a production line. All those devices gather critical data that must be secured both on the devices and in transit to the central servers to ensure compliance.
OT security tools must support engineers and technicians beyond their control rooms, and into the factory floor.
Management of OT devices is different
Although PLCs are far simpler than regular computers, securing them has little in common with securing a computer.
PLC firmware, although simple, has vulnerabilities too, and needs to be kept up to date. We are used to computers upgrading automatically at a given time window, but for PLCs, you need a separate computer to perform a firmware update. You’ll also want to carefully plan the upgrade process across a whole facility to ensure everything keeps working smoothly.
The software running inside a PLC also needs special treatment. Let’s take the Stuxnet worm as an example. It targeted PLCs, changing their programs to destroy the industrial equipment connected to them. To protect against this kind of threat you need, besides strong real-time detection, a registry of the changes made to your PLCs’ software, as well as a backup copy of that software.
Finally, there are differences in who performs equipment maintenance. While in an IT environment the IT team is responsible for all maintenance tasks, it’s quite common for manufacturers to perform some level of maintenance on industrial equipment. Nowadays some of this maintenance is performed remotely, adding yet another entry point to secure.
A security tool specially crafted for OT will bake these idiosyncrasies into its core, offering relevant help instead of “just being there”.
OT has Specific Relevant Context
IT security is designed for computers with full operating systems, where you can install a probe and gather all kinds of data. However, PLCs are too simple for Host-based Intrusion Detection Systems (HIDS).
Instead, with PLCs you follow a black-box approach, observing from the outside and relying on diagnostics information. A security tool for OT must be able to speak the equipment’s language, across several brands, to retrieve this relevant diagnostics data from all your devices.
You must also consider the device’s status. Is the device offline? Are you running a test in that production line? A vulnerability doesn’t have the same impact if it affects a production device as a mostly offline one. Some alerts that would be critical during production are to be expected while running some tests.
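The change registry and backup copy described for PLC software, combined with the device-status context above, can be put together in a few lines. This is an added example, not code from the original post: the fleet records, program images and state-to-severity mapping are constructed here for illustration.

```python
"""Added example: context-aware integrity check for PLC program images.
Assumes one constructed record per PLC holding its operational state,
a backup copy of the last approved program and that program's SHA-256.
"""
import hashlib
from dataclasses import dataclass, field

# Severity of an unexpected program change depends on what the line is doing.
SEVERITY_BY_STATE = {
    "production": "critical",  # logic changed on a running line: investigate now
    "offline": "medium",       # changed while offline: review before restarting
    "test": "info",            # commissioning/test run: changes are expected
}

@dataclass
class PlcRecord:
    name: str
    state: str                 # "production" | "offline" | "test"
    approved_image: bytes      # backup copy of the last approved program
    baseline_sha256: str = field(init=False)

    def __post_init__(self) -> None:
        self.baseline_sha256 = hashlib.sha256(self.approved_image).hexdigest()

def check_program(record: PlcRecord, current_image: bytes, change_log: list) -> dict:
    """Compare the program read from the PLC with the approved baseline.
    Any difference is appended to the change registry; severity is contextual."""
    current = hashlib.sha256(current_image).hexdigest()
    if current == record.baseline_sha256:
        return {"plc": record.name, "changed": False, "severity": "none"}
    # Unknown device state: assume the worst rather than suppress the alert.
    severity = SEVERITY_BY_STATE.get(record.state, "critical")
    change_log.append({"plc": record.name, "state": record.state,
                       "from": record.baseline_sha256, "to": current})
    return {"plc": record.name, "changed": True, "severity": severity,
            "restore_bytes": len(record.approved_image)}

def run_demo() -> tuple:
    """Constructed fleet and readings: one tampered production PLC, one PLC
    legitimately reprogrammed during a test run, one untouched offline PLC."""
    approved = b"NETWORK 1: LD I0.0; AND M0.1; = Q0.0"   # constructed program image
    tampered = b"NETWORK 1: LD I0.0; AND M0.1; = Q0.1"   # one output bit changed
    fleet = [PlcRecord("press-line-1", "production", approved),
             PlcRecord("press-line-2", "test", approved),
             PlcRecord("press-line-3", "offline", approved)]
    readings = [tampered, tampered, approved]
    change_log: list = []
    findings = [check_program(r, img, change_log) for r, img in zip(fleet, readings)]
    return findings, change_log

if __name__ == "__main__":
    for finding in run_demo()[0]:
        print(finding)
```

The same program change is reported as critical on the production line and as informational on the line under test, while both land in the change registry, so the record of what changed is kept regardless of how loudly it is alerted.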
Finally, inventory is vital. Compared to a tightly sealed environment, it’s easier for a malicious device to be deployed unnoticed in an industrial environment. You cannot trust manual inventories; you need automatic discovery.
Industry has its own regulations
Many general-purpose security standards and regulations apply to industrial environments, like ISO 27001, the European NIS 2, or the Spanish ENS.
In addition, the industry has its own security models, like the Purdue model, and standards, like TISAX.
Supporting these standards and regulations is a must for OT security tools.
Using the Right Tools Gives You Superpowers
When you start using a security tool specifically crafted for OT in your industrial environment, you soon realize everything is easier.
You have the information you need right away, so you perform maintenance tasks faster.
You detect more relevant threats while getting less noise.
You’ll be able to investigate security incidents in more detail, as you’ll be able to correlate relevant insights.
It will feel like you just lifted the handbrake.