Product Security Glossary

OT Security

What is OT security?

OT security is the principles and practices that help secure Operational Technology.

What is Operational Technology?

Operational Technology consists of hardware and software that can either detect changes or control changes for processes, events, and physical devices in an enterprise setting. OT is commonly used in in Industrial Control Systems, SCADA Systems, oil and gas production systems, and in critical infrastructure such as power control stations, aviation, and traffic control systems.  In manufacturing facilities, OT can be used to control the robots that assemble products. 

Why do we need OT security?

Early industrial control systems were confined to their own local networks and could only be accessed by a human who would log into a local terminal.  Thus, there was not much need for OT security, since these critical systems couldn’t be reached by outsiders.  Today, many industrial control systems are connected to broader networks, which allow systems to be controlled or monitored from one central location.  Eliminating the need to have locally manned stations on each separate site can cut manpower requirements, and make operations run more efficiently.  Unfortunately, though, this can also make it easier for attackers and intruders to do their dirty deeds. 

It’s bad enough that attackers and intruders can steal sensitive data.  In the world of OT, things can get much worse.  Bad actors can take control of sensitive control units, and interrupt production, cause injury or death to personnel, or damage expensive equipment.  If the industrial control networks are not properly isolated from the rest of the corporate network, an intruder could perform a lateral move into the company’s sensitive servers.  By breaking into a power station, attackers could interrupt the electricity supply to an entire service area.  Proper OT security can help prevent all of this. 

How can we enhance OT security?

Much of OT security is not different from any other complex enterprise security. OT security needs to be designed into the device at the very beginning of the design stage.  Programmers need to adhere to secure programming practices, and secret keys must be stored in a secure area that hackers cannot reach. Proper authentication is needed to ensure that only authorized personnel can log in. Communication must be done with strong encryption protocols, and there must be a mechanism for keeping the software and operating system up to date. Best practices and standards such as the IEC 62443 and the ENISA Good Practices for Security of Internet of Things in the Context of Smart Manufacturing should be followed and complied with.  

The good news is that industrial control networks tend to have less traffic than normal enterprise networks. As much as possible, the OT network should be isolated from the normal enterprise IT network, preferably with a properly configured firewall.  Yet, at the same time, the networks should be integrated so that they can both be controlled by only one security team.  In certain cases, especially for larger and more complex OT networks, it could be helpful to contract with a company that specializes in OT security.