
OT and ICS security

What is OT security?

OT security (also called ICS security and industrial IoT security) refers to cybersecurity practices that help to ensure operations continuity, integrity, and safety in industrial networks and critical infrastructures.

What is OT vs ICS vs SCADA vs IIoT?

What is operational technology (OT)?

OT is hardware and software that can detect or cause changes to the physical world by controlling or monitoring equipment, processes, and events. OT covers a variety of solutions, including valves, pumps, drives, sensors, machines, robots, and industrial control systems. These solutions are used to run operations in manufacturing plants, power grids, water utilities, oil and gas, transportation, and other industries.

What is an industrial control system (ICS)?

An ICS manages, automates, and controls physical processes in industrial operations. An ICS directs OT assets according to logic executed by remote terminal units (RTU), intelligent electronic devices (IED), programmable logic controllers (PLC), safety instrumented systems (SIS), distributed control systems (DCS), or supervisory control and data acquisition (SCADA), for instance.

What is the industrial Internet of Things (IIoT)?

IIoT refers to IoT solutions designed to meet the needs of industrial operations and specific constraints of harsh environments where heat, dust, moisture, or vibrations can be an issue. IIoT solutions are used to collect, monitor, and analyze data from industrial operations for better troubleshooting and maintenance capabilities, increased efficiencies, lower costs, and improved safety and security.


What is ICS security?

ICS security protects controllers and OT assets from cyberthreats and helps to ensure continuity, integrity, and safety of operations in industrial networks and critical infrastructures. ICS security, OT security, and industrial IoT security are different terms that serve the same goal: protecting industrial automation devices and operational networks from cyberthreats.

Why is OT security important?

Industrial control systems and operational technologies are all around us: in water, gas, and electricity distribution networks; running power plants and critical infrastructures; automating production lines in factories; and operating transportation infrastructures like roadway intersections and railway systems. Cyberattacks on industrial networks and critical infrastructures can have a wide range of far-reaching impacts on an organization, its customers, and the public. Consequences include operational disruptions (which can halt production and cause revenue losses), damage to installations, injuries to workers, environmental disasters, regulatory compliance issues, and civil or criminal liabilities.

What are the challenges of OT cybersecurity?

ICS and OT assets used to be isolated from the rest of the enterprise and the internet. As organizations digitize operations and deploy Industry 4.0 technologies, they need seamless communications between IT, cloud, and operational networks, exposing ICS and OT assets to grave cyberthreats.

Lack of visibility

Some OT assets were installed years or decades ago and are defenseless against malicious traffic like DDoS and vulnerability exploits. What’s worse, most organizations don’t have a comprehensive, up-to-date inventory of OT assets to protect, so it can be difficult to assess risks like critical vulnerabilities, exposure to internet traffic, and misconfigurations that could let a bad actor gain access.

Lack of control

Industrial networks are often unsegmented, so it is easy for attackers to move laterally without being noticed and for malicious traffic to spread across the entire environment. Remote access is widely used, often with cellular gateways or software that IT teams don’t control. The security tools that IT uses to protect the enterprise cannot analyze communication protocols used by ICS and OT assets, so threats are particularly difficult to detect.

Lack of collaboration

In many organizations, the chief information security officer (CISO) and IT teams share accountability for cybersecurity, but they rarely have expertise in operational and process control technologies. OT teams are sometimes tempted to hang a “keep out” sign on their networks, but a lack of trust and collaboration between OT and IT departments can have a devastating impact on an organization’s security.

How is OT security different from IT security?

IT cybersecurity and OT cybersecurity have a lot in common, like the need to protect against malware, block malicious traffic, control access to resources, and mitigate vulnerabilities. But the physical nature of OT environments creates specific requirements that need to be considered when building an operational technology security strategy.

OT teams prioritize availability over confidentiality.

In the IT world, confidentiality, integrity, and availability of data are all critical. Data theft is feared in OT too, but priority is given to maintaining production uptime. Think about the impacts of shutting down a power grid, turning off traffic lights, or closing a pipeline. Rebooting a computer or disconnecting a suspicious device is common practice in IT, but in OT it can create major risks to the physical world and significant revenue losses for the organization.

OT assets have different lifecycles.

The lifecycles of OT systems (15 to 30 years or more) are much longer than those of IT systems (3 to 5 years). Sometimes, assets are so old that security patches are not available. When patches are available, installing them isn’t easy. Assets are part of business-critical processes and are rarely—or never—stopped. The procedures that IT has been using safely in their environment simply don’t work in OT.

Normal behaviors can be cyberattacks.

While malware intrusions are the most common threats to OT environments, more sophisticated attacks can consist of changing basic parameters of the industrial process so that it can’t run normally. Detecting changes to the industrial process means decoding industrial network traffic and having a clear understanding of what normal should be, in order to determine the legitimacy of the commands being sent.

OT assets use specific communication protocols.

Identifying OT assets, understanding their behaviors, and detecting anomalies require decoding packet payloads and analyzing communication contents. Decoding protocols such as Modbus, S7, Profinet, EtherNet/IP, CIP, NTCIP, CC-Link, IEC 104/101/61850, DNP3, and OPC is key to securing industrial networks and critical infrastructures. IT security solutions don’t usually have these capabilities, so organizations need OT security tools for visibility into operational environments.
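The two preceding sections say that detection in OT means decoding the industrial protocol and comparing each command against a known-normal baseline. The following added example (not code from the original page or from Cisco) does exactly that for Modbus/TCP: it decodes the MBAP header and PDU, treats write function codes as process changes, and flags writes that come from a host outside a constructed allow-list or that push a register outside its expected range. The allow-list, the register limits and the sample frames are all constructed for illustration.

```python
import struct

# Constructed baseline (assumption, not from the page): hosts allowed to write to
# the PLC, and the plausible range of each holding register (e.g. setpoints).
ALLOWED_WRITERS = {"10.20.1.10"}                       # engineering workstation
REGISTER_LIMITS = {100: (0, 1500), 101: (20, 90)}     # register address -> (min, max)
# Modbus function codes that change process state; reads are left alone.
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # length counts unit id + PDU
        raise ValueError("bad MBAP protocol id or length field")
    fc, data = frame[7], frame[8:]
    msg = {"tid": tid, "unit": unit, "fc": fc, "writes": {}}
    if fc == 6:                                   # address, value
        addr, val = struct.unpack(">HH", data[:4])
        msg["writes"][addr] = val
    elif fc == 16:                                # start, quantity, byte count, values
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty:
            raise ValueError("byte count does not match register quantity")
        vals = struct.unpack(f">{qty}H", data[5:5 + nbytes])
        msg["writes"] = {start + i: v for i, v in enumerate(vals)}
    # FC 5/15 (coils) are still recognised as writes below; their payload is not decoded here.
    return msg


def assess(src_ip: str, frame: bytes) -> list:
    """Return alert strings for one request; an empty list means it looks normal."""
    msg = parse_modbus_tcp(frame)
    alerts = []
    if msg["fc"] not in WRITE_FUNCTIONS:
        return alerts                              # a read does not change the process
    if src_ip not in ALLOWED_WRITERS:
        alerts.append(f"{src_ip}: {WRITE_FUNCTIONS[msg['fc']]} from unauthorised host")
    for addr, val in msg["writes"].items():
        lo, hi = REGISTER_LIMITS.get(addr, (None, None))
        if lo is not None and not lo <= val <= hi:
            alerts.append(f"{src_ip}: register {addr} set to {val}, outside {lo}-{hi}")
    return alerts


# Constructed sample requests to unit id 1 (hex, as captured on the wire).
READ_HR = bytes.fromhex("000100000006010300640002")          # FC 3: read 2 regs from 100
WRITE_OK = bytes.fromhex("0002000000060106006404B0")         # FC 6: reg 100 := 1200
WRITE_BAD = bytes.fromhex("0003000000060106006500FA")        # FC 6: reg 101 := 250
WRITE_MULTI = bytes.fromhex("00040000000B0110006400020404B00032")  # FC 16: 100:=1200, 101:=50
```

Run `assess("10.20.1.99", WRITE_BAD)` to see a write that is both from an unlisted host and outside the register's range produce two alerts, while the read and the in-range writes from the workstation produce none.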

What is the Purdue model for ICS security?

The Purdue Enterprise Reference Architecture (PERA) was developed by the Purdue Laboratory for Applied Industrial Control (PLAIC) of Purdue University in the 1990s. It was later integrated into the ANSI/ISA-95 international standard from the International Society of Automation (ISA).

The Purdue model is a framework for segmenting industrial control system (ICS) networks from corporate enterprise networks and organizing systems according to their roles in the industrial network:

  • Level 0 (process zone): contains devices that interact with the physical world (sensors, actuators, machines).
  • Level 1 (control zone): contains intelligent devices that send commands to level 0 devices; includes programmable logic controllers (PLC), remote terminal units (RTU), intelligent electronic devices (IED), and safety instrumented systems (SIS).
  • Level 2 (supervisory zone): contains systems that control and monitor the physical process, like distributed control systems (DCS), supervisory control and data acquisition (SCADA), and human machine interfaces (HMI).
  • Level 3 (operations zone): acts like the data center of the operational network, hosting systems in charge of orchestrating the industrial process; includes manufacturing execution systems (MES) and data historians.
  • Levels 4 and 5 (enterprise zone): comprise the traditional IT enterprise network, where business systems such as enterprise resource planning (ERP) and email servers are located, including user computers and related functions.

Although the model describes six functional levels, it separates the industrial support operations into three main areas:

  1. The enterprise zone (levels 4 and 5) comprises IT-controlled environments, including corporate data centers, LAN, WAN, and business application hosting.
  2. The industrial demilitarized zone (IDMZ) is the buffer between the critical environments or production systems and the enterprise network. All shared services between the industrial zone and the enterprise zone are at the IDMZ.
  3. The industrial security zone (levels 0 to 3) contains critical operations systems including the cell/area zone, where communication is frequent and on a low-latency or real-time basis.


Purdue model functional levels

What are OT cybersecurity standards?

NIST Cybersecurity Framework (CSF)

The Cybersecurity Framework (CSF) is a set of cybersecurity best practices and recommendations from the National Institute of Standards and Technology (NIST). It uses a simple model with five key functions to help you structure your approach: identify, protect, detect, respond, and recover.


NIST SP 800-82

NIST Special Publication 800-82, Guide to Operational Technology (OT) Security, gives an in-depth overview of OT and covers typical system topologies, common threats and vulnerabilities, and security countermeasures to tackle associated risks.


ISA99/IEC 62443

The International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) worked together to build a series of OT security standards known as ISA99 and IEC 62443. This series defines methodologies to assess risks, develop secure components, design a secure industrial network architecture, and measure the maturity level for each security requirement.


NERC CIP

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) reporting and audit compliance program helps power utility operators in the United States and adjacent countries to achieve system-level cybersecurity.


EU NIS/NIS2 Directive

The Network and Information Security (NIS) Directive is cybersecurity legislation enforced across all European Union member states. It aims to boost the security and resilience of critical infrastructures, and it sets out security requirements, reporting obligations, and stringent supervisory measures.


What are OT security best practices?

Because operational networks are based on IT technologies, OT security requires the same cybersecurity solutions as IT networks do, like perimeter security, endpoint protection, multifactor authentication (MFA), and team training. Specific measures must be enforced to support the particular nature of OT environments. Cisco Industrial Threat Defense, Cisco’s OT security solution, can help you strengthen your OT security posture.

Restrict communications between IT and OT domains

The first step in the journey to OT security is to restrict logical access to the OT network. A common setup method is an IDMZ network with firewalls that prevent network traffic from passing directly between the corporate and OT networks. The IDMZ firewall is the first line of defense that attackers meet when trying to breach the network and is the enforcement point for least-privilege access for legitimate services to cross the border in a secure way.


Maintain a detailed inventory of OT assets

You can’t secure what you don’t know. Maintaining a detailed inventory of operational technology assets is a prerequisite to an OT security program. Visibility into the OT environment helps in identifying risks like software vulnerabilities, unknown assets, IDMZ leaks, and unnecessary communications activities. It helps organizations to understand the difference between attacks and transient conditions or normal operations of the OT network.


Segment OT networks into smaller zones of trust

Many industrial networks have grown over the years to become large, flat, layer-2 networks. It’s now critical to restrict communications between assets to prevent attacks from spreading and disrupting the entire production infrastructure. The ISA/IEC-62443 security standards recommend that systems be separated into groups called "zones" that communicate with each other through channels called "conduits."

Using firewalls for zone segmentation requires deploying dedicated security appliances, changing network wiring, and maintaining firewall rules. Fortunately, you can use software segmentation to enforce security policies and create secure zones across the industrial network without having to deploy and maintain dedicated security appliances.
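The Purdue levels listed earlier and the zones-and-conduits rule in this section can be turned into a checkable policy. The following added example (not code from the original page or from Cisco) keeps a constructed inventory of hosts with their Purdue levels, allows traffic between the enterprise and industrial zones only via the IDMZ, and, as an additional assumed rule, lets a flow inside the industrial zone span at most one level. It audits a list of observed flows, such as those a passive monitor or NetFlow export would yield, and reports the ones that match no conduit. All hostnames and flows are constructed.

```python
# Constructed inventory (assumption, not from the page): hostname -> Purdue level,
# or "idmz" for hosts placed in the industrial DMZ.
INVENTORY = {
    "erp.corp.example": 5, "laptop.corp.example": 4,
    "historian-mirror.idmz.example": "idmz",
    "mes.ops.example": 3, "historian.ops.example": 3,
    "scada.ops.example": 2, "hmi-line1.ops.example": 2,
    "plc-line1.ops.example": 1, "rtu-sub7.ops.example": 1,
}

# Zone-to-zone conduits: enterprise and industrial zones never talk directly;
# every shared service terminates in the IDMZ. Traffic within a zone is allowed
# here and refined below for the industrial zone.
ZONE_CONDUITS = {
    ("enterprise", "enterprise"), ("enterprise", "idmz"), ("idmz", "enterprise"),
    ("idmz", "industrial"), ("industrial", "idmz"), ("industrial", "industrial"),
}


def zone_of(host: str) -> str:
    """Map an inventoried host to one of the three areas the Purdue model separates."""
    level = INVENTORY[host]
    if level == "idmz":
        return "idmz"
    return "enterprise" if level >= 4 else "industrial"


def is_allowed(src: str, dst: str) -> tuple:
    """Return (allowed, reason) for one observed flow."""
    if src not in INVENTORY or dst not in INVENTORY:
        return False, "unknown asset (not in inventory)"   # ties back to 'you can't secure what you don't know'
    zs, zd = zone_of(src), zone_of(dst)
    if (zs, zd) not in ZONE_CONDUITS:
        return False, f"{zs} -> {zd} bypasses the IDMZ"
    if zs == zd == "industrial":
        # Assumed rule: a flow inside the industrial zone spans at most one level,
        # e.g. an HMI (level 2) commanding a PLC (level 1), never level 3 -> level 1.
        if abs(INVENTORY[src] - INVENTORY[dst]) > 1:
            return False, f"level {INVENTORY[src]} -> level {INVENTORY[dst]} skips a level"
    return True, "matches a conduit"


def audit(flows: list) -> list:
    """Evaluate (src, dst) pairs and return [(src, dst, reason)] for every violation."""
    violations = []
    for src, dst in flows:
        ok, reason = is_allowed(src, dst)
        if not ok:
            violations.append((src, dst, reason))
    return violations


SAMPLE_FLOWS = [                                                   # constructed
    ("hmi-line1.ops.example", "plc-line1.ops.example"),            # normal supervisory traffic
    ("historian.ops.example", "historian-mirror.idmz.example"),    # replication into the IDMZ
    ("laptop.corp.example", "plc-line1.ops.example"),              # corporate host reaching a PLC
    ("mes.ops.example", "rtu-sub7.ops.example"),                   # level 3 straight to level 1
    ("erp.corp.example", "unknown-box.ops.example"),               # flow to an uninventoried asset
]
```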


Enforce zero-trust remote access to OT assets

Remote access is key to managing and troubleshooting OT assets without time-consuming and costly site visits. In many organizations, machine builders, maintenance contractors, or the operations teams themselves have installed cellular gateways or remote access software that IT does not control. On the other hand, virtual private networks (VPNs) installed in the IDMZ require the maintenance of complex firewall rules and can’t access devices behind NAT boundaries.

Zero-trust network access (ZTNA) solutions are gaining attention as a way to reduce cyber risks. ZTNA is a secure remote access service that verifies users and grants access only to specific resources according to identity and context policies. It starts from a default-deny posture and adaptively grants only the trust required at the time. But in OT environments, ZTNA needs to be distributed in order to simplify deployment at scale and provide access to all assets, including those behind NAT boundaries.


Give security teams a global vision across IT and OT

In addition to identifying and protecting OT assets, OT security needs to detect and respond to cybersecurity events. OT security is often managed in a silo, which prevents security analysts from seeing the global threat landscape the organization is facing. Security operations teams need solutions that let them easily investigate observables across the IT and OT domains and launch remediation workflows to stop a threat from crossing domains.


Be ready for the worst

The ideal cybersecurity response starts before an emergency does. Training employees in cybersecurity best practices should happen regularly in all organizations. Getting your OT security ready also means testing your defense, building playbooks, and running tabletop exercises.
