The need for OT security
Operational Technology (OT) networks are no longer isolated. In a world where everything is connected and automated, a seamless integration of OT and IT is necessary. Why, you wonder? Because it is cost-effective and ensures higher performance, productivity and agility. However, doing so exposes the system to new levels of threats and risks. Industries can no longer rely only on the physical layer of protection. Think about the catastrophic impact of malware such as Triton (2017), which allowed hackers to remotely take over and reprogram a plant’s safety instruments. How do we protect ourselves against these incoming attacks?
IT VS OT
Let’s start by taking a look at the differences between an IT environment and an OT environment. The core business of an IT environment is the confidentiality of information, which is not the case for OT systems. The impact of an OT system failure is far greater: it could be harmful to humans, nature and everything around it!
That is exactly why the scope of classical international frameworks like ISO-27001, ISO-27002 and ETSI is insufficient to fully protect an OT environment. Even the classical CIA triad (Confidentiality, Integrity and Availability), which is the standard cybersecurity approach for any system, has different priorities in an OT security policy than in an IT one. It makes sense that the main focus in an OT environment is availability. Just imagine having to shut down the production line for a few hours to install a trivial update.
Introducing a new approach: the ARS triad (Availability, Reliability and Safety). We already covered the importance of availability, but reliability and safety are just as important in industrial environments. R&D data must be protected and reliable to guarantee product quality. Last but not least, an industrial company must ensure the safety of its employees, its customers and the environment.
As mentioned before, the traditional cybersecurity frameworks don’t suffice for OT environments. The new ISA/IEC 62443 framework is a series of standards, divided into 4 parts.
- The first part – General – addresses topics that are common to the entire series. Most important are the concepts and models used throughout the series, as well as the master glossary.
- The second part – Policies and Procedures – describes what is required to define and implement an IACS Cybersecurity management system. It also focuses on how to evaluate the level of security.
- The third part – System – provides an overview of assessments of security measures. It divides the requirements of a system into 7 foundational requirements. Each of these introduces a range of security controls to assess the current security levels of the information system.
- The fourth part – Component – describes the requirements applicable to the development of products.
Want to know more about OT security?
That was it for our first blog on OT security: a short introduction. Interested in more? Keep an eye on our pages for the next articles on OT security, an OT framework and defense in depth.
In the meantime, don’t hesitate to contact us to find out how we can support and help protect your OT environment.