The differences and importance between OT Security and IT Security

OTセキュリティとは?ITセキュリティとの違いや重要性を解説

Operation Technology (OT) security measures and tools are key in the defense of the technology that operates and controls industrial systems. As Digital Transformation (DX) and the Industrial Internet of Things (IIoT) advance, there’s been a concurrent rise in internet-connected OT systems, leading to increased vulnerabilities to cyberattacks. OT security measures are essential to prevent the unauthorized access and manipulation of OT systems and the damages totalling in the hundreds of millions of dollars that come with them—especially in the manufacturing and infrastructure industries.

In this article, we’ll explain what OT security is, outline its differences with IT security, and lay out steps and key points for successful OT security measures.

1. What is OT Security?

OT Security refers to the measures taken to ensure the safe operation of OT control systems.

Operational Technology (OT) refers to the tools and programs that operate and control industrial systems, and Industrial Control Systems (ICS) used in the manufacturing, power, oil, gas, and infrastructure industries, are a key part of OT.

OT and IT (Information Technology), while sounding similar, are distinct from one another. Where IT refers to tech related to information processing and management, OT is focused on the operation and control of industrial systems.

1-1.OT Security and IT Security: What’s the difference?

IT and OT differ primarily in their priorities. OT systems cannot be easily shut down, due to how crucial they are to critical infrastructure and how directly they can affect the profitability of companies, so they have a number of differences in their security requirements.

IT SecurityOT Security
Security PriorityEnsuring proper management of information and preventing leaksEnsuring proper management of information and preventing leaks
Security TargetInformationEquipment, products, and continuous service operation
Technical Support Period3-5 years10-20 years
Required AvailabilityRestarts are frequent and don’t interrupt business operationsRestarts are difficult as 24/7 operations is often required
Department Responsible for Operation and ManagementInformation Systems DepartmentOn-site technical department

Source: Information-technology Promotion Agency, Japan (IPA) “Vulnerability Response Guide for Control System Users”

In IT security, the goal is to prevent information leaks, unauthorized access, malware infections, and other security breaches that negatively affect the safe operation of information systems. Vulnerability scans during operation, regular patches, and OS updates are highly recommended, and as the internet is the main vector for malware and unauthorized access, systemic barriers are essential.

Conversely, OT security requires that control systems never stop operating, making tasks like scanning, patching, and OS management difficult to accomplish while the system is operating.

2. Why is OT Security so important?

Recent years have seen the rise of the threat of cyber attacks in OT environments, making OT security even more important. Companies must manage security effectively to prevent serious incidents.

2-1. Interconnectedness of control systems due to DX and IIoT

As DX and the IIoT advance, more OT systems are being connected to internal LANs and external networks.

Additionally, to enhance efficiency and reduce costs, there is a growing trend of adopting general-purpose operating systems.

Facilities using OT systems, like factories, historically haven’t had to worry much about security measures. Traditional OT systems operated with proprietary protocols in a closed structure that did not anticipate internet connectivity, and devices that don’t connect to the internet are relatively resistant to hacking. What’s more, many OT systems operated on proprietary systems and didn’t use general-purpose systems like Windows or Linux. In short, their systems were too unique for hackers to worry about designing strategies to infiltrate them.

External connections open the door to malicious, third-party intrusion. General-purpose operating systems certainly offer flexibility and useability benefits, but bring with them widely known vulnerabilities that pose significant challenges. Without regular updates, they become a prime target for cyber attacks.

Like IT systems, thorough security measures are essential for OT systems.

2-2. Risk of operational disruption and major accidents due to cyber attacks

Cyber attacks on OT networks in facilities like factories and plants can disrupt management and control, leading to production line interruptions, defective products, and reduced productivity.

And, in worst-case scenarios, cyber attacks on factory equipment can result in serious accidents involving casualties and equipment damage.

In 2010, Iran’s nuclear program had to shutdown around 8,400 centrifuges when malware was found in a nuclear facility. In 2017, ransomware spread through Japan causing production line stoppages for automakers.

Production line halts of even less than an hour can lead to huge losses, like in the 2005 case of Daimler’s factory stopping for 50 minutes due to malware, leading to roughly 1.7 billion yen in damages.

Source: Information-technology Promotion Agency, Japan (IPA) “Vulnerability Response Guide for Control System Users”

3. Three Steps for Implementing OT Security Measures

In an effort to counter cyber attacks in OT system, the Ministry of Economy, Trade and Industry (METI) has developed guidelines targeting factories.

Source: Ministry of Economy, Trade and Industry “Cyber-Physical Security Measures Guidelines for Factory Systems”

3-1. Step 1: Organizing internal and external requirements, business objectives, and security targets

Understand the current state of your company’s OT security, determine which business areas need to improve their OT security, and allocate resources accordingly.

First, identify and organize external and internal requirements based on factors such as:

【External Requirements】

  • Regulatory requirements related to business operations
  • OT security guidelines defined by the industry
  • Requirements from markets and customers
  • Requirements for using services from other companies

【Internal Requirements】

  • Company’s security policies and business continuity plans (BCP)
  • Status of the company’s OT systems
  • Operation and management of OT systems

Next, list and prioritize all daily OT system operations as high, medium, and low importance. Then, identity components of the control system used in high-priority tasks (e.g., networks, programs, etc). These are the main focus for protection.

After you determine the components in need of the most protection, assign their own respective levels of importance. Organize areas with similar levels of security into zones, like control zones, production management zones, or automated transport zones. Zone division enables an overview of the OT system’s layout.

3-2. Step 2: Formulating Security Measures

With the information from Step 1, create specific, cost-effective security measures.

First, determine security level requirements based on the likelihood of cyber attacks and the potential magnitude of damage for each protected item. OT systems with many connected terminals more prone to attack, or systems that would significantly impact business in the event of an attack, should have higher level security requirements. OT systems not connected to the internet, or those that would have minimal business impact when stopped, require lower security levels.

Second, design specific security measures for the determined security level requirements. For low-security requirement situations, implementing access control to the area the OT system is located may be sufficient, while high-security situations may require measures like enhanced physical security, device operation log visualization, threat detection, risk and vulnerability management, and network monitoring and analysis may be necessary.

3-3.Step 3: Implementing Security Measures and Organizational Review

Once you’ve designed your specific security measures, it’s time to implement them in order of priority. Continuous review of the plan and operational status is necessary after implementation, as internal and external requirements and the larger business environment may change.

Engage the PDCA (Plan-Do-Check-Act) cycle as needed to analyze the status of implemented measures. As issues are identified, make improvements to strengthen security.

4. Key Points for Successful OT Security Measures

IT security is usually managed by an information systems department, but OT security is better overseen by operational personnel in departments like manufacturing. Security measures must be implemented without interrupting operations.

Organizations must take steps like strengthening human resources and establishing a crisis framework to lessen the burden on OT security personnel.

What’s more, there are many reports of intrusion and damage from peripheral devices, like USB sticks and maintenance terminals, in OT security. Conventional security software is inadequate to address such intrusions.

It is essential to introduce tools for anomaly detection, conduct continuous monitoring, and establish an environment where affected devices are immediately isolated from the network when problems occur.

Summary

When designing OT security measures, first understand your company’s internal and external affairs, identify all daily operations using OT systems, and prioritize them by importance. Then, determine the required security level based on the severity of potential damages from cyber attacks and susceptibility to such attacks. Decide on measures according to the security level requirements, and continuously review and improve upon plans and operational conditions.

Peripheral devices like USB drives and maintenance terminals make up many cyber attacks on OT systems, making the Zero Trust model a vital aspect of any security posture. Affected devices must be isolated from the network immediately upon the detection of abnormal behavior.

SYSCOM GLOBAL SOLUTIONS has formed a strategic partnership with Nozomi Networks, a leading company in OT and IoT security, to offer managed services for cutting-edge security solutions for industrial control systems (ICS). Nozomi Networks provides asset visibility, threat detection, risk and vulnerability management, network monitoring, and advanced analytics leveraging AI across various industries including manufacturing, pharmaceuticals, oil and gas, mining, and public utilities.

Strategic Partnership with Nozomi Networks, a Specialist in OT/IoT Security

Additionally, SYSCOM offers OT security assessments tailored to critical infrastructure and manufacturing industries.

OT Security Assessment