OT-Security (Operational Technology Security)
Protection of Operational Technology—control systems, PLCs, SCADA, and industrial protocols in manufacturing, energy, water, and transportation. OT security differs fundamentally from traditional IT security: availability takes precedence over confidentiality.
Operational Technology (OT) refers to hardware and software used to monitor and control physical processes: manufacturing facilities, power generation, water supply, oil and gas pipelines, and transportation infrastructure. OT includes SCADA systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC).
The Difference Between IT and OT Security
| Aspect | IT Security | OT Security |
|---|---|---|
| Priority | CIA Triad: Confidentiality first | Availability first – failure can endanger people |
| Systems | Standard hardware, current OS | Proprietary hardware, often Windows XP, no patching |
| Lifecycles | 3–5 years | 15–30 years |
| Patches | Apply immediately | Patch = production shutdown (unplanned shutdown impossible) |
| Standards | ISO 27001, NIST | IEC 62443, NERC CIP |
| Consequences of a failure | Data loss, operational disruption | Physical damage, environmental disaster, loss of life |
OT Attack Scenarios
Industroyer/Crashoverride (Ukraine 2016)
First malware to specifically sabotage energy supply infrastructure. Power outage in Kyiv for ~1 hour. It demonstrated that OT attacks can have physical consequences.
Triton/TRISIS (Saudi Arabia 2017)
Targeted malware against Safety Instrumented Systems (SIS) in a petrochemical plant. SIS are the last line of defense to prevent catastrophic failures. The goal was presumably physical destruction or loss of life.
Colonial Pipeline (USA 2021)
Ransomware attack on a pipeline operator’s IT systems. For safety reasons, the operator also shut down the pipeline’s OT → fuel shortages in the eastern U.S., state of emergency.
Important: The Colonial Pipeline attack was an IT attack that indirectly affected OT. A true OT attack would have targeted SCADA systems more directly.
Typical OT Vulnerabilities
Outdated Systems Without Updates
Commonly found: Windows XP / Windows 7 (support ended in 2014/2020) without security updates and with known exploits (EternalBlue, BlueKeep). The typical response from OT operators is "We can’t patch—that would halt production", so systems run for years with unpatched vulnerabilities.
No Network Segmentation
Many OT environments are directly connected to IT networks—a historically evolved setup:
Internet → Office network → ERP → SCADA → PLC (no firewall, no segmentation)
Insecure Protocols
OT protocols were developed for reliability, not security:
- Modbus: No authentication, no encryption
- DNP3: Minimal security mechanisms
- BACnet: Building automation, often accessible via the network
- OPC-UA: Modern, has security features—but often disabled
Remote Access Without Adequate Security
Maintenance access for machine manufacturers: often VPN access with weak passwords, no MFA, persistent connection.
IEC 62443: The OT Security Standard
IEC 62443 is the international framework for industrial cybersecurity:
- IEC 62443-1: General Concepts
- IEC 62443-2: Policies & Procedures (for operators)
- IEC 62443-3: System Requirements
- IEC 62443-4: Component Requirements
Security Levels (SL):
- SL 1: Protection against unintentional or accidental breaches
- SL 2: Protection against intentional breaches using simple means
- SL 3: Protection against sophisticated attacks
- SL 4: Protection against state actors
IEC 62443 is the reference standard for critical infrastructure (KRITIS) in Germany.
OT Security Measures
Purdue Model / ISA-95 Zone Architecture
| Level | Description | Separation Mechanism |
|---|---|---|
| Level 5 | Enterprise/Internet (external) | ↕ Firewall |
| Level 4 | Business Network (ERP, HR) | ↕ DMZ |
| Level 3 | Manufacturing Operations (MES, SCADA) | ↕ Firewall |
| Level 2 | Process Control (DCS, HMI) | ↕ Strict Separation |
| Level 1 | Process Field (PLC, Sensors) | - |
| Level 0 | Physical Process (Machines) | - |
Each level is separated from the next higher level by a firewall or data diode.
Air Gap and Data Diodes
Air Gap: Complete physical separation—no network connection between IT and OT. Data transfer only via USB (with strict controls) or data diode.
Data Diode (Unidirectional Gateway): Data can only flow in one direction (e.g., from OT to IT for monitoring, never back). Implemented in hardware, so communication in the reverse direction is physically impossible.
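The zone model above can be checked mechanically against flow records. The following is an added example for this page (not reference code from ISA-95, IEC 62443 or any product): it encodes the Purdue levels as zones, declares which services may cross each boundary, and treats the Level 3 → Level 4 boundary as a data diode, so the reverse direction simply has no conduit. The level layout and service names are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_level: int   # Purdue level the connection originates from
    dst_level: int   # Purdue level it terminates in
    service: str     # protocol or service name, e.g. "opc-ua"


# Declared conduits: (from level, to level) -> services permitted across it.
# Assumed for this example: Level 3 -> Level 4 is a data diode carrying historian
# data out of OT, so the reverse entry is deliberately absent; other boundaries
# are firewalls with an explicit service allowlist in both directions.
CONDUITS = {
    (5, 4): {"https"}, (4, 5): {"https"},              # internet <-> business
    (3, 4): {"historian-push"},                         # OT -> IT only (diode)
    (3, 2): {"opc-ua"}, (2, 3): {"opc-ua"},             # SCADA/MES <-> DCS/HMI
    (2, 1): {"modbus", "profinet"}, (1, 2): {"modbus", "profinet"},  # HMI <-> PLC
}


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Decide whether a flow is consistent with the zone model, with a reason."""
    if flow.src_level == flow.dst_level:
        return True, "intra-zone traffic (not governed by conduits)"
    if abs(flow.src_level - flow.dst_level) > 1:
        return False, "skips a level boundary: no direct path between non-adjacent zones"
    allowed = CONDUITS.get((flow.src_level, flow.dst_level))
    if allowed is None:
        return False, "no conduit declared in this direction (unidirectional boundary)"
    if flow.service not in allowed:
        return False, f"service {flow.service!r} not on the conduit allowlist"
    return True, "permitted by declared conduit"


def violations(flows):
    """Return (flow, reason) for every flow the zone model does not permit."""
    return [(flow, reason) for flow in flows
            for ok, reason in (evaluate(flow),) if not ok]


# Constructed flow records (as a firewall or flow collector might export them).
SAMPLE_FLOWS = [
    Flow(2, 3, "opc-ua"),          # HMI reporting to SCADA: fine
    Flow(3, 4, "historian-push"),  # monitoring data out through the diode: fine
    Flow(4, 3, "rdp"),             # IT reaching into OT against the diode: blocked
    Flow(5, 1, "modbus"),          # internet straight to a PLC: blocked
    Flow(1, 2, "http"),            # PLC web interface to HMI: service not allowed
]
if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"Level {flow.src_level} -> Level {flow.dst_level} {flow.service}: {reason}")
```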
OT Hardening
Established PLC hardening measures:
- Disable unused ports
- Change default passwords
- Firmware update (if provided by the manufacturer)
- Limit communication to necessary hosts (whitelist)
- Enable audit logging (if possible)
- Secure physical access (locks, camera surveillance)
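Because Modbus carries no authentication (see the protocol list above), the "limit communication to necessary hosts" measure can only be enforced and verified at the network. The following is an added example for this page (not code from any vendor or project): it parses Modbus/TCP frames, recognises the function codes that change PLC state, and flags write requests from hosts that are not on the PLC's write allowlist. The addresses, frames and allowlist are constructed for the example.

```python
import struct

# Modbus public function codes that change PLC state (coils and registers).
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Split a Modbus/TCP ADU into MBAP header fields and PDU. MBAP = transaction
    id (2) | protocol id (2, always 0) | length (2) | unit id (1); the PDU starts
    with the function code. Malformed frames raise ValueError instead of guessing."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def audit_flows(flows, write_allowlist):
    """flows: iterable of (src_ip, dst_ip, payload); write_allowlist maps a PLC
    address to the hosts permitted to write to it. Returns one alert per finding."""
    alerts = []
    for src, dst, payload in flows:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        fc = frame["function"]
        if fc in WRITE_FUNCTION_CODES and src not in write_allowlist.get(dst, set()):
            alerts.append(f"{src}->{dst}: unauthorized {WRITE_FUNCTION_CODES[fc]} "
                          f"(FC {fc}) to unit {frame['unit']}")
    return alerts


# Constructed sample traffic and allowlist (not a real capture or site config).
SAMPLE_FLOWS = [
    # FC 3 Read Holding Registers, start 0, count 10: read-only monitoring.
    ("10.1.3.20", "10.1.1.5", bytes.fromhex("000100000006" "01" "03" "0000000a")),
    # FC 5 Write Single Coil from the engineering workstation: on the allowlist.
    ("10.1.3.10", "10.1.1.5", bytes.fromhex("000200000006" "01" "05" "0001ff00")),
    # FC 6 Write Single Register from a business-network host: not allowed.
    ("10.2.4.77", "10.1.1.5", bytes.fromhex("000300000006" "01" "06" "00100001")),
]
WRITE_ALLOWLIST = {"10.1.1.5": {"10.1.3.10"}}  # PLC -> hosts that may write
if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS, WRITE_ALLOWLIST):
        print(alert)
```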
Compliance: KRITIS and NIS2
KRITIS Regulation (Germany): Operators of critical infrastructure (energy, water, IT, transportation) must implement state-of-the-art IT security measures and report security incidents to the BSI.
NIS2 Directive Art. 21: Explicit requirements for ICS/SCADA security in KRITIS sectors and critical facilities.
BSI Recommendations: IEC 62443 as an implementation framework, BSI ICS Security Compendium as a guide.