How is OT Cybersecurity Different to IT Cybersecurity?
The distinction between IT cybersecurity and OT cybersecurity primarily lies in their focus and operational contexts. IT (Information Technology) cybersecurity focuses on the protection of information systems, data, and networks, commonly found in business environments. It revolves around safeguarding digital information against unauthorised access, theft, and damage through methods like encryption, firewalls, and intrusion detection systems. Frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001 are widely used in IT environments to establish comprehensive security policies and manage the risks associated with information technology.
OT (Operational Technology) cybersecurity focuses on the protection of hardware and software systems that monitor and control physical processes, often in industrial settings. OT systems, such as those used in critical infrastructure sectors like water treatment, oil and gas, and power generation, are designed to ensure the safe and reliable operation of industrial processes. Unlike IT systems, OT systems frequently interact with the physical world and thus must consider safety and operational continuity in addition to cybersecurity. The IEC 62443 standard is a notable framework for OT cybersecurity, providing guidelines for securing industrial automation and control systems against cyber threats.
While IT and OT cybersecurity share common goals of protecting assets and data, their approaches diverge due to their different operational contexts. IT cybersecurity emphasises data integrity and confidentiality, while OT cybersecurity prioritises operational continuity and safety. Integrating these approaches requires a nuanced understanding of both domains, ensuring that security measures do not compromise the functional requirements of critical infrastructure systems.
So what are some real-life examples of the differences?
- When do you take down a server for an update? In IT it is usually when no one is using it, or when usage is low volume or limited to non-critical users, such as overnight on a Saturday/Sunday. In OT there is often no off-peak time, and even if there were, the process needs to be running to make the business money, so it is usually better to do updates during the day when you have the people around to manage any issues, such as manually running plant equipment. I like to suggest 10am on a Tuesday. Having a properly thought-out update process, possibly based on IEC 62443-2-3, is critical to keeping the business running!
- Your server has a virus, or an unauthorised executable runs. What do you do? In IT the typical step could be to isolate the server, but in OT you risk shutting down whatever industrial process is being controlled, and this could mean the business loses money through loss of production or regulatory fines. Having an incident response plan suitable for OT is key to making sure that when something happens you don't negatively impact the money-making side of the business.
- A recently implemented hardening standard is based on the CIS Benchmarks and requires no local caching of credentials. The compliance dashboards are showing a happy green tick, but the SCADA team are telling us that isn't acceptable. Why not? The first question has to be why this wasn't identified prior to implementation; you did discuss it with the stakeholders, right? A common issue is that IT think like IT, which is understandable, but the priorities of the SCADA team are usually not the same as those of the IT team. The SCADA team is tasked with keeping the industrial process running under almost any condition. This often means that whether your Active Directory is down or otherwise unavailable is of little concern to the SCADA team as long as the process keeps running, and to keep it running they probably need to log in, which without locally cached credentials fails when the domain controller cannot be reached. Discussion between the stakeholders is critical: whilst IT often has the luxury of just following some pre-defined configurations, when it comes to OT you have to be extra careful.
I can help you with this. IT teams often have the budgets, experience and drive to improve cybersecurity, and I can sit between IT and OT teams to work out what works best for everyone!