OT Cybersecurity: Protecting the Factory From Cyber Attacks
Why OT Security Differs From IT Security
Operational Technology (OT) security protects systems that control physical processes: production lines, control systems, robots, and critical infrastructure. It differs fundamentally from traditional information technology security.
Key Differences
| Aspect | IT Security | OT Security |
|---|---|---|
| Top Priority | Confidentiality | Availability |
| System Updates | Frequent and regular | Rare and cautious |
| System Lifespan | 3-5 years | 15-25 years |
| Impact of Breach | Data loss | Physical safety risk |
| Restarting | Usually acceptable | Can cost thousands of dollars |
| Environment | Air-conditioned offices | Heat, dust, and vibration |
The golden rule of OT security: if a security measure causes production to stop, it is worse than the threat itself.
Common Threats to Industrial Control Systems
Specialized Malware
Malware has evolved to specifically target industrial control systems:
- Stuxnet (2010): Targeted centrifuges by modifying PLC programs
- Triton/TRISIS (2017): Targeted Safety Instrumented Systems (SIS)
- Industroyer (2016): Caused power outages via industrial protocols
Ransomware
Factories have become prime targets for ransomware because every hour of downtime costs significant money, increasing the likelihood of ransom payment.
Supply Chain Attacks
An attacker compromises a software or hardware vendor and injects malicious code that later reaches the factory through official updates.
Insider Threats
A disgruntled employee or external contractor misuses legitimate access privileges to reach control systems.
Unsecured Remote Access
Weakly configured VPNs or remote access tools left open for maintenance give attackers an entry point into the control network.
IEC 62443 Standard: The Security Framework
IEC 62443 is the most comprehensive international standard for Industrial Automation and Control Systems (IACS) security. It covers four areas:
Part 1: General Concepts
- Definition of terminology and fundamental concepts
- Determining required security levels
Part 2: Policies and Procedures
- Security program for the asset owner (factory operator)
- Service provider and integrator requirements
Part 3: System Requirements
- Required security technologies
- Security levels (SL 1 through SL 4)
Part 4: Component Requirements
- Security requirements for control devices (PLC, RTU)
- Secure development lifecycle
Security Levels
- SL 1: Protection against accidental errors
- SL 2: Protection against attacks with simple tools
- SL 3: Protection against sophisticated attacks with advanced tools
- SL 4: Protection against state-sponsored attacks (rarely implemented)
Air-Gapped Networks and Security Zones
Zones and Conduits Concept
IEC 62443 relies on dividing the industrial network into isolated security zones:
- Zone: A group of assets sharing the same security level
- Conduit: A controlled communication path between zones
The Purdue Model
The classic model for segmenting a factory network into levels:
- Level 5: Internet and external networks
- Level 4: Internal IT network (ERP, email)
- Demilitarized Zone (DMZ): The separation point between IT and OT
- Level 3: Operations network (MES, historian)
- Level 2: Supervisory network (SCADA, HMI)
- Level 1: Control network (PLC)
- Level 0: Field devices (sensors, actuators)
Industrial Firewalls
Industrial firewalls differ from IT firewalls by supporting industrial protocols:
- Deep packet inspection for Modbus, OPC UA, and EtherNet/IP
- Rules that allow only specific commands per source (for example, permitting Modbus read function codes while blocking all write function codes)
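As an added illustration of the "read but not write" rule (example code, not from the article or any firewall vendor): the script below parses the Modbus/TCP MBAP header and function code of a request and applies a per-role allowlist, so a DMZ historian may poll registers while only an engineering workstation may write them. The roles, the policy table and the sample frames are all constructed for the example.

```python
"""Toy Modbus/TCP inspection filter: each source role gets only the function codes it needs.

Added example, not from the article or any firewall product. The roles,
policy and request frames below are constructed for illustration.
"""
import struct

# Modbus function codes grouped by whether they can change process state.
READ_FUNCTIONS = {1, 2, 3, 4}            # read coils / discrete inputs / holding regs / input regs
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}     # write single/multiple coils or registers, read-write regs
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Hypothetical conduit policy: which function codes each source role may send to PLCs.
POLICY = {
    "historian": READ_FUNCTIONS,                         # DMZ historian only polls data
    "engineering_ws": READ_FUNCTIONS | WRITE_FUNCTIONS,  # engineering workstation may write
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus the function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    function_code = frame[7]
    if function_code & 0x80:
        raise ValueError("exception bit set in a request function code")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "function_name": FUNCTION_NAMES.get(function_code, "unknown/vendor-specific"),
    }


def inspect(frame: bytes, source_role: str) -> tuple:
    """Return ("allow" | "deny", reason) for one request frame from the given source role."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as err:
        return "deny", f"malformed: {err}"
    allowed = POLICY.get(source_role)
    if allowed is None:
        return "deny", f"no conduit defined for role {source_role!r}"
    if pdu["function_code"] not in allowed:
        return "deny", f"{pdu['function_name']} (fc {pdu['function_code']}) not permitted for {source_role}"
    return "allow", f"{pdu['function_name']} to unit {pdu['unit_id']}"


# Constructed request frames: MBAP header (7 bytes) followed by the PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")   # read 10 holding registers at 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00FF")   # write 0x00FF to register 0x10
WRITE_MULTI = bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0001 0002")  # write 2 registers
BAD_LENGTH = bytes.fromhex("0004 0000 0009 01 03 0000 000A")     # length field disagrees with size


def run_demo() -> list:
    """Evaluate a constructed sample of traffic; returns (role, decision, reason) per frame."""
    traffic = [
        ("historian", READ_HOLDING),
        ("historian", WRITE_SINGLE),
        ("engineering_ws", WRITE_MULTI),
        ("camera_vlan", READ_HOLDING),
        ("historian", BAD_LENGTH),
    ]
    return [(role, *inspect(frame, role)) for role, frame in traffic]


if __name__ == "__main__":
    for role, decision, reason in run_demo():
        print(f"{decision:5} {role:15} {reason}")
```

The filter denies on any parse failure as well as on a disallowed function code; a real industrial firewall would additionally pin the policy to the source address and the target unit id, and log every denied frame for the SOC.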
Best Practices: 10 Golden Rules
- Know Your Assets: Maintain an updated inventory of every device connected to the network
- Segment the Network: Isolate OT from IT using a DMZ
- Control Access: Least privilege permissions for all users
- Monitor Continuously: Log all activities on the industrial network
- Secure Remote Access: VPN with multi-factor authentication
- Update Cautiously: Test updates in an isolated environment first
- Secure Backups: Regular backups of PLC programs and SCADA projects
- Train Employees: Security awareness for machine operators, not just IT staff
- Plan for Response: Clear procedures when a breach occurs
- Test Periodically: Annual penetration testing and security audits
Practical Example: Segmenting a Factory Network Into Secure Zones
Let us apply segmentation principles to a medium-sized food factory:
Current State (Before Segmentation)
- One flat network connecting everything: ERP, security cameras, PLCs, employee devices
- Any infected device can reach control systems
Proposed Design
Zone 1: Corporate IT (SL 1)
- ERP, email, employee devices
- Traditional firewall toward the internet
Zone 2: Industrial DMZ (SL 2)
- Historian server, MES server
- The only exchange point between IT and OT
Zone 3: Operations Network (SL 3)
- SCADA and HMI systems
- Virtual commissioning servers
Zone 4: Control Network (SL 3)
- PLC devices and sensors
- Completely isolated from the internet
Communication Rules
- IT does not reach OT directly (only through DMZ)
- OT never connects to the internet
- Remote access passes through a VPN server in the DMZ with two-factor authentication
- All communications between zones are logged and monitored
Summary
Industrial control system security requires a different mindset from traditional IT security, one in which availability and safety matter more than confidentiality. Threats continue to evolve, from specialized malware to ransomware aimed at factories. The IEC 62443 standard provides a comprehensive protection framework, and the zones and conduits model organizes the network securely. Start with asset inventory and network segmentation, then gradually apply the golden rules to raise the level of protection.