In 2010, suddenly everyone was talking about OT security: Stuxnet had arrived. In 2021, the Colonial Pipeline attack put the security of operational technology back in the spotlight. Since then we have seen numerous incidents, and the risk of breaches within OT environments has increased significantly. But why is OT security a separate 'thing' within security? What is the difference between OT and IT in the cyber security field?
Let's start with the basics. At a high level, IT is about information and OT is about operations. IT systems exchange and process information; OT systems act on physical machines and processes, such as the power grid or water treatment. Looked at this way, the potential impact of a compromise already sounds scary, and security seems paramount.
The CIA triad of confidentiality, integrity and availability forms the three pillars of our existence as cyber security professionals. Both IT and OT value all three, but in OT, availability generally comes first. Everyday needs such as water and electricity are necessities, and we rely completely on their delivery, so OT security is about ensuring the continuous, reliable operation of physical processes. Integrity is a close second in OT: an attacker who can alter a setpoint or a controller's logic, as Stuxnet did, can damage equipment while everything still appears to be available. In IT, availability matters too, but the priority tends to lean more towards integrity and confidentiality: given the current extortion wave, we mostly want to prevent the theft, publication and encryption of (sensitive) data.
When delving into OT and IT security, you will often encounter the Purdue Model. Developed in the 1990s, this model has become a cornerstone for understanding the layers of industrial control systems (ICS) and how they interact with traditional IT environments. Imagine the Purdue Model as a multi-layered cake. At the top is the enterprise zone, classic IT territory, where business logistics and data handling happen. Moving down, we enter the world of OT, where physical processes are managed and controlled. The lowest layers are where the magic happens: sensors and actuators that directly influence the physical process.
What is striking about the Purdue Model is how it highlights the distinct nature of IT and OT while also showing how they interconnect. The distinction between the upper and lower levels is clear, but levels 2 and 3 contain a mix of assets normally associated with either OT or IT. For example, a SCADA system is OT-focused, yet it typically runs on a Linux or Windows server that would normally belong to the IT domain. This emphasizes the need to step out of the IT and OT silos and work together.
The Purdue Model is a vital tool for cybersecurity professionals. It helps us understand where an organization needs to implement security measures effectively, respecting the unique needs of both IT and OT. It's a roadmap for navigating the complex terrain of modern industrial cybersecurity.
Source: Gartner (September 2018)
Looking further at what is different, it is safe to say that a typical OT environment is more stable. Fewer changes are implemented, and there are no end users browsing the internet and doing everyday office work. This does not mean OT environments are not prone to failure. When new things are introduced on the network, some OT components turn out to be very sensitive to traditional security tooling such as active scanning: a port scan or vulnerability scan can hang or crash a controller that was never built to handle unsolicited traffic. For that reason, most OT-focused security technologies monitor the network passively, for example from a SPAN port or a network tap, to prevent collateral damage.
OT engineers know that running a network scan in the OT space can directly impact operations. The same engineer may also be unable to automatically install the latest patches on all the operating systems in the environment. This has to do with the legacy technology in those environments, and the reasons for keeping legacy systems in OT are actually pretty impressive. A typical OT device such as a PLC (Programmable Logic Controller), and the wider industrial control system (ICS) it is part of, is designed to run for 20 years or more, a lifespan an IT engineer can only dream of. PLCs are not designed to be restarted every month after a patch round, and a reboot of a PLC can mean downtime for a factory or a critical process. By nature, OT is designed for reliability to a greater degree than IT.
If you look at incidents, your IT department surely handles far more IT incidents than OT incidents. But there is also a big difference in priority. The impact of an OT incident is often huge when it disturbs an operational process, while an IT incident can be as small as a single user who is unable to open a spreadsheet. Because IT environments are so dynamic, IT incidents are also more prone to false positives.
Response is often more challenging in OT. Isolating a host or re-imaging it, as we often do in IT, is probably not going to be acceptable. OT engineers want to prevent any disturbance of a critical process, which in the worst case can even impact human life. A thorough forensic investigation is therefore necessary before any containment action is carried out, and it requires specialists who know the specific OT protocols and infrastructure. In the end, a mitigating action that stops the core business of a company will probably have a substantial impact and direct costs.
Since OT infrastructure is more static and predictable, it is much easier to create a baseline of it, for example of network traffic, protocol function codes or device status codes. Deviations from that baseline are easier to identify and less prone to false positives, whereas in IT it is challenging to get anomaly detection right because end-user behavior changes so often. In OT there is also more focus on the assets within the network, since those should not change much compared to a typical IT network. That stable nature makes it possible to write very specific detection logic that will flag anything out of the ordinary.
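As an added illustration (not code from the original post, and not Splunk's), here is a small Python passive detector that shows what the two preceding points about passive monitoring and baselining look like in practice: it never sends a packet, it parses Modbus/TCP frames as they would be captured from a tap, it learns which client/server/unit/function-code combinations are normal during a learning window, and it flags deviations, giving write function codes the highest severity because they change process state. The IP addresses, register values and frames are constructed placeholders, not data from a real plant.

```python
"""Passive baselining of Modbus/TCP traffic (added illustration).

Nothing here sends a packet: the detector only parses frames that were captured
off a SPAN port or tap, learns which (client, server, unit, function code)
combinations are normal during a learning window, and then flags anything
outside that baseline. The frames below are constructed by hand; the IP
addresses and register values are placeholders, not data from a real plant.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes that change state (per the Modbus application
# protocol specification): 5/6/15/16 write coils or registers, 22 masks a
# register, 23 reads and writes in one request.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    Returns None for anything that is not well-formed Modbus, so a truncated or
    non-Modbus frame never reaches the detector as a bogus event."""
    if len(data) < 8:  # MBAP (7 bytes) plus at least the function code byte
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", data[:7])
    # The protocol identifier is always 0 for Modbus; length counts unit id + PDU.
    if protocol_id != 0 or length != len(data) - 6 or length < 2:
        return None
    return ModbusRequest(src, dst, transaction_id, unit_id, data[7], data[8:])


def build_request(transaction_id: int, unit_id: int, function_code: int, payload: bytes) -> bytes:
    """Encode a request ADU; used only to construct the sample capture below."""
    pdu = bytes([function_code]) + payload
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def learn_baseline(frames) -> Counter:
    """Count (src, dst, unit, fc) tuples observed during the learning window."""
    baseline = Counter()
    for src, dst, raw in frames:
        req = parse_modbus_tcp(src, dst, raw)
        if req is not None:
            baseline[(req.src, req.dst, req.unit_id, req.function_code)] += 1
    return baseline


def detect(frames, baseline: Counter) -> list:
    """Return one alert dict per request that falls outside the baseline."""
    known_pairs = {(s, d) for s, d, _, _ in baseline}
    alerts = []
    for src, dst, raw in frames:
        req = parse_modbus_tcp(src, dst, raw)
        if req is None:
            continue
        key = (req.src, req.dst, req.unit_id, req.function_code)
        if key in baseline:
            continue  # normal polling traffic seen during learning
        if req.function_code in WRITE_FUNCTION_CODES:
            severity, reason = "high", "write function code outside baseline"
        elif (req.src, req.dst) not in known_pairs:
            severity, reason = "medium", "new client/server pair"
        else:
            severity, reason = "low", "new function code for a known pair"
        alerts.append({"severity": severity, "src": req.src, "dst": req.dst,
                       "unit": req.unit_id, "fc": req.function_code, "reason": reason})
    return alerts


HMI, PLC, LAPTOP = "10.10.1.5", "10.10.2.20", "10.10.1.99"  # placeholder addresses


def run_demo() -> list:
    # Learning window: the HMI polls holding registers 0-9 of unit 1 (FC 3).
    read_10 = struct.pack("!HH", 0, 10)
    learning = [(HMI, PLC, build_request(tid, 1, 3, read_10)) for tid in range(1, 4)]
    baseline = learn_baseline(learning)

    # Detection window: one normal poll, one write (FC 16) from an HMI that never
    # wrote before, one read from an unknown laptop, and a truncated frame.
    write_1_reg = struct.pack("!HHB", 0, 1, 2) + b"\x00\x01"
    observed = [
        (HMI, PLC, build_request(4, 1, 3, read_10)),
        (HMI, PLC, build_request(5, 1, 16, write_1_reg)),
        (LAPTOP, PLC, build_request(1, 1, 3, read_10)),
        (LAPTOP, PLC, b"\x00\x02\x00\x00\x00\x02\x01"),  # 7 bytes: no function code
    ]
    return detect(observed, baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two practical caveats apply to this approach. The baseline must be learned during a window you trust to be clean, otherwise an engineer's (or intruder's) writes get whitelisted; keeping a separate allowlist of engineering workstations that are permitted to write is the usual fix. And the key includes the unit identifier on purpose: behind a serial gateway one IP address can front many field devices, so an alert on "new unit id from a known pair" is as interesting as a new IP address.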
When MITRE first released their Enterprise Matrix, it did not cover OT, or ICS as MITRE calls it. Due to the growing interest in OT, MITRE published the ATT&CK for ICS matrix in 2020. In their design and philosophy paper they explain that almost all attacks on OT start within the IT domain. This makes sense.
Originally, OT systems were not supposed to be connected to the internet. Driven by the need for remote support and other business needs, companies started connecting their OT infrastructure to the IT environment, usually separated by firewalls and sometimes with more advanced solutions such as data diodes to enforce one-way traffic.
Unfortunately, recent events such as a compromised water utility in the US, together with searches on services like Shodan, have shown that a large number of industrial devices are connected to the internet, and many of them have known vulnerabilities. Recently, a few breaches came to light in which the OT environment was directly reachable from the internet.
Stuxnet is another example: there, USB sticks carried the malware into the air-gapped OT environment without any need to enter through an IT network.
Setting those examples aside, it makes sense to first focus on IT and the most used attack techniques. Once a certain maturity in IT security has been reached, it makes sense to include OT in your efforts.
Today, more and more companies reach this level of maturity within their IT domain. Therefore, it might be the right time to expand to OT.
You can extend your visibility with the OT Security Add-on for Splunk (blog, app) and the Edge Hub. The OT Security Add-on for Splunk is designed to extend the power of Splunk's industry-leading SIEM to OT environments and provides specific content and detections for OT environments. It is designed to help Splunk customers understand what is happening across their entire organization, not just the IT environment.
The Edge Hub specifically helps you extend this visibility down to OT-specific data to improve overall resiliency in the OT and IT space. Splunk also integrates with partner OT-specific solutions that help you get full visibility into the OT environment. Using the OT Security Add-on and the Edge Hub, and leveraging partner integrations, can help your organization work towards resilience of its IT and OT infrastructure.
To learn more about OT and how Splunk can help, we encourage you to get the app on Splunkbase or contact us.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company with over 7,500 employees, more than 1,020 patents received by Splunkers to date, and availability in 21 regions around the world. It offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.