Data security in Operational Technology
Patrick Deruytter | 29 November, 2023

Driven by the need for better operational performance, we see an increasing integration of digital technologies into traditional industrial systems. This integration has made data security in the Operational Technology (OT) world a critical concern. OT refers to the hardware and software that controls and monitors physical devices, processes, and infrastructure in industries such as manufacturing, energy, transportation, or utilities. The integration, often referred to as the convergence of IT (Information Technology) and OT, brings numerous benefits but also exposes OT systems to new security risks. To understand the challenges of IT-OT convergence, we must first understand the challenges of data security in the OT world.
Challenges of the OT World
Extensive automation has existed in the OT world for a long time (30 to 40 years), yet security thinking there has not reached the level common in IT systems. OT systems have to be interoperable with older and newer models of machines, units or infrastructure; for example, a 10-year-old process train could be extended with the latest equipment. When most OT systems and automation were designed, cyber security was not a primary concern, which often results in a lack of adequate security measures. Security awareness, and the measures expected, have changed completely over time.
Historically, the answer to this was isolation: segregation, a total separation of the IT network from the OT network, the so-called air-gapped system. This isolating approach did reduce the security risk. Today, however, powerful data analysis, decision support systems and digital twins are available in the cloud, so if you want to reach the next level of operational excellence, you can no longer isolate the OT network in the same way. Extensive data analysis has to happen in the cloud, and keeping IT and OT systems fully segregated has become almost impossible.
Another big risk factor is that attacks on OT systems can have consequences in the physical world. For example, if the control system of an oil production facility goes down, it affects the whole oil field. Over the past years we have all seen that even a small disruption in the supply chain has a direct impact on the overall economy and society.

Another aspect is endpoint vulnerabilities. OT devices differ by design from IT devices: they have to provide timing guarantees, priority management, etc., which may require proprietary software using specialised communication protocols. These protocols often include no security features (such as authentication or integrity protection) and were not designed for data security. This makes it comparatively easy for attackers to exploit OT systems and gain unauthorized access. Additionally, there are multiple points of access within facilities and a high turnover of employees and external contractors, any of whom could compromise the system.
Another topic of concern is software patch management (software updates). You cannot simply patch a refinery whenever a patch has been issued: some patches require a reboot of the system, and some production systems have typical runs of 5 to 10 years. When you patch an OT system, you have to patch all of its interfaces at the same time and ensure the total interoperability of all connected systems. This makes patch management a complex process.
To improve OT infrastructure, we connect it with more and more different systems. Some of the OT infrastructures I worked with in the past have more than 150 interfaces, which means 150 potential weak points.
Legacy Systems
- Infrastructure with long life cycles
- Designed and deployed before Cyber Security was a primary concern
- Lack of adequate security measures
- Vulnerable to modern cyber threats
Endpoint and System Vulnerabilities
- Outdated or proprietary software
- Challenging Patch Management
- Specialized communication protocols
- Missing security features
- Attackers can gain unauthorized access easily
Air Gapped Networks
- Traditionally isolated from the internet and external networks
- Isolated approach reduced security risk
- Today: Increased potential for cyber attacks
Insider Threats
- Multiple Points of Access in Facilities
- High fluctuation of workers and external contractors
- Insiders can leak or damage sensitive information directly
Cyber-Physical Risks
- Real world consequences of attacks on OT-systems
- Attacks can cause disruption of physical processes and infrastructure
- Ransomware Attacks can lead to operational shutdowns and significant economic losses
Supply Chain Risks
- Interconnectedness can introduce security risks
- Vulnerability due to compromised third-party components or software
Many industries are subject to specific regulations and standards regarding data security. Regulatory compliance is essential for maintaining operational continuity and for avoiding potential legal consequences. If one installation goes down, the ripple effect on the whole supply chain and everything that depends on it is significant.
Recommendations for comprehensive OT Security
The landscape of data security is continually evolving, and new risks and solutions emerge constantly. Organizations must stay up to date with the latest best practices in OT data security to protect their critical infrastructure effectively.
Risk Assessment
Conducting regular risk assessments to identify vulnerabilities and threats in the OT environment.
Security Updates & Patch Management
Regularly updating and patching software and devices to address known vulnerabilities, within maintenance windows the process can tolerate.
Segmentation
Implementing network segmentation and separating critical assets from non-critical systems to limit the attack surface.
Monitoring & Incident Response
Deploying real-time monitoring tools and an incident response plan to detect and mitigate potential cyber incidents promptly.
Access Control
Enforcing strict access controls and privileges to limit access to sensitive data and systems.
Employee Training
Providing comprehensive cybersecurity training for employees and personnel to raise awareness of potential threats and best security practices.
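The points above on proprietary protocols without security features, on segmentation, and on real-time monitoring can be made concrete with one small inspection routine. The following is an added example, not code from the original article: it parses constructed Modbus/TCP request frames (a protocol that carries no authentication or integrity field at all), maps source and destination addresses to hypothetical network zones, and flags write commands reaching the control zone from anywhere but the engineering zone. The zone addresses, the sample flows and the allowed-flow rules are assumptions for illustration; a real plant would derive them from its own zone and conduit design.

```python
"""Zone-aware inspection of Modbus/TCP requests (added example, constructed data)."""
import ipaddress
import struct
from dataclasses import dataclass

# Hypothetical zone plan (assumption), loosely following a levelled IT/OT layout.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.1.0.0/24"),
    "engineering": ipaddress.ip_network("192.168.10.0/24"),
    "control": ipaddress.ip_network("192.168.20.0/24"),
}

# Modbus function codes that change process state versus those that only read it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class Finding:
    src: str
    dst: str
    function: int
    severity: str
    reason: str


def zone_of(ip: str) -> str:
    """Return the zone name an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_modbus_tcp(payload: bytes):
    """Parse the MBAP header and function code of a Modbus/TCP request.

    MBAP = transaction id (2), protocol id (2, always 0), length (2),
    unit id (1); the function code follows.  Note there is no field for
    credentials or a signature anywhere in the frame.
    Returns (transaction_id, unit_id, function_code, remaining_pdu_bytes)."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    return tid, unit, payload[7], payload[8:]


def inspect(src: str, dst: str, payload: bytes):
    """Apply the zone policy to one request; return a Finding or None."""
    _tid, _unit, fc, _data = parse_modbus_tcp(payload)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if dst_zone != "control":
        return None  # only traffic toward the PLCs is policed here
    if fc in WRITE_FUNCTIONS:
        if src_zone == "engineering":
            return None  # engineers are expected to change setpoints
        return Finding(src, dst, fc, "high",
                       f"{WRITE_FUNCTIONS[fc]} from {src_zone} zone")
    if fc in READ_FUNCTIONS:
        if src_zone in ("engineering", "ot_dmz"):
            return None  # e.g. a historian in the DMZ polling values
        return Finding(src, dst, fc, "medium",
                       f"{READ_FUNCTIONS[fc]} from {src_zone} zone")
    return Finding(src, dst, fc, "low",
                   f"unexpected function code {fc} from {src_zone} zone")


def _frame(tid: int, fc: int, a: int, b: int) -> bytes:
    """Build a 12-byte request with a 2-word PDU body (length field = 6)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, 1, fc, a, b)


# Constructed sample flows (not captured from any real plant).
SAMPLE_FLOWS = (
    ("192.168.10.5", "192.168.20.10", _frame(1, 6, 0x0010, 0x1234)),  # engineer sets a register
    ("10.1.0.7", "192.168.20.10", _frame(2, 3, 0x0000, 10)),           # DMZ historian reads
    ("10.0.3.44", "192.168.20.10", _frame(3, 6, 0x0010, 0x0000)),      # enterprise host writes
    ("10.0.3.44", "192.168.20.10", _frame(4, 3, 0x0000, 10)),          # enterprise host reads
)


def run(flows=SAMPLE_FLOWS):
    """Inspect every flow and return the list of findings."""
    return [f for f in (inspect(s, d, p) for s, d, p in flows) if f is not None]


if __name__ == "__main__":
    for f in run():
        print(f"[{f.severity}] {f.src} -> {f.dst} fc={f.function}: {f.reason}")
```

Only the two requests from the enterprise host produce findings; the unauthenticated write from that host is what the segmentation rule is supposed to prevent and what the monitoring step has to catch when the rule is missing or bypassed.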
Differences between IT and OT Security
Overall, both OT security and IT security are essential aspects of overall cybersecurity for organizations. As the convergence of IT and OT continues, bridging the gap between the two disciplines becomes crucial to create a comprehensive cybersecurity strategy that protects both digital assets and critical infrastructure.
OT Security
Scope and Focus
- Securing industrial control systems
- Supervisory control and data acquisition systems (SCADA-systems)
- Protection of physical processes and machinery
- Prevention of operational disruptions caused by cyber attacks
- Prevention of safety hazards or environmental risks
Technology and Environment
- Securing specialized devices like sensors, programmable logic controllers (PLCs), distributed control systems (DCS), and industrial machinery
- Real-time operations, legacy systems, proprietary protocols
- Focus on reliability and availability
Objectives
- Ensure the continuous and safe operation of critical infrastructure processes
- Preventing cyber-physical incidents that can result in operational downtime, equipment damage and physical harm
Risk tolerances
- Often prioritizes safety and reliability over immediate patching and updates due to the potential impact on industrial operations.
- Certain vulnerabilities may remain unpatched for extended periods, which implies a higher tolerance for some risks, usually offset by compensating controls such as segmentation and monitoring
Regulatory landscape
- Critical infrastructure industries, such as energy, manufacturing, transportation, and utilities, are subject to specific regulations and standards concerning OT security.
- Compliance requirements often differ from traditional IT security regulation
Skillset and expertise
- OT security professionals require a deep understanding of industrial processes, SCADA systems, ICS protocols, and specific industry challenges.
- They need expertise in securing complex physical systems and mitigating cyber-physical risks.
IT Security
Scope and Focus
- Safeguarding information technology systems, networks, servers, computers and data in business and enterprise environments
- Protect sensitive data, maintain data integrity, ensure confidentiality, and prevent unauthorized access to corporate information
Technology and Environment
- Securing general-purpose computer devices like laptops, desktops, servers, cloud infrastructure, mobile devices, and web applications
- Focus on efficiency, scalability, and data processing
Objectives
- Protect data confidentiality, integrity and availability
- Preventing data breaches, intellectual property theft and other cyber incidents that could lead to financial losses, reputational damage, and compliance issues.
Risk Tolerances
- IT environments are typically more dynamic and responsive to immediate threats
- Regular patching, updates, and vulnerability management are common practices in IT Security to reduce the risks of cyber attacks
Regulatory landscape
- Subject to various industry standards and data protection regulations, such as GDPR, HIPAA, and PCI DSS, depending on the nature of the organization's operations and data handlings
Skillset and expertise
- IT security professionals focus on network security, cryptography, endpoint protection, application security, and data security.
- They are adept at addressing traditional cyber threats, such as malware, phishing, and unauthorized access.