Cyber security for operational technology

The boundaries between IT and OT (operational technology) are becoming increasingly blurred as industrial systems become more interconnected and digital. It is essential therefore to consider the cyber security risks associated with both OT and IT systems and to implement the right measures to protect them.

The effects of cyber-attacks on IT are generally economic. The consequences of a successful cyber-attack on OT systems can be much more severe, as they control the critical infrastructure that our society relies on.

Understanding OT

OT refers to the hardware and software systems that are used to control and monitor physical processes in industries such as manufacturing, energy, transport and utilities. Examples of OT systems include:

• supervisory control and data acquisition (SCADA) systems used in power plants to monitor and control the flow of electricity,
• building automation systems used to control heating, ventilation, and air conditioning (HVAC) systems in commercial buildings,
• industrial control systems (ICS) used to control manufacturing processes and assembly lines in factories,
• transport systems, such as traffic control systems used to manage the flow of vehicles on motorways and city streets.

Cyber security

IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data. Information security management systems, such as the one described in ISO/IEC 27001, are designed to protect sensitive data, such as personally identifiable information (PII), intellectual property, or credit card numbers, for example.

OT systems have different needs because they have unique characteristics that differentiate them from traditional IT systems. For example, OT systems often have a long lifecycle, so they may not be updated or replaced as frequently as IT systems.

They also have different performance requirements and are designed to operate in harsh environments. Understanding these characteristics is critical to developing an effective cybersecurity strategy for OT systems.

The IEC 62443 series of standards defines a comprehensive framework for implementing cybersecurity measures in OT environments, covering the entire lifecycle of OT components, from design and development to installation, operation, and maintenance. The standards provide guidance on a range of cyber security issues, including risk assessment, security policies and procedures, network segmentation, access control, incident response and system monitoring.

IEC 62443 takes a risk-based approach to cyber security based on the concept that it is neither efficient nor sustainable to try to protect all assets in equal measure. Instead, users must identify which systems are critical in terms of ensuring continuity and identifying vulnerabilities.

This standards can be purchased from our e-shop.