If cybercrime were a country, it would be the third-largest economy in the world after the USA and China, according to the World Economic Forum.
In their quest for adequate protection, most organizations address security for information technology (IT) rather than operational technology (OT). Can the methodologies and best practices we usually apply to IT simply be replicated for OT? Not without care: the two domains are distinct and have different security requirements.
As we know, IT refers to the use of computer technology for managing information, while OT refers to the use of technology for managing physical processes, such as manufacturing, transportation, and energy production. IT systems are designed to protect data and information; OT systems are designed to interact with the physical environment.
ISO27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive company information, such as financial data, intellectual property, and personal data, by outlining a set of policies, procedures, and controls to manage risks to information security. The focus of ISO27001 is maintaining the so-called CIA of information, that is, Confidentiality (information is accessible to authorized users only), Integrity (information is complete and correct), and Availability (the systems responsible for delivering, storing, and processing information are accessible when required by authorized users). Two further elements are often added: Authenticity (information is genuine) and Non-Repudiation (the sender of a message cannot later deny having sent it, and the recipient cannot deny having received it).
As for OT, let’s consider a different standard: ISA/IEC 62443 addresses cybersecurity in Industrial Automation and Control Systems (IACS) and provides a framework for securing the control systems used in manufacturing, transportation, and energy production. Tailored to the unique requirements of IACS, ISA/IEC 62443 reverses the IT order of priorities – its focus is maintaining the AIC of physical assets and processes: Availability first, then Integrity, then Confidentiality.
This different focus has a significant impact on how risks and threats are evaluated and how security assessments are carried out. For instance, IT systems are more vulnerable to hacking, malware, and social engineering attacks, while OT systems are more vulnerable to physical attacks, such as tampering, sabotage, and theft.
Security assessments should therefore be conducted differently: active scanning for IT, where direct interaction with the systems is acceptable, and passive scanning for OT environments, where interaction with the systems is not allowed. In OT, human safety should always be prioritized.
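The passive approach described above can be made concrete with a small asset-inventory script. The following is an added example, not code from the original article or from any standard: it builds an inventory of an OT segment purely from connection records that a passive sensor (for instance a capture from a switch mirror port) has already collected, so nothing is ever sent to a controller, which is the point of passive scanning where an unsolicited probe could upset a fragile device. The `Flow` records, the IP addresses and the port-to-protocol mapping are all constructed assumptions for the demonstration.

```python
"""Passive OT asset inventory built only from already-observed flows (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: illustrative mapping of well-known industrial protocol ports.
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    44818: "EtherNet/IP",
    20000: "DNP3",
}


@dataclass(frozen=True)
class Flow:
    """One observed connection, as a passive sensor would record it."""
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass
class HostRecord:
    served: set = field(default_factory=set)    # industrial services this host answers on
    clients: set = field(default_factory=set)   # hosts that connected to it
    contacts: set = field(default_factory=set)  # hosts it connected to


# Constructed sample capture: an HMI (10.1.0.5) and an engineering workstation (10.1.0.6)
# talking to three controllers, plus one DNS lookup from a controller.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.1.0.20", 502, "tcp"),
    Flow("10.1.0.5", "10.1.0.21", 502, "tcp"),
    Flow("10.1.0.6", "10.1.0.20", 102, "tcp"),
    Flow("10.1.0.5", "10.1.0.22", 44818, "tcp"),
    Flow("10.1.0.20", "10.1.0.99", 53, "udp"),
]


def passive_inventory(flows):
    """Build an asset inventory purely from observed flows; no packet is sent to any device."""
    inventory = defaultdict(HostRecord)
    for f in flows:
        inventory[f.src].contacts.add(f.dst)
        inventory[f.dst].clients.add(f.src)
        service = INDUSTRIAL_PORTS.get(f.dport)
        if service is not None:
            inventory[f.dst].served.add(service)
    return dict(inventory)


def likely_controllers(inventory):
    """Hosts that answer on at least one industrial protocol: candidate PLCs/RTUs."""
    return sorted(ip for ip, rec in inventory.items() if rec.served)


if __name__ == "__main__":
    inv = passive_inventory(SAMPLE_FLOWS)
    for ip in likely_controllers(inv):
        rec = inv[ip]
        print(f"{ip}: serves {sorted(rec.served)}, clients {sorted(rec.clients)}")
```

Because the inventory is derived from traffic the devices generated on their own, it can be refreshed continuously without a maintenance window; an active scan of the same segment would require explicit approval from the process owners and a time when a disturbed controller could not endanger people or equipment.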