Introduction
It has long been recognised that safety within industrial facilities is crucial. Companies that supply robots, machines, production lines, and various types of industrial equipment place significant emphasis on ensuring the safety of operators and users. Human health and life are priceless, and substantial investments are made in solutions designed to protect people from potential harm. Much effort has also gone into establishing standards, regulations, and legislation that mandate the implementation of appropriate safety measures in industrial environments.
Recently, there has been a significant rise in awareness of another type of threat, invisible to the naked eye, related to cybersecurity. The trend indicates that industrial devices are becoming increasingly integrated with the world of IT. These devices are being equipped with protocols and solutions typical of traditional IT infrastructure. It is now expected that these devices can be configured through a standard web browser, offer solutions for storing data in SQL and NoSQL databases, and facilitate seamless integration with cloud technologies, enabling remote monitoring and control of facilities from anywhere in the world. However, these new capabilities also increase the risk and expand the potential attack surface for threats that are becoming more frequent and can have severe consequences.
This brief article introduces the broad topic of ICS and OT security. Its goal is to familiarise readers with some of the most important concepts and terms and provide critical resources to help them begin exploring this fascinating field.
What is ICS?
Industrial Control Systems (ICS) are integrated hardware and software systems used to monitor and control industrial processes. These systems are critical components in sectors like manufacturing, energy, water treatment, and transportation. ICS includes various technologies such as Supervisory Control and Data Acquisition (SCADA) systems, and Programmable Logic Controllers (PLC). These systems enable automated operations, data collection, and real-time control, ensuring the efficient and safe functioning of industrial processes.
Figure 1 An example of an Industrial Control System. It contains a SCADA system (usually a server with an advanced visualisation of industrial processes), two PLC controllers and industrial equipment with integrated control units directly controlled by the PLC programs. This is a tiny system – a real system can contain thousands of devices.
What is OT?
Operational Technology (OT) – programmable systems or devices that interact with the physical environment or manage devices that interact with the physical environment. These systems/devices detect or cause a direct change through the monitoring and control of devices, processes, and events. Note that the OT term is broader than the ICS term, and OT includes ICS. Besides industrial control systems, the OT infrastructure can consist of building management systems, fire control systems, and physical access control mechanisms. [1]
Figure 2 The Operational Technology term is broader than the Industrial Control Systems term. The OT includes ICS.
NIST Guide to Operational Technology (OT) Security
The NIST Special Publication 800-82 Revision 3, titled Guide to Operational Technology (OT) Security, provides comprehensive guidelines for securing OT environments, including Industrial Control Systems. This document offers an in-depth overview of the security challenges associated with OT systems. [2]
The guide outlines best practices for implementing robust security measures across OT environments, addressing areas such as risk management, system protection, incident response, and system recovery. It emphasises the need for a defence-in-depth approach, integrating multiple layers of security controls to protect against various threats, from insider threats to sophisticated cyberattacks. It also highlights the importance of collaboration between IT and OT teams to develop cohesive security strategies that account for the unique characteristics of OT systems.
Overall, the guide serves as a key resource for organisations seeking to enhance the security of their OT infrastructure, providing practical recommendations and frameworks for assessing, managing, and mitigating security risks in complex industrial environments.
Note that the document discussed above is the successor to Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82. [3] The very name of the document indicates that it has been generalised from a topic covering ICS to one covering OT, in line with the observed trend.
The introduction to the document provides a list of security incidents to which OT infrastructure is potentially vulnerable. They are summarised in the table below.
Table 1 Potential security incidents that may affect the OT infrastructure [2]
Incident Type | Description |
---|---|
Blocked or Delayed Information Flow | Disruption in OT operation, resulting in loss of view or control over processes. |
Unauthorized Changes | Alterations to instructions, commands, or alarm thresholds that could damage equipment, cause environmental harm, or risk human safety. |
Inaccurate Information to Operators | Misleading data sent to operators, potentially causing inappropriate actions and negative impacts on operations. |
Modified OT Software or Malware Infection | Changes in OT software or configuration, or malware infections leading to operational disruptions. |
Equipment Protection System Interference | Tampering with protection systems, risking damage to expensive and hard-to-replace equipment. |
Safety System Interference | Interference with safety systems, potentially endangering human life. |
On this basis, the goals that should be pursued during the implementation of a secure OT infrastructure from a cybersecurity perspective are formulated. They are also summarised in the table.
Table 2 Security objectives in implementing secure OT environment [2]
Security Objective | Description |
---|---|
Restrict Logical Access | Implement unidirectional gateways, DMZ architectures with firewalls, separate authentication, and layered network topology to control access between corporate and OT networks. |
Restrict Physical Access | Use physical controls such as locks, card readers, and guards to prevent unauthorized physical access to OT devices and networks. |
Protect OT Components from Exploitation | Deploy security patches promptly, disable unused ports/services, limit user privileges, track audit trails, and use security tools like antivirus and file integrity checks. |
Restrict Unauthorized Data Modification | Protect data in all states (at rest, in transit, in use) and control data flows across network boundaries to prevent unauthorized changes. |
Detect Security Events and Incidents | Monitor for failed components, unavailable services, and resource exhaustion to identify potential threats before they escalate into incidents. |
Maintain Functionality in Adverse Conditions | Design systems with redundancy and ensure components fail gracefully to avoid cascading issues; support operational modes from full automation to manual control. |
Restore and Recover After an Incident | Develop and implement an incident response plan to enable quick system recovery and maintain operational resilience post-incident. |
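The first and fourth rows of Table 2 (restricting logical access through a layered corporate / DMZ / control topology, and controlling data flows across network boundaries) can be expressed as an explicit allowlist and checked against observed traffic. The script below is an added example, not code from the article or from NIST: it assumes a constructed three-zone layout, a hypothetical flow-log format of `<src_ip> <dst_ip> <dst_port>`, and a policy in which corporate hosts may only reach the DMZ over HTTPS, the DMZ may poll the control zone over Modbus/TCP, and the control zone may only push data outward to the DMZ. Any flow that crosses directly between corporate and control, or uses a service the boundary does not permit, is reported.

```python
"""Zone-based boundary policy check for a layered corporate / DMZ / control network.

Added example illustrating the "Restrict Logical Access" and "Restrict
Unauthorized Data Modification" objectives of NIST SP 800-82r3; it is not code
from the article or from NIST.  Zone ranges, the allowlist and the flow records
are all constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed zone layout (assumption for this example).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Allowlist: (source zone, destination zone) -> permitted destination ports.
# Corporate reaches only the DMZ (e.g. a replicated historian over HTTPS),
# the DMZ polls the control zone (Modbus/TCP 502), and the control zone may
# only push outward to the DMZ.  Corporate <-> control has no direct path.
ALLOWED = {
    ("corporate", "dmz"): {443},
    ("dmz", "control"): {502},
    ("control", "dmz"): {443},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Violation:
    flow: Flow
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(flow: Flow) -> Optional[Violation]:
    """Return a Violation if the flow crosses a boundary the policy forbids."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return Violation(flow, "address outside every defined zone")
    if src_zone == dst_zone:
        return None  # intra-zone traffic is outside this boundary policy
    ports = ALLOWED.get((src_zone, dst_zone))
    if ports is None:
        return Violation(flow, f"no path permitted from {src_zone} to {dst_zone}")
    if flow.dport not in ports:
        return Violation(flow, f"port {flow.dport} not permitted from {src_zone} to {dst_zone}")
    return None


def parse_flow_line(line: str) -> Flow:
    """Constructed log format: '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, port = line.split()
    return Flow(src, dst, int(port))


def audit_log(lines: Iterable[str]) -> List[Violation]:
    """Parse every flow line and collect the policy violations, in log order."""
    return [v for v in (check_flow(parse_flow_line(l)) for l in lines) if v is not None]


# Constructed sample flow log: two legitimate paths, then three boundary violations,
# then one legitimate outward push from the control zone.
SAMPLE_LOG = [
    "10.10.5.7 10.20.0.10 443",          # corporate -> DMZ historian, allowed
    "10.20.0.10 192.168.100.20 502",     # DMZ poller -> PLC over Modbus, allowed
    "10.10.5.7 192.168.100.20 502",      # corporate host talking straight to a PLC
    "192.168.100.20 10.10.5.7 445",      # control zone reaching into corporate
    "10.20.0.10 192.168.100.20 22",      # DMZ -> control over a non-permitted service
    "192.168.100.20 10.20.0.10 443",     # control -> DMZ push, allowed
]

if __name__ == "__main__":
    for v in audit_log(SAMPLE_LOG):
        print(f"{v.flow.src} -> {v.flow.dst}:{v.flow.dport}  {v.reason}")
```

The allowlist is deliberately tiny so that every permitted boundary crossing is visible at a glance; in a real deployment the same structure would be generated from the firewall and unidirectional-gateway rules the document recommends, and the audit would run over exported flow records rather than a hand-written list.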
We encourage you to read the NIST document, of course. Its size may be overwhelming initially, but it is written in a very friendly language and does not require special training in OT security. A person familiar with the basics of industrial facility control issues and the basics of the IT industry should be able to cope with interpreting the document. To gain a general picture related to the field of OT security, this is a perfect place to start, as many sources are based on this document. The first two chapters of the document already contain a lot of helpful information and allow you to understand the key ideas related to OT and ICS security.
ICS MITRE ATT&CK Framework
The ICS MITRE ATT&CK Framework [4] is an extension of the MITRE ATT&CK Framework specifically designed to address the unique challenges of securing Industrial Control Systems. It provides a comprehensive, structured repository of tactics, techniques, and procedures (TTPs) used by adversaries to compromise ICS environments. The framework is tailored to the specific characteristics and requirements of OT systems, considering the safety, reliability, and operational constraints that distinguish them from traditional IT environments.
The ICS MITRE ATT&CK Framework covers various stages of an attack, including initial access, execution, persistence, privilege escalation, defence evasion, and impact. It categorises techniques such as exploiting engineering workstations, manipulating control logic, and disrupting critical processes. By leveraging this framework, organisations can gain a deeper understanding of potential attack vectors and enhance their defensive strategies through proactive threat modelling, detection, and mitigation specific to ICS environments. It serves as a valuable resource for cybersecurity professionals to assess and strengthen the security posture of their industrial operations.
Let’s examine an example of the techniques described within this framework: T0813 Denial of Control. Each technique has a unique identifier (in this case, T0813) and name. The technique is defined as follows:
Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss but not necessarily in a desired state. [4]
Under the description, you will find a Procedure Examples section, which lists real-life examples of incidents in which attackers used this technique. For example, the technique discussed in this case was used during an attack on the Ukrainian power grid in 2015. The next section contains a description of procedures that can mitigate the risk of attack. Mitigations are also classified and given identifiers.
We encourage you to familiarise yourself with the various techniques. These descriptions reflect the types of attacks used by attackers in real-world scenarios. Reviewing these techniques, as well as reading up on their mitigations, can give you plenty of ideas for making your infrastructure more secure.
Summary
The field of ICS and OT security is still relatively young but has seen a marked boom in the last decade. Certainly, more resources will be invested in this industry. Awareness of the risks in this field is growing, which is a good thing. Highly developed ICS and OT security is one of the guarantees of a secure future.
Bibliography
[1] NIST, “operational technology,” [Online]. Available: https://csrc.nist.gov/glossary/term/operational_technology.
[2] NIST, “Guide to Operational Technology (OT) Security,” NIST SP 800-82 Rev. 3, [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf.
[3] NIST, “Guide to Industrial Control Systems (ICS) Security,” NIST SP 800-82 Rev. 2, [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf.
[4] MITRE ATT&CK, “ICS Techniques,” [Online]. Available: https://attack.mitre.org/techniques/ics/.