Beyond IT: A Deep Dive into Operational Technology Cybersecurity

TL;DR
- IT vs. OT: IT systems focus on data, whereas OT systems focus on physical processes and safety.
- ICS Overview: Industrial Control Systems (ICS) manage critical infrastructure, requiring specialized protocols and security approaches.
- Network Forensics: Vital for detecting intrusions without disrupting operations; relies on passive capture, specialized tools, and knowledge of OT-specific protocols (e.g., Modbus, DNP3).
- System Forensics: In-depth analysis of ICS endpoints, with careful handling to avoid system downtime.
- Alerts & Threat Intelligence: Customized alerts for ICS intrusions can leverage data from specialized CTI providers (e.g., Dragos, Nozomi).
- Research & Tools: Building parsers and feeding ICS protocols into monitoring and SIEM platforms (e.g., CISA's Malcolm, [Dragos Platform](https://www.dragos.com/)) requires deep domain knowledge and specialized frameworks.
1. Introduction
Operational Technology (OT) is the backbone that powers many critical infrastructures—ranging from energy grids and manufacturing plants to water treatment facilities and transportation systems. Defending OT infrastructure is crucial because these systems control real-world physical processes that, if compromised, can lead to massive disruptions, financial loss, and even threats to human life. As more OT devices become interconnected with corporate IT networks and the cloud, the attack surface expands, making robust cybersecurity measures a priority.
Real-world incidents underscore the severity of OT-targeted attacks. One of the most widely studied is the December 2015 cyberattack on the Ukrainian power grid, which cut power to roughly 230,000 customers for several hours. The attackers used stolen credentials to operate the utilities' SCADA HMIs remotely and open breakers, then wiped operator workstations to slow recovery. The breach highlighted how adversaries who reach the control network can drive physical equipment directly rather than merely stealing data.
Information Technology (IT) and Operational Technology (OT) environments are converging rapidly, driven by the Industrial Internet of Things (IIoT) and the increasing digitization of manufacturing, energy, and other critical sectors. With this convergence comes an urgent need to understand the unique cybersecurity considerations of OT networks, which are very different from traditional IT environments.
In this blog post, we will explore the key differences between IT and OT from a cybersecurity perspective, introduce the concept of Industrial Control Systems (ICS), outline best practices for conducting network and system forensics in ICS/OT environments, and discuss how threat intelligence and specialized SIEM solutions help safeguard critical systems.
2. IT vs. OT: Key Distinctions
- Primary Focus
- IT: Protecting data, prioritized as confidentiality, then integrity, then availability.
- OT: Maintaining safety first, then availability and integrity of physical processes; confidentiality is usually the lowest priority.
- Operational Requirements
- IT: Systems can often be rebooted or taken offline for maintenance, patches, and updates.
- OT: Systems typically need to run 24/7; downtime could result in safety hazards, production losses, or even endanger human life.
- Time Sensitivity
- IT: Network latency and small delays are often acceptable.
- OT: Real-time responsiveness is crucial; any delay can severely impact process control.
- Technology Lifecycles
- IT: Faster refresh cycles.
- OT: Equipment can remain operational for decades, often running legacy software with limited vendor support.
- Security Priorities
- IT: Threats often revolve around malware, ransomware, data exfiltration, and phishing.
- OT: Threats could disrupt physical operations (e.g., manipulation of valves, pumps, robotic arms), leading to potential safety and reliability issues.
3. What Are ICS Systems?
Industrial Control Systems (ICS) encompass a range of control systems used to monitor and operate industrial processes. They include:
- Supervisory Control and Data Acquisition (SCADA): Centralized systems controlling geographically dispersed assets (e.g., pipelines, water treatment facilities).
- Distributed Control Systems (DCS): Found in manufacturing plants, refineries, and other industrial settings.
- Programmable Logic Controllers (PLC): Ruggedized computers used to automate simple or complex control tasks (e.g., controlling conveyor belts or mixing chemicals).
- Remote Terminal Units (RTU): Field devices often used in SCADA systems to communicate sensor data back to central control.
Where Are OT Systems Commonly Found?
- Locks and Dams: Systems controlling water flow and lock operations.
- Manufacturing Plants: Assembly lines, robotics, and process controls.
- Airport Baggage Systems: Automated conveyors and sorting systems.
- HVAC Systems: Climate control in large buildings or specialized environments.
- Emergency Services: Dispatch systems, traffic control, 911 infrastructure.
- Critical Infrastructure: Power generation, water treatment, transportation networks.
ICS environments typically use specialized communication protocols different from those in IT networks. These protocols (e.g., Modbus, DNP3) were not always designed with security in mind and may lack encryption or authentication mechanisms, making them attractive targets for adversaries.
Source: NIST SP 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security (superseded in 2023 by Revision 3, retitled Guide to Operational Technology (OT) Security)
4. OSI Model vs. Purdue Model
In addition to understanding IT vs. OT differences, it's valuable to compare the standard OSI (Open Systems Interconnection) networking model to the Purdue Model commonly referenced in industrial control system (ICS) security.
OSI Model:
- Consists of seven layers (Physical, Data Link, Network, Transport, Session, Presentation, Application). It’s a universal framework for understanding how data flows from one point to another in a network.
- Primarily used in IT networks to describe communication protocols, troubleshooting steps, and design considerations.
- Emphasizes the flow and encapsulation of data from the physical medium all the way up to end-user applications.
Purdue Model:
- Often referred to as the Purdue Enterprise Reference Architecture (PERA), it defines hierarchical levels within industrial networks: Level 0 (physical process: sensors and actuators), Level 1 (basic control: PLCs and RTUs), Level 2 (supervisory control: HMIs and SCADA servers), Level 3 (site operations: historians, engineering workstations), a Level 3.5 IT/OT DMZ, and Levels 4–5 (enterprise business systems).
- Used extensively in OT environments to segregate systems by function and criticality, with traffic expected to cross one level at a time and enterprise systems reaching OT data only through the DMZ.
- Helps ensure robust network segmentation and security controls for ICS/SCADA systems, keeping mission-critical processes isolated while still allowing safe data exchange across layers.
Key Comparisons:
- Purpose:
- OSI Model: Defines how data moves through networks conceptually for interoperability and standardization across vendors.
- Purdue Model: Defines hierarchical segmentation of ICS networks to protect critical operations and control processes.
- Focus:
- OSI Model: Concentrates on technical layers and protocol functions.
- Purdue Model: Concentrates on functional zones (business, DMZ, control, etc.) and security boundaries.
- Applicability:
- OSI Model: Broadly applicable to nearly any digital communication scenario, from corporate networks to cloud environments.
- Purdue Model: Specific to industrial control environments, though it can be adapted to modern IIoT/Industry 4.0 architectures.
By understanding both the OSI and Purdue models, IT and OT teams can align their strategies to protect industrial networks more effectively. The OSI model can guide protocol-level security, while the Purdue model ensures proper architectural segmentation to minimize risks in critical operations.
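The segmentation rule the Purdue model implies can be checked mechanically once every asset is tagged with a level. The following is an added example written for this post, not code from the post or from any vendor; the asset map, addresses and flow records are constructed. The policy in `ALLOWED_ADJACENCY` (enterprise systems reach OT only through the Level 3.5 DMZ, and OT traffic moves between neighbouring levels) is one common reading of the model and is an assumption here, not something the reference architecture itself enforces.

```python
"""Purdue-model conduit audit: flag flows that skip levels or bypass the IT/OT DMZ.

Added example, not code from the post. Asset map, flows and addresses are
constructed; the adjacency policy is an assumption stated in the lead-in.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical asset inventory: address -> Purdue level (3.5 is the IT/OT DMZ).
ASSET_LEVELS: Dict[str, float] = {
    "10.0.1.10": 1,    # PLC (basic control)
    "10.0.2.20": 2,    # HMI / SCADA server (supervisory control)
    "10.0.3.30": 3,    # historian (site operations)
    "10.0.3.99": 3,    # engineering workstation
    "10.0.35.5": 3.5,  # DMZ historian replica / jump host
    "10.0.4.40": 4,    # enterprise application server
    "10.0.5.50": 5,    # corporate workstation
}

# Level pairs that may talk directly (order-independent). Same-level traffic is allowed.
ALLOWED_ADJACENCY = {(0, 1), (1, 2), (2, 3), (3, 3.5), (3.5, 4), (4, 5)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def check_flow(flow: Flow, levels: Dict[str, float] = ASSET_LEVELS) -> Optional[str]:
    """Return None if the flow respects the architecture, else the reason it does not."""
    if flow.src not in levels or flow.dst not in levels:
        return "unmapped asset: inventory the device before allowing the flow"
    s, d = levels[flow.src], levels[flow.dst]
    if s == d:
        return None
    lo, hi = sorted((s, d))
    if (lo, hi) in ALLOWED_ADJACENCY:
        return None
    if hi >= 4 and lo <= 3:
        return f"bypasses the DMZ: level {s} -> level {d}"
    return f"skips levels: level {s} -> level {d}"


def audit(flows: List[Flow], levels: Dict[str, float] = ASSET_LEVELS) -> List[Tuple[Flow, str]]:
    """Return every flow that violates the policy, paired with its reason."""
    return [(f, reason) for f in flows if (reason := check_flow(f, levels))]


# Constructed flow records, as they might come from NetFlow or a Zeek conn.log after IP mapping.
SAMPLE_FLOWS = [
    Flow("10.0.2.20", "10.0.1.10", 502),    # HMI polling the PLC: expected
    Flow("10.0.3.30", "10.0.2.20", 102),    # historian <-> SCADA server: expected
    Flow("10.0.35.5", "10.0.3.30", 1433),   # DMZ replica pulling from the site historian: expected
    Flow("10.0.4.40", "10.0.35.5", 443),    # enterprise reading the DMZ replica: expected
    Flow("10.0.5.50", "10.0.1.10", 502),    # corporate workstation talking Modbus to the PLC: DMZ bypass
    Flow("10.0.35.5", "10.0.1.10", 502),    # DMZ host reaching into Level 1: skips levels
    Flow("10.0.3.99", "10.0.1.10", 502),    # engineering workstation talking to the PLC directly
    Flow("10.0.9.9", "10.0.1.10", 502),     # device missing from the inventory
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}  {reason}")
```

The engineering-workstation flow is deliberately flagged: in practice programming traffic from Level 3 to Level 1 is legitimate at specific sites, and the right fix is an explicit per-asset exception that is reviewed, not a blanket relaxation of the adjacency table. The "unmapped asset" result is also a finding in its own right, since a device the inventory does not know about cannot be placed in any zone.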
5. Common and Obscure Protocols Used in ICS/OT
- Modbus
- One of the oldest and most widely used ICS protocols. Operates on a master/slave (now called client/server) model; Modbus/TCP listens on TCP port 502.
- The classic protocol has no authentication or encryption: anyone who can reach port 502 can read registers and issue writes, and commands and sensor data in transit can be intercepted or altered. A TLS-wrapped variant (Modbus/TCP Security, TCP port 802) exists but is rarely found on legacy equipment.
- DNP3 (Distributed Network Protocol)
- Commonly used in water, electric, and other utilities.
- DNP3 Secure Authentication (standardized in IEEE 1815) adds authentication and message integrity, but many deployments still run the unauthenticated version.
- Profinet/Profibus
- Maintained by PROFIBUS & PROFINET International (PI) and closely associated with Siemens; used heavily in manufacturing environments.
- Profinet runs over Ethernet, presenting additional attack surfaces if not properly secured.
- IEC 60870-5-104
- Used mostly in electrical transmission and distribution, particularly in Europe; runs over TCP port 2404.
- Similar to DNP3 in role but different in frame structure; the base standard has no authentication, which the IEC 62351 series adds.
- BACnet
- Found in building automation systems (HVAC, lighting, access control); BACnet/IP runs over UDP port 47808, with no authentication in most deployments.
- Gaining more attention from attackers, especially in large commercial facilities.
- Obscure or Proprietary Protocols
- Some vendors implement proprietary extensions or custom protocols that are rarely documented externally.
- Adversaries can exploit the lack of public security information or known detection signatures.
Source: SANS ICS410 ICS/SCADA Essentials
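Because Modbus carries no authentication, the most useful thing a defender can do with it is decode every request and single out the ones that change controller state. The decoder below is an added example written for this post, not code from the post, from Wireshark or from any vendor sensor; the MBAP layout and function-code table come from the Modbus Application Protocol specification, and the frames in `SAMPLE_FRAMES` are constructed by hand, not captured traffic.

```python
"""Modbus/TCP ADU decoder with write-command flagging.

Added example, not code from the post or from any vendor tool. The frames in
SAMPLE_FRAMES are constructed for the demo, not captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Public function codes from the Modbus Application Protocol Specification V1.1b3.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 22: "Mask Write Register",
    23: "Read/Write Multiple Registers", 43: "Encapsulated Interface Transport",
}
# Codes that change controller state: the ones a defender most wants logged.
WRITE_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int           # with the 0x80 exception bit stripped
    exception: bool              # True for an exception response
    start_address: Optional[int]
    quantity: Optional[int]
    payload: bytes               # PDU bytes after the function code

    @property
    def name(self) -> str:
        return FUNCTION_NAMES.get(self.function_code, f"Unknown({self.function_code})")

    @property
    def is_write(self) -> bool:
        return not self.exception and self.function_code in WRITE_CODES


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    Rejects frames whose MBAP length field disagrees with the bytes present;
    a length mismatch is how a sensor notices malformed or fuzzed traffic.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    # 'length' counts the unit id plus the PDU, so the ADU must be exactly 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError(f"MBAP length {length} does not match {len(frame)}-byte frame")
    raw_fc = frame[7]
    pdu = frame[8:]
    if raw_fc & 0x80:
        return ModbusRequest(transaction_id, unit_id, raw_fc & 0x7F, True, None, None, pdu)
    start_address = quantity = None
    # Reads and multi-writes start with address + quantity; for fc 23 this is the read part.
    if raw_fc in (1, 2, 3, 4, 15, 16, 23) and len(pdu) >= 4:
        start_address, quantity = struct.unpack("!HH", pdu[:4])
    elif raw_fc in (5, 6) and len(pdu) >= 4:   # address + value, so quantity is one
        start_address, quantity = struct.unpack("!H", pdu[:2])[0], 1
    return ModbusRequest(transaction_id, unit_id, raw_fc, False, start_address, quantity, pdu)


def describe(frame: bytes) -> str:
    """One-line summary suitable for a log record; write requests are tagged."""
    r = parse_modbus_tcp(frame)
    tag = "WRITE " if r.is_write else ("EXCEPTION " if r.exception else "")
    where = "" if r.start_address is None else f" addr={r.start_address} qty={r.quantity}"
    return f"tid={r.transaction_id} unit={r.unit_id} {tag}fc={r.function_code} {r.name}{where}"


# Constructed frames (not captured): a read, two writes and an exception response.
SAMPLE_FRAMES = {
    "read_holding":     bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    "write_single_reg": bytes.fromhex("0002 0000 0006 01 06 0010 1234"),
    "write_multi_regs": bytes.fromhex("0003 0000 000b 01 10 0100 0002 04 0001 0002"),
    "exception_resp":   bytes.fromhex("0001 0000 0003 01 83 02"),
}

if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES.items():
        print(f"{label:17s} {describe(frame)}")
```

The length check matters more than it looks: Modbus/TCP frames are often coalesced or split across TCP segments, so a production decoder reads the MBAP length first and reassembles before parsing, rather than trusting one segment to be one ADU. The same decode is what a parser for Zeek or a Wireshark dissector performs before any alerting logic can ask "who wrote to this register".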
6. Network Forensics in ICS/OT Environments
Performing network forensics in ICS/OT environments requires extra caution because any intrusive activity or downtime can disrupt critical operations. Here are key considerations:
- Passive Monitoring
- Use network taps (preferred: they are passive and cannot drop packets) or switch SPAN/mirror ports (which may drop frames under load) so that capture adds no latency to the control traffic.
- Open-source suites such as CISA's Malcolm (Zeek and Arkime with ICS protocol parsers) and commercial sensors decode ICS protocols from mirrored traffic in real time.
- Protocol-Specific Parsing
- Tools like Wireshark have ICS protocol decoders (e.g., Modbus, DNP3) but may require community plugins for newer or less common protocols.
- Ensure default decoders are updated; custom dissectors might be needed for proprietary or obscure protocols.
- Minimal Disruption
- Plan forensic captures during scheduled maintenance windows if possible.
- Ensure forensic sensors are tested in a lab environment to guarantee no negative impact on critical control loops.
- Chain of Custody
- ICS environments might involve legal or compliance implications if a breach occurs.
- Maintain rigorous logs and timestamps for all collected evidence.
Source: ICS-CERT Recommended Practices
7. System Forensics in ICS/OT
System forensics in an ICS environment focuses on devices such as PLCs, RTUs, HMIs (Human-Machine Interfaces), and workstations running SCADA software. Key best practices:
- Snapshot/Imaging
- Many ICS devices run custom or legacy operating systems. If feasible, create full system images or use specialized ICS imaging tools.
- Firmware Extraction: Some advanced forensics approaches require extracting firmware for reverse engineering or artifact analysis.
- Memory Analysis
- Tools like Volatility can help with memory dumps on Windows or Linux systems that manage ICS data.
- For proprietary RTU/PLC memory analysis, vendors or third-party specialists may provide dedicated tools.
- Log Collection
- ICS software (e.g., SCADA servers and HMI applications) generates logs that can reveal suspicious commands or unauthorized logins.
- Consolidating logs in a central repository or SIEM (Security Information and Event Management) platform helps correlation.
- Preserving Evidence
- ICS forensics must follow the same chain-of-custody principles as any legal or compliance-based investigation.
- Document every step—who accessed devices, what was copied, and when.
8. Building Alerts for ICS Intrusions
Designing effective intrusion detection and alerts in ICS environments involves a mix of known threat behaviors and specialized protocol signatures.
- Baseline Normal Network Activity
- ICS traffic patterns are usually static; build anomaly-based detection by learning "normal" operational baselines.
- Alert on sudden changes in traffic volume, unusual device-to-device communication, or out-of-sequence control commands.
- Leverage MITRE ATT&CK for ICS
- The MITRE ATT&CK framework for ICS outlines tactics, techniques, and procedures (TTPs) used by adversaries.
- Create specific detection rules for known TTPs such as lateral movement in OT networks or manipulation of control logic.
- Protocol-Specific IDS/IPS Rules
- Use open-source tools like Snort or Suricata with rule sets tailored for ICS protocols; Suricata ships protocol-aware keywords for Modbus, DNP3 and ENIP/CIP, so a rule can match on a function code rather than on raw bytes.
- Many ICS security vendors provide pre-built rule packs.
- Integration with SIEM
- Forward all relevant logs, including Windows event logs, HMI application logs, and network captures, into a SIEM that supports ICS protocols.
- Configure dashboards and alerts that highlight ICS-specific anomalies (e.g., unexpected PLC reprogramming).
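The baseline-and-anomaly approach above can be shown end to end on request metadata rather than raw packets. The following is an added example written for this post, not code from the post or from any vendor product; the records are constructed to look like Modbus request metadata (timestamp, source, destination, unit id, function code) as a sensor such as Zeek would emit it, and the addresses, polling interval and burst are hypothetical.

```python
"""Baseline-then-detect for polled ICS traffic: new conversations, unexpected writes, volume spikes.

Added example, not code from the post or any vendor product. The Record
stream is constructed; addresses and timings are hypothetical.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

WRITE_CODES = {5, 6, 15, 16, 22, 23}   # Modbus function codes that change controller state


@dataclass(frozen=True)
class Record:
    ts: float
    src: str
    dst: str
    unit: int
    fc: int


def learn_baseline(records: List[Record], bucket: int = 60) -> Dict:
    """Learn which (src, dst, unit, fc) conversations exist and each pair's peak per-bucket rate."""
    conversations = {(r.src, r.dst, r.unit, r.fc) for r in records}
    per_bucket = Counter((r.src, r.dst, int(r.ts // bucket)) for r in records)
    peak: Dict[Tuple[str, str], int] = defaultdict(int)
    for (src, dst, _), n in per_bucket.items():
        peak[(src, dst)] = max(peak[(src, dst)], n)
    return {"conversations": conversations, "peak_rate": dict(peak), "bucket": bucket}


def detect(records: List[Record], baseline: Dict, spike_factor: int = 3) -> List[Tuple[str, float, str]]:
    """Return (severity, timestamp, message) alerts for traffic outside the learned baseline."""
    alerts = []
    reported = set()
    for r in records:
        key = (r.src, r.dst, r.unit, r.fc)
        if key in baseline["conversations"] or key in reported:
            continue
        reported.add(key)   # one alert per new conversation, not one per packet
        if r.fc in WRITE_CODES:
            alerts.append(("high", r.ts, f"unexpected write fc={r.fc} from {r.src} to {r.dst} unit {r.unit}"))
        else:
            alerts.append(("medium", r.ts, f"new conversation fc={r.fc} from {r.src} to {r.dst} unit {r.unit}"))
    bucket = baseline["bucket"]
    counts = Counter((r.src, r.dst, int(r.ts // bucket)) for r in records)
    for (src, dst, b), n in sorted(counts.items()):
        peak = baseline["peak_rate"].get((src, dst))
        if peak and n > spike_factor * peak:
            alerts.append(("medium", b * bucket,
                           f"volume spike {n}/{bucket}s from {src} to {dst} (baseline peak {peak})"))
    return sorted(alerts, key=lambda a: a[1])


HMI, ENG, PLC = "10.0.2.20", "10.0.3.99", "10.0.1.10"   # hypothetical addresses


def polling_pattern(start: int, end: int) -> List[Record]:
    """HMI reads holding registers every 5 s and writes one setpoint per minute."""
    reads = [Record(t, HMI, PLC, 1, 3) for t in range(start, end, 5)]
    writes = [Record(t, HMI, PLC, 1, 6) for t in range(start + 30, end, 60)]
    return reads + writes


def run_demo() -> List[Tuple[str, float, str]]:
    baseline = learn_baseline(polling_pattern(0, 600))               # ten quiet minutes
    window = polling_pattern(600, 900)                                 # next five minutes, plus:
    window.append(Record(650, ENG, PLC, 1, 3))                         # engineering host starts reading
    window.append(Record(720, ENG, PLC, 1, 16))                        # ...then writes multiple registers
    window += [Record(t, HMI, PLC, 1, 3) for t in range(840, 900)]     # read flood from the HMI address
    return detect(sorted(window, key=lambda r: r.ts), baseline)


if __name__ == "__main__":
    for severity, ts, message in run_demo():
        print(f"[{severity:6s}] t={ts:.0f} {message}")
```

Two caveats a practitioner would apply: a baseline learned while an intruder is already present quietly allowlists the intruder, so learn during a period verified as clean and re-learn after every documented engineering change; and for write function codes a static allowlist of hosts permitted to write (engineering workstations, during change windows) is stronger than anything learned, because a single legitimate-looking write from the wrong host is exactly the event that matters.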
9. Cyber Threat Intelligence for ICS/OT
Several companies specialize in ICS/OT-focused cyber threat intelligence (CTI). Their data feeds and reports help analysts recognize and respond to adversaries targeting industrial processes.
- Dragos
- Offers a platform for ICS network monitoring, threat detection, and incident response.
- Publishes regular threat intelligence reports on ICS-specific threats.
- Nozomi Networks
- Provides network visibility, threat detection, and asset inventory solutions for OT environments.
- Employs AI-driven analysis for anomaly detection.
- Mandiant (formerly part of FireEye, now part of Google Cloud)
- Known for advanced threat intelligence and incident response; maintains an ICS/OT-focused practice.
- Provides IR support tailored to critical infrastructure incidents.
These CTI vendors enable analysts to perform defensive forensics by providing context on known threat actors, TTPs, and IoCs (Indicators of Compromise) relevant to OT systems.
Source: [Dragos Threat Intelligence](https://www.dragos.com/threat-intelligence/), [Nozomi Networks Solutions](https://www.nozominetworks.com/)
10. Research & Development for ICS/OT Parsers
ICS protocols are often proprietary or insufficiently documented, making parser development challenging. Steps in the research process include:
- Protocol Reverse Engineering
- Capture traffic samples in a testbed environment or from real-world ICS networks.
- Identify message structures, function codes, and proprietary extensions.
- Vendor Collaboration
- Some vendors provide protocol documentation under NDA.
- Collaborate with ICS OEMs to obtain deep insights into how their devices communicate.
- Open-Source Communities
- Projects like Wireshark support ICS protocol dissectors. Contributing to these projects helps advance the collective knowledge base.
- ICS security communities often share partial protocol documentation or tips on decoding proprietary messages.
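The first step of that research, identifying message structure from samples, can be partly automated. The script below is an added example written for this post, not code from the post or from any protocol-analysis project; `SAMPLE_FRAMES` are constructed from a made-up framing (magic bytes, version, 16-bit length, function code, sequence number, payload) so the inference can be checked. The same four heuristics are what an analyst applies to real captures: bytes that never change, bytes that track the frame length, bytes that count, and bytes drawn from a small alphabet.

```python
"""Field inference for an undocumented framed protocol from captured samples.

Added example, not code from the post. SAMPLE_FRAMES come from a made-up
framing so the result is known; the heuristics are protocol-agnostic.
"""
from typing import Dict, List


def infer_fields(frames: List[bytes]) -> Dict:
    """Classify byte offsets common to all frames as constant, length, counter or enum-like."""
    if len({len(f) for f in frames}) < 2:
        raise ValueError("need frames of at least two different lengths to spot a length field")
    n = len(frames)
    min_len = min(len(f) for f in frames)
    lengths = [len(f) for f in frames]

    # A length field is a position whose value differs from the frame length by a constant.
    length_fields = []
    for off in range(min_len):
        candidates = [("u8", [f[off] for f in frames])]
        if off + 1 < min_len:
            candidates.append(("u16be", [int.from_bytes(f[off:off + 2], "big") for f in frames]))
            candidates.append(("u16le", [int.from_bytes(f[off:off + 2], "little") for f in frames]))
        for kind, values in candidates:
            deltas = {length - v for v, length in zip(values, lengths)}
            if len(deltas) == 1:
                length_fields.append((kind, off, deltas.pop()))

    # Bytes belonging to a length field are excluded from the other classes: the constant
    # high byte of a 16-bit length would otherwise be mistaken for a magic byte.
    covered = set()
    for kind, off, _ in length_fields:
        covered.update(range(off, off + (1 if kind == "u8" else 2)))

    constant, enum_like, counters = {}, {}, []
    for off in range(min_len):
        if off in covered:
            continue
        values = [f[off] for f in frames]
        distinct = set(values)
        if len(distinct) == 1:
            constant[off] = values[0]
        elif all(b - a == 1 for a, b in zip(values, values[1:])):
            counters.append(off)                 # sequence/transaction counter (frames in capture order)
        elif len(distinct) <= n // 2:
            enum_like[off] = sorted(distinct)    # small alphabet: function code, message type, status
    return {"constant": constant, "length_fields": length_fields,
            "counters": counters, "enum_like": enum_like, "min_len": min_len}


def _build_frame(fc: int, seq: int, payload: bytes) -> bytes:
    """Made-up framing: AA 55 | version 01 | total length (u16 BE) | fc | seq | payload."""
    body = bytes([fc, seq]) + payload
    return b"\xAA\x55\x01" + (5 + len(body)).to_bytes(2, "big") + body


# Constructed capture of six frames with three function codes and varying payload sizes.
SAMPLE_FRAMES = [
    _build_frame(fc, i + 1, bytes((i * 37 + j * 11) & 0xFF for j in range(size)))
    for i, (fc, size) in enumerate([(0x10, 2), (0x20, 4), (0x10, 3), (0x30, 5), (0x20, 2), (0x10, 6)])
]

if __name__ == "__main__":
    report = infer_fields(SAMPLE_FRAMES)
    for key in ("constant", "length_fields", "counters", "enum_like"):
        print(f"{key:14s} {report[key]}")
```

On this sample the report lists both a 16-bit big-endian length at offset 3 and an 8-bit length at offset 4; that is not a bug but the usual ambiguity when every captured frame is shorter than 256 bytes, and the way to resolve it is to capture or craft a longer frame in the testbed. Likewise, an offset classed as "constant" from a few dozen samples may simply be a field whose other values have not been observed yet, so every inferred structure should be confirmed against the device's behaviour before it is turned into a dissector or a detection rule.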
11. SIEM Solutions for ICS/OT
Traditional SIEMs like Splunk or IBM QRadar can ingest ICS logs, but may require custom parsers or add-ons. Specialized SIEM solutions or monitoring platforms cater specifically to ICS/OT environments:
- Malcolm (CISA)
- Open-source network traffic analysis suite built on Zeek, Arkime and OpenSearch, with parsers for Modbus, DNP3, and other ICS protocols.
- Not a full SIEM, but often used in labs or small to medium ICS environments as the capture and analysis layer.
- [Dragos Platform](https://www.dragos.com/)
- Comprehensive solution with native ICS protocol support and integrated threat intelligence.
- Offers automated detection playbooks tailored to ICS TTPs.
- Claroty xDome / Secure Remote Access
- Provides deep visibility into ICS assets and comms.
- Integrates with existing SIEMs or can act as a standalone analytics solution.
- Tenable for OT
- Offers visibility into OT assets and network traffic, helping identify vulnerabilities in industrial environments.
- Integrates with broader Tenable solutions for unified security management.
- Security Onion
- An open-source platform for threat hunting, log analysis, and intrusion detection.
- Can be extended to ICS/OT use cases with customized protocol parsers and integrations, providing additional visibility into industrial networks.
When choosing a SIEM or ICS monitoring platform, ensure it can parse the protocols used in your environment, integrate with asset inventory tools, and has minimal impact on network performance.
12. Conclusion
Securing ICS/OT environments demands a specialized approach that accounts for industrial systems' physical processes, unique protocols, and continuous uptime requirements. From careful network and system forensics to deploying tailored alerts and leveraging ICS-focused threat intelligence, the ultimate goal is maintaining safety, reliability, and resilience in critical infrastructures. As IT-OT convergence accelerates, organizations must invest in the right tools, research, and partnerships to defend against evolving cyber threats.
References
- NIST SP 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security: https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final
- SANS ICS410 ICS/SCADA Essentials: https://www.sans.org/cyber-security-courses/ics-scada-essentials/
- ICS-CERT (now CISA ICS) Recommended Practices: https://www.cisa.gov/uscert/ics
- Dragos Threat Intelligence: https://www.dragos.com/threat-intelligence/
- Nozomi Networks Solutions: https://www.nozominetworks.com/
- Wireshark (ICS protocol dissectors): https://www.wireshark.org/
- Malcolm (CISA): https://cisagov.github.io/Malcolm/
By understanding the interplay between IT and OT, and deploying robust network and system forensics, organizations can better protect their industrial operations from ever-evolving cyber threats.