Operational Technology (OT) systems control and monitor industrial processes, infrastructure, and physical devices, and they face significant risks including cybersecurity threats, legacy system vulnerabilities, and inadequate network segmentation.
- Known OT Risks – These are well-documented, observable, and generally understood risks that can be identified and planned for, e.g., cybersecurity, connectivity (poor segmentation), etc.
- Unknown OT Risks – These are emerging, hidden, or not yet fully understood risks, often harder to quantify but potentially more damaging, e.g., zero-day threats, third-party risk, IT/OT convergence, etc. These include unidentified and disconnected technology-enabled OT assets.
- Both known and unknown OT risks demand a layered defense strategy that combines technical controls, governance, and visibility.
IT vs OT Risk Focus: CIA vs AIC
- IT Security primarily focuses on Confidentiality, Integrity, and Availability (CIA), protecting data privacy and accuracy while ensuring systems are accessible when needed.
- OT Security, however, prioritizes Availability, Integrity, and Confidentiality (AIC), because keeping operational systems running safely and continuously is critical, even more so than confidentiality.
In OT environments, system uptime and safety take precedence to avoid physical damage, safety risks, or operational downtime.
| Aspect | IT Security (CIA) | OT Security (AIC) |
|---|---|---|
| Primary Concern | Confidentiality | Availability |
| System Updates | Regular patches and updates are prioritized | Updates carefully managed to avoid downtime |
| Access Control | Strict access control to protect data | Controlled access to prevent operational disruptions |
| Incident Response | Quick containment of breaches to protect information | Maintaining operational continuity and safety during incidents |
| Risk Tolerance | Moderate: some downtime acceptable for security | Very low: downtime can affect physical processes and safety |
| System Lifecycle | Shorter life cycles with frequent hardware and software updates | Long life cycles with legacy systems that are difficult to update |
- Fortify the basics – SUCOP ITGC (OTGC)
- Security Strategy – Network segmentation, redundancy and real-time monitoring
- Monitor access by third-party vendors and OEM providers – See 3rd Party Risk.
- KEY – Emphasize physical access control in conjunction with logical access mechanisms for manufacturing and industrial sites, production equipment, and operational devices – See Physical Security SUCOP.