There Is No IT vs. OT Cybersecurity - There Is Just Cybersecurity

If you’re relying only on the OT side of the project to handle cybersecurity needs, you should be fired from your company’s cybersecurity department.

Whether in manufacturing, energy, transportation, or critical infrastructure, OT suppliers are absolutely clueless when it comes to cybersecurity. I see this over and over again. So how can we expect OT environments to be secure when suppliers are shipping insecure products?

The Answer? You Need IT Equipment and the IT environment to act as an extra shield!

I mean, it’s almost impressive how bad OT suppliers are:

  • Devices with default passwords.
  • Hardcoded credentials in firmware.
  • Default credentials exposed in publicly available documentation.
  • Refusing to patch vulnerabilities unless you do a mental exercise on how the contract forces them to patch their stuff.

And network security? It’s like they just learned about firewalls and data flows yesterday.

IT and OT Must Work Together Or Face the Consequences

The OT infrastructure of today must work hand in glove with the IT infrastructure to implement complex cybersecurity controls. If anyone on your project says otherwise, they are full of "peanut butter."

This is the reality whether you like it or not. Ideally, OT vendors would step up, but there is exactly a 0% chance this will change in the next 10 years. Suppliers DO NOT HAVE MONEY for cybersecurity. If your project doesn’t account for cybersecurity from the start, expect delays and extra costs when you eventually realize you have a security mess to clean up.

Think about it: when’s the last time you saw an industrial control system shipped with a TPM chip or secure boot? When was the last time you saw an OT supplier with a bug bounty program for their hardware? You rarely will. These companies still live in the era of security by obscurity. They think everyone else is stupid and that if they don’t report their vulnerabilities, others will think their product is not vulnerable.

Good luck with that. I will take an OT supplier with fresh and multiple CVE reports over a supplier with few CVE reports any day.

Real OT Cybersecurity Starts at the IT Level and Is Planned All the Way Down to (and Including) the OT Levels

In IT, you typically have:

  • Network traffic monitoring and anomaly detection.
  • Identity and access management (IAM) with multi-factor authentication.
  • Frequent security patching and software updates.
  • Endpoint detection and response (EDR) for threat detection.
  • Secure cloud infrastructure and zero-trust network architecture.
  • Strong encryption for data at rest and in transit.

In OT, cybersecurity controls are more focused on:

  • Network segmentation and firewalling to protect industrial control networks.
  • Allowlisting applications and locking down system configurations.
  • Physical security to prevent unauthorized access to control systems.
  • Secure remote access with strict authentication measures.
  • Real-time monitoring of operational data for signs of tampering.
  • Ensuring safety-critical functions are protected from cyber threats.

Hélio Martins

Infrastructure and OT Security Lead at COFCO International

1 month

Couldn’t agree more