Module 1: Energy Sector Fundamentals

OT vs IT Security

Operational Technology (OT) and Information Technology (IT) require fundamentally different security approaches. ISO 27019 recognizes these differences and provides guidance tailored to OT environments in the energy sector.

The CIA Triad: Flipped Priorities

IT Security Priority: Confidentiality → Integrity → Availability

  • Protect sensitive data from disclosure
  • Prevent unauthorized access to information
  • System downtime is acceptable for patching
  • Example: Banking systems can have maintenance windows

OT Security Priority: Availability → Integrity → Confidentiality

  • Keep processes running continuously
  • Maintain accurate control commands
  • Information often not confidential (voltage readings)
  • Example: Power plant cannot stop for updates during peak demand

Key Differences

Aspect              | IT Systems             | OT Systems
Primary Goal        | Data protection        | Process continuity
Downtime Tolerance  | Hours/days acceptable  | Seconds matter
Patch Frequency     | Monthly/weekly         | Annually or during outages
Lifespan            | 3-5 years              | 20-40 years
Standards           | HTTPS, TLS, OAuth      | DNP3, Modbus, IEC 61850
Change Management   | Agile, frequent        | Rigorous, infrequent
Vendor Support      | Active updates         | Legacy equipment unsupported

Convergence Challenges

The Merging Worlds

Modern energy infrastructure increasingly blends IT and OT:

  • Smart grid connecting OT to corporate networks
  • Cloud-based monitoring and analytics
  • Remote access for vendors and engineers
  • Mobile apps for field operations

Security Implications

  • Attack Surface Expansion: More entry points for attackers
  • Skill Gap: IT security teams unfamiliar with OT protocols
  • Tool Incompatibility: Security tools designed for IT may disrupt OT
  • Conflicting Requirements: IT policies clash with OT needs

OT-Specific Security Challenges

Testing Constraints

Unlike IT, where changes can be rehearsed in production-like environments, OT testing is constrained:

  • Limited ability to test patches on live systems
  • Simulation environments expensive and incomplete
  • Testing windows restricted to outages
  • Consequences of failure potentially catastrophic

Authentication Limitations

Many OT systems lack modern authentication:

  • No multi-factor authentication support
  • Shared credentials common
  • Password changes disruptive
  • Hardware tokens incompatible

Protocol Vulnerabilities

Legacy OT protocols were designed for isolated networks:

  • No encryption built into Modbus, DNP3 (original versions)
  • No authentication of commands
  • Broadcast communications visible to all devices
  • Predictable sequences easy to replay

Physical Access

OT devices often in remote, unmanned locations:

  • Substations with minimal physical security
  • Field devices accessible to attackers
  • USB ports and serial connections exposed
  • Firmware updates via physical media

ISO 27019 Approach

Adapted Controls

ISO 27019 modifies standard security controls for OT:

  • Patching: Risk-based approach with compensating controls
  • Anti-malware: Application whitelisting rather than signature-based scanning
  • Access Control: Zone-based with unidirectional gateways
  • Monitoring: Passive network monitoring to avoid disruption
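The "no authentication of commands" weakness and the passive-monitoring control above meet in practice as a tap-side detector. The following Python is an added example, not course material: it parses captured Modbus/TCP frames (MBAP header plus function code) and flags write commands from any host outside an assumed engineering-workstation allowlist. The addresses, allowlist and sample frames are constructed for illustration.

```python
import struct
from typing import Iterable, Iterator, Optional, Tuple

# Modbus function codes that change process state (from the public Modbus spec).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Hypothetical allowlist: the only host permitted to issue write commands.
AUTHORISED_WRITERS = {"10.1.1.20"}  # engineering workstation (assumed address)

def parse_modbus_tcp(frame: bytes) -> Optional[Tuple[int, int]]:
    """Parse the 7-byte MBAP header; return (unit_id, function_code) or None if malformed."""
    if len(frame) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length counts unit id + PDU, i.e. the frame minus 6 bytes.
    if proto_id != 0 or length != len(frame) - 6:
        return None
    return unit_id, frame[7]

def classify(src_ip: str, frame: bytes) -> str:
    """Return 'malformed', 'read', 'write-authorised' or 'write-unauthorised'."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return "malformed"
    if parsed[1] not in WRITE_FUNCTION_CODES:
        return "read"
    return "write-authorised" if src_ip in AUTHORISED_WRITERS else "write-unauthorised"

def alerts(capture: Iterable[Tuple[str, bytes]]) -> Iterator[str]:
    """Yield one alert line per write command from a host outside the allowlist."""
    for src_ip, frame in capture:
        if classify(src_ip, frame) == "write-unauthorised":
            unit_id, fc = parse_modbus_tcp(frame)
            yield f"ALERT {src_ip} -> unit {unit_id}: {WRITE_FUNCTION_CODES[fc]} (0x{fc:02X})"

# Constructed sample capture: (source IP, raw Modbus/TCP frame as seen on a network tap).
CAPTURE = [
    ("10.1.1.10", bytes.fromhex("00010000000601030000000A")),      # HMI: Read Holding Registers
    ("10.1.1.20", bytes.fromhex("0002000000060106001000FF")),      # EWS: Write Single Register
    ("10.1.1.77", bytes.fromhex("000300000008010F0000000801FF")),  # unknown host: Write Multiple Coils
    ("10.1.1.99", bytes.fromhex("00040000000601050001FF00")),      # unknown host: Write Single Coil
    ("10.1.1.10", bytes.fromhex("000500000006010300")),            # truncated frame: length mismatch
]
```

Because the monitor only reads frames copied from a tap, it cannot delay or drop a control message, which is why ISO 27019 prefers it over inline inspection in OT zones.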

Safety Integration

Unique to OT: security must not compromise safety:

  • Safety systems must function during cyber incidents
  • Security controls cannot prevent emergency shutdowns
  • Incident response must consider physical safety
  • Recovery procedures must maintain safe state

Practical Implications for Energy Companies

Organizational Structure

  • Separate OT Security Teams: Different skills from IT security
  • Operational Input: Control engineers involved in security decisions
  • Safety Coordination: Security integrated with safety programs
  • Vendor Management: OT vendors included in security program

Technology Choices

  • Network Segmentation: Air gaps or data diodes where possible
  • Passive Monitoring: Tap-based rather than inline security
  • Change Control: Months of planning for security updates
  • Redundancy: High availability designs for security systems

Cultural Differences

IT security culture vs OT operations culture:

  • IT: "Move fast and break things" → OT: "If it's working, don't touch it"
  • IT: Continuous improvement → OT: Proven reliability
  • IT: Cloud-first → OT: On-premises preference
  • IT: Remote work enabled → OT: Controlled site access

Next Lesson: Navigating the complex regulatory landscape governing energy sector security.
