Physical security meets OT

In operational technology (OT) cyber security, the purpose is to protect the process and keep it running in high-value applications such as factories, pipelines and jets, rather than to protect data.


Several years ago, the key word used by security pundits was "convergence." And, although different marketers came up with variations of what the term meant, the primary definition covered the intersection of physical and logical security.

An example was when physical security systems, such as access control devices, intersected with information technology (IT) systems, such as access to the company computer system. Convergence occurred when the same ID badge provided access through the front door and onto the company computer system. Both the physical infrastructure and the data infrastructure became more secure through this integration.

Meanwhile, in an industrial setting beyond the front offices and data centers and, often, miles away, were the industrial control systems (ICS) that helped create the organizations' revenues.

Used in industries as diverse as oil and gas, power generation and distribution, healthcare (e.g., MRIs), transportation systems, manufacturing and many others, ICS were creating automated solutions that increased productivity by connecting sensors, machines and instruments. They could control local operations such as opening and closing valves and breakers, collect data from sensor systems to turn up the heat of furnaces, and monitor the local environment for alarm conditions. And, although the basis of these systems is a computer, IT could do little to protect them from attack. This is still very much the case.

This very fact emphasizes the difference between IT security and operational technology (OT) security. IT security lives in the context of an IT stack with tools from many vendors—networks, servers, storage, apps, and data. It's in a periodically updated ecosystem where most hosts are talking to lots of other hosts and where there are frequent patch cycles—in weeks or, sometimes, days—in response to expected and known cyber threats. IT security basically protects data (information), not machines.

In OT, what needs protection is not data but high-value, well-defined industrial processes, such as those in factories, pipelines and jets, which execute across a mix of proprietary devices from different manufacturers.

Many of the devices and software used in operational environments are 10 to 30 years old. Many were not designed to be connected, have not been patched very often, and were not devised to withstand modern attacks. Surprisingly, many operators don't know what's actually transpiring on their Industrial Internet and, even if hacked, have no knowledge of the assault.

While the primary goal in IT is to protect data, OT security strives to keep the process running. Whether the threat comes from outside, like hackers or state-sponsored actors, or from inside, like human error, unplanned downtime is simply not acceptable in an environment where companies are operating drills, electric grids, MRIs or locomotives. This is especially true for industries such as oil and gas, energy producers, health facilities, and transportation systems, in which even a couple of minutes of downtime can yield tens of thousands of dollars lost.

To gain access to critical infrastructure OT systems, hackers will leverage different physical assets, including those within the enterprise security system itself.

Physical security and OT intersection

The cornerstone of IT enterprise security is the use of software patching to eliminate underlying implementation vulnerabilities. However, patch management is a particularly painful operation in an OT system. First, organizations don't have the infrastructure for qualifying patches to ensure they do not impact any of the software running on their system, so they have to depend on their vendors to test and ensure new patches will not impact control of their processes. That takes quite a bit of time.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company's chief technology officer, is responsible for strategic alliances, technology, and thought leadership. Courtesy: ISSSource, Wurldtech Security Technologies

Secondly, many of the security controls that are effective in IT are not effective in OT; they must be adapted to the technical requirements of OT systems.

Lastly, applying a patch to an OT system usually means the operation must be shut down. Closing down the refinery, production floor or electric grid periodically to add yet another patch is not a remedy that works when minutes of downtime can cost immense amounts of money. To avoid turning off the operation when patching, hot patches must be delivered to a security solution that resides directly in front of the control unit while the system continues to produce. Since that solution is hardware, we've now found the intersection of physical security and OT cyber security.

This is why physical security professionals should be concerned about critical infrastructure cyber security.

This content originally appeared on ISSSource. Edited by Chris Vavra, production editor, Control Engineering, CFE Media.
