
Intro
In today’s interconnected industrial landscape, ensuring the security of Operational Technology (OT) isn’t just an IT problem - it’s a business imperative. Recently, I had the pleasure of diving deep into OT cybersecurity with Mike Holcomb, a seasoned expert whose practical insights cut through the hype and highlight what really matters for securing our production facilities.
In our conversation, Mike and I explored topics ranging from the evolution of OT security to practical, low-cost measures for protecting your industrial environment. Below, I share the key takeaways from our discussion, along with my own reflections on how you can start building a resilient OT security strategy.
The Evolution of OT Security
The industrial world runs on systems designed decades ago, often built on legacy IT components that are long out of support. OT environments rely on isolation and layered defenses to stay secure, but an attacker needs only a single misconfiguration or human error to compromise the entire facility. As Mike put it, “You’re sitting in the control room, and all the lights are good - you think everything’s fine - but behind the scenes, systems are silently degrading."
Understanding the IT vs. OT Dynamic
One of the most critical differences between IT and OT security lies in their primary objectives.
In IT, confidentiality reigns supreme: the classic CIA ordering puts protecting data first, so you encrypt everything and lock down every data packet.
In OT, the order is reversed and availability comes first. Whether it’s a power plant or a manufacturing facility, keeping the physical process running safely and continuously is the top priority, and safety sits right alongside it.
In simple terms, if an attacker gains access to an OT system, the immediate concern isn’t data theft but the disruption of an essential service - and, because controllers drive physical equipment, the safety of the people around it.
Layered Defense: Air Gaps, DMZs, and Honeypots
Air Gaps Are a Myth
An “air gap” describes a system with no network connectivity at all. That is the theory, and many people still believe an air gap offers complete security.
In theory, keeping your OT environment completely disconnected from external networks should protect it. However, as Mike explained, “The air gap never really exists." The real-world examples he cited, such as the compromised nuclear power plant and employees inadvertently bridging the gap (for example, using a control-system laptop to browse Netflix), remind us that true isolation is hard to achieve and even harder to maintain: every USB stick, vendor laptop and convenience connection is a potential bridge.
DMZs: A Practical Compromise
A more realistic approach is a Demilitarized Zone (DMZ) between the IT and OT networks. A firewall sits on each side of the DMZ, and no rule allows traffic to pass straight from IT to OT: anything that must cross, such as a remote-access jump host or a historian replica, terminates in the DMZ. An attacker who gets into the enterprise network therefore has to compromise a second system and pass a second firewall before reaching a controller, which slows them down and gives you a window to detect and respond to suspicious activity. Think of it like the military DMZ between North and South Korea - an intermediary zone that doesn’t eliminate risk but makes lateral movement much more difficult.
Honeypots for Early Detection
Honeypots are another smart, low-cost tactic. These decoy systems sit quietly on the network, and because no legitimate process ever has a reason to talk to them, any connection to one is a red flag that someone - or something - is scanning or probing your defenses. As Mike demonstrated with his own setup, a simple listener that answers on the Modbus/TCP port (502) like a PLC is enough to serve as an early warning system, without expensive, specialized solutions.
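The following is an added example of the kind of listener described above, written for this article and not Mike Holcomb's own setup. It accepts TCP connections on the Modbus port, parses the MBAP header and function code of whatever arrives, logs an alert (write requests rated higher than reads, and non-Modbus bytes logged as a probe), and answers with a Modbus "illegal function" exception so the client sees a syntactically valid PLC-like response. The sample frames at the bottom are constructed for the example; the alert format and severity labels are this example's own choices, not a standard.

```python
"""Minimal Modbus/TCP honeypot (added example, not from the original article).

Any contact at all is the alarm: nothing legitimate should ever talk to this
host. The listener parses enough Modbus to tell a read from a write and to
reply with a valid exception response.
"""
import logging
import socketserver
import struct
from dataclasses import dataclass

log = logging.getLogger("modbus-honeypot")

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_CODES = {5, 6, 15, 16}
ILLEGAL_FUNCTION = 0x01  # Modbus exception code returned to every client


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus PDU. Raises ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:  # Modbus/TCP always carries protocol id 0
        raise ValueError(f"unexpected protocol id {pid}")
    # The length field counts the unit id byte plus the PDU bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, pid, uid, frame[7], frame[8:])


def exception_response(req: ModbusRequest, exc_code: int = ILLEGAL_FUNCTION) -> bytes:
    """Build an exception response: function code with the high bit set, then the exception code."""
    pdu = bytes([req.function_code | 0x80, exc_code])
    return struct.pack(">HHHB", req.transaction_id, 0, len(pdu) + 1, req.unit_id) + pdu


def classify(req: ModbusRequest, src: str) -> str:
    """Return a one-line alert; anything that would write to a device is rated HIGH."""
    name = FUNCTION_NAMES.get(req.function_code, "unknown")
    sev = "HIGH" if req.function_code in WRITE_CODES else "MEDIUM"
    return (f"{sev} modbus contact from {src}: fc={req.function_code} ({name}) "
            f"unit={req.unit_id} data={req.data.hex()}")


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        src = f"{self.client_address[0]}:{self.client_address[1]}"
        frame = self.request.recv(260)  # max Modbus/TCP ADU is 260 bytes
        if not frame:
            log.warning("MEDIUM empty connection (port scan?) from %s", src)
            return
        try:
            req = parse_mbap(frame)
        except ValueError as err:
            log.warning("MEDIUM non-modbus bytes from %s: %s (%s)", src, frame.hex(), err)
            return
        log.warning(classify(req, src))
        self.request.sendall(exception_response(req))


# Constructed sample frames (not captured traffic):
#   Read Holding Registers, unit 1, start 0, count 10
SAMPLE_READ = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000a")
#   Write Single Register, unit 1, address 0x10, value 0xff
SAMPLE_WRITE = bytes.fromhex("0002" "0000" "0006" "01" "06" "0010" "00ff")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(asctime)s %(message)s")
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    # Port 502 needs root (or CAP_NET_BIND_SERVICE); use a high port for testing.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 502), Handler) as server:
        server.serve_forever()
```

Run it on a spare host inside the OT network (or the DMZ), give it an IP address a scanner would find attractive, and forward its log to wherever your monitoring already goes. A legitimate engineering workstation has no business polling a PLC it has never been configured for, so even a single "Read Holding Registers" from an unexpected source is worth a phone call; a write request is worth an incident.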
Encryption in OT: Balancing Speed and Security
Encryption is frequently promoted as a fail-safe solution for cybersecurity. In OT, the equation changes. While IT environments thrive on encrypting every data stream to ensure confidentiality, OT systems must prioritize speed and reliability: control loops are latency-sensitive, and many installed PLCs have neither the processing headroom nor the firmware support to terminate TLS. Mike pointed out that adding encryption can slow down processing - a critical drawback when your main goal is maintaining uninterrupted operations. For many industrial settings, the cost (in performance and complexity) of encrypting every transaction simply isn’t justified by the risk profile. The caveat is that confidentiality is rarely the real gap: most legacy industrial protocols carry no authentication at all, so a controller will accept a write command from any host that can reach it. That is why the network controls below - segmentation and monitoring - do more for OT than encryption does.
The Cloud Conundrum in OT
There’s growing interest in connecting OT systems to the cloud, primarily to leverage advanced analytics and predictive maintenance. However, moving critical control systems to the cloud comes with significant risks. A hybrid approach - using edge gateways to push data one way to the cloud (a unidirectional gateway or data diode where the process warrants it) while keeping operational control local - can provide the best of both worlds: enhanced data insights without exposing the controllers to an inbound path from the internet.
A Pragmatic Checklist for OT Security
For those managing facilities with limited resources and minimal security experience, Mike’s top five recommendations are a great starting point:
Secure the IT-OT Interface:
Ensure that the connection between your IT systems and OT environment is strictly controlled. Ideally, allow only OT-initiated, one-way flows from OT to IT (for example, a historian pushing process data outward) and deny everything inbound by default, so that a breach of the enterprise network cannot propagate into critical control systems.
Maintain an Accurate Asset Register:
Know what devices and systems are on your network. In OT, this means a detailed inventory of every PLC, HMI, and sensor, including model, firmware version and where it sits on the network. This foundational step is essential before you can even begin vulnerability management - you cannot patch, segment or monitor a device you don’t know you have.
Implement Network Segmentation and Firewalls:
Use firewalls to create segmented zones - especially a DMZ between IT and OT - so that a compromised cell or workstation cannot reach every controller on the site. This layered approach slows down attackers and, just as importantly, gives network security monitoring well-defined choke points where anomalous traffic stands out.
Prioritize Backup and Recovery:
Regularly back up critical system configurations - PLC programs, HMI projects and engineering workstation images - and test your recovery processes, not just the backups. In the OT world, downtime isn’t just a cost issue - it could pose serious safety risks.
Develop an Incident Response Plan:
Know in advance who to call when something goes wrong. Engage with professionals who understand both IT and OT, and establish retainer agreements so that help is available when you need it most.
These steps are designed to lower risk significantly without requiring a massive investment. As Mike emphasized, security in OT isn’t about deploying the flashiest new technology - it’s about implementing common-sense measures that address your most pressing vulnerabilities.
Final Thoughts
Securing OT environments requires a balanced mix of technical know-how and practical, hands-on measures. As our conversation with Mike Holcomb revealed, it’s not about buying the most expensive solution or chasing buzzwords like “zero trust.” It’s about understanding the unique challenges of OT, adopting a layered security strategy, and continuously educating yourself and your team.
For those in the OT and industrial IoT space, I encourage you to start with the basics, focus on protecting what truly matters - availability and safety - and share your knowledge with the community. After all, a safer future for our critical infrastructure starts with informed, proactive decision-making.
PS. You can listen to the complete conversation on YouTube.