IT Security versus Industrial Cybersecurity

IT (Information Technology) security aims to protect the information handled by organizations, the transactional systems that manage this information, the infrastructures that house these systems, and even, after the latest attacks carried out by “cyberterrorist armies,” the nations that group these infrastructures. Focusing on the concept of industrial cybersecurity, this can be defined as the discipline that seeks to protect:

• The information that is handled in OT (Operation Technology) environments, both in industrial sectors and in infrastructures.
• The systems and devices that manage this information (SCADA Servers, Historian Servers, OPC Servers, PLC, RTU, DCS…)
• The industrial plants and infrastructures (generally critical) that house these systems.

Why does the concept of industrial cybersecurity arise? Because the security of industrial plants and infrastructures has been increasingly threatened in recent years with the emergence of different forms of cyberterrorism and cybercrime, with the proliferation of web access to SCADA systems, with the adoption of cloud, mobile, and BYOD (Bring Your Own Device) paradigms, and with the standardization of IT technologies in the industrial field.

Delving deeper into this last point, control or operations (OT) networks and the networks that connect transactional systems (IT) are currently often integrated. This is because both environments need to share information with each other, in real time on many occasions, and also because this information, as well as some process monitoring and control applications, is often required to be accessible from outside the plant. This, which allows the organization to be flexible and quick to act, can become a problem if measures are not taken to ensure that the transit and/or sharing of information is carried out securely.

On the other hand, the use of typically IT technologies (Ethernet, TCP/IP, etc.) means that the industrial environment can be affected by the same vulnerabilities and threats associated with the IT environment, inheriting its weaknesses.

The worst thing is that, on many occasions, the criticality and specificity of the industrial environment does not allow the implementation of the same countermeasures as in a traditional IT environment. In fact, there are clear differences between the IT and OT fields, which justify the need to address the development and implementation of specific industrial cybersecurity programs that are aligned with the organization’s IT security policies. These differences are described in the following figure.

Finally, taking into account the idiosyncrasies of the industrial and infrastructure sectors, it is important to highlight that the development and implementation of industrial cybersecurity programs must be carried out considering three pillars: systems, processes, and people.

• Regarding systems, it is advisable to incorporate specific systems related to network segmentation, with the analysis and management of security-related events, etc., into OT environments.
• As for processes, policies, procedures, and programs must be established to help fortify industrial and infrastructure environments.
• Finally, the third pillar, and without a doubt the most complex to manage, people, it is necessary to create multidisciplinary teams (Red Teams) that are capable of identifying possible threats and vulnerabilities, managing the ISMS, and adapting the processes proposed in the regulations and reference documents to each specific plant.