!poster - ICS Vs IT Security - 2022


The Differences Between ICS/OT and IT Security

This SANS industrial control system (ICS) poster offers guidance on defining the differences between cybersecurity defense across six areas: Incident Response methodologies, security controls, safety, impacts, skillsets, and the security missions for ICS/OT (operations technology) compared to traditional information technology (IT) security.

[Figure: The main differences between IT and OT/ICS systems drive differing requirements – Security Skillsets, Incident Response, Cyber Security Controls, Safety, Support System Designs]

INDUSTRIAL CONTROL SYSTEMS UNDERPIN MODERN SOCIETY

Control systems and critical infrastructure underpin a range of daily activities that are part of today’s modern world. When we flip on a light switch at home or the office, pump gas into our cars at a gas station, or pour water from a tap, we are relying on industrial control and critical infrastructure systems. The complex, interconnected, and interdependent mix of both legacy and modern computer systems that are responsible for supporting the operation and security of everything from oil and gas production to manufacturing and public utilities management requires additional considerations for modern cyber defense beyond traditional IT security.

LEGACY ICS INTERFACES

Industrial control systems were not always as connected, highly automated, and complex as they are today. In the past, such systems were designed, built, tested, and deployed for a particular purpose, enabled the control system to operate in isolation, and ran on proprietary protocols. They were designed and operated in an isolated network away from other networks, including IT business networks and the Internet.

ICS MODERNIZATION

Over the years, advancements of modern network technology and equipment control systems have facilitated a shift from an isolated control environment to a more connected environment. This has brought several business benefits such as cost savings, and of course more external connections ultimately broke the isolated or “air-gapped” model, making ICS less isolated and exposed to additional cyber risk.

MODERN ICS

The enabling of more external connections has allowed for taking advantage of the benefits of remote monitoring and control of industrial processes, including using external support personnel to reduce travel costs and remotely access environments. Today, most control systems use modern TCP/IP network stacks, modern network technologies, and a blend of traditional IT and industrial protocols. However, in many cases legacy systems still exist as part of critical subsystems within control systems. In addition, despite its benefits, automation can bring new types of risks.

SAFETY CULTURE AND TRAINING

Safety training, drills, meetings, and stop-work safety protocols are commonplace in control system environments. Impacts such as malfunctioning equipment or a cyber-attack on the control system network can have safety ramifications for facility workers and the environment, as well as the potential to disrupt or destroy physical engineering assets. As such, many ICS organizations have a strong safety culture. Even access to process control sites typically requires safety training and certification as well as personal protective equipment, depending on the job role, or even just to visit.

IT SECURITY AND ICS SECURITY DEFINED

Industrial engineering control system assets are often inaccurately compared to traditional IT assets. IT and ICS systems have different missions, objectives, and impacts during an incident. They also have different devices, including but not limited to embedded operating systems and engineering devices speaking nontraditional industrial protocols. Adversaries targeting ICS must use different attack tactics and techniques for access, execution, collection, and persistence to degrade safety, manipulate control, and damage physical engineering assets or property.

IT and ICS systems differ in terms of:

IT SECURITY – MOVING AND SECURING DATA

Traditional IT security focuses on digital data at rest or data in transit and the pillars of confidentiality, integrity and availability.

ICS/OT SECURITY – ENABLING AND SECURING PHYSICAL INPUT AND ACTIONS

OT/ICS systems manage, monitor, and control real-time engineering systems for physical input values and control output for physical actions in the real world. The main priority in OT/ICS is the safety and reliability of operations.

[Figure: IT versus ICS compared by Impact, Purpose, Controls, Systems, and Data Type]

MAIN DIFFERENCES BETWEEN ICS/OT AND IT SECURITY

SECURITY TRIAD PRIORITIZATION

The priority in IT security tends to be data confidentiality, integrity, and availability. The objective in the ICS is a control system that has integrity, availability, and confidentiality that enables operating the process with confidence and supports safety as its primary goal. This involves:

• Safe operations
• Integrity of the engineering process and commands
• Availability of the operational processes and safety systems
• Confidentiality of sensitive ICS engineering information that may exist in the ICS network(s).

It is not that confidentiality is not important in ICS, it is just that it has far less importance in an industrial environment with so few users and with limited or no access to the Internet. As well, IT and ICS have different attack surfaces and risk profiles. External site-to-site encrypted channels are needed for geographically dispersed facilities. However, secure authentication of ICS commands inside control networks could be put in place after ICS-specific or adapted defenses are established, starting with network architecture, passive defenses, and a solid deployment of ICS network security monitoring conducted daily by trained ICS security defenders using ICS protocol aware tools. Enabling encryption inside an ICS network(s) requires a risk benefit analysis and heavy consideration for cyber defense capabilities and impacts to the real-time communication requirements and legacy devices.

Priority | IT | ICS | ICS Ideal State
1 | Confidentiality | Availability | Integrity
2 | Integrity | Integrity | Availability
3 | Availability | Confidentiality | Confidentiality

UNIQUE CONSIDERATIONS FOR ICS SECURITY

• Unique Systems – Nontraditional computer systems with industrial and proprietary protocols.
• Reliance on External Vendor Support – Engineering systems with external engineering team support that may require special secure remote access and monitoring.
• Legacy Systems – Devices that may not be suitable for patching or firmware updates, or that are only available for patching or firmware updates to internal operating systems at infrequent times.
• Nontraditional Operating Systems – Purpose-built embedded and/or proprietary operating systems that are common in control environments where many traditional security defenses are not effective or applicable.
• Safety of People – The main goal for control systems is not confidentiality, integrity and availability, but rather safety. Then integrity to trust operational commands, then availability.
• Protection of Physical Assets – Control systems use physical components to change the physical world. Impacts such as a cyber-attack could result in physical damage, safety implications, environmental impacts, and the potential for loss of life.

CYBER ATTACKS IN INFORMATION TECHNOLOGY ENVIRONMENTS

Cyber incidents in traditional IT environments can lead to digital data corruption, sensitive information breaches, data destruction, and business application system downtime.

CYBER ATTACKS IN INDUSTRIAL ENVIRONMENTS

Cyber-attacks in ICS environments, or cyber-kinetic attacks, can lead to direct or indirect physical damage to engineering assets, introduce environmental impacts, and cause human injury or death.

IT INCIDENT IMPACT POTENTIAL | ICS INCIDENT IMPACT POTENTIAL
Business applications unavailable – local to business/organization | Critical infrastructure unavailable – possible wide region disruption or outages
Digital data corruption | Loss of control or manipulation of physical process
Digital data loss | Personnel safety, loss of life
Comparison of Security Controls

There’s a wealth of knowledge available to perform IT defense. However, a “copy and paste” of traditional security into an ICS could have problematic or even devastating impacts that result in unsafe conditions. The steps of IT incident response – Detection & Identification, Containment, Eradication, Recovery, and Lessons Learned – are still at play in an ICS. However, there are more steps, and each step needs to be adapted for the safety and reliability of operations that prioritize human life and the protection of physical assets. For example, false positives are not or very rarely acceptable in the ICS and can cause major unintended engineering process and safety impacts.

Security Control | Common IT Action | Common ICS/OT Action
Endpoint Protection | Signatures, heuristics-based – Quarantine files | Allowlisting – Alerting
Firewalls | Segment users and servers | Segment away from IT, Internet; segment ICS process zones
Network IDS/IPS | Intrusion Prevention System – Drop network traffic flagged as suspicious | Intrusion Detection System – alert only for suspicious traffic – must have ICS deep-packet inspection capabilities
Vulnerability Scanning | Regular internal, automated, and active scanning methods are common | Tested, passive methods used, run during maintenance window, use careful consideration – active scanning could disrupt legacy engineering assets
Patching | Monthly, streamlined process | Less frequent, legacy devices may not be patchable, fewer patch windows available
Security Awareness | Phishing, Internet usage, and data protections | IT security awareness with additional cybersecurity, physical security, safety specific to OT/ICS
Event Detection | Windows event logs, traditional endpoint protection, URL inspection, email sandboxing, etc. | Windows event logs, engineering change logs, ICS protocol baselining and anomaly detection, ICS network boundary access detection, remote access by vendors to critical components
Incident on Asset | Containment, patch, re-deploy | Fight through attack – maintain safety, conduct quick triage, contain where feasible, monitor operations, completely eradicate on next maintenance window

NETWORK INTRUSION DETECTION & PREVENTION

All network inspection devices deployed to make decisions on ICS traffic should be able to conduct deep packet analysis and interpret ICS protocols and commands. As with antivirus solutions on endpoints, false positives can occur in network inspection as well. Thus, an Intrusion Detection System (IDS) for alerting on suspect network traffic on a control network is more suitable than an Intrusion Prevention System (IPS), as IPS solutions block or drop network traffic that could end up being legitimate control commands, thus wrongly disrupting the control system and risking safety. For example, using a passive network traffic analysis is a safer method than injecting packets onto the ICS network to discover vulnerabilities.

VULNERABILITY SCANNING

Automated vulnerability scanning in IT is a common and usually unintrusive practice. Vulnerability scanning in an ICS network can have unpredictable and undesirable effects, especially with aged firmware versions or legacy devices simply not designed to handle abnormal traffic patterns or excessive network connections to them. Alternative less-invasive methods of vulnerability assessments can be performed by reviewing asset inventories, configuration files, and firmware versions against threat intelligence and vulnerability advisories. With careful planning and a phased approach, vulnerability assessment can be conducted effectively in ICS.

ENCRYPTION

Encrypting network traffic between remote sites over inherently insecure channels can protect both IT and ICS networks and is a general best practice. However, confidentiality inside an ICS is less of a requirement than it is inside business networks. Internal ICS network encryption can result in unintended challenges with little gain. Attention to endpoint processing power, network latency, and bandwidth consumption, especially in facilities with legacy equipment, will be needed. In addition, Network Security Monitoring defense capabilities may be severely limited if the control network is encrypted, effectively blinding defenders. The risk profile for IT is different than for ICS. The risk of users eavesdropping or sniffing sensitive personal data inside the ICS network is not the same as in a business network and demands a different protection approach.

ENDPOINT PROTECTION

Most modern endpoint protection solutions have signature-based, behavioral, or heuristics engines to assist with threat identification in IT environments. Signature-based endpoint protection tools may not be trivial to update in an isolated ICS network. Behavioral threat prevention tools can cause false positives and disrupt an industrial process and cause unsafe physical conditions. In contrast, allowlisting features for ICS endpoint protection can be effective when maintained throughout controlled changes or maintenance windows in the ICS. Allowlisting does not require signatures or constant updates, which makes security control maintenance easier in control environments, as such environments are more static, with far fewer users compared to IT environments.

FIREWALLS

The proper use of firewalls is critical in ICS for the same reasons as in IT. Firewalls can be used for containment in incident response, as chokepoints for data collection for Network Security Monitoring, and for segmenting network zones and properly controlling traffic via role-based access control lists. For example, they can be used to isolate different control networks from each other, the Internet, and corporate business networks. ICS firewalls should not allow any direct connections to or from the Internet. If remote access is needed for maintenance or support, this should be implemented with care and with multiple layers such as multi-factor authentication, extremely strict access control, additional monitoring/alerting, the use of jump hosts, and an ICS demilitarized zone.

PATCHING

Patching operating systems and software is an effective security practice that has been commonplace in business networks for decades. For ICS, there are special circumstances where patching may not be feasible or possible. This could be the case with legacy equipment or critical infrastructure systems during peak load of operations. This process continues to improve across multiple ICS sectors, so patching is becoming more of a positive and achievable part of preventative maintenance for facilities. However, patching must be evaluated much more than simply by employing the Common Vulnerability Scoring System (CVSS). Remember, when evaluating advisories and vulnerability reports to prioritize patching, a Threat = Capability of the adversary + Intent of the adversary + Opportunity for the adversary to have an impact. When patching in ICS, always ask the question “Do the ICS operational needs and safety outweigh the risk of a potential identified vulnerability within the control system actually being accessed and successfully exploited?”

PROTOCOLS

Some traditional networking and IT protocols can be seen inside control system environments used for engineering processes, but they go well beyond common protocols and can include specific industrial protocols and several proprietary protocols as well.

Common IT Protocols
• SSH
• SMB
• SFTP
• HTTP
• HTTPS
• SMTP
• 802.11
• DHCP
• DNS

Common ICS/OT Protocols
• SSH
• Telnet
• FTP
• SMB
• HTTP
• HTTPS
• DHCP
• DNS
• OPC
• ICCP
• ModbusTCP
• DNP3
• IEC104
• IEC101
• HART
• PROFINET
• PROFIBUS
• EtherNet/IP
• VSAT
• BGAN
• BACnet
• and various industrial proprietary protocols
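The alert-only IDS from the Network IDS/IPS row and the ICS protocol baselining from the Event Detection row, as an added example that is not part of the poster: it parses Modbus/TCP request frames (deep packet inspection), checks each conversation, function code and write address against a baseline, and raises alerts without ever dropping a frame. The hosts, register window and traffic are constructed for the example.

```python
"""Alert-only Modbus/TCP network IDS with protocol baselining (added example)."""
import struct
from dataclasses import dataclass

READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS = 0x03, 0x06, 0x10
WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}  # public Modbus write function codes


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    start_addr: int  # -1 when the PDU carries no address field


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Deep-packet parse: MBAP header (tid 2 | proto 2 | length 2 | unit 1), then the
    PDU (function 1 | data; register functions put the start address first)."""
    _tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])  # struct.error if short
    if len(frame) < 8 or proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed or truncated Modbus/TCP frame")
    start = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else -1
    return ModbusRequest(src, dst, unit_id, frame[7], start)


def build_request(tid: int, unit_id: int, function: int, data: bytes) -> bytes:
    pdu = bytes([function]) + data  # only used to construct the sample traffic below
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


class AlertOnlyIds:
    """Baseline-driven detector: it records alerts but always forwards the frame,
    never dropping it, because a dropped legitimate command could halt the process."""
    def __init__(self, baseline: set, write_ranges: dict):
        self.baseline = baseline          # allowed (src, dst, unit_id, function)
        self.write_ranges = write_ranges  # (dst, unit_id) -> (low, high) register window
        self.alerts = []

    def inspect(self, req: ModbusRequest) -> ModbusRequest:
        key = (req.src, req.dst, req.unit_id, req.function)
        if key not in self.baseline:
            self.alerts.append(f"unbaselined conversation/function {key}")
        if req.function in WRITE_FUNCS:
            low, high = self.write_ranges.get((req.dst, req.unit_id), (-1, -1))
            if not low <= req.start_addr <= high:
                self.alerts.append(f"write outside baseline window {key} addr={req.start_addr}")
        return req  # alert-only: the frame is forwarded unchanged


# Constructed baseline and sample traffic (hypothetical addresses, not a real capture).
BASELINE = {("10.10.1.5", "10.10.2.20", 1, READ_HOLDING_REGISTERS),
            ("10.10.1.5", "10.10.2.20", 1, WRITE_SINGLE_REGISTER)}
WRITE_RANGES = {("10.10.2.20", 1): (100, 110)}  # HMI setpoint registers 100..110
SAMPLE_TRAFFIC = [
    ("10.10.1.5", "10.10.2.20", build_request(1, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10))),
    ("10.10.1.5", "10.10.2.20", build_request(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 105, 1))),
    ("10.10.1.99", "10.10.2.20", build_request(3, 1, WRITE_MULTIPLE_REGISTERS,
                                                struct.pack(">HHB", 500, 1, 2) + b"\x00\x01")),
]


def run_demo() -> dict:
    """Inspect the sample traffic; returns frames forwarded and the alerts raised."""
    ids = AlertOnlyIds(BASELINE, WRITE_RANGES)
    forwarded = [ids.inspect(parse_modbus_tcp(s, d, f)) for s, d, f in SAMPLE_TRAFFIC]
    return {"forwarded": len(forwarded), "alerts": ids.alerts}
```

The third frame, a write from an unbaselined host to a register outside the setpoint window, produces two alerts, yet all three frames are still forwarded.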
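The passive vulnerability assessment described under VULNERABILITY SCANNING and the patch prioritization under PATCHING, as an added example (not poster code): inventory rows are matched against advisories offline, so no packets reach the devices, and findings are ranked by adversary capability and opportunity rather than by CVSS alone. The inventory, advisory identifiers and column names are constructed placeholders.

```python
"""Passive ICS vulnerability assessment (added example): match an asset inventory
against advisories offline, so nothing is sent to the devices themselves."""
import csv
import io

# Constructed inventory export (hypothetical assets and columns, not real devices).
INVENTORY_CSV = """asset,vendor,product,firmware,zone,remote_reachable,safety_critical
PLC-01,ExampleVendor,PLC-X,2.3.0,process,no,yes
PLC-02,ExampleVendor,PLC-X,2.4.1,process,no,yes
HMI-01,ExampleVendor,HMI-Y,5.1,supervisory,yes,no
"""

# Constructed advisories with placeholder identifiers (not real CVE or vendor ids).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "vendor": "ExampleVendor", "product": "PLC-X",
     "fixed_in": "2.4.1", "cvss": 9.8, "exploit_public": False},
    {"id": "ADV-PLACEHOLDER-2", "vendor": "ExampleVendor", "product": "HMI-Y",
     "fixed_in": "5.2", "cvss": 7.5, "exploit_public": True},
]


def version_key(version: str) -> tuple:
    """Dotted firmware string to a comparable tuple, e.g. '2.4.1' -> (2, 4, 1)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(firmware: str, fixed_in: str) -> bool:
    """True when the installed firmware is older than the advisory's fixed version."""
    return version_key(firmware) < version_key(fixed_in)


def prioritise(asset: dict, adv: dict) -> dict:
    """Score beyond CVSS: adversary capability (public exploit) and opportunity
    (a reachable path to the device). Intent would come from threat intelligence
    and is not modelled here (an assumption of this example)."""
    capability = adv["exploit_public"]
    opportunity = asset["remote_reachable"] == "yes"
    safety = asset["safety_critical"] == "yes"
    if opportunity and capability:
        action = "patch at the next maintenance window; add compensating controls now"
    elif safety and not opportunity:
        action = "track; weigh disruption risk to a safety-critical asset before patching"
    else:
        action = "track; re-evaluate if exposure or threat intelligence changes"
    return {"asset": asset["asset"], "advisory": adv["id"], "cvss": adv["cvss"],
            "capability": capability, "opportunity": opportunity, "action": action}


def assess(inventory_csv: str, advisories: list) -> list:
    """Passive matching of inventory rows to advisories; no network traffic is generated."""
    findings = []
    for asset in csv.DictReader(io.StringIO(inventory_csv)):
        for adv in advisories:
            same_product = (asset["vendor"], asset["product"]) == (adv["vendor"], adv["product"])
            if same_product and is_affected(asset["firmware"], adv["fixed_in"]):
                findings.append(prioritise(asset, adv))
    # Opportunity and capability rank above raw CVSS when ordering the work.
    findings.sort(key=lambda f: (f["opportunity"], f["capability"], f["cvss"]), reverse=True)
    return findings
```

The reachable HMI with a public exploit ranks above the isolated PLC even though the PLC advisory carries the higher CVSS score.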

ICS AND IT SYSTEM LIFECYCLE DIFFERENCES

Area | Information Technology | Industrial Control Systems
Operating Environment | Indoor office settings, air-controlled data centers | Outdoor extreme weather conditions, industrial facilities, complex remote sites
Technology & Support | Commercial off-the-shelf software | Specialized engineering software
Technology & Support | Commercial off-the-shelf hardware | Specialized engineering hardware
Technology & Support | Traditional IT protocols | IT protocols + industrial and proprietary protocols
Lifecycle | Regular frequent patching; 2–3 year upgrade cycles | Less frequent patching, fewer maintenance windows; 5–10+ year upgrade cycles
Design and Architecture | Dynamic environments | Static environments
Design and Architecture | Abundance of users, in/outbound Internet connectivity, focus on user experience | Very few operators, little/no Internet connectivity, very restrictive, focus on process rather than user experience to prioritize safety
Design and Architecture | Network segmentation – users, servers | Network segmentation adhering to Purdue Levels 0–5, or ICS410 Network Architecture Reference Model
Design and Architecture | Common and well-known systems, more modern technology | Systems more unique and legacy components are common
Design and Architecture | Many users with individual and unpredictable network patterns | More static network, system-to-system more predictable network communications
Priority and Mission | Data confidentiality, integrity, availability | Safety of people, protection from physical equipment damage, industrial command integrity, process control system availability of engineering processes
Cyber Attacks | Adversary attack research and exploit kits well known and publicly available and scalable to general IT networks | Smaller adversary groups targeting ICS (currently, but increasing to target ICS); adversaries generally need more time and skill to have significant impact

IT/OT CONVERGENCE

IT/OT convergence can be broken down into two threads of thought: technology, and resources/teams.

CONVERGENCE OF TECHNOLOGY

Many operations technology environments have been leveraging traditional operating systems and networking infrastructure to automate and improve control system processes for decades. These traditional operating systems running OT and engineering software remain part of ICS supporting the control system mission, and thus should be properly managed and protected as ICS/OT assets.

CONVERGENCE OF SECURITY RESOURCES

In recent years, leaders have been bringing IT security and ICS security teams with their unique security skillsets together or separating them out. Specifically, they are bringing in IT security team members to manage traditional security for the business networks, and ICS security team members to protect the control system networks at all levels of the control system for all OT/ICS assets, including nontraditional systems, protocols, and engineering systems in ICS environments.

ICS/OT SPECIFIC CYBERSECURITY DEFENSE REQUIREMENTS

Whether in a converged or specific ICS security team, it is imperative that OT/ICS defenders be trained with ICS-specific security knowledge, technologies, tools, and procedures. This means training them to understand the nuances between traditional IT and ICS security, the ICS mission, safety, the engineering process, and ICS protocols and active defense strategies that excel inside control environments, which are different from traditional IT security.

SYSTEMS, PROTOCOLS AND ICS NETWORK MAP

[Figure: ICS network map, from the outside in]
• External Network Hosts (Business or Plant Network) – Common Protocols
• Traditional Technology: DMZ Applications – Common Protocols (common operating systems, common protocols)
• Supervisory Control Elements (Network, Applications, Servers) – Common & Industrial Protocols (Engineering, Alarm, HMI, Application)
• ICS/OT: adapted operating systems, embedded operating systems, industrial protocols, engineering hardware assets, specific security controls, specific incident response, safety
• Control Elements (PLCs, RTUs, SIS) – Industrial Protocols (Local HMI)
• Sensors & Actuators – IO Fieldbus using Industrial Protocols
• OT/ICS ENVIRONMENT

THE ICS SECURITY FUTURE

This poster has shown that there are different approaches to IT and ICS security – and that’s okay! While some parts of traditional IT security can help guide the community, a direct “copy-paste” of such security is not recommended for ICS and will likely cause disruptions and/or safety concerns in control system environments. The OT/ICS community can adapt IT security for OT/ICS where it makes sense, all the while adjusting and prioritizing safety, human life, the reliability of operations, and the protection of physical assets. Remember, “ICS Defense Is Doable!”

SANS ICS CURRICULUM (ics.sans.org)

• ICS410: ICS/SCADA Security Essentials – Global Industrial Cyber Security Professional (GICSP)
• ICS515: ICS Active Defense & Incident Response – GIAC Response and Industrial Defense (GRID)
• ICS418: ICS Security Essentials for Managers
• ICS612: ICS Cyber Security In-Depth
• ICS456: Essentials for NERC Critical Infrastructure Protection – GIAC Critical Infrastructure Protection (GCIP)

Latest ICS Security News and Updates: ics.sans.org
Join the Conversation: @SANSICS
Join the SANS ICS Community Forum: ics-community.sans.org/signup
Thought Leadership: SANS ICS
Free and Open-source Tools for ICS: ControlThings.io
Insights and Demos: SANS ICS Security

ICSPS_ICS-IT_v1.1_12-21
This poster was created by Dean C. Parsons. ©2021 Dean C. Parsons. All Rights Reserved.
