256:
adjust its OT systems, which has introduced massive challenges in securing them. Approaches known from regular IT are usually replaced or redesigned to align with the OT environment. OT has different priorities and a different infrastructure to protect when compared with IT; typically IT systems are designed around 'Confidentiality, Integrity, Availability' (i.e. keep information safe and correct before allowing a user to access it) whereas OT systems require 'realtime control and functionality change flexibility, availability, integrity, confidentiality' to operate effectively (i.e. present the user with information wherever possible and worry about correctness or confidentiality after).
243:. A principal driver of the adoption of the term was that the nature of operational technology platforms had evolved from bespoke proprietary systems to complex software portfolios that rely on IT infrastructure. This change was termed IT OT convergence. The concept of aligning and integrating the IT and OT systems of industrial companies gained importance as companies realized that physical assets and infrastructure was both managed by OT systems but also generated data for the IT systems running the business. In May 2009 a paper was presented at the 4th World Congress on Engineering Asset Management Athens, Greece outlining the importance of this in the area of asset management
332:
implementation of OT systems. In addition certainly since 2000, 100,000's of buildings have had IoT building management, automation and smart lighting control solutions fitted These solutions have either no proper security or very inadequate security capabilities either designed in or applied. This has recently led to bad actors exploiting such solutions' vulnerabilities with ransomware attacks causing system lock outs, operational failures exposing businesses operating in such buildings to the immense risks to health and safety, operations, brand reputation and financial damage
145:(PLC), as well as dedicated networks and organization units. The built environment, whether commercial or domestic, is increasingly controlled and monitored via 10s, 100s, and 1,000s of Internet of Things (IoT) devices. In this application space, these IoT devices are both interconnected via converged technology edge IoT platforms and or via "cloud" based applications.
173:
Laboratory systems (heterogenous
Instruments with embedded computer systems or often non standardized technical components used in their computer systems) are commonly a borderline case between IT and OT since they mostly clearly don't fit into standard IT scope but also are often not part of OT core
340:
There is a strong focus put on subjects like IT/OT cooperation or IT/OT alignment in the modern industrial setting. It is crucial for the companies to build close cooperation between IT and OT departments, resulting in increased effectiveness in many areas of OT and IT systems alike (such as change
283:
OT often control and monitor important industrial processes, critical infrastructure, and other physical devices. These networks are vital for the proper functioning of various industries, such as manufacturing, power generation, transportation and our society. Most common vulnerabilities and attack
246:
Industrial technology companies such as GE, Hitachi, Honeywell, Siemens, ABB and
Rockwell are the main providers of OT platforms and systems either embedded in equipment or added to them for control, management and monitoring. These industrial technology companies have needed to evolve into software
165:
OT systems can be required to control valves, engines, conveyors and other machines to regulate various process values, such as temperature, pressure, flow, and to monitor them to prevent hazardous conditions. OT systems use various technologies for hardware design and communications protocols, that
222:). More recently IT-standard network protocols are being implemented in OT devices and systems to reduce complexity and increase compatibility with more traditional IT hardware (e.g. TCP/IP); this however has had a demonstrable reduction in security for OT systems, which in the past have relied on
238:
The term operational technology as applied to industrial control systems was first published in a research paper from
Gartner in May 2006 (Steenstrup, Sumic, Spiers, Williams) and presented publicly in September 2006 at the Gartner Energy and Utilities IT Summit. Initially the term was applied to
255:
From the very beginning security of operational technology has relied almost entirely on the standalone nature of OT installations, security by obscurity. At least since 2005 OT systems have become linked to IT systems with the corporate goal of widening an organization's ability to monitor and
331:
Operational technology is widely used in refineries, power plants, nuclear plants, etc. and as such has become a common, crucial element of critical infrastructure systems. Depending on the country there are increasing legal obligations for
Critical Infrastructure operators with regards to the
322:
To protect against these risks, organizations should adopt a proactive, multi-layered security approach, including regular risk assessments, network segmentation, strong authentication, and access controls, as well as continuous monitoring and incident response capabilities.
348:
in the nuclear environment), instead relying on hard-wired control systems to perform such functions; this decision stems from the widely recognized issue with substantiating software (e.g. code may perform marginally differently once compiled). The
169:
Since OT systems often supervise industrial processes, most of the time availability must be sustained. This often means that real time (or near-real time) processing is required, with high rates of reliability and availability.
273:
Critical assets: Because of OT's role in monitoring and controlling critical industrial process, OT systems are very often part of national critical infrastructures. As such they may require enhanced security features as a
149:
are also included in the sphere of operational technology (e.g. smart instrumentation), along with a large subset of scientific data acquisition, control, and computing devices. An OT device could be as small as the
308:
Integration with IT networks: The increasing convergence of IT and OT networks can introduce new vulnerabilities and attack vectors, as vulnerabilities in one network can potentially be exploited to compromise the
263:
OT components are often built without basic IT security requirements being factored in, aiming instead at achieving functional goals. These components may be insecure by design and vulnerable to cyber-attacks.
318:
Lack of cybersecurity awareness and training: Many organizations do not adequately train their employees on the importance of cybersecurity, leading to an increased risk of human error and insider threats.
298:
Insecure communication protocols: Many OT networks use proprietary or legacy communication protocols, which may lack encryption or other security features, making them vulnerable to eavesdropping and data
291:
Lack of segmentation: Inadequate network segmentation can lead to a compromised device in one part of the network, which may allow an attacker to access other parts of the network, increasing the overall
288:
Legacy systems and outdated technology: Many OT networks still rely on older hardware and software that may not have been designed with security in mind, making them more susceptible to cyber attacks.
175:
353:
malware is one example of this, highlighting the potential for disaster should a safety system become infected with malware (whether targeted at that system or accidentally infected).
302:
Limited visibility and monitoring: OT networks often lack comprehensive monitoring and visibility tools, which makes it difficult to detect and respond to potential security incidents.
186:
Historical OT networks utilized proprietary protocols optimized for the required functions, some of which have become adopted as 'standard' industrial communications protocols (e.g.
162:
Systems that process operational data (including electronic, telecommunications, computer systems and technical components) are included under the term operational technology.
295:
Insufficient authentication and access control: Weak authentication mechanisms and access controls can enable unauthorized users to gain access to sensitive systems and data.
457:
266:
Vendor dependency: Due to the general lack of knowledge related to industrial automation, most companies are heavily dependent on their OT vendors. This leads to
582:
523:
443:
315:
Physical security: OT networks involve physical devices and infrastructure that can be susceptible to physical attacks, such as tampering or theft.
472:
312:
Supply chain risks: Compromised hardware or software components in the OT network can introduce vulnerabilities that attackers can exploit.
305:
Insider threats: Malicious insiders or negligent employees can exploit their access to OT networks to cause harm or steal sensitive data.
166:
are unknown in IT. Common problems include supporting legacy systems & devices and numerous vendor architectures and standards.
130:
537:
203:
507:
247:
companies rather than being strictly machine providers. This change impacts their business models which are still evolving
638:
239:
power utility control systems, but over time was adopted by other industrial sectors and used in combination with
46:
The term has become established to demonstrate the technological and functional differences between traditional
66:
610:
142:
658:
624:
551:
134:
78:
126:
51:
219:
487:
107:
596:
412:
154:(ECU) of a car or as large as the distributed control network for a national electricity grid.
47:
223:
138:
27:
8:
151:
101:
97:
517:
458:"The IoT Convergence: How IT and OT Can Work Together to Secure the Internet of Things"
240:
425:
344:
A typical restriction is the refusal to allow OT systems to perform safety functions (
503:
437:
84:
495:
35:
499:
146:
568:
488:"Information and Operational Technologies Nexus for Asset Lifecycle Management"
267:
211:
361:
Operational technology is utilized in many sectors and environments, such as:
652:
597:"The 5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History"
91:
538:"Industrial Giants Still Struggling To Find New Digital Business Models"
113:
Energy monitoring, security and safety systems for the built environment
199:
195:
31:
350:
227:
215:
174:
definitions. This kind of environment may also be referred to as
423:
259:
Other challenges affecting the security of OT systems include:
207:
191:
72:
39:
485:
54:
environment, the so-called "IT in the non-carpeted areas".
187:
341:
management, incident management and security standards)
583:"Smart Yet Flawed: IoT Device Vulnerabilities Explained"
426:"IT and OT Interaction Gives Rise to New Governance"
34:
that detects or causes a change, through the direct
473:"The Strategy, Value and Risk of IT/OT Convergence"
125:The term usually describes environments containing
87:(CNC) systems, including computerized machine tools
270:, eroding the ability to implement security fixes.
414:"Gartner IT Glossary > Operational Technology"
650:
116:Transportation systems for the built environment
73:Supervisory control and data acquisition systems
226:and the inability to run PC-based malware (see
639:"Mind the Gap - A Roadmap to IT/OT Alignment"
522:: CS1 maint: multiple names: authors list (
442:: CS1 maint: multiple names: authors list (
284:vectors should be addressed, whereof :
62:Examples of operational technology include:
110:both for internal and external applications
326:
230:for a well-known example of this change).
392:Building lighting controls and automation
278:
552:"IT/OT Convergence: Bridging the Divide"
131:supervisory control and data acquisition
38:and/or control of industrial equipment,
651:
569:"Internet of Things Forecast Database"
492:Engineering Asset Lifecycle Management
470:
486:Koronios, Haider, Steenstrup (2010).
424:Steenstrup, Sumic, Spiers, Williams.
611:"Gartner Glossary: IT/ OT Alignment"
625:"5 TIPS TO IMPROVE IT/OT ALIGNMENT"
90:Scientific equipment (e.g. digital
13:
389:Building management and automation
14:
670:
176:industrial information technology
631:
617:
603:
589:
16:Category of computer technology
575:
561:
544:
530:
479:
464:
450:
417:
406:
143:programmable logic controllers
67:Programmable logic controllers
1:
399:
395:Mining and mineral processing
335:
120:
500:10.1007/978-0-85729-320-6_13
181:
7:
250:
102:building automation systems
79:Distributed control systems
57:
10:
675:
383:Scientific experimentation
356:
233:
157:
135:distributed control system
127:industrial control systems
98:Building Management System
85:Computer numerical control
52:industrial control systems
371:Chemicals manufacturing
327:Critical infrastructure
471:Steenstrup, Kristian.
386:Critical manufacturing
279:Common vulnerabilities
48:information technology
42:, processes and events
20:Operational technology
139:remote terminal units
494:. pp. 112–119.
659:Control engineering
368:Power and utilities
152:engine control unit
509:978-0-85729-321-3
133:(SCADA) systems,
108:Lighting controls
50:(IT) systems and
666:
643:
642:
635:
629:
628:
621:
615:
614:
607:
601:
600:
593:
587:
586:
579:
573:
572:
565:
559:
558:
556:
548:
542:
541:
534:
528:
527:
521:
513:
483:
477:
476:
468:
462:
461:
454:
448:
447:
441:
433:
421:
415:
410:
377:Waste management
147:Embedded Systems
674:
673:
669:
668:
667:
665:
664:
663:
649:
648:
647:
646:
637:
636:
632:
623:
622:
618:
609:
608:
604:
595:
594:
590:
581:
580:
576:
567:
566:
562:
554:
550:
549:
545:
536:
535:
531:
515:
514:
510:
484:
480:
469:
465:
456:
455:
451:
435:
434:
422:
418:
411:
407:
402:
374:Water treatment
359:
338:
329:
281:
253:
236:
184:
160:
129:(ICS), such as
123:
60:
17:
12:
11:
5:
672:
662:
661:
645:
644:
630:
616:
602:
588:
574:
560:
543:
529:
508:
478:
463:
449:
416:
404:
403:
401:
398:
397:
396:
393:
390:
387:
384:
381:
380:Transportation
378:
375:
372:
369:
366:
358:
355:
337:
334:
328:
325:
320:
319:
316:
313:
310:
306:
303:
300:
296:
293:
289:
280:
277:
276:
275:
271:
268:vendor lock-in
264:
252:
249:
235:
232:
183:
180:
159:
156:
122:
119:
118:
117:
114:
111:
105:
95:
88:
82:
76:
70:
59:
56:
15:
9:
6:
4:
3:
2:
671:
660:
657:
656:
654:
640:
634:
626:
620:
612:
606:
598:
592:
584:
578:
570:
564:
553:
547:
539:
533:
525:
519:
511:
505:
501:
497:
493:
489:
482:
474:
467:
459:
453:
445:
439:
431:
427:
420:
413:
409:
405:
394:
391:
388:
385:
382:
379:
376:
373:
370:
367:
364:
363:
362:
354:
352:
347:
342:
333:
324:
317:
314:
311:
307:
304:
301:
297:
294:
290:
287:
286:
285:
272:
269:
265:
262:
261:
260:
257:
248:
244:
242:
231:
229:
225:
221:
217:
213:
209:
205:
201:
197:
193:
189:
179:
177:
171:
167:
163:
155:
153:
148:
144:
140:
136:
132:
128:
115:
112:
109:
106:
103:
99:
96:
93:
92:oscilloscopes
89:
86:
83:
80:
77:
74:
71:
68:
65:
64:
63:
55:
53:
49:
45:
41:
37:
33:
29:
25:
21:
633:
619:
605:
591:
577:
563:
546:
532:
491:
481:
466:
452:
429:
419:
408:
360:
346:particularly
345:
343:
339:
330:
321:
282:
258:
254:
245:
237:
185:
172:
168:
164:
161:
124:
61:
43:
23:
19:
18:
365:Oil and gas
400:References
336:Governance
299:tampering.
141:(RTU) and
121:Technology
100:(BMS) and
36:monitoring
518:cite book
182:Protocols
653:Category
438:cite web
251:Security
224:air gaps
200:LonWorks
196:Profibus
58:Examples
32:software
28:hardware
430:Gartner
357:Sectors
351:Stuxnet
274:result.
234:Origins
228:Stuxnet
216:EnOcean
178:(IIT).
158:Systems
137:(DCS),
75:(SCADA)
506:
309:other.
220:OPC-UA
208:BACnet
192:Modbus
69:(PLCs)
40:assets
555:(PDF)
292:risk.
104:(BAS)
81:(DCS)
26:) is
524:link
504:ISBN
444:link
218:and
204:DALI
188:DNP3
30:and
496:doi
241:IoT
212:KNX
655::
520:}}
516:{{
502:.
490:.
440:}}
436:{{
428:.
214:,
210:,
206:,
202:,
198:,
194:,
190:,
24:OT
641:.
627:.
613:.
599:.
585:.
571:.
557:.
540:.
526:)
512:.
498::
475:.
460:.
446:)
432:.
94:)
44:.
22:(
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.