Operational technologies, often referred with the acronym OT, is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.
The industrial context is basic on this definition of OT. This term is often used as a counterpart of information technologies (IT), to refer the technologies that are used in an industrial environment.
Terms that are usually used in OT context
Industrial automation and control systems (IACS).
A Supervisory Control And Data Acquisition (SCADA) is a control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes.
Distributed Control Systems (DCS) is a computerized control system for a process or plant usually with many control loops, in which autonomous controllers are distributed throughout the system, but there is no central operator supervisory control.
Programmable Logic Controller (PLC) is an industrial computer that has been ruggedized and adapted for the control of manufacturing processes, such as assembly lines, machines, robotic devices, or any activity that requires high reliability, ease of programming, and process fault diagnosis.
Human-Machine Interface (HMI) is a user interface or dashboard that connects a person to a machine, system, or device.
Industrial Control System (ICS) is an electronic control system and associated instrumentation used for industrial process control.
Remote Terminal Unit (RTU)
An Automatic Guided Vehicle (AGV) is a machine that automates internal transportation tasks.
An Autonomous Mobile Robot (AMR) are also machines that moves materials from one place to another, but they are more advanced than AMR. It navigates via maps that its software constructs on-site or via pre-loaded facility drawings.
Industrial Internet of Things (IIoT) are interconnected sensors, instruments, and other devices networked together with computers’ industrial applications, including manufacturing and energy management
Process Control Network (PCN)
Process Monitoring Network (PMN)
OT Security
In the CIA triad (confidentiality, integrity and availability), OT focuses on availability while IT focuses on confidentiality and integrity.
OT Security Components
Industrial Demilitarized Zone (iDMZ).
OT Information Security Standards
OT Security frameworks that are featured on this post:
- ISA/IEC 62443
- CCI’s ICMS Guide
- ISA-95
- NIST 800-82
- Purdue Reference Model (PRM)
- Home office’s of Spain Guide on Security Controls on OT Systems
- ARLI-SI
ISA/IEC 62443
ISA/IEC 62443, sometimes referred as ISA 62443 or IEC 62443, is an international series of standards that address cybersecurity for operational technology in automation and control systems. The standard describes both technical and process-related aspects of automation and control systems cybersecurity.
It is issued by the International Electrotechnical Commission (IEC).
It was developed over the American ANSI/ISA-99 or ISA99 and German VDI/VDE 2182.
IEC 62443-4-2 is certifiable.
You can find more information about ISA/IEC 62443 on this external link.
Please note that while ISO/IEC 27001 explains how to get a ISMS (Information Security Management System), ISA/IEC 62443 explains about a ICMS (Industrial Cybersecurity Management System).
CCI’s ICMS Guide
CCI (from the Spanish Centro de Seguridad Industrial) is a non-profit association of enterprises from Spain and Latin America that was created in march 2023.
Aiming Spanish speakers from Spain and Hispanic America, CCI in collaboration with the ISA Spain section issues the “Guía SGCI para el responsable de construir un Sistema de Gestión de la Ciberseguridad Industrial”. You can purchase it from this external link.
SGCI comes from the Spanish “Sistema de Gestión de Ciberseguridad Industrial”, that means ICMS (Industrial Cybersecurity Management System).
There is an annex called “ICMS (Industrial Cybersecurity Management System) requirements” that links controls from the guide to ISO/IEC 27002. You can download it from this external link.
According to the abstract, the controls from CCI’s guide standards are ISA/IEC 62443 controls, but personally I could not verify that.
ISA-95
ANSI/ISA-95, more generally known as ISA-95, is an international standard for developing an automatic interface between enterprise and control systems
It is developed by the non-profit organization International Society of Automation (ISA), formerly known as the Instrument Society of America.
ISA-95 extended the work done for Purdue Reference Model, that is also featured on this post.
You can find more information about ISA 95 on this external link.
Operational technologies, often referred with the acronym OT, is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.
The industrial context is basic on this definition of OT. OT is often used as a counterpart of information technologies (IT), to refer the technologies that are used in an industrial environment.
NIST 800-82
NIST SP 800-82 or NIST 800-82 has the title “Guide to Industrial Control Systems (ICS) Security”. It is issued by the National Institute of Standards and Technology (NIST), that is an agency of the United States Department of Commerce.
As of November 2022, latest version is NIST 800-82 v2 and NIST 800-82 v3 is still a draft.
Purdue Reference Model (PRM)
The Purdue Reference Model (PRM) or Purdue Model is a reference data flow model for Computer-Integrated Manufacturing (CIM).
It is part of Purdue Enterprise Reference Architecture (PERA). It was developed in the late 1980s and early 1990s, and because of this some professionals discuss about its timeliness. It was created at the Purdue University at Indiana, USA.
According to the sources below, PRM was adopted by ANSI/ISA99 and ISA 95.
You can find more information on this external link and this external link.
Home Office of Spain’s Guide on Security Controls on OT Systems
The Oficina de Seguridad Cibernética (OCC), that belongs to the Home Office of Spain (Ministerio de Interior), issues a guide on security controls in OT systems entitled “Guide on Security Controls on OT Systems”. You can download it from this external link., and it is available in English and Spanish.
ARLI-SI
Análisis de Riesgos Ligero de Seguridad Industrial (ARLI-SI) is developed by Spanish public organization INCIBE.
OT Security Guidelines
INCIBE, dependent from the Government of Spain, issued a guide for endpoint protection in OT environment. You can find it on this external link.
OT Security Certifications for Professionals
Find more information about OT Security Certifications for Professionals on this post.
OT Security Media
Industrial Cyber
Industrial Cyber is a journalistic medium based in Canada that provides news about industrial cybersecurity.
OT Security Communities
OT Security Communities:
- LinkedIn group “ICS OT Security IEC62443 Cyber and Physical”
- LinkedIn group “OT Security”
LinkedIn group “ICS OT Security IEC62443 Cyber and Physical”
LinkedIn group”OT Security”
External references
- Univerdad Rey Juan Carlos; “Diferencias entre ciberseguridad IT & OT (URJCx)“; Universidad Rey Juan Carlos (Spanish)
- William Malik; “Bringing Zero Trust to Industrial Control Systems“; RSA Conference
- Mobile Industrial Robots; “AGV vs. AMR – What’s the Difference?“; Mobile Industrial Robots
- ISA/IEC 62443
- INCIBE; “IEC 62443: Evolución de la ISA 99“; INCIBE
- INCIBE; “IEC 62443-4-2“; INCIBE
- INCIBE; “IEC 62443-3-3“; INCIBE