Skip to content

What is OT?

Operational Technology or short OT refers to a broad range of programmable systems and devices that directly or indirectly interact with the physical environment. OT plays an active role across all sectors including manufacturing, energy, transportation, medical, and utilities. In case of indirect interaction, these systems manage other systems or devices that themselves interact with the physical world in a direct way. All of these interactions happen through monitoring and controlling devices, processes, and events.

A very simple example for that could be a thermostat that monitors the temperature in a room. If it senses, that it gets to cold, it turns up the heating thus changes the physical environment around it. Due to this interleaving with the physical world, the term cyber-physical system (CPS) is often used synonymously with OT. While the increased use of CPS is not least due to the increasing convergence of IT, OT and IoT, this mixture of fields can also sometimes make the term blurry.

Types of OT Systems

OT systems come in a wide variety of forms, ranging from:

  • Small 8 to 32 bit microcontrollers embedded in purpose-built devices
  • Programmable logic controllers ("PLC")
  • Multiple sites encompassing control systems like supervisory control and data acquisition ("SCADA")
  • Building automation systems ("BAS")
  • Industrial Automation and Control System ("IACS")
  • Refrigeration control systems
  • Water purification control and safety systems
  • Oil and gas pumping, flow, and processing control systems
  • Physical access control systems
  • Medical devices
  • And many others, as OT systems far outnumber IT systems in use.

Not only are the types of systems and devices diverse, but so are the environments which utilize OT systems. Virtually no modern industry or environment operates without a large set of OT systems in operation.

OT security problems in these industries can have major impacts on the society and surrounding environment. This is also why OT security is of ever-increasing importance, this can be seen in previous attacks using several highly sophisticated pieces of malware that have already affected OT systems, from the notorious Stuxnet in 2010 to power outages in Ukraine due to attack tools such as BlackEnergy or Industroyer.

Stakeholders

To achieve security in OT systems and devices, several stakeholders have to work hand in hand. For example, the standards series for security for OT in automation and control systems IEC 62443 lists the following crucial roles:

  • The asset owner that operates the so-called Industrial Automation and Control System (IACS). IACS is a generic term of IEC 62443 that describes a control system and any complementary hardware and software components that have been installed and configured to operate together.
  • The maintenance service provider that – as the name implies – maintains an IACS.
  • The integration service provider (integrator) that assembles a whole automation solution for a intended environment by combining several components.
  • The product supplier that develops and manufactures components like applications, embedded devices, network components or similar.

OT security challenges are different for these stakeholders, which is also reflected in the different standards of the IEC 62443 series. For example, an operator does not have access to the development process of the specific component and thus cannot implement security measures at the source code level.

On the other hand, the operator more or less can shape the intended environment where the solution is employed and therefor is capable of introducing mitigating measures like strong network segmentation.

As the impact of security failures in OT can be tremendous, there is an increasing number of laws and regulations governing the development and operation of OT systems and devices. Examples are the European NIS2 and the Cyber Resilience Act (CRA), the US EO14028 or the China Cybersecurity Law.