There are many myths about OT system security. Securing physical systems follows different rules than securing purely digital systems. Below, we present and dispel five common myths about securing OT systems.
“Air-gapping is the only way to ensure the security of OT systems”
Air-gapping is said to be a method for completely isolating networks: the network in question is disconnected from the Internet or other networks. In practical terms, this means an OT control system network that is completely isolated from the corporate network and the Internet.
But there are other ways that attackers can penetrate the OT network, despite isolation:
- Social engineering (e.g., phishing or spearphishing)
- Infected storage media (e.g., USB sticks)
- Hidden service connections (e.g., for service providers and manufacturers)
- Infected devices among engineers and service technicians (e.g., laptops)
- Hidden communication via ultrasonic frequencies (e.g., via USB port, loudspeakers, headsets, hard disks, or fans)
“A firewall protects my OT network from attacks stemming from a linked IT network”
A firewall alone is not enough to fully protect the OT network. Within the network, additional segmentation and monitoring measures must be implemented. In addition, a firewall must always be configured individually, because configuration errors can create security vulnerabilities.
“Outside of the connection to the corporate network, there are no external connections”
More and more vendors are implementing hard-coded back doors to remotely access and/or control devices. Such back doors are sometimes even required as part of an SLA. Therefore, external connections can exist without the operator's direct knowledge.
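One way to test this assumption, as an added example that is not from the original article: compare observed network flows against the documented OT connections and list everything else that crosses the OT boundary. The subnets, flow records and function names below are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed, constructed network plan: the OT control network plus the one
# documented conduit to the corporate network (via the IT/OT firewall).
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
DOCUMENTED_PEERS = [ipaddress.ip_network("10.1.5.0/24")]  # corporate side

# Constructed flow records: (source, destination, destination port, bytes)
FLOWS = [
    ("10.20.1.10", "10.20.1.20", 502, 4200),     # traffic that stays inside OT
    ("10.20.1.20", "10.1.5.8", 443, 9100),       # OT host -> documented corporate peer
    ("10.20.3.7", "203.0.113.45", 443, 88000),   # OT host -> unknown external peer
    ("198.51.100.9", "10.20.3.7", 5900, 1500),   # unknown external peer -> OT host
    ("10.1.5.8", "10.1.9.9", 445, 300),          # IT-only traffic, ignored
    ("10.20.3.7", "203.0.113.45", 443, 12000),   # repeat of the unknown flow
]

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def undocumented_connections(flows, ot_nets, documented):
    """Return {(ot_host, peer, port, direction): total_bytes} for flows that
    cross the OT boundary to a peer outside the documented conduit."""
    findings = defaultdict(int)
    for src, dst, port, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        s_ot, d_ot = _in_any(s, ot_nets), _in_any(d, ot_nets)
        if s_ot == d_ot:
            continue  # stays inside OT, or never touches OT
        ot_host, peer = (s, d) if s_ot else (d, s)
        if _in_any(peer, documented):
            continue  # the known corporate connection
        direction = "outbound" if s_ot else "inbound"
        findings[(str(ot_host), str(peer), port, direction)] += nbytes
    return dict(findings)

if __name__ == "__main__":
    results = undocumented_connections(FLOWS, OT_NETS, DOCUMENTED_PEERS)
    for (host, peer, port, direction), total in sorted(results.items()):
        print(f"{direction:8} {host} <-> {peer} port {port}: {total} bytes")
```

Each finding is a connection to investigate and either document (for example, as a contractually agreed vendor access path) or close.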
“Employees operate OT equipment to manage production on a day-to-day basis”
The operation of production facilities is increasingly outsourced to external providers, some of which are based in remote locations. That increases the risk of insider threats, and it expands the attack surface.
“OEM vendors (SCADA vendors) are adequately securing their devices”
Contracts often do not include requirements that vendors ensure that security features and processes are implemented and kept up to date. The first step of effective OT protection is to find a trustworthy provider.
Are OT and IoT security issues for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.