In the world of industrial operations and automation, two acronyms often surface in conversations around process control and cybersecurity: Industrial Control Systems (ICS) and Operational Technologies (OT). This article aims to demystify the differences between ICS and OT, examining their unique characteristics, roles, and the critical importance of each in our increasingly connected and automated industrial landscape. Specifically, we’ll cover how a new revision to NIST 800-82 has moved from ICS to full-blown OT security and best practices.
What Are Industrial Control Systems and Operational Technologies?
Most of us in the world of business and cybersecurity are more than familiar with IT systems. With the ongoing evolution of security threats against industrial infrastructure, we also need to be more generally plugged into the background technologies and systems operating in conjunction with or outside of IT infrastructure. These systems typically help manufacturers or operators in industrial contexts (oil and gas, energy production, etc.) manage physical or hybrid processes.
Within this context, Industrial Control Systems and Operational Technology are terms sometimes used interchangeably, but they represent slightly different concepts.
Industrial Control Systems (ICS)
ICS is a set of devices, controls, and processes that maintain and administer industrial processes, specifically in terms of automation and reporting. ICS comes in a variety of types, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC).
ICS are typically used in industries like power, water, oil, and gas.
Operational Technology (OT)
On the other hand, Operational Technology refers to the hardware and software used to change, monitor or control physical devices, processes, and events in the enterprise. While ICS is a subset of OT, OT also includes other systems, such as building automation and transportation systems.
OT is a broader term and can be considered a superset of ICS. It relates to any technology that manages operations in industries. The technology can range from manufacturing lines to aircraft navigation systems. OT was traditionally separated from Information Technology before the advent of IoT devices.
What is Supervisory Control and Data Acquisition (SCADA)
SCADA is an industrial control system used for gathering and analyzing real-time data. SCADA systems monitor and control a plant or equipment in telecommunications, water and waste control, energy, oil and gas refining, and transportation. SCADA is perhaps one of the most common places where concepts and tools like ICS, OT, and IT all converge in modern industry.
As a form of ICS (and, thus, operational technology), a SCADA system collects information about a process to monitor the process in real-time. This enables operators to detect and correct potential problems before they significantly impact them.
Here’s a basic breakdown of how SCADA works:
- Data Acquisition: Sensors and control relays placed throughout the system gather data on variables like temperature, pressure, flow rate, or any other factors that need to be monitored. These devices are often referred to as field devices.
- Networking: The gathered data is then sent over a network to a central computer, often referred to as the master station or master terminal unit (MTU). The network can be wired, wireless, or a combination of both and span large geographic distances.
- Data Analysis: The central computer analyzes the data, often in real-time, to monitor for any conditions that could be problematic. For example, if a temperature reading in an industrial oven were to exceed a certain threshold, the SCADA system could trigger an alarm.
- Control Actions: Based on the analysis, the SCADA system can send commands back down to the control relays to adjust the system, such as turning on a cooling system if a temperature gets too high. In some cases, these actions can be automated, while in others, they may require human intervention.
The SCADA system is crucial in industries with processes distributed over large geographic areas, such as oil and gas pipelines or water treatment systems. These systems help maintain efficiency, process data for smarter decisions, and communicate system issues to help mitigate downtime.
NIST 800-82 Rev. 2 vs. Rev. 3: Understanding the Key Differences
Regarding securing Industrial Control Systems, the National Institute of Standards and Technology has provided valuable guidance by developing and maintaining Special Publication 800-82.
Traditionally, this publication has focused on creating and maintaining ICSs. However, a new revision is being developed to expand this document to cover the broader spectrum of Operational Technologies. This third revision (or Rev. 3) makes a few significant changes to how NIST expects compliant organizations to handle their ICS/OT infrastructure.
Some of the changes in NIST 800-82 Rev. 3 include the following:
- Expanded Focus on OT Systems: Revision 2 (Rev. 2) primarily focuses on securing ICS, which includes the hardware, software, and network infrastructure used in controlling and monitoring industrial processes. In contrast, Rev. 3 narrows its focus specifically on OT systems, which encompasses a broader range of technologies used in various industries, such as energy, manufacturing, transportation, and more. This shift in focus reflects the evolving landscape of OT systems and the need for targeted security measures.
- Integration with the NIST Cybersecurity Framework: Although Rev. 2 provides valuable security recommendations for ICS, it does not explicitly integrate with the NIST Cybersecurity Framework. Recognizing the importance of a unified approach to cybersecurity, Rev. 3 seamlessly integrates with the NIST Cybersecurity Framework. This integration allows organizations to align their OT security measures with broader cybersecurity best practices, enabling a more comprehensive and effective security strategy.
- Improved Organization and Guidance: While NIST 800-82 Rev. 2 offers valuable insights, some users found navigating and applying the recommendations effectively challenging. Rev. 3 provides improved organization and guidance. It offers a more streamlined and intuitive structure, making it easier for organizations to locate and implement the recommended security measures.
- Clearer References for Implementing Security Measures: In Rev. 2, some users found the references to specific security measures and controls could have been clearer, making it easier to implement them effectively. Rev. 3 more explicitly ties security controls to NIST 800-53 (Rev. 5).
NIST-Compliant ICS and OT Infrastructure with Lazarus Alliance
Whether it is your industrial controls, Operational Technologies, or combined control and IT infrastructure, you’ll want to meet and maintain compliance with NIST standards. In a world with always-present APTs, these security measures cannot be taken lightly.
[wpforms id=”137574″]