Do you need cybersecurity for your Operational Technology (OT) applications?

29 Apr 2021 at 22:00

In a series of blogs we want to draw attention to the need for cybersecurity in Operational Technology (OT) applications. We start with a historical overview as an introduction.

The first IT viruses were developed in the early 1970s and in those days were spread via floppy disks and (later) USB sticks. They were originally created by programmers to show off their abilities. With the expansion of the Internet, viruses evolved into the cyber threats we are all aware of. Cybercrime has now become an international business.

Meanwhile, OT was quite an innocent environment where PLCs, controllers and nodes simply worked together on a certain task. This changed drastically in 2010 with the discovery of the Stuxnet virus. Suddenly it became clear that OT could be at risk too!

Traditionally, OT was an “air-gapped” environment, meaning that it was not connected to external networks or other IT infrastructure. With the growth of the Industrial Internet of Things (IIoT) or “Industry 4.0”, the gap has been closed, and OT networks are widely connected to IT systems and to clouds.

Though IT incidents are much more frequent, OT incidents are more destructive. IT incidents often cause loss of data or value, with a big impact on victims, but they are recoverable. A security breach in an industrial or infrastructure system can lead to so much more. The recent, but failed, attempts to adjust chemical levels in the water systems in Israel and Florida make clear what the threat to larger groups, populations or even nations could be.

A black box for IT engineers

Bridging the gap technology-wise doesn’t imply the gap has been closed from an organisational or human point of view. OT has fundamentally different functionality compared to general IT and is still generally known only to the specialists involved in its industrial applications. Their primary focus is on safety and process continuity. When IT security engineers look at OT systems, they see an unknown world, a sort of black box. The components used are often screenless, communicate over industrial protocols never seen on IT networks, lack security tools (e.g. firewalls, antivirus) and are rarely patched.

On the other side, OT is not aware that it has become part of an IT environment. Why it is not aware of this, and how this came about, we will discuss next time.