04
19 min read · 5 briefings

OT & ICS Security

Where a security failure isn't a data breach — it's a turbine, a floodgate, or a chemical plant behaving badly.

01 When safety outranks confidentiality

Operational Technology (OT) is the hardware and software that monitors and controls physical processes — power grids, water treatment, pipelines, factory lines, building systems. Its subset Industrial Control Systems (ICS) runs the machinery. Securing it requires unlearning IT instincts, because the priorities are inverted.

In IT, the classic triad ranks Confidentiality, Integrity, Availability (CIA) — protecting data first. In OT, the order flips to something closer to Safety, Availability, Integrity, Confidentiality. Nobody dies if a spreadsheet leaks; people can die if a turbine oversifts, a boiler over-pressurizes, or a safety system is tricked. Availability is paramount because these processes often cannot stop — a blast furnace or a municipal water plant does not get a maintenance window like a web server.

This inversion drives everything downstream. You cannot casually reboot to apply a patch. You cannot run an aggressive vulnerability scan that might knock a fragile 20-year-old controller offline. You cannot assume the newest, most secure protocol is available. The defender's job is to protect a physical process and the humans near it, using equipment that was often designed decades before anyone imagined it would touch a network.

Insight The mental shift: in OT, a "denial of service" can mean a denial of physical service — no power, no clean water, no heat. The stakes are kinetic, and that reframes every risk decision.

02 The equipment: SCADA, PLC, RTU, HMI

OT has its own vocabulary of hardware, and knowing the pieces is half the battle.

  • PLC (Programmable Logic Controller): a ruggedized industrial computer that directly controls machinery — reading sensors and driving actuators (open a valve, spin a motor) via its control logic. This is the workhorse at the sharp end.
  • RTU (Remote Terminal Unit): similar in role, typically used for geographically distributed assets (a remote pumping station, a substation), often communicating back over long-distance links.
  • HMI (Human-Machine Interface): the operator's screen — the graphical dashboard showing tank levels, temperatures, and controls that a human uses to supervise the process.
  • SCADA (Supervisory Control and Data Acquisition): the overarching system that gathers data from many PLCs/RTUs across a wide area, presents it on HMIs, and lets operators supervise and issue commands centrally.

A useful way to see it: PLCs and RTUs do the controlling, HMIs let humans watch and steer, and SCADA is the connective supervisory layer tying a dispersed plant or grid together. Attacks can target any layer — but manipulating a PLC's logic or spoofing what the HMI shows an operator are among the most consequential.

Pro tip Many attacks blind the operator by feeding the HMI normal-looking values while the real process runs amok — exactly what Stuxnet did. Trust in the HMI is itself something defenders must protect.

03 Insecure-by-design protocols

The protocols that move OT commands were designed in an era of isolated, trusted networks, for reliability and determinism — not security. Most have no authentication and no encryption whatsoever.

Modbus, published by Modicon in 1979, is the archetype. It is simple, ubiquitous, and utterly trusting: any device that can reach a Modbus endpoint (commonly TCP port 502) can read or write registers and coils — meaning it can command actuators — with no credentials at all. There is no concept of "who are you?" A packet is a packet, and the PLC obeys.

DNP3 (Distributed Network Protocol), common in North American electric and water utilities, is more feature-rich but was likewise born without security; a Secure Authentication extension (DNP3-SA) was bolted on later and is unevenly deployed. Other protocols in this family include the IEC 60870-5 series and PROFINET.

Watch out Because these protocols authenticate nothing, an attacker with network access to the OT segment often does not need an exploit at all — they can simply speak the protocol and issue legitimate-looking commands. The 2016 Ukraine grid attack did exactly this. Network access is the compromise.

This is precisely why segmentation, not patching, is the primary OT defense: if attackers cannot reach the protocol, its lack of authentication no longer matters.

04 The Purdue model and segmentation

The reference architecture for OT security is the Purdue Enterprise Reference Architecture, which organizes an industrial environment into hierarchical levels and, crucially, defines where to segment.

LevelWhat lives there
Level 0Physical process — sensors and actuators
Level 1Basic control — PLCs, RTUs
Level 2Supervisory — HMIs, SCADA
Level 3Site operations — historians, engineering workstations
Level 3.5The industrial DMZ — the guarded border
Levels 4-5Enterprise IT and business networks

The central prescription is a hardened boundary — the IT/OT DMZ at Level 3.5 — so that enterprise IT never talks directly to control systems. Data brokers, jump hosts, and patch repositories sit in the DMZ; nothing crosses without passing through it. Two supporting pieces matter: historians, databases that log time-series process data (often needed by IT for analytics, which is why they are a tempting bridge and are frequently placed in the DMZ), and Safety Instrumented Systems (SIS).

An SIS is a last line of physical defense — an independent controller (e.g., a Triconex) whose only job is to bring the process to a safe state if dangerous conditions arise. SIS are meant to be isolated from the control network precisely because they are what stands between a malfunction and a catastrophe.

05 Real incidents and why you can't just patch

OT attacks are not hypothetical, and a handful of named events define the field:

  • Stuxnet (discovered 2010): a joint US–Israel operation that targeted Siemens S7 PLCs controlling uranium centrifuges at Iran's Natanz facility. It used multiple zero-days, spread via USB across an air-gapped network, subtly varied centrifuge speeds to destroy them, and replayed recorded normal readings to the operators. The first malware widely acknowledged to cause physical destruction.
  • Ukraine grid, December 2015: attackers (BlackEnergy/Sandworm) used stolen credentials and remote access to open breakers at distribution substations, cutting power to roughly 230,000 people — largely a hands-on-keyboard operation.
  • Ukraine grid, December 2016: the Industroyer/CrashOverride malware automated the attack, speaking grid protocols (IEC 60870-5-101/104, IEC 61850) directly to substation equipment.
  • TRITON/TRISIS (2017): malware that targeted the Safety Instrumented System — Schneider Electric Triconex controllers — at a Saudi petrochemical plant. Attacking the safety layer itself risked disabling the very system meant to prevent an explosion.

Why not simply patch the vulnerabilities away? Because in OT you often can't. Systems run 24/7 with no downtime window; vendor certification may forbid modification; the hardware may be 20+ years old and unsupported; and a bad patch can halt production or endanger safety. So defenders lean on compensating controls — rigorous segmentation, strict access control, protocol-aware monitoring, and removable-media discipline — rather than the patch-fast reflex of IT.

Field Glossary

OT / ICS
Operational Technology is the systems that monitor and control physical processes; Industrial Control Systems are the ICS subset running the machinery (grids, plants, pipelines).
Safety-first priority inversion
In OT the IT CIA triad flips toward Safety, Availability, Integrity, Confidentiality — because failures can cause physical harm and processes often cannot be stopped.
PLC / RTU / HMI / SCADA
PLCs and RTUs directly control machinery; HMIs are operator screens; SCADA is the supervisory system tying dispersed control equipment together over a wide area.
Modbus / DNP3
Foundational OT protocols designed without authentication or encryption. Network reach to them typically equals control, since a device simply obeys well-formed commands.
Purdue model
A reference architecture organizing OT into levels (0 process up to 5 enterprise) and prescribing an IT/OT DMZ (Level 3.5) so enterprise networks never touch control systems directly.
Safety Instrumented System (SIS)
An independent controller whose sole role is to force a process into a safe state under dangerous conditions; TRITON malware notably targeted an SIS.
Historian
A database logging time-series process data. Because IT often wants this data, historians bridge IT and OT and are commonly placed in the industrial DMZ.

Knowledge Check

Field Assessment

0 / 3

01 How do OT security priorities typically differ from IT security priorities?

02 Why can an attacker often manipulate a Modbus-controlled device without any exploit?

03 What made the 2017 TRITON/TRISIS malware especially alarming?

ESC
↑↓ navigate jack in