5 myths about OT systems – is there any truth to these?

Various myths exist around securing OT systems. Guaranteeing security in physical systems follows different rules than it does in purely digital systems. Below, we present and clarify five well-known myths about securing OT systems.

Myth 1: Air Gapping

“Air gapping is the only way to guarantee the security of OT systems.”

Air gapping is a method that supposedly isolates networks completely. In this approach, the respective network is separated from any connection to the Internet or other networks. In practice, this means that the control system for OT is completely isolated from the company network and the Internet.

Reference and “Air Gap” architecture in comparison

However, there are other ways in which attackers can infiltrate the OT network – despite separation:

  • Social engineering (e.g., with phishing, spear phishing)
  • Infected digital storage media (e.g., USB sticks)
  • Hidden service connections (e.g., for service providers and manufacturers)
  • Infected devices of engineers and service technicians (e.g., laptops)
  • Hidden communication with ultrasound frequencies (e.g., via USB port, loudspeakers, headsets, hard drives, fans)

Myth 2: Firewall

“A firewall protects my OT network against attacks from a connected IT network.”

A firewall alone cannot fully protect the OT network. Additional segmentation and monitoring measures have to be implemented within the network. Moreover, a firewall always has to be configured for the individual environment, and configuration errors can create security gaps.

Myth 3: External Connections

“Except for the connection to the company network, there are no external connections.”

An increasing number of providers implement integral backdoors to be able to access and/or control devices remotely. This type of backdoor is sometimes even required as part of their SLA. Therefore, external connections could exist without your direct knowledge.
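One way to test this myth against your own traffic is to summarise every flow in which an OT host talks to an address that belongs to neither the OT range nor the company network. The following is an added example, not part of the original article; the address ranges, the CSV flow layout (timestamp, source, destination, destination port, bytes) and the sample records are all constructed assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Address plan and flow records are constructed for this example.
OT_NET = ipaddress.ip_network("192.168.10.0/24")
COMPANY_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SAMPLE_FLOWS = """\
2024-03-01T08:00:02,192.168.10.21,192.168.10.5,502,1840
2024-03-01T08:00:09,10.20.4.17,192.168.10.5,443,9120
2024-03-01T08:03:41,192.168.10.33,203.0.113.80,443,51200
2024-03-01T08:04:10,192.168.10.33,203.0.113.80,443,48800
2024-03-01T09:15:27,198.51.100.7,192.168.10.40,3389,730112
2024-03-01T09:20:00,10.20.4.17,10.20.9.9,445,300
"""

def classify(addr):
    """Return 'ot', 'company' or 'external' for an IP address string."""
    ip = ipaddress.ip_address(addr)
    if ip in OT_NET:
        return "ot"
    if any(ip in net for net in COMPANY_NETS):
        return "company"
    return "external"

def find_external_peers(flow_text):
    """Summarise flows between an OT host and a peer outside both the OT
    and company ranges, in either direction, keyed by (ot_host, peer)."""
    findings = defaultdict(
        lambda: {"flows": 0, "bytes": 0, "ports": set(), "inbound": False})
    for row in csv.reader(flow_text.splitlines()):
        if not row:
            continue  # tolerate blank lines in the export
        _ts, src, dst, dport, nbytes = row
        zones = (classify(src), classify(dst))
        if zones == ("ot", "external"):
            key, inbound = (src, dst), False
        elif zones == ("external", "ot"):
            key, inbound = (dst, src), True
        else:
            continue  # OT-internal, company<->OT and company-internal traffic
        entry = findings[key]
        entry["flows"] += 1
        entry["bytes"] += int(nbytes)
        entry["ports"].add(int(dport))
        entry["inbound"] = entry["inbound"] or inbound
    return dict(findings)
```

Each reported pair is a connection that the myth says should not exist; match it against vendor contracts and remote-maintenance agreements before deciding whether it is legitimate.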

Myth 4: Operation of systems

“Employees operate OT systems to manage production on a daily basis.”

Operation of production systems is increasingly being outsourced to external providers, some of which are situated in remote locations. This increases the risk of insider threats and makes systems more vulnerable to attacks.

Myth 5: Vendors

“OEM vendors (SCADA vendors) secure their devices sufficiently.”

Contracts often do not include requirements on vendors to ensure that security functions and processes are implemented and updated. The first step toward securing OT effectively is to find a vendor that is trustworthy.

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.