Why Do IT and OT Risk Management Require Different Approaches?
When it comes to cybersecurity, IT and OT environments follow very different rules, which means that risk management in OT is not just a copy of IT practices, but a discipline of its own. Watch cybersecurity expert Jaron Stammler as he explains the key differences between IT and OT risk management and shares how organizations can better protect their critical operations.
Q&A with Jaron Stammler
What makes vulnerability management in OT different from IT?
While many vulnerabilities—like denial of service, SQL injection, or improper input validation—are technically similar in IT and OT, the consequences in OT are often more severe. OT systems are directly tied to physical processes. For example, in glass production, if a conveyor belt or oven stops, the glass hardens and production halts, potentially requiring manual intervention with tools like hammers. So, the impact is not just digital—it’s physical and operational.
How do you assess the severity of vulnerabilities in OT environments?
The CVSS score is a good starting point, but it doesn’t tell the whole story. You need to consider the physical process connected to the asset. A vulnerability in a PLC controlling a water plant might be more critical than the same vulnerability in a less essential system. The context and interdependencies matter a lot.
What challenges arise from legacy systems in OT?
Many OT systems are decades old—some over 40 years—and still in use. These machines are robust but often unsupported, with no patches available. Sometimes, the original manufacturer no longer exists. In such cases, you must identify these assets, assess their criticality, and decide on protective measures like network isolation or physical access controls.
What are some practical mitigation strategies for unpatchable OT devices?
✔️ Network isolation: Disconnect the device from all networks, even internal ones.
✔️ Physical security: Lock ports, restrict access to rooms, and use access cards.
✔️ Intrusion detection systems (IDS): Monitor traffic for anomalies.
✔️ Allow listing: Only permit known, necessary traffic—especially effective in static OT environments.
What if a device is unknowingly communicating externally (e.g., via a hidden 4G router)?
This happens more often than you'd think. Passive monitoring with IDS can reveal unexpected outbound traffic. It's also crucial to include clear terms in vendor contracts and provide secure remote access options—like jump hosts and DMZs—to avoid unauthorized connections.
What about devices that stop functioning without internet connection?
That’s bad practice, especially in OT. Devices should not halt operations due to connectivity issues. If internet access is necessary, use forward proxies, URL allowlisting, IDS, and deep packet inspection to secure the connection. Segmentation is also key, though not yet widely adopted in OT.
Does OMICRON offer solutions for OT security?
Yes, we provide consulting services—especially in the energy sector—and offer tools like StationGuard Sensor and GridOps for IDS and vulnerability management. These are tailored for OT environments and are easy to deploy.
How should companies handle mobile network connections in OT?
Mobile connectivity is often essential, especially for distributed systems like water or power plants. The best approach is micro-segmentation—implementing small firewalls at the machine or cell level. Even basic stateful inspection firewalls can be effective. If visibility is lacking, deploy IDS to passively detect connections and enforce vendor compliance through contracts.
More
Questions?
- Anything left unanswered?
- Need more information?
- Interested in a StationGuard demo?
Resources
