{"id":3784,"date":"2023-10-30T12:57:39","date_gmt":"2023-10-30T11:57:39","guid":{"rendered":"https:\/\/www.hwgsababa.com\/?p=3784"},"modified":"2025-08-05T14:05:11","modified_gmt":"2025-08-05T12:05:11","slug":"differences-between-ot-and-it-systems","status":"publish","type":"post","link":"https:\/\/www.hwgsababa.com\/en\/differences-between-ot-and-it-systems\/","title":{"rendered":"What are the differences between OT and IT Systems?"},"content":{"rendered":"<div class=\"wpb-content-wrapper\">[vc_row el_class=&#8221;margin_top_100&#8243;][vc_column][vc_single_image image=&#8221;3695&#8243;][\/vc_column][\/vc_row][vc_row el_class=&#8221;margin_top_30&#8243;][\/vc_row][vc_column][\/vc_column][vc_column_text el_class=&#8221;paragrafo&#8221;]<span class=\"wpex-text-sm\">For those coming from IT, securing ICS systems can be frustrating at the beginning. This is because the technologies used and the ways of working are very different when it comes to OT systems. The objectives pursued in these two areas are also very different. How so? Let&#8217;s find out the differences between OT and IT systems.<\/span><\/p>\n<h3><span class=\"wpex-text-sm\" style=\"color: #0087cc\"><strong>Data protection vs. process protection<\/strong><\/span><\/h3>\n<p><span style=\"color: #0087cc\"><strong> When securing IT systems, the main focus is on protecting data <\/strong><\/span> &#8211; such as intellectual property (IP), credit card numbers, emails and Personally Identifiable Information (PII) &#8211; thus trying to prevent hackers from gaining access to what, for a company, may be a large part of its assets.<\/p>\n<p>This is in <span style=\"color: #0087cc\"><strong> sharp contrast to what happens with ICS systems, where the main objective is to protect the process <\/strong><\/span>, as they are designed for continuous processing. In some cases, following an unplanned shutdown of a plant, it can take days, weeks or even months for it to restart, causing significant damage.
And it is not just an <span style=\"color: #0087cc\"><strong> economic loss<\/strong><\/span><\/p>\n<p>Take, for example, an ICS system that controls power generation and distribution, or drinking water and wastewater systems: besides great inconvenience, their breakdown can also have serious consequences for people&#8217;s health, as well as a deep impact on society. Without going too far back in time, just think of the 2021 ransomware attack on Colonial Pipeline that halted plant operations for six days, leading to a fuel crisis and increased prices in the eastern U.S.<\/p>\n<h4><strong><span style=\"color: #c70973\">Differences between IT and OT systems: Technologies<\/span><\/strong><\/h4>\n<p>In traditional IT systems, we are used to working with protocols such as TCP, IP, UDP, DNS, DHCP, etc. Most ICS systems use one of over 100 dedicated protocols, some of which are proprietary. The most popular on the market are Modbus, DNP3, ProfiNet\/Profibus, OPC and others.<\/p>\n<p>ICS systems base their operations on Programmable Logic Controllers, or PLCs. These are used for almost any type of industrial control system, be it production, oil refining, power generation, water treatment, etc. PLCs are comparable to industrial computers, with their own proprietary Operating System. They use programming languages derived from the world of electromechanical logic, such as Ladder Logic, to control sensors, actuators, valves, alarms and other devices.
Hacking ICS systems often requires familiarity with the programming of such PLCs.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-3689\" src=\"https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-differences_HWG-Sababa.png\" alt=\"differences between IT e OT systems\" width=\"364\" height=\"270\" srcset=\"https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-differences_HWG-Sababa.png 287w, https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-differences_HWG-Sababa-24x18.png 24w, https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-differences_HWG-Sababa-36x27.png 36w, https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-differences_HWG-Sababa-48x36.png 48w\" sizes=\"auto, (max-width: 364px) 100vw, 364px\" \/><\/p>\n<h5><span style=\"color: #0087cc\"><strong> Availability requirements<\/strong><\/span><\/h5>\n<p>Although <span style=\"color: #0087cc\"><strong> availability <\/strong><\/span> is one of the most important concepts within information security, ICS systems take it to another level. As mentioned above, here the <span style=\"color: #0087cc\"><strong> attention is on protecting the process <\/strong><\/span>, rather than the data. For this reason, applying a software patch and rebooting the system may often not be an option, except for discrete time intervals, such as annual or quarterly maintenance shutdowns. This means that operating systems and applications remain unpatched with known vulnerabilities for months or even years.
Therefore, SCADA or PLC engineers should put adequate compensating controls in place to prevent intrusions, unlike an IT security administrator who would be able to apply security patches more frequently.<\/p>\n<h6><strong>\u00a0<span style=\"color: #c70973\"><strong>Differences between IT and OT systems: A different access to components<\/strong><\/span><\/strong><\/h6>\n<p>With a few exceptions, in traditional IT security, the technical team has direct physical access to system components. In ICS systems, these components may be spread over hundreds or thousands of metres (e.g. pipelines, power grid, etc.), thus making the implementation of security controls even more complicated. For example, remote field stations can become an access point to the entire ICS system.<\/p>\n<p><span style=\"color: #0087cc\"><strong> Security through obscurity <\/strong><\/span><br \/>\nRecently, especially with the advent of Industry 4.0, many ICS systems have been progressively connected to the Internet via a direct TCP\/IP connection. While the internal communication can still be managed with proprietary networks, remote access allows continuous monitoring by plant managers.
However, there are still exceptions, such as some dams and other public infrastructure systems which are still off-line to protect them from the clutches of cyber attackers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-3692\" src=\"https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-cybersecurity-300x136.png\" alt=\"differences between OT and IT systems\" width=\"448\" height=\"203\" srcset=\"https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-cybersecurity-300x136.png 300w, https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-cybersecurity-24x11.png 24w, https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-cybersecurity-36x16.png 36w, https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-cybersecurity-48x22.png 48w, https:\/\/www.hwgsababa.com\/wp-content\/uploads\/2023\/10\/IT-e-OT-cybersecurity.png 643w\" sizes=\"auto, (max-width: 448px) 100vw, 448px\" \/><\/p>\n<p>For years, these systems benefited from <span style=\"color: #0087cc\"><strong> security through obscurity<\/strong><\/span>. What does it mean?\u00a0They were somehow safe because few people knew of their existence and even fewer understood their technologies: the protocols used were only known to technicians in the industry who had gained first-hand experience with SCADA, PLCs and HMI terminals.<\/p>\n<p>This is turning out to be a weak point, as they are being exposed on the network without having the most basic security measures implemented. 
An example is what happened in 2016, when the independent researcher Karn Ganeshen managed to break into a <a href=\"https:\/\/download.schneider-electric.com\/files?p_Doc_Ref=SEVD-2016-025-01\" target=\"_blank\" rel=\"noopener\">Schneider Electric building automation system<\/a> by exploiting a 0-day vulnerability and gaining <span style=\"color: #0087cc\"><strong> root <\/strong><\/span> access to the server.<\/p>\n<p>With the advent of reconnaissance tools like <a href=\"https:\/\/www.shodan.io\/\" rel=\"noopener\">Shodan<\/a>, these systems can no longer rely on security through obscurity. The industry is only now beginning to implement modest security measures, but one of the biggest challenges it faces is that many standard IT security products do not provide the same level of protection when it comes to industrial protocols. In most cases, firewalls and IDSs have to be customised to make them compatible and applicable to OT.<\/p>\n<h6><span style=\"color: #c70973\"><strong> What can we do to protect <a href=\"https:\/\/www.hwgsababa.com\/en\/industrial-cybersecurity\/\" target=\"_blank\" rel=\"noopener\">OT environments<\/a>?
<\/strong><\/span><\/h6>\n<p>Considering the differences between OT and IT systems in the length of system lifecycles, and the sensitivity and safety relevance of OT systems and automation tools, the approach to security usually requires a combination of security technologies and services, including:<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li><strong><span style=\"color: #c70973\"><strong> OT security audit and governance <\/strong><\/span> <\/strong>\u2013 aimed at understanding the security risks and requirements for industrial infrastructures, as well as mid- and long-term cybersecurity strategy planning<\/li>\n<li><strong><span style=\"color: #c70973\"><strong>OT security solution integration <\/strong><\/span> <\/strong>to protect industrial networks, workstations and other assets<\/li>\n<li><strong><span style=\"color: #c70973\"><strong> Continuous security monitoring <\/strong><\/span> <\/strong>\u2013 for better security visibility through the analysis of security events from multiple sources to spot even complex cyber-attacks at their early stages<\/li>\n<li><strong><span style=\"color: #c70973\"><strong> Security training <\/strong><\/span> <\/strong>\u2013 aimed at continuous improvement of cybersecurity skills among OT operators, cybersecurity experts as well as other non-IT teams and executives.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Discover HWG Sababa\u2019s portfolio dedicated to <a href=\"https:\/\/www.hwgsababa.com\/en\/industrial-cybersecurity\/\" target=\"_blank\" rel=\"noopener\">Industrial Security<\/a> or <a href=\"https:\/\/www.hwgsababa.com\/en\/contacts\/\" target=\"_blank\" rel=\"noopener\"><u>request a call<\/u><\/a> with our OT specialists.[\/vc_column_text]\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row el_class=&#8221;margin_top_100&#8243;][vc_column][vc_single_image
image=&#8221;3695&#8243;][\/vc_column][\/vc_row][vc_row el_class=&#8221;margin_top_30&#8243;][\/vc_row][vc_column][\/vc_column][vc_column_text el_class=&#8221;paragrafo&#8221;]For those coming from IT, securing ICS systems can be frustrating at the beginning. This is because the technologies used and the ways of working are very different when it comes to OT systems. The objectives pursued in these two areas are also very different. How so? Let&#8217;s find out the&hellip;<\/p>\n","protected":false},"author":9,"featured_media":3723,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[35],"post_series":[],"class_list":["post-3784","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-ot-security-en","entry","has-media"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/posts\/3784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/comments?post=3784"}],"version-history":[{"count":4,"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/posts\/3784\/revisions"}],"predecessor-version":[{"id":249118,"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/posts\/3784\/revisions\/249118"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/media\/3723"}],"wp:attachment":[{"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/media?parent=3784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/categories?
post=3784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/tags?post=3784"},{"taxonomy":"post_series","embeddable":true,"href":"https:\/\/www.hwgsababa.com\/en\/wp-json\/wp\/v2\/post_series?post=3784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}