Interview


General terms:

OT (Operational Technology)
Hardware and software that monitors and controls industrial equipment (physical processes).
Example: In a factory, OT systems might be used to:
• Monitor the temperature and pressure of machinery to prevent breakdowns
• Control the flow of materials on a production line

ICS (Industrial Control System)
A major segment within the operational technology sector: specialized computer systems
that monitor and control essential industrial processes.
Analogy: like a conductor, an ICS receives input from various instruments (sensors) and
uses that information to direct the different parts of the orchestra (machines) to produce
the final product (a manufactured good, generated power, treated water, etc.).

Components: An ICS typically involves a network of devices like:

A. Sensors: These gather real-time data on the physical process.
B. Programmable Logic Controllers (PLCs): ruggedized industrial computers that run
control logic against sensor data and drive actuators (valves, pumps, motors) directly.
C. Supervisory Control and Data Acquisition (SCADA) systems: These provide a
central interface for monitoring and controlling the entire process, often from a
remote location, and typically hold the historian and the setpoints that operators change.

IIoT (Industrial Internet of Things)
IIoT involves using a network of smart devices, sensors, and machines equipped for
communication over the internet.
How it's different from OT: Traditional OT systems were often isolated (air-gapped or
serial-connected) networks, while IIoT connects industrial devices to a broader internet
infrastructure, which widens the attack surface that reaches the physical process.
OT, ICS, & SCADA Security
Operational Technology (OT) Security
OT assets are now part of complex networks, frequently bridged to corporate IT, which
exposes them to threats they were never designed to withstand, such as malware and
ransomware attacks.

Industrial Control System (ICS) Security

Ensure that the system is protected from unauthorized access and that the integrity of its
data and commands is preserved.

A compromise in ICS security doesn't just risk data integrity: it can disrupt industrial
processes, leading to operational downtime and financial losses, and at its extreme poses
a threat to human safety.

Example: the 2021 attack on a Florida water treatment plant (Oldsmar)

What happened: the intruder tried to raise the sodium hydroxide (lye) dosing setpoint in
the water supply to dangerous levels. An operator who was watching the screen noticed
the cursor moving and reverted the change before it affected the water.
How the attacker gained access: the attacker remotely took control of the operator
workstation (mouse and all) using a legitimate application, TeamViewer, which is commonly
used in industrial settings for remote access. The lesson is that remote-access tooling
reachable from the internet, with weak or shared credentials, is a direct path to the HMI.

Examples of OT threats:
Malware
How can malware reach the system?
• Phishing attacks -> links or attachments can trick employees into installing malware
on IT workstations that in turn have access to the OT network.
• Infected USB drives -> (Stuxnet) inserting a USB drive containing malware into a
computer connected to the OT network bypasses the air gap.
• Unsecured remote access -> remote access is often used for maintenance and
monitoring of OT systems; if it is exposed to the internet or shares credentials, it
becomes the entry point (as in the Florida water example above).
OT Levels (a simplified Purdue model)
Level 0 : Includes the physical components on the "shop floor", e.g., sensors, motors.
Level 1 : Includes the systems that monitor and send commands to Level 0, such as
Programmable Logic Controllers (PLCs).
Level 2 : Includes the devices that support and manage the processes within the OT
environment, including application/database servers and Human-Machine Interfaces (HMIs),
that enable humans to monitor and manage the lower levels.
Level 3 : Defines the barrier between OT and IT, where jump servers and patch
deployment servers manage limited user access between environments. (In the full
Purdue model this boundary is usually a separate IT/OT DMZ, "Level 3.5", sitting between
site operations at Level 3 and enterprise IT at Level 4.)
The security rule that follows from the levels: traffic should only cross one level at a time,
and nothing from IT or the internet should reach Level 2 or below directly.
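The level model only helps if it is enforced as a policy on the conduits between zones. The following is an added example (not from the original notes and not any vendor's product) of a small zone/conduit policy checker: it encodes the levels above, treats IT as level 4 and the internet as level 5, and evaluates constructed network flows against rules such as "control protocols only between adjacent OT levels" and "interactive remote access into OT must come from a level-3 jump server". Host names, protocol lists and flows are constructed for illustration.

```python
"""Zone/conduit policy check for the simplified OT level model.

Added example. Level numbers follow the notes (0 field devices, 1 PLCs,
2 HMIs/servers, 3 OT/IT boundary with jump and patch servers); IT is
modelled as level 4 and anything outside the plant as level 5. Assets,
protocol lists and flows are constructed, not from any real site.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed asset inventory: host -> (level, role).
ASSETS: dict[str, tuple[int, str]] = {
    "sensor-101": (0, "sensor"),
    "plc-01": (1, "plc"),
    "hmi-01": (2, "hmi"),
    "historian-01": (2, "server"),
    "jump-01": (3, "jump"),
    "patch-01": (3, "patch-server"),
    "laptop-it-17": (4, "workstation"),
    "teamviewer-relay": (5, "internet"),
}

# Protocols that carry process commands (assumed list for the example).
CONTROL_PROTOCOLS = {"modbus", "s7comm", "ethernet/ip", "dnp3"}
# Interactive remote-access protocols/tools.
REMOTE_ACCESS = {"rdp", "vnc", "teamviewer", "ssh"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for a single flow under the level rules."""
    src_level, src_role = ASSETS[flow.src]
    dst_level, _dst_role = ASSETS[flow.dst]
    proto = flow.proto.lower()

    # Rule 1: nothing outside the plant talks to or from any OT level.
    if src_level >= 5 or dst_level >= 5:
        return False, "internet traffic must not reach OT levels"
    # Rule 2: IT (level 4) may reach level 3 (jump/patch) but nothing deeper.
    if src_level == 4 and dst_level < 3:
        return False, "IT host bypasses the level-3 boundary"
    # Rule 3: control protocols only between adjacent levels within 0-2.
    if proto in CONTROL_PROTOCOLS:
        if max(src_level, dst_level) > 2 or abs(src_level - dst_level) != 1:
            return False, f"{proto} only allowed between adjacent levels 0-2"
        return True, "control traffic between adjacent levels"
    # Rule 4: remote access into level 2 or below must come from a jump server.
    if proto in REMOTE_ACCESS and dst_level <= 2 and src_role != "jump":
        return False, "remote access into OT must originate from a level-3 jump server"
    # Rule 5: everything else may cross at most one level.
    if abs(src_level - dst_level) > 1:
        return False, "flow skips a level"
    return True, "adjacent-level traffic"


def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return the flows that violate policy, with the reason for each."""
    return [(f, reason) for f in flows if not (result := evaluate(f))[0]
            for reason in [result[1]]]


if __name__ == "__main__":
    sample = [
        Flow("plc-01", "sensor-101", "modbus"),          # allowed
        Flow("hmi-01", "plc-01", "s7comm"),              # allowed
        Flow("jump-01", "hmi-01", "rdp"),                # allowed: via jump server
        Flow("laptop-it-17", "jump-01", "rdp"),          # allowed: IT to level 3
        Flow("laptop-it-17", "hmi-01", "rdp"),           # denied: skips the boundary
        Flow("teamviewer-relay", "hmi-01", "teamviewer"),  # denied: internet to HMI
        Flow("jump-01", "plc-01", "modbus"),             # denied: control from level 3
    ]
    for flow, reason in audit(sample):
        print(f"DENY {flow.src} -> {flow.dst} ({flow.proto}): {reason}")
```

The Florida water incident above is the `teamviewer-relay -> hmi-01` case: a remote-access tool reaching Level 2 from outside the plant, which this policy denies before the protocol or credentials are even considered.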
IT vs. OT
Logs and monitoring
Logs coming from Operational Technology (OT) systems vary depending on the type of
OT device and the software it uses. However, some common fields you might encounter
include:

• Timestamp: This records the date and time the event occurred.
• Device ID: Identifies the specific OT device that generated the log entry.
• Event Type: This describes the type of activity that happened, such as "Start-up,"
"Shutdown," "Error," or "Security Event."
• Event Description: Provides more details about the event, potentially including
error codes, specific values measured by sensors, or actions taken by the system.
• User: If the OT system allows user logins, this field might identify the user
associated with the logged event.
• Data Values: For sensors and monitoring systems, logs might include actual data
point values like temperature, pressure, flow rate, etc.
• Configuration Changes: Logs might track changes made to device settings or
configurations.
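The fields above are what a detection rule has to work with. As an added example (not from the original notes and not any vendor's format), the following parses constructed OT log lines that carry those fields in a key=value layout and flags the kind of change seen in the Florida water incident: a configuration change that pushes a setpoint outside its engineering limits, a large step relative to the previous value, or a change made over a remote session. The log format, tag name, limits and every sample line are constructed for illustration; real PLC and HMI log formats differ.

```python
"""Parse OT log lines with the common fields listed above and flag risky
setpoint changes.

Added example. The key=value format, the NaOH_ppm tag, the engineering
limits and all sample lines are constructed; they do not come from any
real device or from the original notes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log: timestamp, device ID, event type, then free fields.
SAMPLE_LOG = """\
2024-03-01T08:15:02Z device=plc-01 type=Start-up desc="controller cold start"
2024-03-01T08:16:10Z device=hmi-01 type=Data tag=NaOH_ppm value=100.0
2024-03-01T09:02:44Z device=hmi-01 type=ConfigChange user=operator session=console tag=NaOH_ppm old=100.0 new=105.0
2024-03-01T13:30:12Z device=hmi-01 type=ConfigChange user=operator session=remote tag=NaOH_ppm old=105.0 new=11100.0
2024-03-01T13:31:05Z device=plc-01 type=Error desc="dosing pump P-2 over range"
"""

# Constructed engineering limits per tag: (low, high). In practice these come
# from the process engineers, not from the security team.
TAG_LIMITS: dict[str, tuple[float, float]] = {"NaOH_ppm": (50.0, 150.0)}
# A change larger than this factor relative to the previous value is suspicious
# even if it lands inside the limits.
MAX_STEP_RATIO = 10.0

# key=value, where value is either a quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Event:
    timestamp: datetime
    device_id: str
    event_type: str
    fields: dict[str, str]


@dataclass
class Alert:
    rule: str
    event: Event
    detail: str


def parse_line(line: str) -> Event:
    """Split one log line into the common fields plus the remaining key=value pairs."""
    ts_str, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return Event(ts, fields.pop("device"), fields.pop("type"), fields)


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events: list[Event]) -> list[Alert]:
    """Apply three rules to every ConfigChange event that touches a known tag."""
    alerts: list[Alert] = []
    for ev in events:
        if ev.event_type != "ConfigChange" or "tag" not in ev.fields:
            continue
        tag = ev.fields["tag"]
        old, new = float(ev.fields["old"]), float(ev.fields["new"])
        low, high = TAG_LIMITS.get(tag, (float("-inf"), float("inf")))
        if not low <= new <= high:
            alerts.append(Alert("out_of_range", ev,
                                f"{tag} set to {new} outside [{low}, {high}]"))
        if old > 0 and new / old > MAX_STEP_RATIO:
            alerts.append(Alert("large_step", ev, f"{tag} jumped {old} -> {new}"))
        if ev.fields.get("session") == "remote":
            alerts.append(Alert("remote_change", ev,
                                f"{tag} changed over a remote session by {ev.fields.get('user')}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.event.timestamp.isoformat()} {a.event.device_id} [{a.rule}] {a.detail}")
```

The 09:02 change (100 to 105 over the console) produces no alert; the 13:30 change trips all three rules. The `out_of_range` rule is the one a safety engineer would want on the PLC itself as a hard limit, not only in the SIEM; the `remote_change` rule is the one that would have fired during the Florida incident, where the legitimate user account did the damage.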

Where do these logs come from?

• Embedded Software: Many OT devices like PLCs and sensors have built-in
software that tracks system events and operational data. This software generates
logs and stores them on the device itself or transmits them to a central logging
server.
• Operating Systems: Some OT devices run on dedicated operating systems that log
system activity, including startup/shutdown events, resource usage, and potential
errors.
• Applications: Specific software applications used for monitoring and control within
OT systems might generate their own logs. These could track user actions,
configuration changes, or data acquisition details.
• OT monitoring platforms (e.g., Nozomi Networks, Dragos): passive network sensors
that reconstruct asset inventories and protocol activity from traffic, which matters
because many field devices produce no usable logs of their own.
Systems (Nozomi and Dragos)
Dragos
• Asset Visibility: automatically discover and profile all assets in OT environments.
• Risk-Based Vulnerability Management: vulnerability analysis corrected and enriched
with OT context (what is actually reachable and what the operational impact of
patching would be), rather than raw CVE lists.
• Threat Detection: threat intelligence on OT-focused adversaries integrated into the
Dragos Platform.

How to respond to an OT threat?

Automated incident response playbooks (like the ones offered by Dragos) can isolate
infected devices, contain the spread of threats, and minimize downtime. The OT caveat:
isolating a device that is actively controlling a process can itself create a safety event, so
containment actions are usually gated on operator approval and the plant's safety
procedures rather than executed blindly as they would be on an IT endpoint.
