OT, ICS and SCADA Security: Cyber Attacks on Industrial Control Systems and Defense

Quick answer: OT (Operational Technology) is the systems that control the physical processes of a factory, power plant or water treatment facility, and ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) are the most common forms of this category. These systems carry out work that has real physical consequences in the world, opening and closing a valve, stopping a production line, or managing a power grid, so a cyber attack here means not just data loss but production stoppage, equipment damage and even a safety risk. The core difference that separates OT security from IT (Information Technology) security is that the priority is not confidentiality but continuity, a production line cannot be stopped within seconds. Industrial control systems were historically designed to be isolated (air gapped), but digital transformation has increasingly connected them to IT networks and the internet, creating an attack surface that did not exist before. Defense is provided by network segmentation (the Purdue model), knowing the security weaknesses of legacy industrial protocols (Modbus, DNP3), building an asset inventory, and setting up a security program aligned with standards like IEC 62443.

A factory's production line or a power facility's control room is a world most people do not associate with cyber security, but it is increasingly becoming one of the most critical targets. We covered the general framework of enterprise firewalls and network security in enterprise firewall selection, NGFW guide and container and modern infrastructure security in container and Kubernetes security. This article addresses an entirely different world, the security of industrial control systems.

The difference between OT, ICS and SCADA

These three terms are often confused, but there is a clear hierarchy among them.

  • OT (Operational Technology). The broadest category. All hardware and software that monitors or controls physical processes, covering everything from a sensor in a factory to turbine control in a power plant.
  • ICS (Industrial Control Systems). A subset of OT, systems that control industrial processes. PLC (Programmable Logic Controller), DCS (Distributed Control System) and SCADA are the core components of ICS.
  • SCADA (Supervisory Control and Data Acquisition). A type of ICS, generally used to monitor and control geographically dispersed infrastructure (a power grid, a water distribution network, a pipeline) from a central point.

Knowing this distinction matters, because each has a somewhat different risk profile, but all share the same basic security principles.

Why it is an entirely different world from IT security

In information technology (IT) security, the priority order is usually confidentiality, integrity and availability, in that order. In the OT world this order is almost reversed, availability and continuity come first, then integrity, and confidentiality last. Stopping a production line for a few hours for a "security update" means a loss of millions in production, and in some facilities stopping it is physically dangerous (an uncontrolled halt of a chemical process or a power plant).

This difference in priority means IT's standard solutions cannot be applied directly to OT. Patching immediately when a vulnerability appears is routine in IT but can cause a production stoppage in OT. Restarting a device is an ordinary operation in IT but means a process is physically interrupted in OT. So OT security requires not copying IT security practices but its own approach.

The design flaw of industrial protocols

Modbus, DNP3 and similar industrial communication protocols were designed decades ago with security never in mind. At the time these systems were assumed to operate entirely isolated (air gapped), an external attacker was never accounted for. As a result, most of these protocols have no authentication and no encryption.

In practice this means, if an attacker gains access to the network once, they can send a command to a device using these legacy protocols without any authentication required. A command like "open this valve" or "stop this motor" to a PLC, if there is access to the network traffic, is usually accepted without passing through any authorization check. This design flaw is still widespread in decades old industrial infrastructure and cannot be changed in the short term, because changing these protocols requires a complete hardware refresh.

Concept IT (information technology) OT (operational technology)
Priority Confidentiality, integrity, availability Availability, integrity, confidentiality
Patching Frequent and fast Rare, carefully planned window
Device lifespan 3 to 5 years 15 to 25 years
Protocol security Modern, encrypted Often unencrypted, unauthenticated
Consequence of an incident Data loss, privacy breach Production stoppage, physical damage, safety risk

Why they are no longer isolated

Industrial control systems were historically designed to operate entirely isolated (air gapped) from the outside world, and for a long time this isolation provided a real security layer. But digital transformation changed this. Needs like remote monitoring, predictive maintenance and efficiency analytics increasingly connected OT systems to the corporate IT network and the internet.

This connectivity creates real business value, an engineer can monitor a facility remotely, a failure can be predicted in advance. But it also opens an old world, designed with security never in mind, to a modern attack surface. An attacker no longer has to physically enter the facility, they can reach the OT network with a pivot from the corporate network. We also covered the general importance of external attack surface and network segmentation in external attack surface and OSINT.

Defense, the Purdue model and network segmentation

The core architecture of OT security is a layered approach known as the Purdue model. This model places clear layers and tightly controlled crossing points between the corporate IT network and the OT network. The idea is simple, an attacker on the corporate network should not be able to directly reach the devices controlling the production line, there must be monitored, limited and observed crossing points between them.

In practice this is achieved with network segmentation. The corporate IT network and the OT network are physically or logically separated, traffic between them passes through a firewall and strict rules. The OT network itself is also layered, for example the supervisory (SCADA) layer is isolated from the direct control (PLC) layer. This segmentation makes it far harder for an attacker, even if they compromise the corporate network, to reach the production process directly.

Defense, asset inventory and visibility

Just as in the IT world, in OT too the one thing you cannot protect is what you do not know exists. Many facilities do not know exactly which devices, which versions and which connections are on their network, because these systems have been added layer by layer over years and there is usually no complete documentation.

Building an OT asset inventory removes this invisibility. Which devices are on the network, which protocols they speak and how they communicate with each other are determined. Without this inventory, when a vulnerability is announced you cannot even know whether it affects you. Also, passively monitoring the traffic on the OT network (active scanning is generally considered risky, because legacy devices can be fragile against unexpected commands) allows unusual behavior to be detected early.

Defense, IEC 62443 and patch management

OT security now has its own international standard, IEC 62443. This standard defines security levels for industrial control systems, zoning and communication channel requirements, and how to set up a security management program. An organization can use this standard as a reference to build a realistic, OT specific security program.

Patch management is a particularly sensitive matter in OT. When a vulnerability appears, instead of patching immediately as in IT, it should first be tested for whether the patch affects the production process, then applied in a planned maintenance window. On some legacy devices a patch does not exist at all, in that case compensating controls, for example isolating that device with an additional network segment, are the only solution.

OT security checklist

An industrial facility can assess its OT security with these items.

  • Do you have a current inventory of all OT/ICS devices on your network?
  • Is there clear segmentation (the Purdue model) between the corporate IT network and the OT network?
  • Is traffic on the OT network monitored, at least passively?
  • Are you aware of the unauthenticated risks of legacy industrial protocols (Modbus, DNP3) and are there compensating controls?
  • Is patch management run through a planned process that considers production continuity?
  • Has a security maturity assessment been done against a standard like IEC 62443?
  • Is remote access to the OT environment provided with strict authentication and limited privilege?
  • Is there an OT security incident response plan, and does it also cover production continuity?

A facility that completes this list acknowledges both the reality of legacy systems and builds defense against modern threats. At DSET we audit industrial control systems with this framework, without disrupting production continuity.

Frequently Asked Questions

If an OT system is never connected to the internet, is it completely safe? It is safer but not completely. A USB drive, a laptop connected for maintenance, or a supplier connection can affect even an isolated system. Physical and process controls are still needed.

Can IT security tools be applied directly to OT systems? Usually no, caution is needed. An active vulnerability scan can crash an old and fragile PLC. OT specific, passive monitoring and careful testing approaches should be preferred.

Can a small manufacturing facility also be a target? Yes. Attackers do not always target large infrastructure, a small facility in the supply chain can be used as a pivot point to reach a bigger target.

Is compliance with IEC 62443 mandatory? It varies by sector and country, in some critical infrastructure sectors it can be a regulatory requirement. Even if not mandatory, IEC 62443 offers a good reference framework and raises OT security maturity.

Sources

To audit your industrial control systems (OT, ICS, SCADA) against cyber threats and build security without disrupting production continuity, contact DSET.