The SANS poster clearly outlines why Industrial Control System (ICS) and Operational Technology (OT) security must be treated differently from traditional IT security. While both domains fall under cybersecurity, their missions, priorities, risk profiles, and operational realities are fundamentally different.
Different Missions: Data vs Physical Processes
The most important distinction is mission.
- IT security focuses on protecting digital data and business applications.
- ICS/OT security focuses on protecting physical processes, human safety, and engineering operations.
IT protects information systems.
ICS protects systems that control electricity grids, water treatment plants, manufacturing lines, pipelines, and other critical infrastructure.
The poster emphasizes that in ICS environments, cybersecurity failures can result in:
- Physical damage
- Environmental impact
- Injury or loss of life
- Regional service disruption
This shifts the security conversation from “data breach” to “physical consequence.”
The Security Triad Is Prioritized Differently
The poster visually compares the CIA triad priorities for IT and ICS:
IT Priority Order:
- Confidentiality
- Integrity
- Availability
ICS/OT Priority Order:
- Safety
- Integrity of engineering commands
- Availability of operational processes
- Confidentiality (lower relative priority)
Confidentiality is still relevant in ICS, but it is not the primary objective. Safety and operational reliability come first.
ICS Environments Have Unique Technical Constraints
The poster identifies several unique considerations for ICS security:
- Nontraditional and proprietary protocols
- Embedded or purpose-built operating systems
- Legacy devices that cannot easily be patched
- Long lifecycle equipment (5–10+ year upgrade cycles)
- Fewer maintenance windows
- Heavy reliance on vendor support
- Outdoor and extreme environments
In contrast, IT environments:
- Use commercial off-the-shelf hardware/software
- Patch frequently
- Upgrade every 2–3 years
- Support large numbers of unpredictable users
These structural differences drive different defensive approaches.
Security Controls Cannot Be “Copy-Pasted” from IT to ICS
One of the poster’s strongest messages is that traditional IT controls cannot be directly applied to ICS without adaptation.
Examples from the poster:
- Network IDS vs IPS
- In IT, intrusion prevention systems (IPS) block traffic.
- In ICS, blocking legitimate control traffic can disrupt physical processes.
- Therefore, ICS environments favor alerting via IDS rather than automated blocking.
- Vulnerability Scanning
- Active scanning is common in IT.
- In ICS, active scanning can crash legacy devices.
- Passive methods are often safer.
- Patching
- IT: monthly, automated patch cycles.
- ICS: infrequent, carefully tested patch windows.
- Patching decisions must consider operational risk and safety impact.
- Endpoint Protection
- IT: signature and behavior-based detection.
- ICS: allowlisting is often more appropriate due to static environments.
The poster repeatedly reinforces that ICS controls must prioritize operational continuity and safety over aggressive automation.
Incident Impact Is Fundamentally Different
The poster contrasts incident impact potential:
- IT Incident Impact:
- Data corruption
- Business system downtime
- Data loss
- ICS Incident Impact:
- Loss of control of physical process
- Critical infrastructure disruption
- Equipment damage
- Safety events
- Potential loss of life
This distinction reframes response strategy. In IT, containment may mean immediate isolation. In ICS, isolation may create unsafe process conditions.
The Purdue Model and Segmentation Are Central
The poster highlights adherence to the Purdue Model (Levels 0–5) for ICS network segmentation.
ICS networks prioritize:
- Strict segmentation from IT
- Enforcement boundaries
- DMZs between IT and OT
- Layered firewall deployment
- Monitoring at choke points
The IT/OT boundary is critical. Direct internet access below Level 4 is discouraged. Remote access requires:
- Multi-factor authentication
- Jump hosts
- Dedicated ICS DMZs
- Strict monitoring
Segmentation is foundational in ICS architecture.
Convergence Requires Blended but Specialized Skillsets
The poster discusses IT/OT convergence in two dimensions:
- Technology convergence
- Security team convergence
While IT and OT teams are increasingly working together, the poster stresses that ICS defenders must be trained in:
- ICS protocols
- Engineering systems
- Safety culture
- Process awareness
- ICS-specific monitoring tools
ICS security requires domain-specific knowledge beyond traditional IT security expertise.
Safety Culture Is Core to ICS Security
A unique section highlights safety culture and training in industrial environments.
ICS environments commonly include:
- Safety drills
- Stop-work protocols
- PPE requirements
- Engineering oversight
- Environmental safeguards
Security actions must align with this safety-first mindset. False positives in ICS are not just inconvenient. They can cause unsafe conditions.
The Future of ICS Security
The poster closes with a strong message:
- IT security practices can inform ICS security.
- But direct replication is dangerous.
- ICS security must be adapted to protect safety and physical assets.
- The community must prioritize reliability and human life.
Continued Reading
