Introduction to the World of OT/ICS (TryHackMe)
Introduction to OT/ICS Cyber Security
Welcome to the world of securing Operational Technology (OT) and Industrial Control Systems (ICS) against cyberattacks!
Most people are familiar with Information Technology (IT) systems, which they interact with daily:
Laptops and workstations for completing spreadsheets, writing documents, and playing games.
Servers that store our files and provide services the business needs to operate.
Websites we visit to do our jobs, learn, buy something, or waste time.
Smartphones that we can do all of these things from, and so much more!
And yet, many are unaware of the hidden world of Operational Technology (OT) and Industrial Control Systems (ICS) that provide the critical services we rely on in our daily lives.
How does cyber security work in a power plant to prevent an attack from causing a blackout?
Do power plants even have computers?
Surely they must, right? But, if they do, how are those computers used to generate electricity?
And how do we protect critical infrastructure, such as power plants, from cyberattacks?
Learning Objectives
In this first room, you will:
Learn the differences between IT and OT/ICS
Be able to explain the basics of how an OT environment works
Understand the main OT systems that are found in critical infrastructure such as power plants, water treatment facilities, and manufacturing plants
See the role human operators play in these types of specialized environments
Comprehend the basics of how cyber security is essential to safe, reliable operations in critical infrastructure
Prerequisites
While there are no formal prerequisites for this room, we do recommend taking the Presecurity path to have a basic understand of various IT concepts that are mentioned in this room.
What is OT/ICS?
Operational Technology (OT)
Operational Technology (OT) is the use of computers to monitor and control physical equipment and processes in the real world.
Such processes could include:
A generator inside a power plant that spins to create electricity.
A conveyor belt that moves parts within a manufacturing plant.
Computers that operate medical equipment such as MRI and CT scanners.
Safety systems that prevent a train from overturning when taking a curve too fast.
Building management systems that control elevators, badged door access, HVAC, and lighting.
Embedded computers in cars control systems such as engine control, Anti-lock Braking Systems (ABS), and Electronic Stability Control (ESC).
Industrial Control Systems (ICS)
Industrial Control Systems (ICS) are a specific type of OT system found in industrial environments.
Industrial environments include:
Power plants
Oil refineries
Steel mills
Food packaging facilities
Pharmaceutical manufacturing
Water treatment plants
Environments such as hospitals and cars are not considered industrial environments. Systems that are used in these environments to monitor and manage physical equipment and processes are only considered OT, not ICS, though you’ll find people often use the term interchangeably.
Supervisory Control and Data Acquisition (SCADA)
Supervisory Control and Data Acquisition (SCADA) is a type of ICS used over a wide-area network to monitor and control remote equipment and processes. Examples of wide-area network connections include 5G cellular connections, microwave radio links, and satellite connections.
SCADA is used to monitor and control equipment in remote environments that can only be reached with WAN technologies, such as:
Electric substations
Offshore oil rigs
Pipeline pumping stations
Offshore wind farms
Remote solar farms
Other terms you might hear that refer to different specific types of OT include Cyber-Physical Systems (CPS), Industrial Automation and Control Systems (IACS) / Automation and Control Systems (ACS).
In this room, the term OT is used to represent all of these other terms, including ICS and SCADA.
Answer the questions below
What does the 'O' in OT stand for? Operational
What does the 'C' in ICS stand for? Control
How Does OT/ICS Work?
What Does OT Do?
OT monitors and controls physical processes and equipment in the real world.
For example, if I have a power plant, the plant itself uses ICS to monitor and control the process of generating electricity. At a water treatment facility, ICS would be used to monitor and control the process of making water safe to drink and delivering it to customers.
Programmable Logic Controllers (PLCs)
OT systems, such as Programmable Logic Controllers (PLCs), the most common type of OT asset deployed today, have both inputs and outputs.
Think of a PLC as a thermostat for an air conditioner you might have at your home or office. This thermostat has a sensor that continually reads the temperature to determine the room temperature. A PLC is programmed with logic so that if the room temperature exceeds the desired temperature, also referred to as the setpoint, it will send a signal to turn on the air conditioning unit.
Inputs
Inputs are pathways that bring data into the PLC from sources such as sensors that monitor conditions in a particular environment. Common types of sensors include, but are not limited to:
Measure the temperature inside a furnace
Measure how full an oil storage tank is
Detect if a dangerous overpressure situation is occurring
Detect changes in vibration patterns to identify physically failing equipment that needs to be replaced
Outputs
Outputs are pathways that allow the system to send signals to physical systems in the real world, such as pumps, valves, and motors. In our example of an air conditioning unit, once the thermostat determines that the room has reached the desired temperature, it sends a signal via an output to turn off the air conditioning unit.
We will discuss PLCs and other OT/ICS assets in greater detail in later rooms.
Answer the questions below
When a PLC needs to send a signal to turn off a motor in the real world, it sends a signal through what type of connection? Output
What source provides the environmental data that inputs feed into a PLC? Sensor
What is OT/ICS Cyber Security?
Where Does Cyber Risk Come From in OT/ICS?
Modern OT/ICS environments leverage traditional IT technologies, such as Ethernet, TCP/IP, cloud-based services, and GenAI, to improve performance and efficiency in plants and factories. While these technologies bring significant business advantages to the environment, each also introduces vulnerabilities that attackers and other types of cyber security risks could exploit.
IT vs. OT Infrastructure Comparison
But it's also important to keep in mind how IT and OT assets, and other infrastructure, are different.
Feature | IT Infrastructure | OT Infrastructure |
Primary Focus | Managing data and information | Managing physical processes and machinery |
Top Priority | Confidentiality | Safety (human & environmental) |
Asset Lifespan | Short (3 - 5 years). Hardware is often replaced | Long (10 - 30+ years). Legacy systems are very common |
Patching | Regular, scheduled updates are standard | Difficult or rare; requires expensive downtime |
Response to Failure | Rebooting is acceptable | Rebooting can cause safety issues or physical damages |
OT assets, such as PLCs, are now assigned IP addresses to connect to the OT network and communicate with other systems. For example, a Human Machine Interface (HMI) is a graphical interface used by human operators to monitor a physical process, which is in turn controlled by a PLC. The human operator uses the HMI not only to visually monitor how the process is operating, but also to make adjustments, such as in response to an alert.
What type of damage could an attacker do if they gained access to a plant network and accessed an HMI?
What Could Happen?
Could they:
Stop power generation to create a blackout?
Poison water in a water treatment facility?
Cause systems to physically break down?
Prevent food from being packaged safely and sent to stores?
All of these types of scenarios can happen, and so many others. In fact, the situations listed above are just a small list of the types of OT/ICS cyber security incidents that have already happened.
Cyber Security is a Necessity in OT/ICS
OT/ICS cyber security is necessary to ensure the safety and availability of OT/ICS environments. As the number of cyber-attacks targeting OT/ICS networks (and the connected IT networks) has nearly doubled each year since the Colonial Pipeline incident(opens in new tab) in 2021, defenders of these specialized environments are woefully underprepared to defend OT against attackers. But it is possible, and it doesn’t have to be hard!
Answer the questions below
What type of system is used by a human operator to interact with a PLC and control a physical process in the real world? Human Machine Interface
Which 2021 incident marked a turning point for OT/ICS security, after which annual cyberattacks against these networks doubled? Colonial Pipeline
Differences Between OT & IT Cyber Security
IT and OT Cyber Security Have More in Common Than They Don't!
Many OT cyber security professionals might tell you that OT and IT cyber security have nothing in common. But that is the furthest thing from the truth. OT and IT cyber security actually have much more in common than they don’t.
What is critical is to understand where OT and IT cyber security are different and how they are different. Because if you are not aware of those differences, you could get someone hurt or killed, let alone take down a plant in the middle of operations.
IT Cyber Security
In IT cyber security, the primary requirements are formed by the C-I-A triad.
OT Cyber Security
In OT cyber security, many say the requirements are reversed, so we now have an A-I-C triad. Unfortunately, this formula leaves out the most important requirement in OT cyber security – physical safety. We must ensure that not only do on-site employees go home safe at the end of the day without getting hurt or killed, but that the general public and the environment surrounding the plant are not harmed as well.
Every action we take to defend OT/ICS networks from cyberattacks focuses first on ensuring physical safety, then on operational availability of the site, the integrity of its data, and, finally, confidentiality. In many OT/ICS environments focused solely on safety and operational availability, OT/ICS networks often lack encryption!
How IT and OT Cyber Security Compare
The following table highlights some of the significant differences between IT and OT cyber security.
Security Task | IT Environment (Back Office) | OT Environment (Factory/Plant) |
Patch Management | Automatic/Frequent (patches are rolled out almost as soon as they are released) | Planned/Rare (patching requires halting production which occurs rarely (e.g., once a year) in scheduled maintenance windows.) |
Vulnerability Scanning | Active Scanning (networks can be probed for existing vulnerabilities) | Passive Monitoring (active scanning with tools like Nmap and Nessus can cause OT assets to crash) |
Incident Response | Isolate & Reboot (If a system is compromised, we wipe it and reinstall) | Keep it Running (OT systems cannot simply be isolated or rebooted without introducing safety and operational availability issues) |
Network Encryption | Almost Everything (Almost all network traffic in IT networks is encrypted to ensure confidentiality) | Very Low (Most OT/ICS protocols do not support encryption; while newer protocols do, most plants continue to favor older unencrypted ones) |
Answer the questions below
What is the most important requirement for OT/ICS cyber security? Safety
What do many OT environments not leverage? Encryption
What a Human Operator Sees in OT Environments
Bringing It All Together
In this task, you will access the Human Machine Interface (HMI) for a specific type of OT/ICS environment. You will use the interface and information presented to think and respond as a human operator would in this environment. Open the static site by clicking the View Site button in the upper right corner and then proceed to solve the questions below.
Answer the questions below
Based on a review of the HMI, what type of environment is this? ICS
When you first look at the HMI, what is the current percentage level indicated by the tank level sensor? 65
Click on the START button to turn on the pump to bring more water into the tank. At what percentage level do you first receive an alert in a yellow warning banner? 85
Continue to allow water to flow into the tank. At what percentage level does the control system realize there is danger and shuts off the pump bringing water into the tank? 95
With the pump stopped, click OPEN on the valve on the outtake pipe. What happens to the water level in the tank? The water level <fill in the blank>. Lowers
Conclusion
Nice job getting started on learning how to protect OT and ICS environments from cyberattacks!
In this room, you learned about the differences between IT and OT, how ICS and SCADA systems are part of OT, how OT cyber security can be similar but different from IT, and the important role human operators play in OT environments.
This room was created by the incredible Mike Holcomb. You can find more information on his work here.
