# Introduction to the World of OT/ICS (TryHackMe)

### Introduction to OT/ICS Cyber Security

Welcome to the world of securing **Operational Technology (OT)** and **Industrial Control Systems (ICS)** against cyberattacks!

Most people are familiar with Information Technology (IT) systems, which they interact with daily:

*   Laptops and workstations for completing spreadsheets, writing documents, and playing games.
*   Servers that store our files and provide services the business needs to operate.
*   Websites we visit to do our jobs, learn, buy something, or waste time.
*   Smartphones that we can do all of these things from, and so much more!

And yet, many are unaware of the hidden world of Operational Technology (OT) and Industrial Control Systems (ICS) that provide the critical services we rely on in our daily lives.

*   How does cyber security work in a power plant to prevent an attack from causing a blackout?
*   Do power plants even have computers?
*   Surely they must, right? But, if they do, how are those computers used to generate electricity?
*   And how do we protect critical infrastructure, such as power plants, from cyberattacks?

## **Learning Objectives**

In this first room, you will:

*   Learn the differences between IT and OT/ICS
*   Be able to explain the basics of how an OT environment works
*   Understand the main OT systems that are found in critical infrastructure such as power plants, water treatment facilities, and manufacturing plants
*   See the role human operators play in these types of specialized environments
*   Comprehend the basics of how cyber security is essential to safe, reliable operations in critical infrastructure

## **Prerequisites**

While there are no formal prerequisites for this room, we do recommend taking the [Presecurity path](https://tryhackme.com/path/outline/presecurity) to have a basic understanding of the various IT concepts mentioned in this room.

### What is OT/ICS?

## **Operational Technology (OT)**

**Operational Technology (OT)** is the use of computers to monitor and control physical equipment and processes in the real world.

Such processes could include:

*   A generator inside a power plant that spins to create electricity.
*   A conveyor belt that moves parts within a manufacturing plant.
*   Computers that operate medical equipment such as MRI and CT scanners.
*   Safety systems that prevent a train from overturning when taking a curve too fast.
*   Building management systems that control elevators, badged door access, HVAC, and lighting.
*   Embedded computers in cars that run systems such as engine control, Anti-lock Braking Systems (ABS), and Electronic Stability Control (ESC).

![OT Examples](https://tryhackme-images.s3.amazonaws.com/user-uploads/66c44fd9733427ea1181ad58/room-content/66c44fd9733427ea1181ad58-1775565960327.png)

## **Industrial Control Systems (ICS)**

**Industrial Control Systems (ICS)** are a specific type of OT system found in industrial environments.

Industrial environments include:

*   Power plants
*   Oil refineries
*   Steel mills
*   Food packaging facilities
*   Pharmaceutical manufacturing
*   Water treatment plants

![Industrial Control Systems Examples](https://tryhackme-images.s3.amazonaws.com/user-uploads/66c44fd9733427ea1181ad58/room-content/66c44fd9733427ea1181ad58-1775565960455.png)

Environments such as hospitals and cars are not considered industrial environments. Systems used in these environments to monitor and manage physical equipment and processes are therefore only OT, not ICS, though you’ll find people often use the terms interchangeably.

## **Supervisory Control and Data Acquisition (SCADA)**

**Supervisory Control and Data Acquisition (SCADA)** is a type of ICS used over a wide-area network to monitor and control remote equipment and processes. Examples of wide-area network connections include 5G cellular connections, microwave radio links, and satellite connections.

SCADA is used to monitor and control equipment in remote environments that can only be reached with WAN technologies, such as:

*   Electric substations
*   Offshore oil rigs
*   Pipeline pumping stations
*   Offshore wind farms
*   Remote solar farms

![SCADA Infrastructure Examples](https://tryhackme-images.s3.amazonaws.com/user-uploads/66c44fd9733427ea1181ad58/room-content/66c44fd9733427ea1181ad58-1775565960818.png)

Other terms you might hear for specific types of OT include Cyber-Physical Systems (CPS), Industrial Automation and Control Systems (IACS), and Automation and Control Systems (ACS).

In this room, the term OT is used to represent all of these other terms, including ICS and SCADA.

### Answer the questions below

What does the 'O' in OT stand for? `Operational`

What does the 'C' in ICS stand for? `Control`

### How Does OT/ICS Work?

## **What Does OT Do?**

OT monitors and controls physical processes and equipment in the real world.

For example, if I have a power plant, the plant itself uses ICS to monitor and control the process of generating electricity. At a water treatment facility, ICS would be used to monitor and control the process of making water safe to drink and delivering it to customers.

## **Programmable Logic Controllers (PLCs)**

OT systems, such as Programmable Logic Controllers (PLCs), the most common type of OT asset deployed today, have both inputs and outputs.

![PLC Example](https://tryhackme-images.s3.amazonaws.com/user-uploads/66c44fd9733427ea1181ad58/room-content/66c44fd9733427ea1181ad58-1775560500937.png)

Think of a PLC as a thermostat for an air conditioner you might have at your home or office. This thermostat has a sensor that continually reads the temperature to determine the room temperature. A PLC is programmed with logic so that if the room temperature exceeds the desired temperature, also referred to as the setpoint, it will send a signal to turn on the air conditioning unit.

## **Inputs**

Inputs are pathways that bring data into the PLC from sources such as sensors that monitor conditions in a particular environment. Common types of sensors include, but are not limited to, sensors that:

*   Measure the temperature inside a furnace
*   Measure how full an oil storage tank is
*   Detect if a dangerous overpressure situation is occurring
*   Detect changes in vibration patterns to identify physically failing equipment that needs to be replaced

## **Outputs**

Outputs are pathways that allow the system to send signals to physical systems in the real world, such as pumps, valves, and motors. In our example of an air conditioning unit, once the thermostat determines that the room has reached the desired temperature, it sends a signal via an output to turn off the air conditioning unit.

We will discuss PLCs and other OT/ICS assets in greater detail in later rooms.

### Answer the questions below

When a PLC needs to send a signal to turn off a motor in the real world, it sends a signal through what type of connection? `Output`

What source provides the environmental data that inputs feed into a PLC? `Sensor`

### What is OT/ICS Cyber Security?

## **Where Does Cyber Risk Come From in OT/ICS?**

Modern OT/ICS environments leverage traditional IT technologies, such as Ethernet, TCP/IP, cloud-based services, and GenAI, to improve performance and efficiency in plants and factories. While these technologies bring significant business advantages to the environment, each also introduces vulnerabilities that attackers could exploit, along with other kinds of cyber security risk.

## **IT vs. OT Infrastructure Comparison**

But it's also important to keep in mind how IT and OT assets, and other infrastructure, are different.

| Feature | IT Infrastructure | OT Infrastructure |
| --- | --- | --- |
| Primary Focus | Managing data and information | Managing physical processes and machinery |
| Top Priority | Confidentiality | Safety (human & environmental) |
| Asset Lifespan | Short (3 - 5 years). Hardware is often replaced | Long (10 - 30+ years). Legacy systems are very common |
| Patching | Regular, scheduled updates are standard | Difficult or rare; requires expensive downtime |
| Response to Failure | Rebooting is acceptable | Rebooting can cause safety issues or physical damage |

OT assets, such as PLCs, are now assigned IP addresses to connect to the OT network and communicate with other systems. For example, a **Human Machine Interface (HMI)** is a graphical interface used by human operators to monitor a physical process, which is in turn controlled by a PLC. The human operator uses the HMI not only to visually monitor how the process is operating, but also to make adjustments, such as in response to an alert.

What type of damage could an attacker do if they gained access to a plant network and accessed an HMI?

![PLC and HMI Overview](https://tryhackme-images.s3.amazonaws.com/user-uploads/66c44fd9733427ea1181ad58/room-content/66c44fd9733427ea1181ad58-1775633247982.png)

## **What Could Happen?**

Could they:

*   Stop power generation to create a blackout?
*   Poison water in a water treatment facility?
*   Cause systems to physically break down?
*   Prevent food from being packaged safely and sent to stores?

**All** of these types of scenarios can happen, and so many others. In fact, the situations listed above are just a small list of the types of OT/ICS cyber security incidents that **have already happened**.

## **Cyber Security is a Necessity in OT/ICS**

OT/ICS cyber security is necessary to ensure the safety and availability of OT/ICS environments. With the number of cyber-attacks targeting OT/ICS networks (and the connected IT networks) nearly doubling each year since the [Colonial Pipeline incident](https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years) in 2021, defenders of these specialized environments are woefully underprepared to defend OT against attackers. But it is possible, and it doesn’t have to be hard!

### Answer the questions below

What type of system is used by a human operator to interact with a PLC and control a physical process in the real world? `Human Machine Interface`

Which 2021 incident marked a turning point for OT/ICS security, after which annual cyberattacks against these networks doubled? `Colonial Pipeline`

### Differences Between OT & IT Cyber Security

## **IT and OT Cyber Security Have More in Common Than They Don't!**

Many OT cyber security professionals might tell you that OT and IT cyber security have **nothing** in common. But that is the furthest thing from the truth. OT and IT cyber security actually have much more in common than they don’t.

What is critical is to understand **where** OT and IT cyber security are different and **how** they are different. Because if you are not aware of those differences, you could get someone hurt or killed, let alone take down a plant in the middle of operations.

## **IT Cyber Security**

In IT cyber security, the primary requirements are formed by the C-I-A triad.

![CIA Triad](https://tryhackme-images.s3.amazonaws.com/user-uploads/66c44fd9733427ea1181ad58/room-content/66c44fd9733427ea1181ad58-1775634014465.png)

## **OT Cyber Security**

In OT cyber security, many say the requirements are reversed, so we now have an A-I-C triad. Unfortunately, this formula leaves out the most important requirement in OT cyber security – physical safety. We must ensure that not only do on-site employees go home safe at the end of the day without getting hurt or killed, but that the general public and the environment surrounding the plant are not harmed as well.

Every action we take to defend OT/ICS networks from cyberattacks focuses first on ensuring physical safety, then on operational availability of the site, the integrity of its data, and, finally, confidentiality. In many OT/ICS environments focused solely on safety and operational availability, OT/ICS networks often lack encryption!

![OT CIA Triad](https://tryhackme-images.s3.amazonaws.com/user-uploads/66c44fd9733427ea1181ad58/room-content/66c44fd9733427ea1181ad58-1775634014643.png)

## **How IT and OT Cyber Security Compare**

The following table highlights some of the significant differences between IT and OT cyber security.

| Security Task | IT Environment (Back Office) | OT Environment (Factory/Plant) |
| --- | --- | --- |
| Patch Management | Automatic/Frequent (patches are rolled out almost as soon as they are released) | Planned/Rare (patching requires halting production, which happens rarely, e.g. once a year, in scheduled maintenance windows) |
| Vulnerability Scanning | Active Scanning (networks can be probed for existing vulnerabilities) | Passive Monitoring (active scanning with tools like Nmap and Nessus can cause OT assets to crash) |
| Incident Response | Isolate & Reboot (if a system is compromised, we wipe it and reinstall) | Keep it Running (OT systems cannot simply be isolated or rebooted without introducing safety and operational availability issues) |
| Network Encryption | Almost Everything (almost all network traffic in IT networks is encrypted to ensure confidentiality) | Very Low (most OT/ICS protocols do not support encryption; while newer protocols do, most plants continue to favor older unencrypted ones) |

### Answer the questions below

What is the most important requirement for OT/ICS cyber security? `Safety`

What do many OT environments not leverage? `Encryption`

### What a Human Operator Sees in OT Environments

## **Bringing It All Together**

In this task, you will access the Human Machine Interface (HMI) for a specific type of OT/ICS environment. You will use the interface and information presented to think and respond as a human operator would in this environment. Open the static site by clicking the `View Site` button in the upper right corner and then proceed to solve the questions below.

### Answer the questions below

Based on a review of the HMI, what type of environment is this? `ICS`

When you first look at the HMI, what is the current percentage level indicated by the tank level sensor? `65`

Click on the **START** button to turn on the pump to bring more water into the tank. At what percentage level do you first receive an alert in a yellow warning banner? `85`

Continue to allow water to flow into the tank. At what percentage level does the control system realize there is danger and shuts off the pump bringing water into the tank? `95`

With the pump stopped, click **OPEN** on the valve on the outtake pipe. What happens to the water level in the tank? The water level `<fill in the blank>`. `Lowers`
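As an added example (not part of the room or its HMI site), the tank task above modelled as the PLC scan cycle described in the inputs/outputs section: the 65% start level, the 85% yellow warning and the 95% automatic pump shutoff come from the room, while the per-scan fill and drain rates, the `TankPLC` class and the interlock latch behaviour are assumptions of this example. It shows why the high-level trip belongs in the PLC logic rather than the HMI: a START request stays asserted, yet the pump cannot run past the trip level.

```python
from dataclasses import dataclass

# 65% start, 85% warning and 95% trip come from the room's HMI task;
# the per-scan fill and drain rates are assumptions of this example.
WARN_HIGH = 85.0    # setpoint: HMI shows a yellow warning banner
TRIP_HIGH = 95.0    # setpoint: high-high interlock, PLC forces the pump off
FILL_RATE = 2.0     # percent per scan while the pump runs (assumed)
DRAIN_RATE = 3.0    # percent per scan while the outlet valve is open (assumed)

@dataclass
class TankPLC:
    level: float = 65.0        # input: tank level sensor (percent)
    pump_cmd: bool = False     # HMI request: START (True) / STOP (False)
    valve_open: bool = False   # HMI request: OPEN (True) / CLOSE (False)
    pump_on: bool = False      # output: pump contactor
    warning: bool = False      # HMI warning banner
    tripped: bool = False      # interlock latch

    def scan(self) -> float:
        """One PLC scan: read the input, solve the logic, write outputs, then let the process respond."""
        if self.level >= TRIP_HIGH:
            self.tripped = True
        # The interlock is solved before the HMI command, so START cannot override it.
        self.pump_on = self.pump_cmd and not self.tripped
        self.warning = self.level >= WARN_HIGH
        if self.pump_on:
            self.level += FILL_RATE
        if self.valve_open:
            self.level -= DRAIN_RATE
        self.level = max(0.0, min(100.0, self.level))
        if self.tripped and self.level < WARN_HIGH:
            self.tripped = False   # latch resets only once back below the warning band
        return self.level

def replay_task(plc: TankPLC, drain_scans: int = 5) -> dict:
    """START the pump until the interlock trips, keep START asserted one more scan, then STOP and OPEN the valve."""
    plc.pump_cmd, first_warn = True, None
    while not plc.tripped:
        reading = plc.level
        plc.scan()
        if plc.warning and first_warn is None:
            first_warn = reading          # level shown when the banner first appears
    plc.scan()                            # START is still asserted; pump must stay off
    pump_runs = plc.pump_on
    plc.pump_cmd, plc.valve_open = False, True
    for _ in range(drain_scans):
        plc.scan()
    return {"warn_at": first_warn, "trip_at": reading,
            "pump_runs_after_trip": pump_runs, "level_after_drain": plc.level}
```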

### Conclusion

Nice job getting started on learning how to protect OT and ICS environments from cyberattacks!

In this room, you learned about the differences between IT and OT, how ICS and SCADA systems are part of OT, how OT cyber security can be similar but different from IT, and the important role human operators play in OT environments.

This room was created by the incredible **Mike Holcomb**. You can find more information on his work [here](https://www.mikeholcomb.com/).
