Purdue model segmentation, safety-first operations, asset inventory, protocol-aware monitoring, and IEC 62443 practices.
Operational Technology (OT) and Industrial Control Systems (ICS) security prioritizes safety and availability over confidentiality, so security controls must be adapted to real-time constraints, legacy protocols, and operational continuity requirements. Security engineers implement defense-in-depth for OT environments through network segmentation, protocol-aware monitoring, and safety-first incident response. Effective OT security balances protection with operational requirements, including uptime, deterministic response times, and safety system integrity.

OT environments differ fundamentally from IT environments in priorities, constraints, and risk profiles. Security controls must be adapted to OT operational realities rather than copied directly from IT security practice.
Purdue Model

The Purdue Model defines a hierarchical network architecture for industrial control systems, with levels from 0 (the physical process) to 5 (the enterprise network), and provides the reference framework for segmentation.

Level 0 contains sensors and actuators. Level 1 contains PLCs and RTUs. Level 2 contains supervisory control and HMIs. Level 3 contains site operations and historians. Level 4 contains site business planning. Level 5 is the enterprise network.

Segmentation between levels prevents lateral movement and protects critical control systems; it is the fundamental OT security control.

Network Isolation

Levels 0 and 1 should be isolated from IT networks, which protects real-time control systems from IT-borne threats.

DMZs between the enterprise and control networks enable controlled data exchange without direct connectivity.

Unidirectional gateways allow data to flow from OT to IT while preventing the reverse direction, providing strong isolation.

Access Control

Strict allow-listing permits only known-good communications and blocks unauthorized connections.

Remote access should be minimized and tightly controlled, since every remote path adds attack surface.

Jump hosts with MFA and session recording provide controlled remote access with monitoring and audit.

VPN access to OT should use infrastructure separate from the IT VPN, so that an IT compromise cannot be extended into OT.
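To make the segmentation and allow-listing rules above concrete, here is an added Python example (not code from the original page) that checks observed flows against a Purdue zone map: every flow must be explicitly allow-listed, may only cross adjacent levels, IT may reach no deeper than the DMZ, and only the unidirectional gateway host may push data upward. All addresses, the use of 3.5 as the DMZ level, and the DATA_DIODE host are constructed assumptions.

```python
"""Purdue-level segmentation checker: evaluates observed flows against zone
adjacency, DMZ and unidirectional-gateway rules. Added example with
constructed addresses; not code from the original page."""
from ipaddress import ip_address, ip_network

# Constructed zone map: which Purdue level each subnet belongs to.
# Level 3.5 is the industrial DMZ between site operations (3) and enterprise (4/5).
ZONES = {
    ip_network("10.0.0.0/24"): 0,     # sensors and actuators
    ip_network("10.0.1.0/24"): 1,     # PLCs and RTUs
    ip_network("10.0.2.0/24"): 2,     # HMIs and supervisory control
    ip_network("10.0.3.0/24"): 3,     # site operations, historian
    ip_network("10.0.35.0/24"): 3.5,  # industrial DMZ
    ip_network("10.10.0.0/16"): 4,    # site business planning
    ip_network("10.20.0.0/16"): 5,    # enterprise network
}
LADDER = [0, 1, 2, 3, 3.5, 4, 5]  # only neighbours on this ladder may talk

# The unidirectional gateway is the only host permitted to push OT data upward.
DATA_DIODE = "10.0.35.5"  # hypothetical address

# Explicit allow-list of known-good flows: (src, dst, dst_port).
ALLOW_LIST = {
    ("10.0.2.10", "10.0.1.5", 502),    # HMI -> PLC, Modbus/TCP
    ("10.0.3.20", "10.0.2.10", 4840),  # historian -> supervisory OPC UA server
    ("10.0.3.20", "10.0.35.5", 443),   # historian -> diode/DMZ replica
    (DATA_DIODE, "10.10.5.5", 443),    # diode -> enterprise historian mirror
    ("10.10.5.5", "10.0.35.5", 443),   # enterprise -> DMZ replica (read side)
}


def level_of(ip):
    """Map an address to its Purdue level, or None if it is in no known zone."""
    addr = ip_address(ip)
    for net, level in ZONES.items():
        if addr in net:
            return level
    return None


def evaluate_flow(src, dst, dst_port):
    """Return violation codes for one flow; an empty list means the flow is acceptable."""
    violations = []
    if (src, dst, dst_port) not in ALLOW_LIST:
        violations.append("NOT_ALLOWLISTED")
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        violations.append("UNKNOWN_ZONE")
        return violations
    if abs(LADDER.index(s) - LADDER.index(d)) > 1:
        violations.append("NON_ADJACENT_LEVELS")    # e.g. enterprise straight to a PLC
    if s >= 4 and d <= 3:
        violations.append("IT_TO_CONTROL")          # IT must stop at the DMZ
    if s <= 3.5 and d >= 4 and src != DATA_DIODE:
        violations.append("OT_TO_IT_BYPASSES_GATEWAY")
    return violations


def audit(flows):
    """Return only the flows that violate policy, with their violation codes."""
    return [(f, evaluate_flow(*f)) for f in flows if evaluate_flow(*f)]


if __name__ == "__main__":
    # Constructed flow summary, e.g. exported from a TAP/SPAN capture.
    observed = [
        ("10.0.2.10", "10.0.1.5", 502),
        ("10.10.5.5", "10.0.1.5", 502),
        ("10.0.35.9", "10.10.5.5", 443),
        ("192.168.1.1", "10.0.1.5", 502),
    ]
    for flow, codes in audit(observed):
        print(flow, "->", ", ".join(codes))
```

Running the block prints only the violating flows. It generalizes the page's rule to any zone map: replacing ZONES and ALLOW_LIST with a site's own addressing turns a firewall export or flow summary into a segmentation audit, and an UNKNOWN_ZONE result is itself a finding, since every address on the control network should belong to an inventoried zone.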
Passive Discovery

Passive network monitoring discovers OT assets without active scanning, which can disrupt OT operations. Passive discovery identifies devices, protocols, and communication patterns, providing visibility.

The asset inventory should record device type, vendor, model, firmware version, and network location; a comprehensive inventory is the basis for risk assessment.

Vendor Bills of Materials

Vendor BOMs document installed components and versions and provide an authoritative inventory. BOMs must be maintained and updated as the system changes; stale BOMs create blind spots.

Configuration Baselines

Configuration baselines document known-good device configurations and enable drift detection. Configuration changes should be tracked and reviewed, since unauthorized changes can indicate compromise. Baselines should be validated periodically to detect drift.

Patch Management

OT patching is constrained by maintenance windows, vendor support, and operational risk, so it cannot follow IT timelines. Maintenance windows may be annual or less frequent, limited by operational requirements. Where patching is infeasible, compensating controls such as network segmentation and monitoring should be used to reduce risk. Patches should be tested thoroughly in non-production environments, because untested patches can cause outages.
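As an added example (not from the original page) of passive discovery and baseline drift detection, the following Python infers an asset inventory from a constructed flow summary, using well-known industrial ports as a protocol heuristic, and then compares firmware versions and configuration fingerprints against a known-good baseline. All addresses, device types, firmware versions, and configuration exports are constructed; a production passive sensor would identify protocols by deep packet inspection rather than by port number alone.

```python
"""Passive asset inventory from a flow summary, plus configuration-baseline
drift detection. Added example with constructed data; not from the original page."""
import hashlib

# Well-known industrial protocol ports used for passive protocol inference.
PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 4840: "OPC UA"}

# Constructed flow records as a passive sensor (TAP/SPAN) would summarise them.
FLOWS = [
    {"src": "10.0.2.10", "dst": "10.0.1.5", "dport": 502},
    {"src": "10.0.3.20", "dst": "10.0.1.7", "dport": 20000},
    {"src": "10.0.3.20", "dst": "10.0.9.77", "dport": 44818},  # not in the baseline
    {"src": "10.0.2.10", "dst": "10.0.3.20", "dport": 22},     # not an ICS protocol
]


def build_inventory(flows):
    """Infer devices, the protocols they serve and who talks to them, without scanning."""
    inventory = {}
    for f in flows:
        proto = PROTOCOL_PORTS.get(f["dport"])
        if proto is None:
            continue  # keep the inventory to industrial services
        server = inventory.setdefault(f["dst"], {"serves": set(), "clients": set()})
        server["serves"].add(proto)
        server["clients"].add(f["src"])
    return inventory


def config_digest(config_text):
    """Stable fingerprint of a device configuration export."""
    return hashlib.sha256(config_text.encode()).hexdigest()


# Constructed known-good baseline: firmware version and config fingerprint per device.
BASELINE = {
    "10.0.1.5": {"type": "PLC", "firmware": "2.1.0",
                 "config_sha256": config_digest("mode=run\nsetpoint=500\nwrite_protect=on\n")},
    "10.0.1.6": {"type": "PLC", "firmware": "2.1.0",
                 "config_sha256": config_digest("mode=run\nsetpoint=480\nwrite_protect=on\n")},
    "10.0.1.7": {"type": "RTU", "firmware": "5.4.2",
                 "config_sha256": config_digest("polling=2s\nunsolicited=off\n")},
}

# Constructed current snapshot: 10.0.1.5 had write protection turned off,
# 10.0.1.7 was re-flashed, and 10.0.1.6 did not appear in the traffic at all.
SNAPSHOT = {
    "10.0.1.5": {"firmware": "2.1.0",
                 "config_sha256": config_digest("mode=run\nsetpoint=500\nwrite_protect=off\n")},
    "10.0.1.7": {"firmware": "5.5.0",
                 "config_sha256": config_digest("polling=2s\nunsolicited=off\n")},
}


def detect_drift(baseline, inventory, snapshot):
    """Report devices that are new, missing, or changed relative to the baseline."""
    observed = set(inventory) | set(snapshot)
    report = {
        "new": sorted(observed - set(baseline)),
        "missing": sorted(set(baseline) - observed),
        "changed": {},
    }
    for host, expected in baseline.items():
        current = snapshot.get(host)
        if current is None:
            continue
        diffs = [k for k in ("firmware", "config_sha256") if current.get(k) != expected[k]]
        if diffs:
            report["changed"][host] = diffs
    return report


if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    for host, info in sorted(inv.items()):
        print(host, sorted(info["serves"]), "clients:", sorted(info["clients"]))
    print(detect_drift(BASELINE, inv, SNAPSHOT))
```

Each of the three report categories maps to a follow-up the text calls for: a new device means the inventory or BOM is stale, a missing device may be offline or simply silent during the capture window, and a changed fingerprint is a configuration change that should already have a change record behind it.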
Industrial Protocol Support

A protocol-aware IDS should support industrial protocols including Modbus, DNP3, Profinet, EtherNet/IP, and OPC, enabling deep inspection. Protocol violations indicate attacks or misconfigurations and should be alerted. Protocol-specific attacks, including command injection and unauthorized writes, should be detected; this requires protocol knowledge.

Anomaly Detection

A baseline of normal operations should be established to enable anomaly detection. Anomalies including unexpected communications, unusual command sequences, and abnormal process values should be detected, as they indicate potential compromise. Time-series analytics detect process anomalies, which may indicate physical attacks.

Monitoring Architecture

Monitoring should use network TAPs or SPAN ports rather than inline devices, because inline monitoring can cause outages. Monitoring must not affect OT network performance; any performance impact is unacceptable. Monitoring data should be sent to a separate security network so that a compromise of the monitored network cannot reach the monitoring.
Log Retention

Log retention should be tuned to incident investigation requirements; OT incidents may go undiscovered for months. Long retention (1+ years) enables historical investigation, while short retention creates blind spots. Log storage must be sized for the retention period, since insufficient storage causes log loss.

Secure Time Synchronization

Accurate time synchronization is critical for correlation and compliance, and time sync should use secure protocols. NTP should be authenticated to prevent time manipulation; unauthenticated NTP enables attacks. Time sources should be redundant and monitored, because a failed time source degrades logging and correlation.

Tamper-Evident Storage

Logs should be kept in tamper-evident storage to prevent log manipulation. Write-once storage or cryptographic signing provides tamper evidence, which is what makes the logs trustworthy.
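The following added Python example (not from the original page) shows one way to obtain the tamper evidence described above through cryptographic chaining: every record carries an HMAC-SHA256 over its own content and the previous record's tag, so editing, reordering, inserting, or deleting a record breaks verification. Tail truncation is the one manipulation the chain alone cannot reveal, which is why the example also verifies against an externally stored head and why write-once storage remains the complement to signing. The key (DEMO_KEY is a placeholder), the events, and the timestamps are constructed.

```python
"""Tamper-evident OT security log: each record carries an HMAC over its own
content plus the previous record's tag, forming a hash chain. Added example
with constructed events; not code from the original page."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record
DEMO_KEY = b"constructed-demo-key-keep-real-keys-in-an-hsm"  # placeholder, not a real secret


def canonical(record):
    """Deterministic JSON encoding so every verifier hashes the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class TamperEvidentLog:
    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, event, ts):
        """Append an event (dict) with timestamp ts; return the record's tag."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "event": dict(event), "prev": prev}
        mac = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        self.entries.append({**body, "mac": mac})
        return mac

    def head(self):
        """Current chain head; store it outside the log (e.g. on write-once media)."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Walk the chain. Returns (True, None) if intact, else (False, bad seq or 'head')."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: rec[k] for k in ("seq", "ts", "event", "prev")}
            if rec["seq"] != i or rec["prev"] != prev:
                return (False, i)  # reordered, inserted or deleted record
            tag = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(tag, rec["mac"]):
                return (False, i)  # content edited after the fact
            prev = rec["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return (False, "head")  # tail truncated: only detectable against the external anchor
        return (True, None)


# Constructed events from a jump-host session and two HMI setpoint writes.
SAMPLE_EVENTS = [
    {"src": "10.0.35.40", "user": "engineer1", "action": "jump_host_login", "mfa": True},
    {"src": "10.0.2.10", "action": "modbus_write", "unit": 1, "reg": 100, "value": 500},
    {"src": "10.0.2.10", "action": "modbus_write", "unit": 1, "reg": 100, "value": 520},
]


def build_sample_log(key=DEMO_KEY):
    log = TamperEvidentLog(key)
    for i, event in enumerate(SAMPLE_EVENTS):
        log.append(event, ts=1700000000 + i)  # fixed timestamps keep the example reproducible
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()
    print("intact:", log.verify(anchor))
    log.entries[1]["event"]["value"] = 1500  # history rewritten after the fact
    print("after edit:", log.verify(anchor))
    log = build_sample_log()
    log.entries.pop()  # the last record is dropped
    print("after truncation, no anchor:", log.verify(), "with anchor:", log.verify(anchor))
```

Two design points matter in practice. The HMAC key must not live on the same host as the log, otherwise whoever can edit records can also re-sign them; a keyed hash held by the collector (or a public-key signature) is what turns a hash chain into evidence. And because the timestamps are inside the signed body, this scheme also makes the time-manipulation risk above auditable: a record whose ts runs backwards is either a time-sync failure or tampering, and either way it is worth an alert.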
Safety-First Containment

Safety is paramount in OT incident response: containment actions must not create safety hazards. Predefined manual overrides enable safe shutdown and should be tested. Incident response procedures should be developed together with operations and safety teams so that the response itself is safe.

Vendor Coordination

OT vendors should be engaged early in incidents, since they hold specialized knowledge of their systems. Vendor contact information should be current and accessible; stale contacts delay response. Vendor response SLAs should be defined in contracts to ensure timely support.

Tabletop Exercises

Tabletop exercises should include operations, safety, and security teams; cross-functional exercises improve coordination. Scenarios should include OT-specific attacks such as controller compromise and safety system manipulation, because realistic scenarios improve preparedness. Exercises should also validate manual override procedures so that they are known to work.

Recovery

Recovery should prioritize safety systems and critical processes to ensure safe operations. System integrity should be validated before restart, so that compromised systems are not brought back into service.
IEC 62443

The IEC 62443 series provides comprehensive OT security standards and is the industry standard for OT security. IEC 62443-3-3 defines system security requirements, which provide the security framework. IEC 62443-4-2 defines component security requirements, which guide procurement. Security levels (SL 1-4) define protection against different threat capabilities and enable risk-based implementation.

NERC CIP

NERC CIP (Critical Infrastructure Protection) standards apply to the bulk electric system and are mandatory for utilities. NERC CIP requirements are comprehensive, covering asset identification, security management, personnel training, electronic security perimeters, and incident response. Compliance is audited, with significant penalties for violations.

Change Management

Change management should include a security review to prevent the introduction of vulnerabilities. Separation of duties should be enforced for changes; SoD prevents unauthorized changes. Emergency changes need an expedited but documented process that balances speed with control. Change testing should be comprehensive, since untested changes cause outages.

Access Reviews

Access to OT systems should be reviewed regularly to ensure least privilege. Privileged access warrants closer scrutiny and should be reviewed more frequently. Access of terminated employees should be revoked immediately; delayed revocation creates risk.

Supply Chain Risk

The OT supply chain includes hardware, software, and services, and each of these creates risk. Vendor security assessments should include OT-specific requirements, which differ from IT requirements. Component authenticity should be verified, because counterfeit components create safety and security risks. Firmware and software should be verified before installation to prevent malicious code.
OT and ICS security requires adapting security controls to operational realities including safety priorities, real-time constraints, and legacy protocols. Security engineers implement defense-in-depth through network segmentation, protocol-aware monitoring, and safety-first incident response.

Success requires collaboration between security, operations, and safety teams, an understanding of OT-specific threats and constraints, and implementation of standards including IEC 62443. Organizations that invest in OT security fundamentals protect critical infrastructure while maintaining safe operations.