Key Takeaways: Securing Operational Technology

A one-page reference. Reread before an exam or before moving on. Dense by design.

OT vs IT — the inversion that drives everything

  Rank  IT priority                        OT priority
  ----  --------------------------------   --------------------------------------------------
  1st   Confidentiality                    Safety (life, limb, environment) — above the triad
  2nd   Integrity                          Availability (the process must run or fail safe)
  3rd   Availability                       Integrity
  4th   (safety rarely a direct concern)   Confidentiality (last)

"Downtime can kill." Every OT control is weighed against the risk of stopping or destabilizing a physical process. The IT reflexes (patch now, scan hard, agent everywhere, force MFA on the device) are often unavailable or unsafe. Critical infrastructure (16 U.S. sectors) runs on OT — and even IT-centric orgs have OT in building management, power, and cooling.

The ICS stack (bottom → top)

  Component      What it is                                                                          Purdue level
  -------------  ----------------------------------------------------------------------------------  ------------
  Field devices  Sensors (measure) + actuators (act): valves, pumps, motors, breakers                0
  PLC            Programmable logic controller: ruggedized, real-time control logic                  1
  RTU            Remote terminal unit: a controller at a remote site, reports over long links        1
  HMI            Human-machine interface: operator screen (usually old Windows/Linux)                2
  SCADA / DCS    Supervisory control & data acquisition: centralizes monitoring of many controllers  2–3
  Historian      Records every reading over time                                                     3
  SIS            Safety instrumented system: independent controller that forces a safe shutdown      (isolated)

Three facts that drive defense: protocols are old and unauthenticated (Modbus/DNP3/etc.) → the network is the access control; equipment lives 20–30 years; determinism/availability is sacred. → Reachability equals control.

The Purdue model + the IDMZ

  L5 Enterprise (corp IT, email, internet)  ┐ IT domain
  L4 Business/site logistics (ERP, sched.)  ┘
  ── L3.5 IDMZ: jump host, historian replica, patch/AV relay ──  (the broker)
  L3 Site ops (SCADA servers, historian, eng WS) ┐
  L2 Area supervisory (HMIs, area SCADA)         │ OT domain
  L1 Basic control (PLCs, RTUs)                  │
  L0 Physical process (sensors, actuators)       ┘
  • THE rule: IT (4–5) and OT (0–3) never communicate directly. Every exchange is brokered through the IDMZ (Level 3.5) — the network DMZ (Ch.6) with the stakes raised.
  • Segmentation in OT is a safety control, not just security. The IT/OT boundary is where critical-infrastructure incidents are won or lost.

Why you can't just patch — and what to do instead

  IT reflex             OT constraint                                           OT-appropriate alternative
  --------------------  ------------------------------------------------------  ------------------------------------------------------------------
  Patch promptly        No vendor fix / no outage window / no validation        Compensating controls (below); patch IT-like hosts in maint. windows
  Scan to find assets   Active scan crashes controllers                         Passive discovery (tap/SPAN)
  EDR agent everywhere  Unsupported OS / vendor voids support / adds latency    Network-based detection; agents only where vendor-approved
  MFA + rotate creds    Device has no user accounts / shared/default creds      Put strong auth on the IDMZ jump host; segment + monitor

Compensating-control toolkit (by leverage): (1) segment harder (remove reachability), (2) monitor passively, (3) broker + strongly authenticate access at the IDMZ, (4) patch only what is safe, in windows. A vuln you cannot reach is largely neutralized.

SIS: the independent last line of physical defense → must be the most isolated, highest-value asset to protect (Triton targeted it). Never relax its segmentation.

Passive OT monitoring

  • Definition: detect/inventory by observing a copy of traffic (network tap or SPAN port); never transmit. A true tap cannot crash a PLC → the only universally safe method.
  • Gives you: (1) safe asset inventory, (2) anomaly detection vs an unusually trustworthy baseline (OT is predictable → first-occurrence is actionable), (3) protocol-aware threat detection.
  • Highest-fidelity alert = any IT→OT boundary crossing (direction, not content). The boundary is the detector. Don't tune OT alerts away like an IT IDS — every anomaly is meaningful.

Real incidents — one lesson each (public-fact level)

  Incident                  Path                                                                 Defensive lesson
  ------------------------  -------------------------------------------------------------------  ----------------------------------------------------------------
  Stuxnet (2010)            Crossed an air gap via removable media; damaged centrifuges          An air gap is a boundary to monitor & enforce, not a guarantee
  Ukraine grid (2015/2016)  Phishing → IT → crossed into OT → opened breakers                    IT compromise becomes OT impact; manual fallback saved recovery
  Triton/Trisis (2017)      Malware targeted the SIS itself                                      Safety system is a security target → isolate & monitor it most
  Colonial Pipeline (2021)  Dormant VPN acct, no MFA → ransomware on IT only → pipeline stopped  IT hygiene = OT security; the boundary's provability decides your options

Air gap = a network presumed safe because it has no connection to others. Treat every air gap as porous.

Certification crosswalk

  Concept                                     CompTIA Security+                              (ISC)² CISSP domain
  ------------------------------------------  ---------------------------------------------  ---------------------------------------------
  OT/ICS/SCADA, embedded/specialized systems  2.0 / 3.0 (architecture, specialized systems)  Security Architecture & Engineering
  Safety vs CIA, availability priority        1.0 General Security Concepts                  Security & Risk Management; Architecture
  Segmentation / Purdue / DMZ                 3.0 Security Architecture                      Communication & Network Security
  Compensating controls, patch constraints    1.0; 4.0 Operations                            Security Operations
  ICS incidents & lessons                     2.0 Threats                                    Security Operations; Risk Management

Project additions this chapter

  • Meridian program: OT/facilities segmentation plan — passive inventory + Purdue zone map + IDMZ brokered access (kill the direct vendor path) + compensating controls + passive boundary monitoring, with a documented risk-acceptance note for legacy components.
  • bluekit toolkit: otsec.py, purdue_zone(asset) returns {level, domain, is_boundary}, flagging the IDMZ brokers that are the only legitimate IT/OT bridges.
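As an added example (not the chapter's own bluekit code, and not any real site's data), the following Python sketches a purdue_zone(asset) with the return shape described above and uses it to apply two earlier takeaways: the Purdue rule that IT (4–5) and OT (0–3) never communicate directly except through an IDMZ broker, and the passive-monitoring rule that a boundary crossing is the highest-fidelity alert while any first-occurrence flow in a quiet OT network is actionable. The asset-type names, the level map, the constructed asset inventory, the flow records and the protocol labels are all assumptions made for the example; a real deployment would feed flows from a tap/SPAN collector and never transmit into the OT network.

```python
"""Added example, not the chapter's bluekit code: a purdue_zone() with the
return shape the chapter describes, plus a passive flow review that applies
the IDMZ rule and first-occurrence detection to constructed tap/SPAN records."""

# Hypothetical asset-type -> Purdue level map, following the chapter's stack table.
# 3.5 is the IDMZ broker tier; 4-5 are IT; 0-3 are OT.
PURDUE_LEVEL = {
    "sensor": 0, "actuator": 0,
    "plc": 1, "rtu": 1,
    "hmi": 2,
    "scada_server": 3, "historian": 3, "eng_workstation": 3,
    "jump_host": 3.5, "historian_replica": 3.5, "patch_relay": 3.5,
    "erp": 4,
    "mail_server": 5, "corp_workstation": 5,
}


def purdue_zone(asset):
    """Return {level, domain, is_boundary} for an asset dict {'name', 'type'}.

    is_boundary is True only for IDMZ brokers, the sole legitimate IT/OT bridges.
    """
    level = PURDUE_LEVEL.get(asset["type"])
    if level is None:
        raise ValueError(f"unknown asset type {asset['type']!r} for {asset['name']}")
    if level == 3.5:
        domain = "IDMZ"
    elif level >= 4:
        domain = "IT"
    else:
        domain = "OT"
    return {"level": level, "domain": domain, "is_boundary": domain == "IDMZ"}


def classify_flow(src, dst):
    """Classify one observed flow by its endpoints' domains.

    'crossing' : direct IT<->OT exchange, which the Purdue rule forbids
    'brokered' : at least one endpoint is an IDMZ broker (the allowed path)
    'internal' : both endpoints in the same domain
    """
    s, d = purdue_zone(src)["domain"], purdue_zone(dst)["domain"]
    if {s, d} == {"IT", "OT"}:
        return "crossing"
    if "IDMZ" in (s, d):
        return "brokered"
    return "internal"


def passive_review(assets, baseline_flows, observed_flows):
    """Review flows seen on a tap/SPAN copy against a learned baseline.

    assets: {name: {'name', 'type'}}; flows: (src_name, dst_name, protocol).
    Nothing here transmits. Returns alerts ordered by fidelity: boundary
    crossings first (direction alone is the signal), then any never-before-seen
    flow that touches the OT domain (first occurrence is actionable in OT).
    """
    known = set(baseline_flows)
    crossings, first_seen = [], []
    for flow in observed_flows:
        src, dst, proto = flow
        kind = classify_flow(assets[src], assets[dst])
        touches_ot = "OT" in (purdue_zone(assets[src])["domain"],
                              purdue_zone(assets[dst])["domain"])
        if kind == "crossing":
            crossings.append(("BOUNDARY_CROSSING", src, dst, proto))
        elif flow not in known and touches_ot:
            first_seen.append(("FIRST_OCCURRENCE", src, dst, proto))
    return crossings + first_seen


# Constructed inventory and flow records for the example (not from any real site).
ASSETS = {n: {"name": n, "type": t} for n, t in [
    ("plc-01", "plc"), ("hmi-01", "hmi"), ("hist-01", "historian"),
    ("eng-ws-01", "eng_workstation"), ("jump-01", "jump_host"),
    ("hist-dmz", "historian_replica"), ("erp-01", "erp"),
    ("ws-corp-07", "corp_workstation"),
]}
BASELINE = [
    ("hmi-01", "plc-01", "modbus"),
    ("hist-01", "plc-01", "modbus"),
    ("hist-dmz", "hist-01", "sql"),
    ("erp-01", "hist-dmz", "sql"),
]
OBSERVED = BASELINE + [
    ("ws-corp-07", "plc-01", "modbus"),   # corporate workstation straight to a PLC
    ("jump-01", "hmi-01", "rdp"),         # brokered path, but never seen before
    ("eng-ws-01", "plc-01", "s7"),        # new OT-internal flow
]

if __name__ == "__main__":
    for alert in passive_review(ASSETS, BASELINE, OBSERVED):
        print(*alert)
```

Run as a script, the review reports the corporate-workstation-to-PLC flow as a BOUNDARY_CROSSING ahead of the two FIRST_OCCURRENCE alerts, and it does so without any knowledge of the Modbus payload: in the OT domain the direction and the novelty of the flow are the detection, which is why the chapter says not to tune these alerts away the way an IT IDS would.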

Common pitfalls

  • Importing IT reflexes unexamined (patch/reboot/scan a controller) → can cause the incident.
  • Treating "we're air-gapped" as the end of the security conversation (Stuxnet).
  • Rating facilities/BMS OT "low risk" via confidentiality bias — re-score on availability/safety.
  • Leaving a vendor's direct internet→OT remote-access path because "it's worked fine" (Colonial).
  • Tuning OT anomalies away like a noisy IT IDS — in a quiet OT network, the anomaly is the signal.
  • Forgetting the SIS is a security target, or relaxing its isolation.