Operational Technology
Five measures for OT security
For a long time, proprietary systems were considered safe from cyberattacks. With increasing networking, OT and IT environments are growing closer together and production is becoming the focus of hackers. Time to act.
For a long time, operational technology (OT) was separate from the IT network and comparatively safe from cyber attacks due to proprietary protocols, among other things. With increasing networking in the wake of Industry 4.0 and the Internet of Things, the two worlds are growing ever closer together and OT systems are also being targeted by hackers.
The increasing communication and integration of software in machines and systems is opening up new attack scenarios familiar from IT. For example, if cyber criminals manage to penetrate the company network using infected emails, they can take over individual machines or production lines, bring them to a standstill or even manipulate processes.
Differences in IT and OT security
Companies should therefore start thinking about security when developing new machines or systems. In the OT sector, however, security differs significantly from a traditional IT environment: with average lifetimes of 20 years, updating firmware, operating systems and APIs and using antivirus software is much more difficult. If an individual solution that is specially adapted to the customer's needs is implemented, it is often not compatible with standardized IT security systems.
NTT's Security Division advises companies to take the following measures to secure their OT systems:
- Carry out a risk analysis: What should be protected and what should it be protected against? The aim is to identify and evaluate the most important threats. The risk analysis should be carried out specifically for a company, a production environment, a system, a plant or a machine. This also includes gaining an understanding of potential attack vectors such as uncontrolled remote access. The higher the risk rating for a facility, the more scrutiny is placed on any access to or through that facility.
- Segmentation: A key aspect of ensuring security in the OT environment is the segmentation of the operator network into individual, separate segments. Complementary measures such as separating the OT network from the corporate and external network are particularly important for legacy systems, where security can only be upgraded to a limited extent.
- Authentication and authorization: Setting up user accounts and credentials as well as authentication and authorization ensures that only authorized employees have access to machines and systems.
- Security check: To prevent cyber criminals from exploiting the "one" vulnerability despite the highest protection measures, every single ICS (Industrial Control System) component should be checked for security and the network should be designed accordingly. In this way, known vulnerabilities cannot be exploited, or infections can be contained to small areas.
- Define processes and guidelines: In addition to these technical measures, companies should develop and implement security guidelines and processes. Roles, responsibilities and accountabilities must be defined within this framework. Companies should also conduct regular incident response exercises to test organizational effectiveness.
"In the future, the IT department and OT colleagues will have to work more closely together to ensure the greatest possible security for your company. However, implementing cyber security for the OT environment is not an easy or quick process," explains Christian Koch, Director GRC & IoT/OT at NTT's Security Division. "However, more and more companies have recognized the need, which is partly due to the liability risks. The other driver is the automotive industry, which is pushing for end-to-end security by design in product development and along the entire life cycle in view of the upcoming UNECE certification and ISO/SAE 21434 as a technical standard. Car manufacturers are passing this requirement on to their suppliers and having it written into their contracts as a binding requirement."













