OT Cybersecurity (Operational Technology)
Securing industrial control systems — PLCs, DCS, SCADA, RTUs, IIoT. IEC 62443, NIS2, Cyber Resilience Act. Purdue model, segmentation, ICS intrusion detection, OT incident response — fundamentals to protect a plant against Stuxnet, Triton and Industroyer.
IT vs OT: 2 worlds, 2 logics
You don't secure a plant like a data centre. OT cybersecurity has its own rules, inherited from industrial constraints: continuity, physical safety, unpatchable legacy equipment.
| Dimension | IT | OT |
|---|---|---|
| Priority | Confidentiality > Integrity > Availability | Availability > Integrity > Confidentiality |
| Lifetime | 3–5 years | 15–30 years |
| Patching | Monthly, automated | Annual, planned shutdown windows |
| Required availability | 99 % | 99.9–99.999 % |
| Incident consequence | Data loss, theft | Production halt, physical accident, injury |
| Protocols | HTTPS, SMTP, SSH | Modbus, PROFIBUS, EtherNet/IP, OPC UA |
| Authentication | Strong (MFA, SSO, IAM) | Often absent on legacy protocols |
Purdue model — the reference map
6-level hierarchy structuring every industrial network. Foundation of cybersecurity architecture: each level has its own requirements, and inter-level flows pass through mandatory control points (industrial DMZ, firewall, diode).
- Level 5 (Enterprise network): ERP, mail, internet
- Level 4 (Site business network): MES, historian, asset management
- Level 3.5 (Industrial DMZ): jump server, patch server, proxy
- Level 3 (Site operations): supervision, historian, engineering
- Level 2 (Area / cell control): SCADA, HMI
- Level 1 (Basic control): PLC, DCS, RTU
- Level 0 (Physical process): sensors, actuators, motors
Major incidents — history that teaches
These 5 attacks each redefined the perception of OT risk. Each carries a technical lesson still relevant today.
- Stuxnet (Natanz centrifuges, Iran): First malware targeting Siemens S7 PLCs. Destroyed ~1,000 uranium enrichment centrifuges by altering rotation speeds.
- BlackEnergy / Industroyer (Ukraine power grid): 230,000 people without electricity for 6 h. Nation-state attack targeting substations via SCADA.
- Triton / Trisis (Saudi petrochemical): First attack on an SIS (safety instrumented system), Schneider Triconex. Attempt to disable the shutdown which could have caused an explosion.
- Colonial Pipeline (US oil pipeline): DarkSide ransomware. 5-day shutdown of an 8,800-km pipeline. East Coast shortages. CEO resigned. $4.4M ransom.
- Industroyer2 (Ukraine substations): Successor of 2015 Industroyer. Detected and neutralized before impact by Ukrainian defenders. Targets IEC 60870-5-104 directly.
Defense layers — defense in depth
No single measure is enough. OT cyber stacks barriers — bypassing one does not give an attacker process access.
Asset inventory and visibility
First layer: you cannot protect what you do not know. Passive tools (Dragos, Nozomi, Claroty, OTORIO) sniff industrial protocols and build the asset inventory, firmware, CVE vulnerabilities.
Segmentation and DMZ
The Purdue model mandates an industrial DMZ (level 3.5) between IT and OT. No direct flow from level 4 to level 3 anymore. Optical diodes for unidirectional flows (historian → IT). Industrial firewalls (Stormshield, Belden Tofino, Fortinet OT).
Intrusion Detection (IDS) for ICS
Passive probes analyzing OT traffic and alerting on anomalies: unusual Modbus command, unexpected setpoint range, scan, malformed packet. Essential because you cannot deploy an EDR agent on a PLC.
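The detection logic described above, as an added example that is not code from the page or from any of the products it names: a passive probe parses captured Modbus/TCP frames and alerts on the three conditions listed (unexpected command for the source, setpoint outside the engineering range, malformed packet). The site policy, register addresses, IP addresses and sample frames are all constructed for the example.

```python
"""Passive Modbus/TCP inspection in the spirit of an ICS IDS probe.
Added example (not from the page): parses the MBAP header and PDU of
captured frames, applies a (source, function code) allowlist and a
per-register setpoint range, and emits alerts for anything else."""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification).
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


@dataclass
class Alert:
    severity: str
    reason: str
    frame_hex: str


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then function code + data."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (0)")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} != {len(frame) - 6} bytes present")
    return ModbusRequest(tid, unit_id, frame[7], frame[8:])


# Constructed site policy (hypothetical addresses): who may issue which function,
# and the engineering range of each writable holding register.
ALLOWED = {
    ("10.20.1.10", READ_HOLDING_REGISTERS),  # SCADA poller
    ("10.20.1.10", WRITE_SINGLE_REGISTER),   # operator setpoint writes
}
SETPOINT_RANGE = {
    0: (0, 1200),  # register 0: furnace temperature setpoint, degrees C
    1: (0, 3000),  # register 1: pump speed setpoint, rpm
}


def inspect(src_ip: str, frame: bytes) -> list[Alert]:
    """Return the alerts a probe would raise for one captured request."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return [Alert("high", f"malformed packet: {err}", frame.hex())]
    alerts: list[Alert] = []
    if (src_ip, req.function) not in ALLOWED:
        alerts.append(Alert("high", f"unexpected function 0x{req.function:02x} from {src_ip}", frame.hex()))
    if req.function == WRITE_SINGLE_REGISTER and len(req.data) == 4:
        address, value = struct.unpack(">HH", req.data)
        bounds = SETPOINT_RANGE.get(address)
        if bounds is None:
            alerts.append(Alert("medium", f"write to unmonitored register {address}", frame.hex()))
        elif not bounds[0] <= value <= bounds[1]:
            alerts.append(Alert("critical", f"setpoint {value} for register {address} outside {bounds}", frame.hex()))
    return alerts


# Constructed sample traffic: (label, source IP, raw Modbus/TCP frame).
SAMPLES = [
    ("scada-read", "10.20.1.10", bytes.fromhex("000100000006010300000002")),             # read 2 regs from 0
    ("setpoint-ok", "10.20.1.10", bytes.fromhex("000200000006010600000352")),            # reg 0 := 850
    ("setpoint-out-of-range", "10.20.1.10", bytes.fromhex("000300000006010600001388")),  # reg 0 := 5000
    ("rogue-write", "10.20.9.99", bytes.fromhex("000400000009011000000001020000")),      # FC16 from unknown host
    ("truncated", "10.20.1.10", bytes.fromhex("000500000006010300")),                    # length field lies
]


def summarize(samples=SAMPLES) -> dict[str, list[str]]:
    """Map each sample label to the severities raised (empty list = clean)."""
    return {label: [a.severity for a in inspect(src, frame)] for label, src, frame in samples}


if __name__ == "__main__":
    for label, src, frame in SAMPLES:
        for alert in inspect(src, frame):
            print(f"{label:24s} {alert.severity:8s} {alert.reason}")
```

The allowlist is keyed on (source, function code) rather than on function code alone, because in most plants a write from the SCADA server is normal while the same write from an unknown host is the signal; the range check catches the Stuxnet-style case where the source is legitimate but the value is not.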
Access management
Mandatory jump servers from IT, MFA, timestamped badges, recorded sessions (Wallix, CyberArk, Thycotic). Disabling default accounts (admin/admin on HMIs…). No password sharing between operators and maintainers.
OT incident response
OT-specific response plan — different from IT. You don't simply "reboot" a PLC controlling a blast furnace. Degraded mode failover procedures, SOC ↔ process team communication. Annual tabletop exercises mandatory under NIS2.
Backup and recovery
Offline (air-gapped) backups of PLC configurations, batch recipes, SCADA images. Tested quarterly. Ransomware must NEVER reach the backups. Immutable WORM storage, ZFS snapshots, LTO tapes.
Multi-site interconnection — Plant A ↔ Plant B ↔ HQ ↔ cloud
PLCs across sites often need to talk — MES aggregation, group-level supervision, vendor remote maintenance, cloud digital twin. This inter-site connectivity is the trickiest cyber risk zone in modern industry. A naive VPN between two plants turns a local breach into a group-level incident (NotPetya → Maersk, June 2017: ~€10 B damage in 10 days via AD and VPN propagation).
1. The 5 typical scenarios
| Scenario | Flow | Common method | Main risk |
|---|---|---|---|
| Plant A ↔ Plant B | Process sync, batch recipe transfer, product traceability | Site-to-site IPsec VPN, MPLS, SD-WAN | Cross-site ransomware propagation — one shared AD is enough |
| Site ↔ HQ | MES reporting, KPI, quality data, ERP, planning | MPLS via industrial DMZ; data diode for one-way flows | HQ (IT) compromise → all OT sites |
| Site ↔ vendor | Remote support, firmware updates, vendor-side predictive maintenance | Dedicated VPN + vendor jump server + session recording | Compromised vendor account = permanent backdoor (Triton/Trisis 2017; SolarWinds 2020) |
| Site ↔ IIoT cloud | Sensor telemetry, ML models, group-level dashboard | Edge gateway → MQTT broker (Sparkplug B) → Azure/AWS IoT Hub. Outbound only. | Misconfigured cloud (public S3, exposed secrets) |
| Site ↔ partner / customer | Custody transfer (gas, oil, chemicals), invoicing, JIT delivery | Secure OPC UA (Sign + Encrypt) with mutual X.509 certificates via DMZ | Trust granted too broadly — access beyond business scope |
2. Reference architecture — multi-site defense in depth
Whatever the scenario, the target architecture follows the same principle: each site is an isolated fortress, and bridges between fortresses pass through control points where flows are inspected.
```text
┌─────────────────────────────────────────────────────────────────────────┐
│                     Internet (public, hostile)                          │
│               ▲                               ▲                         │
│               │ TLS 1.3 + mutual certs        │ TLS 1.3 + mutual certs  │
│   ┌───────────┴────────────┐      ┌───────────┴────────────┐            │
│   │        PLANT A         │      │        PLANT B         │            │
│   │  ┌──────────────────┐  │      │  ┌──────────────────┐  │            │
│   │  │ Level 5  ERP     │  │      │  │ Level 5  ERP     │  │            │
│   │  ├──────────────────┤  │      │  ├──────────────────┤  │            │
│   │  │ Level 4  MES     │  │      │  │ Level 4  MES     │  │            │
│   │  ├══════════════════┤  │      │  ├══════════════════┤  │            │
│   │  │ L 3.5  Ind. DMZ  │  │      │  │ L 3.5  Ind. DMZ  │  │            │
│   │  │ jump server, NDR │  │      │  │ jump server, NDR │  │            │
│   │  ├══════════════════┤  │      │  ├══════════════════┤  │            │
│   │  │ Level 3  SCADA   │  │      │  │ Level 3  SCADA   │  │            │
│   │  │ Level 2  HMI     │  │      │  │ Level 2  HMI     │  │            │
│   │  │ Level 1  PLC     │  │      │  │ Level 1  PLC     │  │            │
│   │  │ Level 0  Process │  │      │  │ Level 0  Process │  │            │
│   │  └──────────────────┘  │      │  └──────────────────┘  │            │
│   └────────────────────────┘      └────────────────────────┘            │
│                                                                         │
│ ❶ No direct OT bridge between plants. All synchronisation goes through  │
│   level 4 (MES), encrypted + authenticated, NEVER from level 1 or 2.    │
│                                                                         │
│ ❷ The industrial DMZ (L 3.5) is MANDATORY. No flow crosses L4 → L3      │
│   without transiting the DMZ (jump server, proxy, or diode).            │
│                                                                         │
│ ❸ Separate Active Directory per site. No shared group domain across     │
│   OT zones. A compromised AD does not contaminate the other sites.      │
└─────────────────────────────────────────────────────────────────────────┘
```
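The three notes in the diagram can be turned into a check that runs over a site's flow inventory. The following is an added example (not code from the page or any product it names); the plant names, host names, directory domains and flows are constructed. Note 1 is read strictly here: a cross-site flow must originate and terminate at level 4 and be encrypted and mutually authenticated, so any endpoint below level 4 is refused.

```python
"""Audit inter-site flows against the three Purdue rules from the architecture
diagram.  Added example; inventory and flows are constructed, not a real site."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

IT_FLOOR = 4      # levels 4 and 5 form the IT side of a site
OT_CEILING = 3    # levels 0 to 3 form the OT side; 3.5 is the DMZ between them
DMZ_LEVEL = 3.5


@dataclass(frozen=True)
class Endpoint:
    site: str
    level: float      # Purdue level: 0, 1, 2, 3, 3.5, 4 or 5
    host: str
    ad_domain: str    # directory domain the host is joined to


@dataclass(frozen=True)
class Flow:
    label: str
    src: Endpoint
    dst: Endpoint
    proto: str
    via_dmz: bool = False         # transits the site's L3.5 control point (jump server, proxy, diode)
    encrypted_auth: bool = False  # encrypted and mutually authenticated (e.g. OPC UA Sign + Encrypt)


def flow_violations(flow: Flow) -> list[str]:
    """Return identifiers of the diagram notes the flow breaks (empty = compliant)."""
    found: list[str] = []
    s, d = flow.src, flow.dst
    if s.site != d.site:
        # Note 1: cross-site sync only between level-4 (MES) endpoints, encrypted + authenticated.
        if s.level < IT_FLOOR or d.level < IT_FLOOR:
            found.append("note1-direct-ot-bridge")
        if not flow.encrypted_auth:
            found.append("note1-unauthenticated-sync")
    else:
        # Note 2: any crossing between the IT side and the OT side transits the DMZ.
        it_to_ot = s.level >= IT_FLOOR and d.level <= OT_CEILING
        ot_to_it = s.level <= OT_CEILING and d.level >= IT_FLOOR
        if (it_to_ot or ot_to_it) and not flow.via_dmz:
            found.append("note2-dmz-bypass")
    return found


def shared_ot_domains(endpoints: list[Endpoint]) -> dict[str, set[str]]:
    """Note 3: directory domains joined by OT-side hosts (level <= 3.5) at more than one site."""
    sites_by_domain: dict[str, set[str]] = defaultdict(set)
    for e in endpoints:
        if e.level <= DMZ_LEVEL:
            sites_by_domain[e.ad_domain].add(e.site)
    return {dom: sites for dom, sites in sites_by_domain.items() if len(sites) > 1}


# Constructed inventory for two plants (hypothetical hosts and domain names).
MES_A = Endpoint("plant-a", 4, "mes-a", "corp.example")
MES_B = Endpoint("plant-b", 4, "mes-b", "corp.example")
ERP_A = Endpoint("plant-a", 5, "erp-a", "corp.example")
HIST_A = Endpoint("plant-a", 3, "historian-a", "ot-a.example")
SCADA_A = Endpoint("plant-a", 3, "scada-a", "ot-a.example")
PLC_A = Endpoint("plant-a", 1, "plc-a-01", "corp.example")   # wrongly joined to the group domain
PLC_B = Endpoint("plant-b", 1, "plc-b-01", "corp.example")   # same mistake at the other site
HMI_B = Endpoint("plant-b", 2, "hmi-b-01", "ot-b.example")
INVENTORY = [MES_A, MES_B, ERP_A, HIST_A, SCADA_A, PLC_A, PLC_B, HMI_B]

FLOWS = [
    Flow("mes-sync", MES_A, MES_B, "OPC UA", encrypted_auth=True),         # compliant
    Flow("mes-sync-plain", MES_A, MES_B, "OPC UA", encrypted_auth=False),  # breaks note 1
    Flow("plc-bridge", PLC_A, PLC_B, "Modbus/TCP"),                        # breaks note 1 twice
    Flow("erp-to-scada", ERP_A, SCADA_A, "SQL"),                           # breaks note 2
    Flow("historian-to-mes", HIST_A, MES_A, "diode", via_dmz=True),        # compliant
]


def audit(flows: list[Flow] = FLOWS) -> dict[str, list[str]]:
    """Map each flow label to the notes it violates."""
    return {f.label: flow_violations(f) for f in flows}


if __name__ == "__main__":
    for label, broken in audit().items():
        print(f"{label:18s} {'OK' if not broken else ', '.join(broken)}")
    for dom, sites in shared_ot_domains(INVENTORY).items():
        print(f"shared OT domain {dom} across {sorted(sites)}")
```

Feeding the real flow matrix (from the firewall rule base or a passive asset inventory) into `audit()` gives a list of exceptions to justify or remove; the domain check is the one most often missed, because a PLC or HMI joined to the group domain does not show up in any firewall rule.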
3. Connection methods — comparison
| Method | Bandwidth / latency | Native security | Cost | Use case |
|---|---|---|---|---|
| Site-to-site IPsec VPN | Internet-limited (10–100 Mbps), variable latency | IKEv2 + AES-256 encryption. PSK or certificate auth. | € | Small sites, non-critical telemetry |
| MPLS | SLA-guaranteed, stable latency (5–30 ms) | Not natively encrypted — trust in operator required. Add IPsec on top. | €€€ | Large multi-plant groups with carrier contracts |
| SD-WAN | MPLS + Internet + 4G/5G aggregation, automatic failover | Native E2E encryption (Cisco Viptela, Fortinet, Versa). Centrally enforced policy. | €€ | Modern MPLS successor — 2024+ deployments |
| Cellular 4G / 5G (private APN) | 5G URLLC: <10 ms; 4G: 30–80 ms | Private APN + IPsec. No internet routing — direct VPN egress. | €€ | Isolated sites, mobile, or SD-WAN complement |
| Dark fibre (direct) | 1–100 Gbps, physical-only latency | None — L1/L2 encryption (MACsec, OTN) required. | €€€€ | Adjacent campus sites, very demanding apps (motion control, HD video) |
| Data diode (one-way) | Hardware-limited (Mbps to Gbps), µs latency | Physically impossible to send back — security by construction. | €€€ | Historian → IT, OT → SOC, nuclear, defence |
4. The 8 classic pitfalls to avoid
- Flat site-to-site VPN — Once connected, the attacker sees every PLC. Always micro-segment at the VPN egress.
- AD domain shared across OT sites — A single AD compromise at HQ gives access to every plant. Keep separate AD forests per OT site.
- Permanent vendor accounts — Vendor has 24/7 access? No. Just-In-Time access validated by a human, time-bound, session-recorded.
- VLAN ≠ real segmentation — A VLAN is logical isolation on a switch — not a firewall. Real isolation requires L3/L4 rules on an industrial firewall (Stormshield, Belden Tofino, Fortinet OT).
- Backups reachable from production network — OT ransomware reaching backups defeats DR. Always air-gapped and partly offline (3-2-1 rule).
- No cross-site log centralization — A coordinated multi-site attack goes unnoticed if SIEMs are siloed. Group-level SIEM reading OT logs from every plant.
- Asymmetric routes with MPLS + Internet — Outbound MPLS, return Internet: firewall sees only half the conversation. Force symmetric BGP routing.
- No multi-site incident response plan — If Plant A is hit, when do we isolate Plant B? Who decides? Written procedure, annual tabletop exercises mandatory under NIS2.
5. Recommended exchange protocols
| Need | Recommended protocol | Security |
|---|---|---|
| Cross-plant process data exchange | OPC UA (IEC 62541) | Mandatory Sign + Encrypt. Mutual X.509 certificates. |
| IIoT cloud telemetry | MQTT Sparkplug B | TLS 1.3 + certificates. Outbound only. |
| Cross-site substations | IEC 61850 MMS (cross-site) / GOOSE (intra-site only) | IEC 62351 (cyber counterpart of IEC 61850). |
| Oil-gas custody transfer | OPC UA + dedicated signatures | OPC UA Sign + Encrypt. Separate backup historian for fiscal audit. |
| Vendor maintenance | Vendor bastion + RDP/SSH | PAM (CyberArk, Wallix, BeyondTrust). Mandatory MFA. Video-recorded sessions. |
Regulatory framework
- NIS2 (EU Directive 2022/2555): National transposition 17 Oct 2024. Expands NIS1 scope, now covering energy, water, food, critical manufacturing, waste. Obligations: risk analysis, technical measures, incident notification within 24 h, fines up to €10 M or 2% of global turnover.
- CRA (Cyber Resilience Act): EU regulation applicable end 2027. Targets products with digital elements placed on the EU market. Manufacturer obligations: security-by-design, vulnerability management, 5-year security updates. Includes PLCs, IIoT sensors, connected industrial equipment.
- ANSSI (FR), OIV / OSE: Critical Operators (12 sectors) and Essential Service Operators (NIS2). ANSSI framework: EBIOS Risk Manager risk analysis, sensitive systems homologation, PASSI/PDIS qualifications. France imposes stricter rules than the directive's minimum.
IEC 62443 standards — the reference series
- IEC 62443-2-1 — Cybersecurity management program — asset owner
- IEC 62443-2-4 — Cybersecurity requirements for service providers
- IEC 62443-3-2 — Risk assessment and system design
- IEC 62443-3-3 — System security requirements and security levels
- IEC 62443-4-1 — Secure product development lifecycle for suppliers
- IEC 62443-4-2 — Technical security requirements for IACS components
The IEC 62443 series contains 14 documents in total — split into 4 categories: general (-1-x), operator (-2-x), system (-3-x), component (-4-x).
Tools
IEC 62443 Security Level (SL-T) calculator, Purdue segmentation matrix, NIS2 checklist — under development.