Much of cybersecurity is focused on protecting information technology (IT). You’re familiar with the staples of IT: servers, desktops, network-attached storage, etc. The at-risk infrastructure that gets less press is operational technology (OT). NIST defines OT as “Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment).”
While IT operates in the world of data, OT operates in the physical world. It includes infrastructure like industrial control systems (ICS), building management systems, fire control systems, and physical access control mechanisms. Most people rarely think about these systems until they stop working. The Colonial Pipeline ransomware attack is an excellent example.
While most cybersecurity programs focus on IT security, there is a real need for cybersecurity professionals in OT security. It can be an advantageous specialty for career changers who have prior experience with OT systems, or for people who just appreciate the tangibility of OT. If you can develop the skills, you’ll undoubtedly find ready demand for them.
What Makes OT Different?
The casual observer may assume there’s not much difference between IT and OT. We’ve heard of medical MRI machines and British nuclear submarines operating on Windows XP. One could extrapolate that the OT world runs on Microsoft just like the IT world does. (Note: No one should be running Windows XP anymore.) That assumption, while understandable, is wrong.
Instead, OT deals with software that most people would be unfamiliar with, like Siemens’ WinCC RT Professional, Schneider Electric’s Wonderware, or Inductive Automation’s Ignition. OT systems are traditionally isolated and self-contained, designed to run autonomously. However, OT devices are being put on the internet at a rapid pace.
While this allows a limited technical staff to maintain a lot of infrastructure, it also opens up organizations to a world of bad actors. Russian state actors have attacked the US power grid and other critical infrastructure for years.
Operational technology represents a suite of tools that most people have no experience with. This provides an opportunity for anyone with prior OT experience or simply the motivation. But how do you get OT security experience? Fortunately, some notable cybersecurity organizations offer both training and certification.
(ISC)2 offers the course Exploring Cybersecurity in Industrial Control Systems. This course explores the fundamental concepts around security concerns within industrial control systems (ICS), helping you understand how ICS supports critical infrastructure and the global need for ICS security as it proliferates in various industries. It is an affordable introduction for anyone exploring OT security.
EC-Council offers an ICS/SCADA Cybersecurity program. This is a relatively affordable training and certification option. However, you must have at least one year of information security experience to be eligible for the program.
SANS Institute’s ICS410: ICS/SCADA Security Essentials course provides a foundational set of standardized skills and knowledge for industrial cybersecurity professionals. Certifications from SANS Institute’s sister organization GIAC continually represent the gold standard for technical cybersecurity certification. ICS410’s accompanying certification, Global Industrial Cyber Security Professional (GICSP), will certainly help an aspiring OT security professional to stand out.
OT security isn’t for everybody, but it represents a vitally important niche of cybersecurity. Much of a nation’s critical infrastructure would be considered operational technology. If you’re curious whether OT security is right for you, check out a few introductory videos on YouTube. If you’re still interested after that, explore your training options. There will undoubtedly be no shortage of demand for this cybersecurity niche.