IT and OT used to be segregated: IT handled data-centric applications such as email, while OT handled the physical control of industrial processes. Digital transformation initiatives are now converging the two, and that convergence raises new cybersecurity issues. To secure their organizations properly, leaders must understand the key differences between IT and OT security.
In this article, we dive deep into the major differences between IT and OT security in terms of eight key components: systems and data, threats, vulnerabilities, risk management, security solutions, governance, staff skills and culture.
Governance
The governance of IT and OT security differs notably:
- IT relies on centralized security teams and standard processes such as change-management workflows. Security decisions involve representatives from cybersecurity, IT operations, compliance, legal, and other business units.
- OT governance is generally decentralized across production, site, and process control groups. Operators and engineers make security decisions locally to preserve availability and safety. Global security standards are difficult to enforce across disparate regional and departmental OT teams.
The 2024 State of Operational Technology and Cybersecurity Report by Fortinet reveals that only 5% of organizations have full visibility into OT activities within their central cybersecurity operations, down from 13% in 2022. Enforcing centralized governance and standards across IT and OT remains an obstacle, because operational groups resist what they perceive as threats to production priorities and their historic autonomy.
Systems and Data
At the most basic level, IT and OT utilize different types of systems and data:
- IT systems support enterprise operations and emphasize information flow and data processing: computers, servers, networking equipment and business applications. The data is mostly digital information such as documents, databases, emails and media files.
- OT systems monitor and control physical industrial processes such as manufacturing, production, and distribution. They include industrial control systems (ICS), sensors, actuators, human-machine interfaces (HMIs), and SCADA software. The data is mainly real-time telemetry from industrial systems and equipment.
A 2022 study by Forrester Consulting found that large enterprises use an average of 367 software applications and systems. By comparison, large manufacturers and utilities can have thousands of OT assets spread across multiple locations. Integrating these complex IT and OT environments under a unified security strategy is an escalating challenge.
Threats
The prevalence and types of cyber threats also differ between IT and OT:
- IT systems face a wide range of attacks: phishing, ransomware, data theft, DDoS and more. Attackers include cybercriminals, hacktivists and rogue insiders, usually motivated by financial gain or by damaging the target's reputation.
- OT systems were historically isolated from external networks and therefore faced few cyber threats. With increased connectivity to corporate networks and the internet, they now face substantial cyber risk. Stuxnet and TRITON showed that cyberattacks can damage physical equipment or tamper with safety systems, and the 2021 Colonial Pipeline ransomware attack showed that an attack on the IT side can halt physical operations. Nation-state actors carry out such attacks to cause economic and social disruption, and criminal ransomware groups increasingly hit operational environments as well.
According to Statista, manufacturing is the second most cyberattacked industry after finance and insurance. The global average cost of a data breach across all sectors reached $4.88 million as of February 2024. As IT and OT integration accelerates, organizations must prepare for threats capable of crossing between both environments.
Vulnerabilities
IT and OT systems also differ significantly regarding vulnerabilities:
- IT systems rely on off-the-shelf hardware and standard operating systems whose vulnerabilities are well known and broadly understood, and for which vendors publish patches regularly. The growing use of cloud services and third-party connections, however, introduces new IT attack surfaces.
- OT systems use a wide range of legacy, proprietary, and specialized hardware and software that lack common security capabilities. Identifying and assessing vulnerabilities across such varied OT environments is very difficult, and it starts with knowing what is there: the SANS 2021 OT/ICS Cybersecurity Survey found that only 58.2% of organizations have a formal asset inventory process in place. OT systems also have long technology lifecycles, which leave antiquated platforms, insecure-by-design protocols and easy-to-exploit unpatched weaknesses in production.
This makes joint vulnerability and asset management harder. IT teams manage well-known risks in rapidly evolving hardware and software, while OT security teams must secure inherent weaknesses in complex, dated operational environments.
Risk Management
Managing risks also differs considerably between IT and OT:
- IT security teams conduct cyber risk assessments using established frameworks such as NIST, ISO 27001, and the CIS Controls. They use data-driven metrics and key risk indicators (KRIs) to measure areas such as patch latency, access violations, and phishing click rates.
- OT teams generally employ safety-focused risk analysis techniques such as HAZOP, FMEA, and what-if analysis. These methodologies do not adequately measure cyber risk. Quantifying cyber risk across diverse OT environments is extremely difficult: the data available is process telemetry, not cybersecurity KRIs. OT teams must therefore make risk decisions based on process understanding and expert judgment.
Consequently, communication and coordination between IT and OT teams is weak, impeding enterprise-wide risk management. One study found that only 24% of respondents have converged their physical and cybersecurity functions. Unifying cyber risk management across both environments remains an obstacle.
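To make the IT side of this contrast concrete, here is an added example (not code from the original article) of how a patch-latency KRI is computed per environment, and what happens when the same metric is pointed at OT assets. The asset records, SLA thresholds, dates and the `next_window` field are all constructed for illustration.

```python
"""Patch-latency KRI computed per environment from constructed asset records."""
from datetime import date
from statistics import median

# Assumed SLA: days allowed between vendor patch release and deployment, by severity.
PATCH_SLA_DAYS = {"critical": 14, "high": 30}

AS_OF = date(2024, 4, 1)   # reporting date for items still open

# Constructed records; hostnames, dates and environments are illustrative only.
ASSETS = [
    {"name": "mail-gw-01",  "env": "IT", "severity": "critical",
     "patch_released": date(2024, 3, 1),   "patch_applied": date(2024, 3, 8)},
    {"name": "web-app-02",  "env": "IT", "severity": "high",
     "patch_released": date(2024, 2, 1),   "patch_applied": date(2024, 3, 20)},
    {"name": "file-srv-03", "env": "IT", "severity": "critical",
     "patch_released": date(2024, 3, 10),  "patch_applied": None},
    {"name": "plc-line3",   "env": "OT", "severity": "critical",
     "patch_released": date(2023, 11, 15), "patch_applied": None,
     "next_window": date(2024, 6, 30)},    # can only be patched in a plant outage
    {"name": "hmi-line3",   "env": "OT", "severity": "high",
     "patch_released": None, "patch_applied": None},   # vendor has issued no fix at all
    {"name": "scada-srv-1", "env": "OT", "severity": "high",
     "patch_released": date(2024, 1, 10),  "patch_applied": date(2024, 3, 25)},
]


def patch_latency_days(asset, as_of=AS_OF):
    """Days from vendor release to deployment; open items are measured up to as_of.

    Returns None when no vendor patch exists, because latency is then undefined:
    the exposure is real but this KRI cannot express it.
    """
    if asset["patch_released"] is None:
        return None
    end = asset["patch_applied"] or as_of
    return (end - asset["patch_released"]).days


def patch_latency_kri(assets, as_of=AS_OF):
    """Per-environment KRI: median latency, share of measured assets over SLA, open items."""
    by_env = {}
    for a in assets:
        env = by_env.setdefault(a["env"], {"assets": 0, "latencies": [], "over_sla": 0,
                                            "unpatched": 0, "no_vendor_patch": 0})
        env["assets"] += 1
        lat = patch_latency_days(a, as_of)
        if lat is None:
            env["no_vendor_patch"] += 1     # excluded from the averages, reported separately
            continue
        env["latencies"].append(lat)
        if a["patch_applied"] is None:
            env["unpatched"] += 1
        if lat > PATCH_SLA_DAYS[a["severity"]]:
            env["over_sla"] += 1
    report = {}
    for name, e in by_env.items():
        measured = len(e["latencies"])
        report[name] = {
            "assets": e["assets"],
            "median_latency_days": median(e["latencies"]) if measured else None,
            "pct_over_sla": round(100.0 * e["over_sla"] / measured, 1) if measured else None,
            "unpatched": e["unpatched"],
            "no_vendor_patch": e["no_vendor_patch"],
        }
    return report


if __name__ == "__main__":
    for env, row in patch_latency_kri(ASSETS).items():
        print(env, row)
```

On the constructed data the IT figure (median 22 days, two of three assets over SLA) is something a patch team can act on. The OT figure (median 106.5 days, every measured asset over SLA, one asset with no patch to measure) is dominated by the maintenance-window calendar and vendor support status rather than by anything the security team controls, which is why the text says OT risk decisions fall back on process understanding and expert judgment.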
Security Solutions
The security solutions used in IT and OT also significantly differ:
- IT utilizes well-established cybersecurity technologies like firewalls, antivirus, IDS/IPS, SIEM, EDR, and email security gateways. IT teams can readily deploy security patches and updates across standardized systems as needed.
- OT relies on ruggedized hardware, air-gapped networks, and physical access controls. Hardening devices, manual patching, and other hands-on methods are common. However, modern attacks exploit connections to other networks. Consequently, advanced OT security controls like network monitoring, vulnerability scanning, user activity monitoring, and file integrity checking are gaining adoption.
The core challenge is bringing modern security tools into operational environments that are sensitive and easily disrupted. IT security tools can destabilize legacy systems or interrupt critical processes (an active vulnerability scan can crash a fragile PLC or HMI), and they often cannot parse OT protocols or customized applications, so they see the traffic without understanding it. Organizations must carefully evaluate and test any new OT security capability, preferably in a lab or during a maintenance window, before deploying it on a live process.
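As an added example (not code from the original article), the following Python sketch shows what an OT-aware network monitor does that a generic IT tool cannot: it parses Modbus/TCP requests as seen from a passive tap or SPAN port, builds the beginnings of the asset inventory the Vulnerabilities section found most organizations lack, and alerts on write commands from any host not approved to write to that PLC. The MBAP header layout and the function codes are from the Modbus/TCP specification; the host addresses, the allow-list and the sample frames are constructed for the example.

```python
"""Passive Modbus/TCP inspection: a starter asset inventory plus write-command alerts.

Added example; the frames below are constructed and nothing here sends traffic to a device.
"""
import struct
from dataclasses import dataclass, field

MODBUS_PORT = 502
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}


@dataclass
class Frame:               # one TCP segment payload, as a passive tap would deliver it
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)      # "modbus client" / "modbus server"
    unit_ids: set = field(default_factory=set)   # unit (slave) IDs addressed on this host
    functions: set = field(default_factory=set)  # function codes requested of this host
    peers: set = field(default_factory=set)


def parse_mbap(payload):
    """Return (unit_id, function_code, data) or None if not a well-formed Modbus/TCP ADU.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2, number of
    bytes after the length field), unit id (1); then the PDU: function code (1) + data.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def decode_write(fc, data):
    """Extract (start_address, values) from the four write requests, or None if malformed."""
    if fc in (0x05, 0x06) and len(data) == 4:
        addr, value = struct.unpack(">HH", data)
        return addr, [value]
    if fc in (0x0F, 0x10) and len(data) >= 5:
        addr, qty, byte_count = struct.unpack(">HHB", data[:5])
        if len(data) != 5 + byte_count:
            return None
        if fc == 0x10:
            if byte_count != 2 * qty:
                return None
            return addr, list(struct.unpack(">%dH" % qty, data[5:]))
        return addr, list(data[5:])              # coil bitmap, eight coils per byte
    return None


def inspect(frames, allowed_writers):
    """Build an inventory from request traffic and alert on writes from unapproved sources.

    allowed_writers maps a server IP to the set of client IPs permitted to write to it.
    """
    inventory, alerts = {}, []
    for f in frames:
        parsed = parse_mbap(f.payload)
        if parsed is None or f.dport != MODBUS_PORT:
            continue                             # responses and non-Modbus traffic are ignored
        unit, fc, data = parsed
        client = inventory.setdefault(f.src, Asset(f.src))
        server = inventory.setdefault(f.dst, Asset(f.dst))
        client.roles.add("modbus client"); client.peers.add(f.dst)
        server.roles.add("modbus server"); server.peers.add(f.src)
        server.unit_ids.add(unit); server.functions.add(fc)
        if fc in WRITE_FUNCTIONS and f.src not in allowed_writers.get(f.dst, set()):
            decoded = decode_write(fc, data)
            alerts.append({"src": f.src, "dst": f.dst, "unit": unit,
                           "function": WRITE_FUNCTIONS[fc],
                           "address": decoded[0] if decoded else None,
                           "values": decoded[1] if decoded else None})
    return inventory, alerts


# Constructed sample traffic (hosts, addresses and register values are illustrative only).
HMI, PLC, ENG_WS, CORP = "10.0.1.10", "10.0.2.20", "10.0.1.99", "10.0.0.5"
SAMPLE_FRAMES = [
    Frame(HMI, PLC, 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),    # read 10 holding regs
    Frame(HMI, PLC, 502, b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x2a"),    # write reg 16 := 42 (approved)
    Frame(PLC, HMI, 49152, b"\x00\x01\x00\x00\x00\x17\x01\x03\x14" + bytes(20)),  # a response; skipped
    Frame(ENG_WS, PLC, 502, b"\x00\x03\x00\x00\x00\x0b\x01\x10\x00\x00\x00\x02\x04\x00\x01\x00\x02"),  # write regs 0-1
    Frame(CORP, PLC, 502, b"\x00\x04\x00\x00\x00\x06\x01\x05\x00\x13\xff\x00"),   # force coil 19 ON from corporate LAN
    Frame(CORP, PLC, 502, b"GET"),                                                 # not Modbus at all
]
ALLOWED_WRITERS = {PLC: {HMI}}     # only the HMI may write to this PLC

if __name__ == "__main__":
    inv, found = inspect(SAMPLE_FRAMES, ALLOWED_WRITERS)
    for a in inv.values():
        print(a.ip, sorted(a.roles), sorted(a.unit_ids), [hex(c) for c in sorted(a.functions)])
    for alert in found:
        print("ALERT", alert)
```

Two design points matter for OT. The monitor is purely passive: it never probes the PLC, so it cannot trigger the crashes that active scanners can cause on fragile controllers. And the detection is semantic, not signature based: a firewall that permits port 502 between the corporate LAN and the plant sees nothing wrong with the coil write, whereas a monitor that decodes the function code can distinguish a read from a state change and tie it to an allow-list of who is permitted to change state.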
Staff Skills
The skills and experience of IT and OT staff also diverge:
- IT teams have specialized skills in areas like networking, databases, and application development. Cybersecurity skills focus on data protection, malware defense, and threat intelligence.
- OT engineers have specialized skills in operating and maintaining industrial control systems safely and reliably. With environments that blend electronics, physics, and mechanics, skills focus on availability rather than security.
Cross-training staff between the two environments is therefore very limited. New research from TechTarget's Enterprise Strategy Group and the ISSA reveals continuing strain in the cybersecurity workforce:
- 54% of cybersecurity professionals feel the skills shortage has worsened over the past two years.
- The same report notes that 80% of organizations experienced breaches due to a lack of cybersecurity skills or awareness.
- In sectors like construction and manufacturing, between 91% and 94% of organizations report having security skills gaps.
Developing multi-disciplinary teams with both operational and security skills remains a key challenge.
Culture
Finally, one of the most prominent divides lies in the cultural differences between IT and OT teams:
- IT staff operate in a dynamic culture of ongoing upgrades, new technologies, and constant change to drive enhanced data processing. Their cybersecurity culture is similarly focused on agile detection and response to an ever-evolving threat landscape.
- OT culture centers on safety, reliability, and availability, the product of decades of optimizing mature control processes. Upgrades occur over years, not months. With critical physical equipment at stake, OT staff view change as inherently risky, and security is often perceived as a threat to availability.
Integrating these opposing cultures is difficult: mindsets, vocabularies, key performance indicators, and operating procedures all clash when IT-driven security initiatives meet OT operational priorities. Researchers now estimate that cultural divides account for over half the challenge in improving an IT/OT cyber risk management program.
Conclusion
IT and OT convergence is accelerating, but the two environments remain vastly different in terms of security. There are key differences between systems and data, threats, vulnerabilities, risks, solutions, governance, staff skills and culture.
Enterprises need to understand these core differences in order to secure operational and information systems under a single, holistic cyber risk program. After recent attacks, business leaders face board-level scrutiny and must adopt unified IT/OT security strategies to prevent dangerous gaps between these intrinsically linked worlds.