Welcome to Your
Personalized OT Security Path

⚖️ The IT vs OT Priority Inversion

Security priorities in IT and OT environments are fundamentally inverted. This shapes every architectural and operational decision in industrial security.

IT: Confidentiality > Integrity > Availability (CIA)  |  OT: Availability > Integrity > Confidentiality (AIC)

A manufacturing PLC that goes offline costs thousands of dollars per minute in lost production. This fundamental difference shapes every security decision.

🏗️ The Purdue Model — Your Security Blueprint

The Purdue Model defines 5 levels of an industrial environment. Security controls at the DMZ boundary are the most critical single control in OT security. A breach at Level 3 should never reach Level 1/0.

📐 ISA/IEC 62443 — The OT Security Standard

ISA/IEC 62443 is the primary international standard for ICS/SCADA cybersecurity. It defines four Security Levels (SL) based on attacker capability and motivation:

• SL1: Protection against casual or unintentional violations
• SL2: Protection against intentional violations using simple means — the recommended minimum baseline for most industrial facilities
• SL3: Protection against sophisticated, motivated attackers with sector-specific knowledge — target for defense and critical infrastructure
• SL4: Protection against nation-state level attacks with unlimited resources

Most industrial facilities should target SL2 as a baseline. Defense and critical infrastructure operators should target SL3.

🎯 The Top 5 OT Attack Vectors

• Spear phishing → lateral movement from IT to OT via shared workstations or historian servers
• Compromised vendor/contractor remote access — the most common confirmed initial access vector in ICS incidents per CISA
• Removable media (USB drives) — bypasses network controls entirely, especially effective against air-gapped environments
• Supply chain compromise — trojanized software updates and compromised firmware delivered through legitimate vendor channels
• Internet-exposed OT assets — SCADA and HMI systems directly reachable via Shodan and other internet scanners

🔀 The IT/OT Pivot — How Attackers Move Laterally

Most OT breaches do not begin in OT. They begin in corporate IT through phishing or credential theft, then pivot into OT via historian servers with dual network interfaces, engineering workstations used for both email and PLC programming, or inadequate firewall rules at the IT/OT boundary.

The average dwell time before OT compromise is discovered is 200+ days.

• Unexpected outbound connections from OT systems
• Authentication failures on engineering workstations
• SCADA reading anomalies not explained by process changes
• New devices appearing on the OT network without change management approval

🔑 Remote Access: The #1 Exploited Vector

Since 2020, remote access abuse has been the leading confirmed initial access vector in ICS attacks. The risk profile: vendor credentials shared across multiple sites, no MFA on VPN connections to OT environments, sessions not logged or recorded, and access not time-limited.

Minimum required controls for all remote OT access:

• MFA enforced on all remote sessions without exception
• Jump server (bastion host) for all third-party vendor access
• Session recording enabled — every keystroke and screen action logged
• Time-limited access with automatic expiry after the maintenance window
• Least-privilege vendor accounts — read-only where possible, no persistent credentials