8.5 OT, ICS & SCADA Security
Key Takeaways
- OT prioritizes availability and safety, while traditional IT typically prioritizes confidentiality — this A-I-C inversion drives every OT defense decision
- The Purdue model layers OT/IT into zones (Levels 0-5) with a demilitarized zone (DMZ) separating enterprise IT from the control network
- Industrial protocols such as Modbus (TCP port 502) and DNP3 were built for reliability, not security, and often lack built-in authentication or encryption
- Stuxnet (2010) targeted Siemens S7 PLCs via Step7/WinCC, over-sped uranium centrifuges, and masked the change on the HMI — the landmark ICS attack
- Core OT defenses are zone segmentation, a controlled IT/OT DMZ, strict brokered remote access, and passive monitoring instead of active scanning
Why OT Security Is Different
Operational Technology (OT) is the hardware and software that monitors and controls physical processes — manufacturing lines, power grids, water treatment, oil and gas, building systems. Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) are categories of OT. CEH expects you to understand why OT defense differs from IT and to choose OT-appropriate controls. The single most important idea is the priority inversion of the security triad.
IT vs OT Priorities
| Dimension | Traditional IT | OT / ICS / SCADA |
|---|---|---|
| Top priority | Confidentiality | Availability and safety |
| Triad order | C-I-A (confidentiality first) | A-I-C (availability first) |
| Downtime tolerance | Often acceptable for patching | Often unacceptable; can halt production or endanger people |
| Device lifespan | 3-5 years | 10-30+ years (legacy, hard to patch) |
| Patching | Frequent, scheduled | Rare, tightly controlled, vendor-validated |
| Active scanning | Routine | Risky — can crash fragile controllers |
| Primary impact of failure | Data loss/breach | Physical damage, safety hazard, outage |
Why availability/safety dominates: in OT, an outage or a manipulated control command can damage equipment, spill chemicals, or harm people. A control that protects confidentiality but risks process disruption is often the wrong choice for OT. This is why routine IT practices — aggressive patching, active port scanning, forced reboots — are dangerous on a live plant floor.
The Purdue Model
The Purdue Enterprise Reference Architecture (Purdue model) is the standard way to describe OT/IT segmentation. It defines zones connected through controlled boundaries, with an IT/OT demilitarized zone (DMZ) isolating enterprise IT from the control network.
| Level | Zone | Examples |
|---|---|---|
| Level 5 | Enterprise network | Corporate IT, internet-facing services |
| Level 4 | Site business / logistics | Plant scheduling, email, ERP |
| IT/OT DMZ | Controlled boundary | Patch servers, jump hosts, data brokers, historian mirrors |
| Level 3 | Site operations | Historians, OT domain services |
| Level 2 | Area supervisory control | SCADA, Human-Machine Interface (HMI) |
| Level 1 | Basic control | Programmable Logic Controllers (PLC), RTUs |
| Level 0 | Physical process | Sensors, actuators, motors, valves |
Lower levels are closest to the physical process and most safety-critical. The DMZ prevents direct IT-to-control connectivity; data flows through brokered, inspected paths only.
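As an added illustration (not from this guide), the Purdue boundaries above can be encoded as a small policy check that audits a site firewall rule set for direct enterprise-to-control conduits, DMZ conduits that skip Level 4/3, and Modbus/TCP permitted outside the Level 2 to Level 1 path; the zone numbering, rule format, sample rules, and the site policy confining Modbus/TCP to that conduit are assumptions for the example.

```python
# Purdue zones: Levels 5-4 enterprise side, the IT/OT DMZ boundary, Levels 3-0 control side
ENTERPRISE = {5, 4}
CONTROL = {3, 2, 1, 0}
DMZ = "DMZ"
MODBUS_TCP = 502

def side(zone):
    """Classify a zone as 'enterprise', 'dmz' or 'control'."""
    if zone == DMZ:
        return "dmz"
    return "enterprise" if zone in ENTERPRISE else "control"

def audit_rule(rule):
    """Return the Purdue-model violations for one firewall permit rule.
    rule = {"name": str, "src": zone, "dst": zone, "port": int}; zones are 0-5 or DMZ."""
    s, d, port = rule["src"], rule["dst"], rule["port"]
    findings = []
    # 1. Enterprise and control traffic may only meet in the DMZ, never directly.
    if {side(s), side(d)} == {"enterprise", "control"}:
        findings.append("direct enterprise-to-control conduit; must terminate in the DMZ")
    # 2. The DMZ brokers only between its neighbours: Level 4 above and Level 3 below.
    if DMZ in (s, d):
        other = d if s == DMZ else s
        if other not in (4, 3):
            findings.append("DMZ conduit reaches past Level 4/3")
    # 3. Classic Modbus has no authentication, so any reachable node can write; the
    #    assumed site policy permits it only on the Level 2 HMI/SCADA -> Level 1 PLC conduit.
    if port == MODBUS_TCP and not (s == 2 and d == 1):
        findings.append("Modbus/TCP 502 allowed outside the Level 2 -> Level 1 conduit")
    return findings

def audit(rules):
    """Map rule name -> list of violations, for the rules that have any."""
    return {r["name"]: v for r in rules if (v := audit_rule(r))}

# Constructed sample rule set for a site firewall
SAMPLE_RULES = [
    {"name": "hmi-poll",    "src": 2,   "dst": 1,   "port": 502},  # normal supervisory polling
    {"name": "hist-mirror", "src": 3,   "dst": DMZ, "port": 443},  # historian replicates into the DMZ
    {"name": "erp-to-plc",  "src": 4,   "dst": 1,   "port": 502},  # flat IT-to-PLC path
    {"name": "jump-to-plc", "src": DMZ, "dst": 1,   "port": 22},   # jump host skips Level 3
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RULES).items():
        print(name, "->", "; ".join(problems))
```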
ICS Protocols (Conceptual)
Industrial protocols were built for deterministic reliability decades before modern security expectations, so most assume a trusted, isolated network.
| Protocol | Use | Security characteristic |
|---|---|---|
| Modbus | Simple master/slave control, broad industrial use; commonly TCP port 502 | Classic Modbus has no authentication or encryption — any reachable node can issue commands |
| DNP3 (Distributed Network Protocol 3) | Electric and water utilities | Base DNP3 lacked authentication; DNP3 Secure Authentication extensions exist but are not always deployed |
| PROFINET / EtherNet/IP / OPC | Automation, device messaging | Generally weak or optional native security; rely on network controls |
Exam takeaway: the systemic OT issue is not an exotic zero-day — it is that core protocols assume a trusted, isolated network that no longer exists once OT is bridged to IT. IT/OT convergence (connecting plant networks to corporate IT and the internet for analytics and remote support) delivers business value but exposes these unauthenticated protocols to a far larger threat population.
Case Study: Stuxnet
Stuxnet (discovered 2010) is the landmark ICS attack CEH expects you to recognize. It spread via Windows (using four zero-day vulnerabilities) to find systems running Siemens Step7 / WinCC SCADA software, then reprogrammed specific Siemens S7 PLCs controlling variable-frequency drives on uranium-enrichment centrifuges. It manipulated centrifuge speeds (well outside safe operating range) to physically damage them while replaying normal readings to the HMI so operators saw nothing wrong.
Stuxnet proved that a cyberattack can cause real-world physical destruction and that air-gapped OT is not invulnerable (it crossed via removable media). It is the reason OT defense emphasizes integrity of control logic, monitoring for anomalous commands, and rigorous removable-media and supply-chain controls.
OT-Specific Defenses
- Zone segmentation: enforce the Purdue boundaries; never allow flat IT-to-PLC connectivity.
- IT/OT DMZ: broker all cross-zone data through inspected hosts; no direct enterprise-to-control sessions.
- Strict, brokered remote access: jump hosts, multi-factor authentication, session recording, and just-in-time access for vendors.
- Passive monitoring: prefer passive network monitoring and anomaly/baseline detection over active scanning that can destabilize controllers.
- Change-controlled patching: vendor-validated patches in maintenance windows; virtual patching/isolation as compensating controls when patching is impossible.
- Removable-media and supply-chain control: the Stuxnet lesson — govern USB/removable media and vendor software.
- Safety-first incident response: containment cannot trade physical safety for speed.
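An added example, not code from this guide, tying the Modbus point above (any reachable node can issue commands over TCP port 502) to the passive-monitoring defense: a passive inspector that parses the Modbus/TCP MBAP header, ignores reads, and alerts on write function codes from any source/destination pair outside a learned baseline, without ever touching a controller. The addresses, baseline, and captured frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",          # state-changing
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}  # codes; 1-4 are reads
# Learned baseline of (source, destination) pairs allowed to write: Level 2 HMI -> Level 1 PLC (constructed)
WRITE_BASELINE = {("10.2.1.10", "10.1.0.5")}

@dataclass
class Frame:
    src: str
    dst: str
    dport: int
    payload: bytes      # TCP payload, i.e. the Modbus/TCP ADU

def parse_mbap(payload):
    """Split a Modbus/TCP ADU into its 7-byte MBAP header and PDU; None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:    # length field counts unit id + PDU
        return None
    return {"tid": tid, "unit": unit, "func": payload[7], "data": payload[8:]}

def build_adu(tid, unit, func, data):
    """Build a Modbus/TCP ADU (used only to construct the sample capture below)."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def inspect(frames):
    """Passively flag write commands that fall outside the learned baseline."""
    alerts = []
    for f in frames:
        if f.dport != MODBUS_PORT:
            continue
        pdu = parse_mbap(f.payload)
        if pdu is None or pdu["func"] not in WRITE_FUNCS:
            continue
        if (f.src, f.dst) not in WRITE_BASELINE:
            alerts.append(f"{f.src} -> {f.dst} unit {pdu['unit']}: "
                          f"{WRITE_FUNCS[pdu['func']]} (fc {pdu['func']})")
    return alerts

# Constructed capture: HMI read, HMI baseline write, write from an enterprise host, non-Modbus noise
SAMPLE = [
    Frame("10.2.1.10", "10.1.0.5", 502, build_adu(1, 1, 3, struct.pack(">HH", 0, 10))),
    Frame("10.2.1.10", "10.1.0.5", 502, build_adu(2, 1, 6, struct.pack(">HH", 100, 1500))),
    Frame("10.5.0.23", "10.1.0.5", 502, build_adu(3, 1, 5, struct.pack(">HH", 3, 0xFF00))),
    Frame("10.5.0.23", "10.1.0.5", 80, b"GET / HTTP/1.1\r\n\r\n"),
]
```

Running `inspect(SAMPLE)` yields one alert, for the coil write from 10.5.0.23; the same logic applied to a mirrored span port feed is the passive alternative to scanning the PLC.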
IT/OT Convergence Risks
For decades OT lived on isolated, sometimes air-gapped networks. Business pressure for real-time analytics, predictive maintenance, and remote vendor support has driven IT/OT convergence — connecting plant networks to corporate IT and, often, the internet. This delivers value but imports IT-style threats into an environment that was never designed to resist them. The specific convergence risks CEH tests are:
- Exposed unauthenticated protocols: Modbus, DNP3, and similar become reachable from a much larger network, where any node can issue control commands.
- Legacy, unpatchable systems: decades-old PLCs and HMIs run end-of-life operating systems that cannot be patched without vendor validation, if at all.
- Remote access sprawl: vendor VPNs, jump hosts, and remote HMIs become high-value targets and frequent entry points.
- Flat networks: without Purdue segmentation, a phishing foothold on the enterprise (Level 4/5) can reach control systems (Level 1/2) directly.
- Removable media and supply chain: as Stuxnet showed, USB drives and trusted vendor software can cross even an air gap.
The defensive answer to convergence is not to abandon it but to constrain it: enforce the Purdue boundaries, route all cross-zone traffic through the inspected IT/OT DMZ, broker remote access through hardened jump hosts with MFA and session recording, and monitor passively for anomalous commands. The recurring exam theme is that OT cannot simply adopt IT security practices wholesale — aggressive scanning, forced patching, and reactive reboots that are routine in IT can halt production or create a safety hazard in OT. Every OT control decision must respect the availability-and-safety-first priority.
When a question pits a confidentiality-protecting action against process availability or human safety, the OT-correct answer protects availability and safety.
Why is the security priority order generally inverted in OT/ICS environments compared to traditional IT?
A penetration tester wants to run an aggressive active port scan across a live production ICS network. Why is this approach inappropriate, and what is preferred?
Which characteristic of classic Modbus most directly explains why exposing it to a converged IT/OT network is dangerous?
Stuxnet is frequently cited in ICS security training. What made it a landmark attack?