Critical infrastructure


Satyam Singh
August 29, 2019 by
Satyam Singh

Today’s technology is defined by two terms, information technology (IT) and operational technology (OT). IT is the use of hardware and software to create, store, transmit and retrieve data; it typically includes computers that can act as a server or client, networking devices that are used for routing the traffic, virtual software to reduce the need for hardware and applications to provide a front end to the client to perform various tasks.

Learn ICS/SCADA Security

Learn ICS/SCADA Security

Explore realistic critical infrastructure scenarios and build your security skills with hands-on labs, on-demand courses and live boot camps.

On the other hand, OT is the use of hardware and software to detect, monitor or control the physical devices, processes, and events in an enterprise. OT is used primarily used in Industrial Control Systems (ICS) for manufacturing and automation. 

Companies using both IT and OT often fail to securely integrate them. In this article, we will have a look at how IT, which is a subsection of information systems, and ICS, which is a subsection of OT, are different from each other.

The differences between ICS and IT

1. Security objective

IT is more data-centric, where the key requirement is Confidentiality, Integrity and Availability (CIA). On the other hand, ICS is more concerned with Availability and Integrity. Confidentiality is the lowest priority.

Let’s consider an example for the above points:

Imagine an internet banking facility provided by a bank. It’s important to have confidentiality and integrity in net banking. An adversary sniffing or modifying the net banking traffic is a problem, but even if net banking is not available for a few minutes, loss is minimal.

Now, let’s imagine a power grid. Availability is the power grid’s key requirement, as a disruption in the power supply can have a huge impact on the entire grid’s consumers. Power disruption may directly impact IT operations as well, as IT uses electricity. It’s important to note that ICS safety is a constant requirement along with CIA.

2. Network topology

IT environments are large, with a number of devices and servers. These servers are segregated based on the importance and need. The environment is dynamic, with IP being allocated from the DHCP server. In contrast, ICS setup is comparatively small, with a limited number of assets and mostly static IP addresses. Dynamic IP addresses may hamper operations.

3. Physical component

IT systems primarily consist of servers, network devices and workstations. These components are often protected by firewalls, antiviruses, IPS and web application firewalls. 

ICS, on the other hand, has proprietary products. Other than desktop and servers, the rest of the platforms are embedded and vendor-specific. There are limited security products available for ICS networks. 

The lifetime of IT and ICS components varies. IT component life may range from three to five years, but ICS component life ranges from 15 to 20+ years.

4. Patch management

IT and ICS have different patch management processes. IT has patch management control where the patches are pushed as they are released. On the other hand, ICS patches are released on time, but due to a lack of operational downtime the patches are rarely applied. Consequently, ICS software is obsolete and critically vulnerable to attack. 

5. Encryption and authentication

Encryption is commonly used in IT setups to protect sensitive data passing over the network. Similarly, authentication is required in IT to provide access to resources. Authentication and encryption are required in applications like net banking, email or any other entities who share and manage sensitive data. 

Authentication and encryption aren’t priorities for ICS, despite their overall security benefits. In fact, implementing authentication and encryption processes often increases equipment overhead costs and slows operations.

6. Security testing

IT security testing is different from ICS security testing. Applying IT testing methodology on ICS may crash fragile ICS setups. Simply running an Nmap scan with various options like service and OS fingerprinting, script-based vulnerability detection, full port TCP and UDP scan, or Nessus scan can crash a simple PLC, hampering plant operations.

7. Environmental factors

Assets related to IT are hosted in a data center where environmental factors like temperature, humidity and cleanliness are controlled. These facilities have an automatic backup and human support staff. 

ICS setups may be distributed across different locations. The components of the setup are exposed to temperature, pressure and humidity extremes and fluctuations. 


To summarize the difference between IT and ICS:


Security Objective








Component Lifetime 3-5 years 15-20+ years

Patches Timely Difficult/slow


Must be fast

Non-real time Must be real-time

Security Testing Standard approach Specialized approach

Antivirus Common Difficult

Security Awareness Good Poor

Component Location

Usually local components

Controlled temperature environment

Can be local or isolated and remote

In a dynamic environment like high/low temperature or high/low pressure/humidity

Protocol Standard TCP/IP protocol which includes authentication and encryption

Vendor-specific protocols with

no security


No impact on the environment

No threat to human life Possible impact on environment and threat to human life


IT and OT seem similar but are not the same. IT and OT are set up, used and controlled differently but often converge. What works for one might harm the other, so security measures are also different for IT and OT. 

Understanding these differences is key to keeping these systems secure and avoiding conflict between IT and ICS administrators.

Learn ICS/SCADA Security

Learn ICS/SCADA Security

Explore realistic critical infrastructure scenarios and build your security skills with hands-on labs, on-demand courses and live boot camps.


Satyam Singh
Satyam Singh

Satyam is an Informational Security Professional, currently working as a Tech Specialist and Team Lead at Paladion Networks. He has 5.5 years of practical experience in this domain, with the main area of interest in Web and Mobile Application, Network Penetration Testing, Vulnerability Assessment and Infrastructure Security.