The dictionary definition of information technology is the study or use of systems (especially computers and telecommunications) for storing, retrieving, and sending information. IT security, then, is the process or profession of securing and protecting those digital assets from cybercriminals.
On the other hand, OT, or operational technology, focuses much more on traditional, physical business operations. OT is focused more on hardware and software that contributes to the streamlining or automation of manual processes and events — think mechanized industrial equipment and supply chain operations. Or, to make it even shorter: critical infrastructure.
With a more connected and digital world, it's certainly not unusual to see traditionally manual processes aided, enhanced or otherwise made better by technology. OT security, then, is the process or profession of protecting these digitally enhanced systems against bad actors, just as information technology security professionals do for IT.
In a perfect world, IT and OT security teams would work together and form a unified security strategy to protect physical and digital assets as a whole. While some organizations are already working toward implementing a more holistic approach to security operations, many are not.
Although these two specialties share the core function of protecting assets from cyber threats, there are some key differences that are important to note. In the same vein, certain threats are pertinent to both IT and OT security, while others are more of a concern for one than the other.
Common threats to IT security
When threat actors target IT, their intention is almost always to steal something — likely data and personal information — to use it for something else criminal, sell it or demand a ransom.
Botnets
A botnet is a network of computers — which could be private desktops, laptops, cell phones, or other computing devices — that a threat actor infects with malware. A majority of the time, the infection goes unnoticed by the owner of the device. The cybercriminal then uses this infected, remote network of computers to carry out cyber attacks. Botnets are most commonly used to send malware-infected spam messages with the hope of gaining access to one or many people's personal data and information.
Phishing
Phishing scams have been, and continue to be, one of the most persistent IT security threats. Cybercriminals who employ this tactic use what's called social engineering with the intention of getting employees to break standard security measures. Successful phishing attacks and scams make personal information and data more easily accessible to bad actors, who will likely use the stolen information to commit more crimes.
Human error and insider harm
Human error is inevitable — even in IT security. The problem here is that any degree of human error can expose vulnerabilities in an organization's security infrastructure, which is enticing for cybercriminals. But there's more to this 'human error' aspect of IT security than simple blunders: intent matters too. An employee may compromise data either intentionally or unintentionally. Most commonly, this happens when careless individuals do not uphold their organization's security policy, thus exposing vulnerabilities or otherwise making it easier for cybercriminals to attack.
Common threats to OT security
Threat actors who target OT are usually intent on disrupting operations to achieve some sort of goal, prove a point or demand a ransom.
Legacy software/lack of encryption
Lots of operational technology throughout many industries still runs on legacy software. That's because organizations either don't want to spend the money on updating it, don't want to deal with any downtime or lost revenue, or simply don't believe that refreshing OT software would offer any tangible benefits. The inherent problem with legacy systems, however, is the ever-dwindling support they receive from their original developers (if any at all), which means that, over time, they become increasingly vulnerable and lack the encryption necessary to keep operational technology safe.
DDoS attacks
A distributed denial-of-service attack, or DDoS attack, is a type of cyberattack that either temporarily or indefinitely disrupts a service, making it unavailable to its intended users.
A detached policy between IT and OT
Security is strongest when teams work together, but oftentimes it's not the IT and OT professionals to blame for disconnected approaches to cybersecurity. Many organizations fail to unify security teams and take a holistic approach to risk management. Policies and procedures need to be tailored at the highest level to meet the growing demand for stronger cybersecurity across almost every industry.
In a report titled The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide Between the IT & OT Teams, it was revealed that only 35% of organizations have a unified cybersecurity strategy, despite the rising number of threats that they face. Moving forward, unified and mature strategies are an organization's best bet for staying ahead of threats and mitigating as much risk as possible.