OT security is a challenge
Firstly, most security processes are based on IT systems, where the priority is to protect data. In OT systems, availability is the priority. So, for example, if we design security around certificates and that certificate expires, what should a system do? In the IT world they may deny access; in the OT world that would cause huge issues. There are other issues, such as the fact that OT systems are designed to have a long working life (25+ years), run with minimum interaction and are generally bespoke and finely tuned, so any changes have to be carefully planned. The last one means patching systems is not as easy as just uploading new software; there has to be considerable testing and planned downtime. Add in that your system may be older than some engineers and that just adds to the challenge.
Some suggestions, such as authentication, don't fit well with OT systems. M2M is a challenge because it requires non-human authentication. Also, adding security without deep thought has its own issues. You could just be adding a layer against which an attacker can mount a denial of service attack. Unlike with IT systems, the attacker is often happy just to bring your system down.
This brings up another point. I said availability is a priority in OT systems, but in fact safety is the overriding concern. There is an overlap and balance between safety and security. Getting both right is the challenge.
The other thing to remember is that OT systems are often very performance sensitive. When you are controlling billions of dollars of equipment with very fast control cycles, adding jitter on the line can cause mayhem. So running industrial protocols over, say, a VPN is just not possible. Many of these protocols, such as EtherCAT, are basically running at wired Ethernet speed. Adding an encryption layer would cause chaos.
As someone suggested, air gapping a system makes sense, but of course in the world of remote diagnostics customers want to be able to see how their system is doing. There are other architectures that are almost as secure. A DMZ, while not totally secure, can be secure if the connection to the outside world is well controlled. One criticism of the report is that by examining each protocol in isolation, it misses the mitigation techniques in the system context.
Some have suggested that security has not improved in OT systems in the last 10 years. That is just not true. Standards such as IEC 62443, and the industry acceptance of them, have really helped improve OT security, but people are not going to rip out legacy systems to add security, and shoehorning security into existing systems is very hard, so the change is not going to happen overnight; but most systems designed today are expected to be security aware.
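The certificate-expiry dilemma raised above (deny in IT, keep running in OT), as an added Python sketch that is not the commenter's code: the `Mode` names, the 30-day grace window and the alarm wording are assumptions, and the sample dates at the bottom are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Mode(Enum):
    IT = "it"  # data protection first: an invalid certificate fails closed
    OT = "ot"  # availability/safety first: keep the link up, raise an alarm


@dataclass(frozen=True)
class Decision:
    allow: bool
    alarm: Optional[str]  # None when nothing needs operator attention


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so sample timestamps are unambiguous (UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def evaluate_certificate(not_before: datetime, not_after: datetime,
                         now: datetime, mode: Mode,
                         grace: timedelta = timedelta(days=30)) -> Decision:
    """Decide what to do with a peer certificate given the plant's priority.

    Assumed policy: IT mode refuses anything outside the validity window;
    OT mode never turns a renewal lapse into an outage, but escalates the
    alarm severity once the (assumed) grace window has passed."""
    if now < not_before:
        # "Not yet valid" almost always means clock skew on one side.
        msg = f"CRITICAL: certificate not valid until {not_before:%Y-%m-%d}; check clocks"
        return Decision(allow=(mode is Mode.OT), alarm=msg)
    if now <= not_after:
        return Decision(allow=True, alarm=None)  # normal case, nothing to raise
    overdue = now - not_after
    if mode is Mode.IT:
        return Decision(allow=False, alarm=f"DENIED: certificate expired {overdue.days}d ago")
    if overdue <= grace:
        return Decision(allow=True, alarm=f"WARNING: certificate expired {overdue.days}d ago; renew at next planned window")
    return Decision(allow=True, alarm=f"CRITICAL: certificate expired {overdue.days}d ago, beyond {grace.days}d grace; escalate")


if __name__ == "__main__":
    # Constructed sample: a device certificate that lapsed 17 days before "now".
    cert = (utc(2023, 1, 1), utc(2024, 5, 15))
    for mode in Mode:
        print(mode.value, evaluate_certificate(*cert, utc(2024, 6, 1), mode))
```

The point the split makes visible is that the OT branch still produces an alarm record every time, so the lapse is handled at the next planned maintenance window rather than by an unplanned stop.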