IT vs OT security in critical infrastructure
68 min About this episode
Our guest Dan Ehrenreich has over 30 years of engineering experience and 15 years specialising in industrial control systems for water, electricity, and oil and gas. We explore the fundamental differences between IT and operational technology security, and why OT prioritises safety, reliability and performance over the traditional IT CIA triad.
Dan explains why standard IT practices such as penetration testing and Zero Trust can be dangerous or inapplicable in industrial settings, why OT-directed ransomware is largely a myth, the challenge of securing 20 to 40 year old equipment, and the career path for aspiring OT security professionals.
Episode chapters
- 00:00 Introduction
- 01:20 Dan's background and the birth of industrial cybersecurity
- 04:30 The difference between IT and OT: CIA vs SRP
- 09:15 Why penetration testing is dangerous in OT
- 12:00 The four pillars of OT security
- 15:45 Digital twins and deep inspection
- 19:00 The challenge of legacy systems in critical infrastructure
- 23:30 Secured interfacing vs IT/OT convergence
- 26:00 Why Zero Trust does not work in OT
- 31:20 The myth of OT-directed ransomware
- 38:00 Defining OT-directed cyber attacks
- 46:00 How to start a career in OT security
Topics covered
- #OTSecurity
- #ICS
- #CriticalInfrastructure
- #ZeroTrust
- #Resilience
