OT Security
Operational Technology (OT) Security research at SGU focuses on protecting industrial control systems (ICS), SCADA networks, and critical infrastructure from sophisticated cyber threats. As the convergence of IT and OT environments accelerates, our research bridges the gap between traditional cybersecurity and industrial systems safety.
About OT Security Research
Operational Technology (OT) encompasses the hardware and software systems used to monitor and control physical processes, including power grids, water treatment plants, manufacturing lines, and transportation networks. As these systems become increasingly connected to corporate IT networks and the internet, they face unprecedented cybersecurity risks that demand specialized research and defense strategies.
Research Focus Areas
- Industrial Control System (ICS) vulnerability assessment and threat modeling
- SCADA network security and anomaly detection
- IT/OT convergence security architecture
- Critical infrastructure protection frameworks
- OT-specific incident response methodologies
- Secure remote access for industrial environments
- Protocol security analysis (Modbus, DNP3, IEC 61850, OPC UA)
The IT/OT Convergence Challenge
Traditionally, OT environments operated in isolation, air-gapped from corporate networks and the internet. However, the drive toward digital transformation, predictive maintenance, and real-time operational data has erased these boundaries. This convergence introduces IT-style attack vectors into environments where security failures can have catastrophic physical consequences.
Key Threat Categories in OT Environments
| Threat Category | Impact Level | Target System | Research Status |
|---|---|---|---|
| Ransomware targeting ICS | Critical | HMI / Engineering WS | Active Research |
| Supply chain attacks on OT components | High | PLC / Firmware | Active Research |
| Protocol exploitation (Modbus, DNP3) | High | RTU / SCADA | Under Investigation |
| Insider threats in critical infrastructure | Medium | All OT layers | Ongoing Study |
| Remote access vulnerabilities | High | VPN / Jump Hosts | Mitigation Development |
| Nation-state APT campaigns | Critical | Energy / Water Sector | Intelligence Monitoring |
OT Network Segmentation Model
Proper network segmentation is the first line of defense in OT environments. The Purdue Model (ISA-95) defines hierarchical zones that isolate field devices from enterprise systems, limiting lateral movement during a breach.
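The zoning described above can be checked against an inventory of observed network flows. The following is an added example written for this page, not SGU's own code: the zone names, the positions of the enforcement boundaries, the protocol list and the sample flows are assumptions, with level numbers following the Purdue layer diagram below.

```python
from dataclasses import dataclass

# Level numbers of the zones in the Purdue layer diagram (zone names assumed).
LEVELS = {"enterprise": 5, "site_business": 4, "site_ops": 3,
          "supervisory": 2, "basic_control": 1, "process": 0}
# Where the diagram places an enforcement point (firewall / DMZ / gateway).
BOUNDARIES = (4.5, 3.5, 2.5)
# Raw control protocols that must never be routed above Level 3.
OT_PROTOCOLS = {"modbus", "dnp3", "profinet", "ethernet/ip"}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    via_dmz: bool = False  # True when the flow terminates on a DMZ broker

def boundaries_crossed(src: int, dst: int) -> int:
    lo, hi = sorted((src, dst))
    return sum(1 for b in BOUNDARIES if lo < b < hi)

def check_flow(flow: Flow) -> list:
    """Return the Purdue policy violations for one observed flow ([] = OK)."""
    src, dst = LEVELS[flow.src_zone], LEVELS[flow.dst_zone]
    findings = []
    n = boundaries_crossed(src, dst)
    if n > 1:  # the "no Level 5 to Level 0" rule is the extreme case of this
        findings.append(f"L{src} -> L{dst} crosses {n} enforcement boundaries")
    crosses_it_ot = (src >= 4) != (dst >= 4)
    if crosses_it_ot and not flow.via_dmz:
        findings.append("crosses IT/OT boundary without an industrial DMZ hop")
    if flow.proto.lower() in OT_PROTOCOLS and max(src, dst) > 3:
        findings.append(f"control protocol {flow.proto} reaches L{max(src, dst)}")
    return findings

# Constructed flow inventory (not from a real site).
INVENTORY = [
    Flow("site_ops", "basic_control", "modbus"),               # SCADA -> PLC
    Flow("site_business", "site_ops", "https", via_dmz=True),  # MES <-> historian
    Flow("enterprise", "process", "modbus"),                   # the forbidden case
]

def audit(flows=INVENTORY) -> dict:
    """Map (src, dst, proto) -> findings for every non-compliant flow."""
    return {(f.src_zone, f.dst_zone, f.proto): v
            for f in flows if (v := check_flow(f))}
```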
OT Security Architecture (Purdue Model Layers)

```text
================================================
Level 5 | Enterprise Network (Business IT)
        | -- DMZ / Firewall --
Level 4 | Site Business Planning (ERP, MES)
        | -- Industrial DMZ --
Level 3 | Site Operations (Historian, SCADA Server)
        | -- Firewall / Unidirectional Gateway --
Level 2 | Area Supervisory (HMI, Engineering WS)
Level 1 | Basic Control (PLC, RTU, DCS)
Level 0 | Physical Process (Sensors, Actuators, Field Devices)
================================================
```

Rule: No direct connectivity from Level 5 to Level 0

Protocol Vulnerability Analysis
| Protocol | Port | Authentication | Encryption | Risk Level |
|---|---|---|---|---|
| Modbus TCP | 502 | None | None | Critical |
| DNP3 | 20000 | Optional (SAv5) | None by default | High |
| IEC 61850 (MMS) | 102 | Basic | TLS optional | Medium |
| OPC UA | 4840 | Certificate-based | TLS 1.2+ | Low |
| EtherNet/IP | 44818 | None | None | High |
| PROFINET | Various | None | None | High |
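Modbus TCP carries neither authentication nor encryption, so a monitoring host can only judge a frame by its MBAP header and function code. The block below is an added example, not the SGU script that follows and not pymodbus code: a passive parser over constructed Modbus/TCP frames that reports write commands, exception responses and malformed headers; the source hosts and frame bytes are made up.

```python
import struct
from collections import namedtuple

# Same read-only allowlist as the monitoring script below; anything else is reported.
READ_FCS = {0x01, 0x02, 0x03, 0x04}
FC_NAMES = {0x05: "Write Single Coil", 0x06: "Write Single Register", 0x08: "Diagnostics",
            0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id
Frame = namedtuple("Frame", "tid unit fc data")

def parse_frame(raw: bytes) -> Frame:
    """Decode one Modbus/TCP ADU; raise ValueError if the MBAP header is bad."""
    if len(raw) < MBAP.size + 1:
        raise ValueError("truncated frame")
    tid, pid, length, unit = MBAP.unpack_from(raw)
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(raw) - 6:  # the length field counts unit id + PDU
        raise ValueError(f"length {length} != {len(raw) - 6} bytes on wire")
    return Frame(tid, unit, raw[7], raw[8:])

def inspect(raw: bytes, src: str):
    """Return an alert line for a suspicious frame, or None if it is benign."""
    try:
        f = parse_frame(raw)
    except ValueError as e:
        return f"MALFORMED from {src}: {e}"
    if f.fc & 0x80:  # exception response: the device rejected a request
        return f"EXCEPTION from {src}: FC 0x{f.fc & 0x7F:02X} code {f.data[0] if f.data else '?'}"
    if f.fc in READ_FCS:
        return None
    detail = ""
    if f.fc == 0x06 and len(f.data) >= 4:  # show what the write would change
        addr, val = struct.unpack(">HH", f.data[:4])
        detail = f" reg {addr} <- {val}"
    name = FC_NAMES.get(f.fc, "unknown")
    return f"ALERT from {src} unit {f.unit}: FC 0x{f.fc:02X} {name}{detail}"

# Constructed sample traffic (hosts and frames are made up, not a capture).
SAMPLES = [
    ("10.0.3.10", bytes.fromhex("000100000006010300000002")),  # read 2 regs
    ("10.0.3.77", bytes.fromhex("0002000000060106000A1388")),  # write reg 10
    ("10.0.3.10", bytes.fromhex("000300000003018302")),        # exception 02
    ("10.0.3.99", bytes.fromhex("000400010006010300000002")),  # bad proto id
]

def run(samples=SAMPLES) -> list:
    """Alerts for every suspicious frame, in order of appearance."""
    return [a for src, raw in samples if (a := inspect(raw, src))]
```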
Sample: Modbus Packet Inspection Script
Our research team developed lightweight monitoring scripts to detect anomalous Modbus commands in OT network traffic. This approach enables passive detection without disrupting industrial processes.
```python
from pymodbus.client import ModbusTcpClient
import logging

logging.basicConfig(level=logging.INFO)

# Allowlist of permitted (read-only) function codes
ALLOWED_FUNCTION_CODES = {0x01, 0x02, 0x03, 0x04}


def inspect_modbus_traffic(host: str, port: int = 502):
    """
    Connect to a Modbus device and flag disallowed function codes.
    For passive monitoring, mirror traffic to a dedicated tap interface.
    """
    client = ModbusTcpClient(host=host, port=port)
    if not client.connect():
        logging.error(f"[ERROR] Could not connect to {host}:{port}")
        return
    try:
        # Read holding registers (FC 0x03) - normal operation
        response = client.read_holding_registers(address=0, count=10, slave=1)
        if response.isError():
            logging.warning(f"[ALERT] Error response from {host}: {response}")
        else:
            fc = response.function_code
            if fc not in ALLOWED_FUNCTION_CODES:
                logging.critical(f"[CRITICAL] Unauthorized function code: 0x{fc:02X} from {host}")
            else:
                logging.info(f"[OK] FC 0x{fc:02X} - Registers: {response.registers}")
    finally:
        # Always release the connection, even if the read raised
        client.close()


inspect_modbus_traffic("192.168.1.100")
```

ISA/IEC 62443 Compliance Mapping
| Security Level (SL) | Description | Countermeasure Focus | Applicable Zone |
|---|---|---|---|
| SL 0 | No specific requirements | Basic hygiene | Office IT |
| SL 1 | Protection against casual violation | Authentication, patching | Site operations (L3) |
| SL 2 | Protection against intentional violation | Role-based access, monitoring | Control center (L2) |
| SL 3 | Protection against sophisticated attack | Encryption, MFA, audit trails | SCADA / DCS (L1-L2) |
| SL 4 | Protection against state-level attack | Full isolation, formal verification | Safety systems (L0) |
Strategic Partnerships and Collaboration
- National cybersecurity agencies (BSSN) for critical infrastructure threat sharing
- Industrial sector operators for real-world OT environment access and field testing
- International ICS security research communities and working groups
- Standards bodies (IEC, ISA/IEC 62443) for compliance framework development
Why OT Security Matters
An attack on industrial control systems does not just compromise data. It can disrupt power grids, contaminate water supplies, halt manufacturing, or endanger lives. As Indonesia's critical infrastructure undergoes rapid digitalization, the need for robust OT security research and expertise has never been greater.
"The greatest risk in OT security is assuming IT solutions are sufficient. Industrial environments require tailored defenses that respect the unique constraints of safety-critical systems."