11 Sep Differences between IT and OT industrial security
Information technology (IT) and operational technology (OT) are different sectors with different rules of the game. Nowadays these two separate domains are often linked by operational overlaps in which it is difficult to recognize where IT competences end and OT ones begin. It is quite common to confuse working and operating conditions, the aptitude to follow IT procedures and even the working objectives, to the point that the industrial security strategies actually implemented are based on theoretical models that can hardly be pursued in reality.
The result is an approach to industrial cyber security that is often driven by a strategy in which sophisticated security products are bolted onto existing operating procedures, with meaningless results.
IT and OT tasks
The IT department is generally responsible for the information infrastructure of an enterprise. This means that IT teams focus on maintaining consistent policies and controls across the organization, while also being responsible for protecting sensitive applications and confidential data from unauthorized access.
On the other hand, OT deals with connecting, monitoring, managing, and securing an organization's industrial operations. The management of complex industrial resources such as robots, industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs), and computer numerical control (CNC) machines are just a few examples of the basic building blocks of OT.
Moreover, the OT realm can extend beyond the company's door to outdoor areas such as parking lots, external CCTV cameras, ATMs and kiosks, connected buses, trains and service fleets, weather stations, and so on. In general, it extends to every area in which an industrial IoT device is placed.
To briefly sum up the key difference between IT and OT, it is possible to argue that IT is centred on an organization's front-end informational activities, while OT is focused on its back-end production.
One apple, two halves
Let's have a brief review of the main differences between IT and OT that affect the security strategy. The aim is not to give an exhaustive or academic analysis of the differences, but only to highlight, in a pragmatic and realistic way, the major constraints that affect operations.
Firstly, the working objective. It might seem strange to start from the objective, since usually everybody knows what their job is; however, sometimes you may (erroneously) expect others to know and share your own work goals. As already outlined, the goal of the IT department is to keep IT services up and running (often outsourced) and grant access to accredited users, while those who work in industry have their own main objective in operational continuity and production efficiency, almost always internal. These two different targets also have different boundary conditions, working perspectives and urgencies. From an IT point of view, it is common to think of productivity as secondary to security, while from the OT point of view it is the opposite. And since very often "in medio stat virtus", a good approach is to create a security resilience strategy that does not depend on operator procedure policies: the more security is independent from workers' actions, the more effective it will be.
Presence of external users. Generally, guests or suppliers do not have direct access to the company's IT services and information systems; however, in most companies there is a constant presence of external personnel within the plant (maintenance, industrial electricians, etc.) with direct access to industrial equipment and the network. Suppliers have access to your company's local network, and often there is limited direct control by the company's operators. This means that OT operators are generally left free to use all their resources and capacities to keep production up and running.
Different asset types. IT deals with modern assets and devices: PCs, servers and smartphones are under the direct control of IT, with ease of maintenance and updating. In the factory, instead, there is a plethora of heterogeneous and obsolete assets, often unprotected, such as PLCs, sensors, CCTV cameras, older PCs, and so on. The low frequency and difficulty of updating these assets puts every one of them at serious risk. One of the fixed points in the industrial domain is the inability to secure hosts (unless the host has its own security), because it is mandatory to preserve the device's functionality.
Network boundaries. IT services generally have well-known network edges; it is easy to define the network perimeter and set up a strategy to protect the boundaries. Within the boundary there are modern assets, each with its own protection, which has the effect of creating "safe" fences. On the other hand, an OT network is generally considered borderless because of the frequent external or internal connections and access (external VPN, local maintenance, etc.). The presence of external operators, often unsupervised, and the plethora of devices result in a set of unplanned connected devices. As a matter of fact, most of these networks are based on a flat architecture, with just some (often one) VLAN to segment a few network portions.
Operating conditions. One of the most relevant differences between IT and industrial devices is their operating conditions. Users use IT tools freely, so it is virtually impossible to define a predictable behaviour or working profile across the board for PCs, smartphones and servers, which run many applications and processes that exchange data traffic between unpredictable end-points over many protocols. In the industrial sector, by contrast, data traffic is exchanged in a controlled way with known network identifiers and communication protocols, and the traffic profile of a device is predictable: PLCs, sensors, SCADA systems and so on usually have a single application exchanging data with well-known peers, most of the time within a local network.
Unfortunately, today this deterministic traffic information is not used in any way. Quite the opposite: normally the OT department does not even know what kind of traffic or connections there are in the plant. This is the direct consequence of an attitude more devoted to letting suppliers operate without procedures, to gain quick results, than to good control and management of the company.
Starting from these relevant differences, it is easy to conclude that a defence strategy must be tailored to the characteristics of the industrial sector, and that an outdated copy of the security strategy for the IT domain cannot be used.
This brings us back to the main question, what is a practical security model that fits with the industrial sector, and what is the starting point strategy?
For sure, the telecommunication network is one of the key elements: creating a network that allows industrial resources to exchange only the data relevant to their proper functioning, rather than giving them complete visibility of all network interfaces or of a network portion.
For this task a programmable network such as a Software Defined Network (SDN) could be useful, and even more so a programmable network whose main purpose is Edge SDN control. Check out Edge SDN to see how to exploit the specific characteristics of OT to create an effective security layer.
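The two points made above, that OT traffic profiles are predictable (a PLC talks to a handful of well-known peers on a handful of protocols) and that the network should let industrial resources exchange only the data they need, together amount to an allowlist model: learn the expected flows during a supervised window, then treat every flow outside that set as a deviation to be blocked or investigated. The following is an added example, not code from the original post or from the Edge SDN product it refers to. The flow-record format, the IP addresses, the OT segment `10.10.1.0/24` and the device roles (a SCADA server polling two PLCs over Modbus/TCP, an engineering station reaching the SCADA server over EtherNet/IP) are all constructed assumptions for the illustration.

```python
"""Allowlist-based flow monitoring for a flat OT segment (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample flow records (hypothetical format, not a real exporter's output):
# "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_FLOWS = """\
2024-03-01T08:00:01 10.10.1.20 10.10.1.10 TCP 502
2024-03-01T08:00:02 10.10.1.20 10.10.1.11 TCP 502
2024-03-01T08:00:05 10.10.1.20 10.10.1.10 TCP 502
2024-03-01T08:01:00 10.10.1.30 10.10.1.20 TCP 44818
2024-03-01T08:02:00 10.10.1.11 10.10.1.10 TCP 502
2024-03-01T08:03:00 10.10.1.99 10.10.1.10 TCP 502
2024-03-01T08:03:30 10.10.1.20 203.0.113.7 TCP 443
2024-03-01T08:04:00 10.10.1.20 10.10.1.10 TCP 22
"""

# Assumed address range of the production cell; anything leaving it is suspicious.
OT_SEGMENT = ipaddress.ip_network("10.10.1.0/24")

FlowKey = Tuple[str, str, str, int]  # (src, dst, proto, dst_port)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.proto, self.dport)


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow-record format, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.upper(), int(dport)))
    return flows


def learn_baseline(flows: List[Flow], until_ts: str) -> Set[FlowKey]:
    """Build the allowlist from flows seen during a supervised learning window.

    Because OT traffic is deterministic, the set of (src, dst, proto, port)
    tuples observed while the plant runs normally is the expected profile.
    """
    return {f.key() for f in flows if f.ts < until_ts}


def classify(flow: Flow, baseline: Set[FlowKey]) -> str:
    """Return 'allowed' or the reason a flow deviates from the baseline."""
    if flow.key() in baseline:
        return "allowed"
    # Industrial devices should never need to talk outside their own cell.
    if ipaddress.ip_address(flow.dst) not in OT_SEGMENT:
        return "external-destination"
    known_devices = {k[0] for k in baseline} | {k[1] for k in baseline}
    if flow.src not in known_devices:
        return "unknown-source"        # e.g. an unplanned laptop on the flat network
    known_pairs = {(k[0], k[1]) for k in baseline}
    if (flow.src, flow.dst) in known_pairs:
        return "unexpected-service"    # known peers, but a protocol/port never seen
    return "unknown-peer"              # known devices that never talked to each other


def find_deviations(flows: List[Flow], baseline: Set[FlowKey]) -> List[Tuple[Flow, str]]:
    """Every flow outside the allowlist, paired with the reason it was flagged."""
    return [(f, classify(f, baseline)) for f in flows if classify(f, baseline) != "allowed"]


# Assumed expected profile: SCADA 10.10.1.20 polls PLCs .10 and .11 over Modbus/TCP,
# engineering station .30 reaches the SCADA server over EtherNet/IP.
BASELINE: Set[FlowKey] = {
    ("10.10.1.20", "10.10.1.10", "TCP", 502),
    ("10.10.1.20", "10.10.1.11", "TCP", 502),
    ("10.10.1.30", "10.10.1.20", "TCP", 44818),
}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    learned = learn_baseline(flows, "2024-03-01T08:02:00")
    print("learned baseline matches the documented one:", learned == BASELINE)
    for flow, reason in find_deviations(flows, BASELINE):
        print(f"{flow.ts} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The same allowlist that drives the alerts here is exactly the set of rules an SDN controller would push to the switches so that a PLC can only reach its documented peers; the learning window is where operator knowledge of the plant (which connections are legitimate) gets captured once, instead of relying on workers to follow a procedure every day.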