By Nisarg Desai, Product Manager, GlobalSign, GMO Internet Group. This blog originally ran on 27-April-2016 on the GlobalSign Blog.
IT and OT – What’s the Difference?
Most people are familiar with the term Information Technology (IT). These teams generally work on the enterprise side of things and cover:
“The entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services. In general, IT does not include embedded technologies that do not generate data for enterprise use.”
I’m emphasizing that last part because it plays an important role in the rest of this discussion.
Operational Technology (OT) is a relatively newer term and as Gartner explains:
“Is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”
For the purposes of this piece, we’re focusing on OT in the context of manufacturing plants and the assembly line – the teams responsible for the technology and industrial systems that keep the manufacturing process going.
When Worlds Collide - The Industrial Internet
From the explanations above we can see that, traditionally at least, IT and OT have had fairly separate roles within an organization. However, with the emergence of the Industrial Internet and the integration of complex physical machinery with networked sensors and software, the lines between the two teams are blurring.
Remember that portion of the IT definition I highlighted earlier, “In general, IT does not include embedded technologies that do not generate data for enterprise use”?
Well, one of the main reasons these industrial systems and appliances are being brought online is to deliver smart analytics - using data generated from the machines to modify and optimize the manufacturing process. Generating data for enterprise use? That’s starting to sound more like traditionally IT territory.
Now, this convergence of OT and IT isn’t exactly news; Gartner predicted this back in 2011. However, in more recent years we’ve noticed the scope of Industrial Internet has started to explode into more general Internet connectivity, as opposed to the historically closed systems that relied more heavily on physical security to ensure integrity. With this shift from closed to open systems comes an even greater interdependence and overlap between the two teams and a slew of new security concerns.
New Concerns for Both Sides
Greater connectivity and integration is obviously beneficial for smart analytics and control, but more connections and networked devices means more opportunities for security holes. While security has always been a priority for both IT and OT teams in traditional systems, these networked systems are presenting new scenarios and risk profiles to both sides. IT now needs to start thinking like OT and vice versa.
New Concerns for IT
Greater scope of impact – There’s no downplaying the obvious detrimental results of a security incident in a more traditional enterprise environment, but the effects of an incident on an industrial system are on a completely different scale. Consider the repercussions if an electricity grid went offline, or if a car’s engine control system was hacked and drivers were no longer within complete control.
Physical risks and safety – Unlike more traditional enterprise systems, networked industrial systems bring an element of physical risk to the table that IT teams have not had to think about. An interruption in service or machine malfunction can result in injury to plant floor employees or the production of faulty goods, which could potentially harm end users.
Outdated or custom systems – IT is used to frequent and consistent software patches and upgrades, but the industrial environments tend to be more systemic, where one small change can trigger a domino effect. As a result, many legacy plant control systems may be running outdated operating systems that cannot easily be swapped out or a custom configuration that isn’t compatible with IT’s standard security packages.
New Concerns for OT
Physical risks and safety – Threats to physical safety are not a new concern to OT teams; they’ve been implementing safety measures into industrial systems for decades. However, they’re now facing threats that are potentially outside of their control. Taking machines and control systems out of a closed system brings the threat of hacked machines, which could potentially injure employees (e.g. overheating, emergency shut-offs overridden, etc.).
Productivity and quality control – Losing control of the manufacturing process or any related devices is any OT team’s worst nightmare. Consider a scenario where a malicious party is able to shut down a plant, halting production entirely, or reprogram an assembly process to skip a few steps, resulting in a faulty product that could potentially injure end users down the road.
Data leaks – While data breaches have long been a top concern for traditional IT teams, they are somewhat new territory to OT teams that are used to working with closed systems. Given the nature of the types of industrial systems that are coming online, such as utilities, aviation and automobile manufacturing, ensuring the privacy of transmitted data is critical.
Working with IT – One of the more unexpected concerns I hear from OT teams is around how to work with IT to solve the security threats discussed above, when IT teams generally have little experience with industrial systems and their traditional security solutions typically aren’t compatible with legacy control systems. While many on the OT side see the benefits of moving away from closed systems and increasing connectivity, the perceived lack of IT experience and potential solutions for their security concerns is causing some resistance.
Finding Common Ground
While OT and IT may have different backgrounds framing their concerns about the transformation brought about by the Industrial Internet of Things, the main underlying concern for both parties is retaining control of systems and machines and ultimately the safety of their employees and customers. To make both sides happy, key components of any potential security solutions should include:
- Identifying and authenticating all devices and machines within the system, both within manufacturing plants and in the field, to ensure only approved devices and systems are communicating with each other. This would mitigate the risk of a hacker inserting a rogue, untrusted device into the network and taking control of any systems or machines.
- Encrypting all communications between these devices to ensure privacy of the data being transmitted.
- Ensuring the integrity of the data generated from these systems. As mentioned earlier, smart analytics are a major driver in the adoption of the Industrial Internet, but those analytics are worthless if the data is inaccurate.
- Assuming the manufactured goods contain software or firmware themselves, enabling the ability to perform remote upgrades down the road and ensuring the integrity of those updates.
If things continue as they are today, it’s likely we will see the separation between OT and IT continue to fade until they are potentially one and the same. In the meantime, it’s essential that both sides consider the other’s expertise and point of view and work together toward the ultimate goal – a secure, productive Industrial Internet.