Most people are familiar with the term Information Technology, or IT, and the way it refers to the use of computers in the storage, manipulation, transmission and presentation of data. A less familiar term is the one that refers to those computers and devices that we use to control or monitor the physical environment around us - Operational Technology or OT.
The term has only recently come into relatively widespread use and does not yet seem to have a common agreed definition. Gartner refers to OT as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise” – quite possibly a description that has come from an effort to understand OT from an IT point of view.
Perhaps the clearest way to understand what we mean by Operational Technology is simply to state that it is the application of computers to monitor and/or control some aspect of the physical world.
The difference between IT and OT
Whilst often sharing many of the same characteristics as IT systems, OT systems have the additional attributes that they are used in some way to control or monitor physical processes. Thus, their design parameters are often very different from IT systems.
The type of applications in which OT is used is a long and exhaustive list. Examples of the type of systems that belong to the OT environment are Supervisory Control and Data Acquisition (SCADA) systems used by for example grid companies, and Building Management Systems (BMS) used in the facilities management industry. Other examples include robots, CCTV, Energy Management and Fire Alarm systems.
Supporting all these systems requires a network and server architecture that enables the necessary interoperability and provides the appropriate resilience.
A close inspection of many OT systems will reveal that they often depend on the same server, network and operating system technology that IT systems utilise, leading some to consider that IT and OT are on converging trajectories. However, whilst this may be the case to a certain extent, the drivers when designing these systems tend to be prioritised differently.
“There is often a significant gulf between the way in which IT and OT practitioners approach system design,” says Olav Foster, a Senior Project Manager experienced in the delivery of complex OT projects and a founding member of the IOTSA (International Operational Technology Security Association). “This is particularly evident when the subject of security is addressed”.
President of the IOTSA and CISO at Powel, Mike Loginov states that, “IT system security design tends to follow a priority order of confidentiality, integrity and availability. Here, data confidentiality is paramount, followed by data integrity and finally availability of the IT systems. For these systems, data security and quality are king”.
“However, OT system security design adds an additional component and modifies the priority order to ensure safety, availability, integrity and confidentiality with personnel and customer safety being most important, followed by system availability, data integrity and data confidentiality,” explains Loginov. “For these systems, safety is key followed by production quality and uptime.”
Why does OT Security matter?
As we move more into the Fourth Industrial Revolution (Industry 4.0), powered largely by the Internet of Things (IoT), it seems clear that the days of OT systems being protected by accidental virtues of obscurity and lack of connectivity are well and truly over. It is time to take a long, hard look at OT security strategies and make sure they are fit for purpose. Doing so will enable us to embrace the full potential that innovative new technologies can offer us.
Cost pressures have led to progressive technology convergence and an increase in the number of OT systems and devices developed using Commercial Off-The-Shelf (COTS) operating systems and network protocols. The requirement for increased uptime has led to the demand for 24/7 support, often fulfilled via some form of remote access.
“OT cyber security can be a complex additional requirement for business units within organisations already tasked with reducing costs and ensuring uptime and resilience,” says Serkan Yusuf, a principal OT security consultant and another founding member of the IOTSA.
“The technological differences between IT and OT that had traditionally kept these different disciplines separate are now converging. It is no longer sufficient to rely on the proprietary nature of the technologies used within the sector to provide an appropriate level of security,” Yusuf finishes.
With a 20 year history, Powel has both experience and expertise within several sectors including the energy sector, and in the converging worlds IT, IoT and OT. If you want to know more about how we can assist with your OT security, get in touch with Chief of Cyber Security Mike Loginov.