
By now, we all have some idea of what IT, or Information Technology, comprises. It’s pervasive in our everyday lives, and most of us – either consciously or subconsciously – utilize it for a multitude of things every day. Whether it’s used to perform online banking via a personal cell phone, or to cast your favorite playlist on a smart device, we’re utilizing components of the IT systems the world runs on today.
But what exactly is OT?
OT, or Operational Technology, is defined as technology that deals with processes, instruments, and infrastructure that interface with the physical world. Equipment and supporting systems that are connected to things such as temperature and flow sensors that allow them to control valves, solenoids, and breakers that have real world impacts fall within this definition. These systems are just as significant in our daily lives, but often work behind the scenes. Industries such as your municipal water and wastewater systems, the electrical utility that provides power to your home and office, and mines and mills that provide valuable resources rely heavily on OT systems.
There are some significant differences to highlight when considering the priorities of OT systems, and how they are implemented and managed in comparison to their IT counterparts.
When we consider priorities in either IT or OT, we focus on 3 main topics: Confidentiality, Integrity, and Availability.
In an IT system, these three are prioritized with confidentiality being the primary objective, followed by integrity and availability. An example of this would be an online banking system: we would expect the IT team at the banking institution to be more concerned about an incident in which confidential information was leaked than about an instance in which the banking site was knocked offline temporarily. In an instance such as this, they’re treating confidentiality as a priority over availability.
In an OT environment, a breach of a water system network could expose information such as water reservoir levels and historical data. A breach that knocked the communications systems down and caused a municipality to run out of water would be a far greater concern, with real-world safety consequences such as limiting the ability of fire departments to utilize water systems for fire suppression. As such, OT systems consider availability a priority over integrity and confidentiality.
Another key difference between OT and IT is the equipment lifecycle. In a modern IT system, devices are typically in service for 3-5 years, after which they are replaced. In an OT system, components may stay in service for up to 30 years. As such, they often don’t have the modern security features or network resiliency we would expect from a new device. It may be impossible, or extremely costly to upgrade older systems. This means the requirements to protect systems on an OT network differ from those of an IT system, and there are key differences in the approach to monitoring or updating devices on the network.
With these differences in mind, there are important considerations to make in establishing a program that manages OT infrastructure and its associated risks. A critical aspect of any OT CSMS (Cyber Security Management System) is to define how the OT system interfaces with the Enterprise IT system. It’s important to define the delineation points between the two systems and create plans for areas in which collaboration between the two groups (also known as OT/IT Convergence) is imperative. These considerations are some of the most critical in determining whether an attack on OT infrastructure leads to a breach and subsequent interruption of a key operational process, or the attacker leaves empty-handed.
| | Operational Technology: when a 0 or 1 impacts the physical world. | Information Technology: moving data from one place to another. |
|---|---|---|
| Risks | Less frequent, but potentially devastating events causing damage to equipment or infrastructure, or potential loss of life. | More frequent, low-impact events causing leaked data or the disclosure of confidential information. |
| Priorities | Availability, Integrity, and Confidentiality | Confidentiality, Integrity, and Availability |
| Equipment lifecycle | 10-30 years. Patching or replacing hardware requires equipment downtime and is not always feasible for critical infrastructure. | 3-5 years. IT equipment is patched or replaced at regular intervals to encourage security and integrity. |
| Defense techniques | Some cybersecurity defense techniques common in IT should be avoided in OT settings. For example, locking out a user after some number of failed login attempts, while common practice in IT, could present safety risks in an OT setting. Even if a network is compromised, it may be necessary to keep it operational if critical infrastructure relies upon it. | With confidentiality being top priority, systems are designed to prevent unauthorized access, often by restricting the availability of the service. A banking website would sooner shut down due to a security issue than experience a cyber event that leads to the disclosure of confidential information. |
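The "defense techniques" row above is the one place the contrast becomes a concrete control decision. The following added example (not from the original article or any product it describes) models a failed-login guard with two policies: the IT-style lockout, and an OT-style alternative that never blocks the operator account but raises an alarm once the failure threshold is crossed, so the anomaly is still detected while the process stays controllable. The `LoginGuard` class, its policy names and the alarm format are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    """Tracks failed logins per account and applies one of two policies.

    'lockout': the common IT control. After `threshold` failures the account
               is refused for `lock_seconds`, even with valid credentials.
    'alert':   the OT-style alternative. The account is never blocked; each
               failure at or past the threshold is written to `alarms` so the
               control-room and security staff are notified instead.
    (Hypothetical class written for this example.)
    """
    policy: str                 # "lockout" or "alert"
    threshold: int = 3
    lock_seconds: int = 300
    failures: dict = field(default_factory=dict)   # account -> (count, last_fail_ts)
    alarms: list = field(default_factory=list)     # constructed alarm log

    def attempt(self, account: str, credential_ok: bool, now: float) -> str:
        """Returns 'allowed', 'denied' or 'locked' for one login attempt."""
        count, last_fail = self.failures.get(account, (0, 0.0))

        # IT-style lockout: refuse while the lock window is still open.
        if (self.policy == "lockout" and count >= self.threshold
                and now - last_fail < self.lock_seconds):
            return "locked"

        if credential_ok:
            self.failures.pop(account, None)   # success clears the counter
            return "allowed"

        count += 1
        self.failures[account] = (count, now)
        if count >= self.threshold:
            if self.policy == "alert":
                # OT-style: keep the account usable, but make the event visible.
                self.alarms.append(
                    f"t={now:.0f} repeated failed logins on '{account}' ({count})")
            else:
                return "locked"
        return "denied"
```

In "alert" mode a genuine operator who mistyped a password three times can still log in on the fourth try, which is exactly the availability property the table argues for; the cost is that detection and response, not prevention, must handle the brute-force case.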
Darren Gillis
Director of ICS Security