IT, OT, IIoT & Security:
challenges & chances

Traditionally, in the world of computer-controlled operations, there has been a divide between IT and OT. But with the advent of IIoT, these different forms of technology are becoming more and more interdependent.

If the above makes sense to you, feel free to skip to the next section. If not, please do continue reading.

IT, OT & IIoT: what it all means

If you’re reading this, I’m going to assume your head started spinning a little from the acronyms in the sentence above. Allow me to explain.

IT, or Information Technology, is the use of digital systems to generate, store, retrieve and manage data and information. IT includes devices you likely use every day, such as your desktop computer, laptop or smartphone.

OT, or Operational Technology, on the other hand, is concerned with automating physical processes. These are the circuit boards and control systems that, for example, direct energy and water supply systems or train track switches.

IIoT stands for Industrial Internet of Things and is the collective term for all kinds of devices that collect data and connect through the internet to measure and automate (digital) processes, such as industrial pressure sensors.

Over the past few years, new developments in technology have been blurring the lines between these concepts. This is especially beneficial for remote monitoring and administration, and for process automation. The IIoT sensors in the OT system notify the IT device(s) that something needs to be done, and the IT systems pass that information on to either another automated system or the supervisor responsible. I hope that sentence makes some sense to you now.

"Many OT environments are safeguarded with physical measures."

A difference in priorities

IT and OT systems require different approaches when it comes to security. Since IT systems contain and process a lot of data, securing that data is the biggest priority. Suppose you can’t answer your email for an afternoon because your network has been taken offline by the company’s IT department. If this saves your company from a possible data breach scandal, that’s worth it. We’re used to strong data protection, and it is for this reason that most account-based services require (or at least strongly suggest) the use of two-factor authentication.

The priorities are different for OT systems, as these are often used in critical processes such as energy distribution and water purification. In other words, these are processes where keeping the process running has to take priority over keeping it secure. You can’t just shut down an entire region’s power supply for an afternoon simply on the suspicion of a cyber-attack; you’d have to be absolutely sure it is happening, and you’d need a back-up power supply. This is why OT security requires a different approach than the security of the digital systems you use in your daily life.

OT systems have traditionally been ‘air gapped’ from other networks in a company. ‘Air gapping’ is the security practice of isolating a machine or network. By not connecting it to any other network, especially one with internet access, you rule out remote connections. Because of this, there is little chance of outside tampering with the device; you have to be physically present to interact with the machine. Consequently, many OT environments are safeguarded with physical measures like walls, fences and card readers or other kinds of locks.

"While there are many advantages to IT/OT Convergence, it opens up a whole new world of security risks."

So what's the problem?

The problem arises in what has come to be called “IT/OT Convergence”: the merging of OT’s functionality with IT’s convenience and data processing. While there are many advantages to doing so (e.g. predictive maintenance and control, and advanced process automation), it opens up a whole new world of security risks.

Making use of IIoT sensors and IT data processing applications requires OT systems to be connected to the larger company network, meaning that air gapping is no longer a viable security strategy. In other words, OT security is moving from physical security to digital security.

I think we can all bring to mind examples of serious IT security breaches from the recent past. Imagine that those malicious actors could not just leak data, but take control of our energy or water supply. In fact, this has already happened.

Earlier this year a water treatment facility in Oldsmar, Florida in the United States was breached and the hacker greatly increased the concentration of certain particles to lethal levels. Another high-profile example of an attack on OT systems is the Colonial Pipeline hack. Through a compromised password, a malicious actor gained access to the IT systems and launched a ransomware attack. In response, the pipeline had to be shut down to prevent any further damage from the attack, resulting in fuel shortages and a subsequent spike in fuel prices.

While data breaches can have far-reaching consequences, they rarely cause direct, physical harm. Attacks on OT systems have far more potential to cause damage in the physical world, both short and long term. And as I noted before, the convergence of these systems with IT and IIoT brings new and unprecedented security concerns.

"To deal with an environment where different priorities are at play, there has to be at least some compromise."

What measures can we take?

To deal with an environment where different priorities are at play, there has to be at least some compromise. Yet in the case of IT/OT convergence there are a couple of strategies that are extremely beneficial for keeping out unwanted guests.

Asset Management: if you want to properly protect your IT/OT environment, you’ll first need a comprehensive overview of exactly what IT devices and OT systems you have. That’s where asset management comes in. Asset management is a method for keeping track of your asset lifecycles. It allows you to keep a tight inventory and maintenance schedule, so you’ll know exactly what machinery you have, where it is and when it needs to be updated, patched or revised.

Zero Trust Policy: as the name implies, Zero Trust is a security measure that assumes that nobody (not even anyone already connected to the network) is trustworthy. In the past, once you were connected to a network, that network would simply assume that you had good reason to be there and to access other machines in that same network. Since cybercriminals have become more sophisticated in their breaking and entering methods, this has become a dangerous practice. Simply protecting the perimeter of your network is no longer enough. You need tools to verify movement within your network.

Network Segmentation: Network Segmentation is the practice of separating parts of a network by function. By walling off smaller chunks of your network, you’ll be able to create perimeters within your network. This makes it harder for an attacker to move through the network after an initial breach (‘lateral movement’).

Diagram of a company network with network segmentation

Combined with Zero Trust Policies, Network Segmentation stops attackers from moving through your entire company network and causing damage or extracting information wherever they want.
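As an added illustration of the three measures above (this is example code written for this page, not code from the original article or any product), here is a Python sketch that ties them together: a constructed asset inventory, a default-deny segmentation policy between IT, OT and IIoT segments, and a zero trust check that verifies identity and device posture on every connection before consulting that policy. It then runs a few constructed connection-log lines through the check to surface cross-segment attempts, and lists inventory items that are overdue for patching. All asset names, segment names, services, dates and log lines are made up for the example.

```python
"""Added example (not from the original article): a toy asset inventory for a
segmented IT/OT/IIoT network, a default-deny (zero trust) flow policy, and
checks that run both over constructed connection-log lines."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    asset_id: str      # hypothetical inventory identifier
    kind: str          # "it", "ot" or "iiot"
    segment: str       # network segment the asset lives in
    owner: str         # team responsible for patching and maintenance
    last_patched: str  # ISO date, tracked for the maintenance schedule


# Constructed inventory; names and dates are made up for this example.
INVENTORY = {a.asset_id: a for a in [
    Asset("hmi-01", "ot", "ot-control", "plant-ops", "2021-03-01"),
    Asset("plc-07", "ot", "ot-control", "plant-ops", "2020-11-15"),
    Asset("press-sensor-12", "iiot", "iiot-sensors", "plant-ops", "2021-05-20"),
    Asset("historian-01", "it", "it-dmz", "it-dept", "2021-06-02"),
    Asset("laptop-jdoe", "it", "it-office", "it-dept", "2021-06-10"),
]}

# Segmentation policy as explicit (source segment, destination segment, service)
# triples. Anything not listed is denied, so only the flows the process needs
# cross a segment boundary.
ALLOWED_FLOWS = {
    ("iiot-sensors", "it-dmz", "mqtt/8883"),  # sensors publish telemetry to the historian
    ("ot-control", "it-dmz", "opcua/4840"),   # control-system data into the DMZ historian
    ("it-office", "it-dmz", "https/443"),     # office users read dashboards from the DMZ
}


def is_flow_allowed(src_id, dst_id, service, *, mfa_verified, device_compliant):
    """Zero trust evaluation of one connection: identity and device posture are
    verified every time, regardless of where the request comes from, and a
    cross-segment flow must be on the allow list. Returns (allowed, reason)."""
    src, dst = INVENTORY.get(src_id), INVENTORY.get(dst_id)
    if src is None or dst is None:
        return False, "unknown asset (not in inventory)"
    if not mfa_verified:
        return False, "identity not verified"
    if not device_compliant:
        return False, "device posture not compliant"
    if src.segment == dst.segment:
        return True, "same segment"
    if (src.segment, dst.segment, service) in ALLOWED_FLOWS:
        return True, "explicitly allowed flow"
    return False, f"no rule for {src.segment} -> {dst.segment} on {service}"


def parse_log_line(line):
    """Parse a constructed 'timestamp key=value ...' connection-log line."""
    timestamp, *pairs = line.split()
    return timestamp, dict(pair.split("=", 1) for pair in pairs)


def find_policy_violations(log_lines):
    """Run every logged connection through the policy and return the denied
    ones as (timestamp, src, dst, service, reason) tuples; the cross-segment
    denials are the lateral-movement attempts segmentation is meant to expose."""
    violations = []
    for line in log_lines:
        timestamp, f = parse_log_line(line)
        allowed, reason = is_flow_allowed(
            f["src"], f["dst"], f["svc"],
            mfa_verified=f["mfa"] == "yes",
            device_compliant=f["posture"] == "ok",
        )
        if not allowed:
            violations.append((timestamp, f["src"], f["dst"], f["svc"], reason))
    return violations


def assets_overdue_for_patching(as_of_iso, max_age_days=180):
    """Asset management check: sorted ids of assets whose last patch is older
    than max_age_days on the given date, so they can be scheduled for a window."""
    as_of = date.fromisoformat(as_of_iso)
    return sorted(
        a.asset_id for a in INVENTORY.values()
        if (as_of - date.fromisoformat(a.last_patched)).days > max_age_days
    )


# Constructed log lines (not real traffic): two legitimate flows, an office
# laptop reaching for a PLC, a request without verified identity, and a device
# that is not in the inventory at all.
SAMPLE_LOG = [
    "2021-06-11T10:03:12Z src=press-sensor-12 dst=historian-01 svc=mqtt/8883 mfa=yes posture=ok",
    "2021-06-11T10:04:40Z src=laptop-jdoe dst=historian-01 svc=https/443 mfa=yes posture=ok",
    "2021-06-11T10:05:02Z src=laptop-jdoe dst=plc-07 svc=modbus/502 mfa=yes posture=ok",
    "2021-06-11T10:05:30Z src=laptop-jdoe dst=historian-01 svc=https/443 mfa=no posture=ok",
    "2021-06-11T10:06:00Z src=unknown-box dst=plc-07 svc=modbus/502 mfa=yes posture=ok",
]
```

Running `find_policy_violations(SAMPLE_LOG)` flags three of the five lines: the office laptop talking to a PLC (no rule exists between the office and control segments), the request made without verified identity, and the connection from a device the inventory does not know. The last case is why asset management comes first in the list above: a policy can only reason about assets it knows exist. `assets_overdue_for_patching("2021-06-11")` returns the one controller whose last patch is older than 180 days.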

The field of IT/OT convergence security is still in its infancy. As the world becomes more and more dependent on these systems and at the same time cybercrime is on the rise, we will have to invest time and effort into discovering and developing appropriate security measures. We’ve got to stay ahead of malicious actors. Lives literally depend on it.
