Every system is susceptible to failure or manipulation, and that is why all technology in the enterprise must be carefully secured. Depending on the type of technology, however, different approaches to security are required: guarding a computer with guns will not prevent it from being hacked. Likewise, anti-virus software will not protect a car.
At least, that’s how things used to be. More recently, the kinds of technology that support industry, business and personal productivity have started to converge on the level of software and networking, and security requirements are changing in response.
For instance: historically, the field of cybersecurity has applied exclusively to information technology (IT). Now, it increasingly applies to operational technology (OT) as well. So what is the difference between IT and OT, and how are they converging? In this article, we will explore that question.
What is IT?
IT stands for “information technology,” and the keyword here is “information”. According to Gartner, IT is:
“The entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services.”
In the history of business, IT is very recent: prior to the existence of computers, it did not exist. Since then – and especially with the advent of the Internet – IT has increasingly become inseparable from business processes including decision-making and strategy, collaboration, sales and customer service.
Here are examples of the IT that an organization relies on every day:
- Local and wide area networks
- Data centers and data processing, including the cloud
- Sales management software
- Project management
- Email and calendar
As time goes on, IT absorbs or consolidates more and more business functions, and today the majority of technology within an organization falls into the category of IT. But there are some exceptions, and OT is one of them.
What is OT?
OT stands for “operational technology,” and – as the name implies – it supports the operation of other systems. According to Gartner, OT is:
“Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”
This technology is critical in industrial applications that involve the use of heavy machinery, physical processes and fleets. Examples include:
- Transportation services
- Public infrastructure
- Energy production, transmission and distribution
- Ventilation and heating
From a purely technological standpoint, the major difference between IT and OT involves information scope. According to Gartner, “IT does not include embedded technologies that do not generate data for enterprise use,” while OT does: but this distinction is beginning to disappear.
The OT/IT Convergence
While the term OT was invented relatively recently, what it refers to predates IT by many decades. Prior to the existence of microprocessors and programming environments, factories, utilities and production facilities still required technology to control operations.
Since the invention of IT, most OT assets have depended on Programmable Logic Controllers (PLCs) that use proprietary code and lack any networking protocols to connect or communicate with other devices.
Today, this physical isolation is quickly vanishing with the introduction of Remote Terminal Units (RTUs), Human Machine Interfaces (HMIs) and wide area Supervisory Control and Data Acquisition (SCADA) systems.
Gartner predicts that by 2020, 50% of OT providers will collaborate with IT leaders to provide IoT services that bring network connectivity into the OT environment. While these developments bring many advantages, they also bring added risk.
Pros and Cons
On one hand, the IT/OT convergence is bringing capabilities to organizations which they did not have before, driving more efficient processes and lower costs in many ways:
- Enables real-time/edge data processing and analysis
- Permits systems to be supervised, managed and adjusted off-premise
- Allows fast software updates that fix problems quickly
On the other hand, OT is now exposed to network access, becoming vulnerable to the same issues that have plagued IT for years, leading to data breaches, espionage and hijacking. Moreover, OT allows attackers to cause significant damage:
- In 2015, a cyberattack on Ukraine’s power grid led to a loss of power for 230 thousand residents
- Industrial firms have been crippled by ransomware like LockerGoga
- Conceivably, OT vulnerabilities could even lead to an international crisis through the hijacking of missiles and nuclear reactors.
With so much of our national infrastructure at risk, locking down OT should be an immediate priority for any organization. Fortunately, solutions exist, though they are not widely talked about.
The Need for Cybersecurity
In recent years, attention has been drawn to cybersecurity in many contexts as data breaches and cyberattacks achieve wide publicity, but OT remains dramatically underemphasized. A study conducted this year shows that 90% of OT organizations have fallen victim to a cyberattack within the last 24 months.
As OT and IT converge, the right approach to security mainly differs in emphasis: the fundamentals are the same. Strong authentication, encrypted network connections, persistent monitoring and audits, penetration and vulnerability testing are all tools that can keep OT systems safe.
The key for securing OT is to design and implement a series of cascading controls that use network security, operating system security, application and device security to ensure that no single weakness can allow a critical compromise. To protect your investment and keep your customers safe, choose a partner who can do it all.
Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and OT critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on securing your IT and OT environments.