admeritia rightly claims that both information technology and operational technology are integral to ICS. Today’s industrial control systems rely on both information technology and operational technology to function. In the ICS security community, where professionals are tasked with securing these systems, the link between IT and OT is old news. However, many working with critical infrastructure still don’t fully grasp the relationship between IT and OT and their unique security needs within ICS.
To address this gap, computer security services provider admeritia GmbH has produced a one-page explainer on why OT has different needs than IT. admeritia GmbH specializes in control system security from both the IT and OT perspectives.
“IT (information technology) moves data and OT (operational technology) moves physical processes, that much is clear. In the ICS security community, we’ve all talked so much about ‘IT vs OT’ that we’re tired of it,” writes Sarah Fluchs, a security consultant at admeritia GmbH. “There have been myriads of presentations on the topic, and fortunately, the most important ICS security conferences state that they do not accept any more ‘IT vs OT’ content.”
Just last month, Takepoint Research Directing Analyst Jonathon Gordon covered this issue in “Why IT/OT convergence will be the inevitable change that awaits the industrial realm.” “IT/OT convergence involves integrating two worlds. Their functions are often completely different from each other and their ways of mitigating risks and managing tasks are equally dissimilar,” Gordon said.
However, despite the many discussions around IT and OT, there continues to be conflict between ICS engineers and their IT counterparts due to the different cybersecurity needs of these two components. In a 2015 publication, the National Institute of Standards and Technology explored this issue.
“Initially, ICS had little resemblance to traditional information technology (IT) systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software. Many ICS components were in physically secured areas and the components were not connected to IT networks or systems,” NIST says. “As ICS are adopting IT solutions to promote corporate business systems connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OS) and network protocols, they are starting to resemble IT systems. This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems.”
This is why it’s vitally important for critical infrastructure operators to understand the unique security needs of OT and IT.
According to the admeritia GmbH guide, the differences between OT and IT can be broken down into six categories: operation environment, technology, design mindset, life cycle/dynamism, priority in operations, and regulations/compliance. When viewed in this way, the differences between the two are stark.
For example, when it comes to “design mindset,” IT systems were obviously designed to work with internet technology and networking, but OT systems are insecure by design. OT systems were not built for networking and internet connection, and as a result, OT vendors and operators often do not have IT knowledge as part of their skillset.
Additionally, OT and IT have different security objectives. IT is focused on the confidentiality, integrity and availability of data while OT is often more focused on the reliability of functions. Similarly, when it comes to regulations and compliance, IT is more concerned with data protection, quality management, and financial risk management, while OT requirements are focused on the availability of production or services and avoiding hazardous incidents.
“Although some characteristics are similar, ICS also have characteristics that differ from traditional information processing systems,” NIST says. “Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world. Some of these characteristics include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial issues such as production losses, negative impact to a nation’s economy, and compromise of proprietary information. ICS have unique performance and reliability requirements and often use operating systems and applications that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems.”