IT versus OT: Between a rock and a hard place
By Professor Ron Martin, CPP
The convergence of information technology (IT) with operational technology (OT) is a new debate that often divides cyber professionals.
First things first, let’s define what we mean by IT and OT environments. According to the Office of Management and Budget, the IT environment is “…a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”
The National Cybersecurity & Communications Integration Center (NCCIC) defines the OT environment as “…any system that gathers information on an industrial process and modifies, regulates, or manages the process to achieve the desired result.”
Novotek, a Swedish software corporation, provides a helpful at-a-glance comparison between IT and OT. Several of the key differences discussed in the article appear below.
Dynamic vs. Deterministic
IT is fluid, involving a network of moving parts – “which means it also has an incredible number of exploit variants.” Novotek notes that IT security professionals “are caught up in a perpetual game of cat and mouse with attackers who always seem to have the advantage and be at least one step ahead.”
With OT, “systems are engineered for specific, measured, prescribed actions based on content, and not context.” OT outcomes are cut-and-dried, either right or wrong based on how the system was designed to act. Simplicity in the case of OT is not tantamount to a lack of severity, however. A malfunction in OT has the potential to have astronomical, deadly consequences.
Data is King vs. Process is King
Pretty self-explanatory. IT involves the management of a wealth of data, including “digital information storage, retrieval, transmission, and manipulation.” A smooth data flow typically means the business is happy, customers are satisfied, and confidential information is protected.
OT is all about the process. A single glitch in the process can mean the difference between success and failure. For example, infiltration of an aviation OT system by cyber criminals could result in redirected GPS coordinates and loss of life for passengers.
Threats to OT systems are not a new phenomenon. They have existed for decades. The new challenge is the combination of those threats with technology, which has increased the number and complexity of systems that oversee everything from a plane’s GPS coordinates to emergency shut-offs at nuclear power plants to flood warning systems that have the potential to wreak havoc on communities, the nation, and the world.
Read the entire Novotek article here.
And, to add to the list, IT and OT have different priorities.
Within an IT system, the priorities, in order of importance, are confidentiality, integrity, and availability (C-I-A) of information. In OT, the order of priority is availability, integrity, and confidentiality of data (A-I-C). The critical difference between the systems relates to the priority placed on confidentiality and availability.
Confidentiality is priority #1 in IT due to the system’s openness and the need to protect information from outside threats. Under normal circumstances, OT systems are not accessible to the public. The infrastructure of OT systems is segmented and, therefore, not subjected to the external cybersecurity threats of an IT system. The nature of an OT system requires information to be available for automated decisions. Is there any common ground? For sure – both systems must rely on the integrity of the information to be accurate.
Over the years, IT has built systems that achieve economies of scale across the enterprise. As the Novotek article notes, bandwidth and throughput matter in IT. Technology advances have resulted in ever-increasing demands on IT systems.
OT, on the other hand, is stove-piped or segmented. This segmentation is expensive since many OT systems are not currently a part of the enterprise IT infrastructure. It’s easy to understand why OT and IT tend to be kept separate: for security purposes. With the growing number of opportunities for cyber attackers to infiltrate IT networks, separate OT networks enable greater control and protection. But wait, do they really?
Here lies the corporate dilemma. The debate between IT and OT cyber professionals about how to balance the economies within the IT infrastructure versus the segmentation of OT is ongoing. Priority differences place organization decision makers between a rock and a hard place.
At its core, technology is about seeding innovation, solving problems, and building bridges. I’d say we can bet on a gradual convergence of IT and OT somehow, some way down the road.