Operational Technology Security – Focus on Securing Industrial Control and Automation Systems

In a previous blog, I wrote of the terminology that we use when describing security for the Internet of Things, or IoT (“Getting Past the Word Games to Secure the Internet of Things”). In that blog I also mentioned that I would write about operational technology (OT) security as well.

Gartner defines OT in industrial areas as “hardware and software that detects or causes a change, through the direct monitoring and/or control of physical devices, processes and events.” In the world today you see many different examples of OT– industrial control systems (ICS), industrial automation, process control networks (PCN), distributed control systems, and more. You also have seen terms such as SCADA (for “Supervisory Control and Data Acquisition”), a prominent management system for OT. As we’ve written about in blogs in previous years, there is an entire universe of technologies that IT professionals know little about unless they happen to support such environments in enterprises that are involved with OT. There are many of enterprises engaged with OT, from energy and utilities, oil and gas, chemical, manufacturing, transportation to health care, pharmaceuticals, aerospace and defense, and more. In IT, our primary deliverable is information. We use applications, databases, networks and systems to ultimately derive information to make business decisions. Information is also used in OT environments, but the reason Gartner uses the word “operational” in OT is because information is used for other purposes than just decision making. One of the main purposes is to change the “state” of the environment around an OT device, or the state of the OT device itself.

OT applications, hardware and networks frequently followed a different development path than IT historically, resulting in platforms and protocols that IT professionals may not recognize except in principle only. The terminology for many of the systems is different, though they may look familiar. The vendors and service providers are frequently different. Many can argue that OT actually came first in the form of mechanical, analog devices dating back to uses in the 19th century, before the advent of general-purpose computers. In any case, we have IT environments and OT environments today in enterprises, managed separately. This also means that we have IT security concerns and OT security concerns frequently addressed by different organizations. The question is, are IT and OT the same, or are there particular differences in the way we secure OT environments? Gartner believes there is an 80/20 rule-of-thumb in the answer: 80% of the security issues faced by OT are almost identical to IT, while 20% are very unique and cannot be ignored. The 80% figure is due in no small part to the adoption of IT technologies by OT over time.

Gartner’s definition of OT security is “practices and technologies used to (a) protect people, assets and information, (b) monitor and/or control physical devices, processes and events, and (c) initiate state changes to enterprise OT systems. We believe that there are many aspects of OT security that are the same as IT security, particularly in areas such as the network. We also believe that there are major movements in the industries to use IT security architecture and IT security platforms increasingly in OT environments, as OT infrastructure and applications are gradually upgraded as needed. In a sense, the industries are bringing some of the IT security “sins” of the past into the OT environment. In another sense, there remain unique requirements in OT that will require special approaches to security. We’ll write more about those similarities and differences in a future blog, because they are important.

But where does OT security fit (if anywhere) in the discussion about the Internet of Things? Are they one and the same, or is OT something completely different? Even more importantly, should you care?

Yes, you should care, and yes, OT and the IoT are related. In a sense, OT is the “first generation” of the IoT, one specifically designed for industrial use, often in long-term deployments, whose endpoints are found in industrial environments, from aircraft to automobiles, from assembly lines to airports. OT and IoT do share many of the same underlying components: sensors, actuators, meters, machine-to-machine communications, and embedded systems. OT historically has mechanical origins for many of its systems (though it is now primarily digital), whereas the IoT is rooted almost entirely in digital architecture.

As a decision maker, you should care about OT and IoT similarities and differences because many of your security decisions will be affected by the use of those building components, arranged in different ways for different industrial, commercial and consumer solution scenarios. There will be common vendors in the OT and IoT worlds. There will be mixed OT/IoT scenarios from service providers such as telecommunications and multi-media. OT can be considered a subset of the IoT in the same manner some refer to OT as the “industrial Internet”, or the “industrial IoT”. Just remember that not all security scenarios for OT apply to the IoT and vice versa.

Regulatory uncertainty and global concerns about the security of OT systems around the world is fueling the interest in OT security solutions. These concerns are even more urgent than the more nebulous, generalized concerns discussed about securing the IoT, because many OT environments have direct, immediate impacts on people and the environment. OT failures (due to security failures) literally have the capacity to kill or maim and can have severe environmental impact. That is quite different from concerns about the loss of data or even impacts on corporate brand based on compromises of many IT environments.

In future blogs we will explore OT security in more detail. If your company is involved in providing OT security or in using OT security systems, Gartner would be interested in hearing from you regarding your products, services and/or experiences. This is particularly true if you are a vendor or service provider intent upon addressing some of the unique 20% differences in OT currently not addressed by IT security products and services.

Don’t be a stranger.