Let’s begin with a couple of fundamental definitions:
Information Technology (IT) can be defined as a set of infrastructures, devices and software for processing information. A traditional IT system is in charge of storing, transmitting and transforming data, but it does not interface directly with the physical world.
Operational Technology (OT) is a set of hardware devices, sensors and software that support management and monitoring of physical equipment and processes within an enterprise, such as manufacturing plants or power distribution grids. OT deals with such components as various sensors, meters and valves, as well as industrial control systems (ICS) that supervise and monitor them.
The terms ICS and SCADA, by the way, are nowadays often used interchangeably; however, this isn’t strictly true, since Supervisory Control and Data Acquisition (SCADA) is just a subset of industrial control systems, other types being embedded systems, distributed control systems, etc. Traditionally, the term SCADA has been used for large-scale distributed control systems, such as a power grid or a gas pipeline.
Historically, IT and OT have evolved quite independently, driven by completely different business demands, requirements and regulations. In a sense, Operation Technology predates the era of computers – the first manufacturing control systems weren’t even electronic! Early ICS were monolithic physically isolated systems without network connectivity. Later generations were usually based on proprietary communication protocols and device-specific real-time operating systems. Driven above all by demand of process continuity, they were usually designed without security in mind.
Current ICS, however, have gradually evolved towards large-scale systems based on open standards and protocols, such as IP, as well as using standard PCs running Windows as control workstations. They are becoming increasingly interconnected with office networks and the Internet. Yet, modern industrial networks are often still plagued with the same blatant disregard for security. The underlying reason for that has little to do with technology; on the contrary, it’s a consequence of a deep cultural divide between OT and IT. Operations departments usually consist of industry specialists with engineering background, while IT departments are staffed by people without knowledge of manufacturing processes. OT is usually managed by a business unit, with different requirements, strategies and responsibilities from IT. Instead of collaborating, they are often forced to compete for budgets and fight over issues that the other party simply sees as insignificant.
The times are changing, however. As we are approaching the new “connected” age, the technological divide between industrial and enterprise networks is disappearing. Smart devices or “things” are everywhere now, and embedded intelligence finds widespread use in industrial networks as well. A modern agile business constantly demands for new ways of communication with partners, customers and other external entities. All this creates new exciting opportunities. And new risks.
Opening OT to the world means that industrial networks are exposed to the same old security problems like malware attacks and lack of strong authentication. However, the challenges for information security professionals go far beyond that. There are challenges that traditional IT security isn’t yet capable of addressing. This includes technical issues like securing proprietary programmable logic controllers (PLC), business requirements like ensuring manufacturing process continuity, and completely new challenges like enabling massive-scale identity services for the Internet of Everything.
The convergence of IT and OT is therefore inevitable, even though the challenges the organizations are going to face on the way to it look daunting. And it is the responsibility of IT specialists do lead and steer this process.
“If not us, then who? If not now, then when?”