Where does IT Security END and OT Security BEGIN?

Where does the consequence boundary between IT and OT actually rest? Where is the line in the sand that separates what is needed to secure OT from what is needed to secure IT? Let’s have a look...

Waterfall team

OT Security vs IT Security

Where does IT end and OT begin? Our research team frequently gets asked this question, and while the answer has grown technically more complex over the years, the basic principles that guide it have remained the same. It all comes down to first answering: “What is your risk tolerance? What is your risk appetite?”

With today’s complex and interconnected world, the lines between Information Technology (IT) and Operational Technology (OT) are increasingly blurred. While both IT and OT rely on digital systems to function, their purposes, priorities, and security challenges differ drastically. Understanding these distinctions is critical for crafting effective security strategies.

So, Where does IT end and OT begin?

In his book Engineering-grade OT Security, Andrew Ginter explains that OT begins at the consequence boundary. Where that boundary sits differs from one operation to the next, but the idea is that the IT/OT boundary rests roughly where the consequences of a cyber incident become unacceptable.

Some unacceptable outcomes are common to most industries: any loss of human life, bodily harm, or damage to machinery or equipment. Then there is unscheduled downtime, where the acceptable duration varies greatly from industry to industry. For a power plant, it would be unacceptable to shut down operations for half an hour, but for a shoe factory that might not be as dramatic an issue. Wherever the boundary between acceptable and unacceptable risk lies, that is the IT/OT boundary for that business.

OT takes over from IT where the consequences of something going wrong become unacceptable.
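The consequence-boundary idea can be turned into a repeatable check over an asset inventory. The following is an added example, not code from the original post or from Waterfall: each host is assigned the worst credible outcome an attacker could cause by controlling it, the site supplies its risk tolerance, and anything whose outcome the site cannot accept lands on the OT side. The asset names, control paths and tolerance figures are constructed, and one step goes beyond the text (our assumption): a host inherits the worst consequence of any device it can push commands or logic to, since an attacker holding that host can trigger the same outcome.

```python
"""Locating the IT/OT consequence boundary for a site.

Added example, not code from the original post or from Waterfall. The asset
inventory, control paths and tolerance numbers below are constructed for
illustration. One extension beyond the text (our assumption): a host inherits
the worst consequence of anything it can push commands or logic to, because an
attacker who owns that host can cause the same outcome.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Consequence:
    """Worst credible outcome if an attacker fully controls a host."""
    safety: bool = False            # injury or loss of life possible
    equipment_damage: bool = False  # physical damage to plant or machinery
    downtime_min: int = 0           # unscheduled production downtime the attacker can cause

    def worst_of(self, other: "Consequence") -> "Consequence":
        """Element-wise worst case of two consequences."""
        return Consequence(
            safety=self.safety or other.safety,
            equipment_damage=self.equipment_damage or other.equipment_damage,
            downtime_min=max(self.downtime_min, other.downtime_min),
        )


@dataclass(frozen=True)
class RiskTolerance:
    """What the business is willing to absorb from a cyber incident."""
    max_downtime_min: int  # unscheduled downtime accepted; safety and damage never are

    def accepts(self, c: Consequence) -> bool:
        return (not c.safety and not c.equipment_damage
                and c.downtime_min <= self.max_downtime_min)


@dataclass
class Asset:
    name: str
    direct: Consequence = field(default_factory=Consequence)
    controls: tuple = ()  # hosts this one can send commands, setpoints or logic to


def effective_consequence(assets: dict, name: str, _seen=None) -> Consequence:
    """Worst consequence reachable from `name` over control paths (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return Consequence()
    seen.add(name)
    worst = assets[name].direct
    for target in assets[name].controls:
        worst = worst.worst_of(effective_consequence(assets, target, seen))
    return worst


def classify(assets: dict, tolerance: RiskTolerance) -> dict:
    """Map each asset to 'OT' (consequence unacceptable) or 'IT' (acceptable)."""
    return {
        n: "IT" if tolerance.accepts(effective_consequence(assets, n)) else "OT"
        for n in assets
    }


# Constructed inventory: the same plant network evaluated under two tolerances.
SAMPLE_ASSETS = {
    a.name: a for a in [
        Asset("erp-server"),                              # business records only
        Asset("historian"),                               # reads process data, controls nothing
        Asset("eng-workstation", controls=("packaging-controller", "safety-plc")),
        Asset("hmi", controls=("packaging-controller",)),
        Asset("packaging-controller", Consequence(downtime_min=60)),
        Asset("safety-plc", Consequence(safety=True, equipment_damage=True)),
    ]
}

POWER_PLANT = RiskTolerance(max_downtime_min=15)    # half an hour out is unacceptable
SHOE_FACTORY = RiskTolerance(max_downtime_min=480)  # a lost shift is tolerable

if __name__ == "__main__":
    for label, tol in (("power plant", POWER_PLANT), ("shoe factory", SHOE_FACTORY)):
        print(f"--- {label}: accepts up to {tol.max_downtime_min} min downtime ---")
        for name, side in classify(SAMPLE_ASSETS, tol).items():
            print(f"{side:2}  {name}")
```

Run as a script, it splits the same inventory two ways: the packaging controller and its HMI are OT for the power plant but IT for the shoe factory, while the engineering workstation is OT at both sites because it can reach the safety PLC, even though it has no physical consequence of its own.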

The Purpose of IT Vs the Purpose of OT

IT systems manage data and support business processes, such as communication, record-keeping, and analytics. Think of email servers, financial systems, and cloud applications. In contrast, OT systems control physical processes and equipment, often in industries like manufacturing, energy, and transportation. Some classic examples of OT include robotic assembly lines, power generation, nuclear power plants, offshore oil platforms, and railway signaling systems.

Key Difference: IT security focuses on protecting data and business processes, while OT security focuses on protecting physical systems and ensuring operational continuity.

IT Priorities Vs OT Priorities

The core objectives of IT and OT security reflect their drastically different operational priorities.

Anyone who has walked past a cybersecurity classroom has most likely heard of the CIA Triad: Confidentiality, Integrity, Availability. This concept formed the basis of cybersecurity when it was first articulated. In IT it has grown partially outdated: attacks on data integrity have in practice been a smaller threat than data exfiltration (confidentiality) and ransomware (availability), both of which remain very relevant. The triad for OT security differs: it prioritizes safety and availability, along with operational integrity. When securing OT, the concern about data and commands going into the machines far exceeds the concern about someone reading the operational data coming out of the machinery.

IT Security Priorities:

  • Confidentiality – Protecting sensitive data from unauthorized access.

  • Data Integrity – Ensuring the accuracy and reliability of data.

  • Availability – Maintaining access to IT systems and data when needed.

OT Security Priorities:

  • Availability – Keeping physical systems running and avoiding downtime.

  • Safety – Ensuring the well-being of workers and preventing accidents.

  • Operational Integrity – Guaranteeing the correct operation of equipment and processes.

Key Difference: IT prioritizes confidentiality first, while OT prioritizes safety.
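One place the inbound-over-outbound priority shows up in practice is the ruleset on the firewall between the enterprise and control networks. Below is an added example, not from the original post or from Waterfall, that parses FORWARD rules in the format printed by iptables -S and reports every ACCEPT that can open a new connection from the IT zone into the OT zone, while listing OT-to-IT flows separately as lower concern. The rule lines are constructed, and the zone CIDRs, host addresses and port-name table are assumptions; negated (!) matches are not handled.

```python
"""Audit a boundary firewall for flows that can reach into the OT zone.

Added example, not code from the original post or from Waterfall. The rule
lines are constructed in the format printed by `iptables -S FORWARD`; the
zone CIDRs, host addresses and port names are assumptions. Negated (`!`)
matches are not handled.
"""
import ipaddress
import shlex

IT_ZONE = ipaddress.ip_network("10.10.0.0/16")  # assumed enterprise network
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")  # assumed control network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Well-known control protocol ports, used only to annotate findings.
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed ruleset: reply traffic, historian replication out of OT,
# enterprise-wide RDP into OT, Modbus from an IT subnet, then a catch-all drop.
SAMPLE_RULES = """
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.20.5.10/32 -d 10.10.7.20/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -d 10.20.0.0/16 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -s 10.10.3.0/24 -d 10.20.0.0/16 -p tcp -m tcp --dport 502 -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -d 10.20.0.0/16 -j DROP
""".strip().splitlines()


def parse_rule(line):
    """Parse one `iptables -S` line; returns None for anything but an -A rule."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1], "src": ANY, "dst": ANY, "proto": None,
            "dport": None, "ctstate": None, "target": None, "raw": line}
    i = 2
    while i + 1 < len(tok):  # every option in this subset takes one value
        flag, val = tok[i], tok[i + 1]
        if flag == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif flag == "-d":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif flag == "-p":
            rule["proto"] = val
        elif flag == "--dport":
            rule["dport"] = int(val)
        elif flag == "--ctstate":
            rule["ctstate"] = set(val.split(","))
        elif flag == "-j":
            rule["target"] = val
        # "-m <module>" only names the match extension; its options follow
        i += 2
    return rule


def _accepts_new(rule):
    """True if the rule is an ACCEPT that can admit a *new* connection."""
    if rule is None or rule["target"] != "ACCEPT":
        return False
    # A conntrack rule limited to ESTABLISHED/RELATED only passes replies to
    # sessions opened elsewhere; it does not itself open a path.
    return rule["ctstate"] is None or "NEW" in rule["ctstate"]


def inbound_to_ot(lines, it_zone=IT_ZONE, ot_zone=OT_ZONE):
    """ACCEPT rules that can open a connection from the IT zone into OT: the findings."""
    return [r for r in map(parse_rule, lines)
            if _accepts_new(r) and r["src"].overlaps(it_zone) and r["dst"].overlaps(ot_zone)]


def outbound_from_ot(lines, it_zone=IT_ZONE, ot_zone=OT_ZONE):
    """ACCEPT rules carrying data out of OT into IT: lower concern, listed for review."""
    return [r for r in map(parse_rule, lines)
            if _accepts_new(r) and r["src"].overlaps(ot_zone) and r["dst"].overlaps(it_zone)]


def describe(rule):
    """One-line summary of a rule, naming known control protocols by port."""
    port = rule["dport"]
    proto = OT_PORTS.get(port, f"{rule['proto'] or 'any'}/{port if port else 'any'}")
    return f"{rule['src']} -> {rule['dst']} {proto}"


if __name__ == "__main__":
    print("FINDINGS: new connections allowed from IT into OT")
    for r in inbound_to_ot(SAMPLE_RULES):
        print("  ", describe(r))
    print("INFO: data flows out of OT")
    for r in outbound_from_ot(SAMPLE_RULES):
        print("  ", describe(r))
```

On the constructed ruleset the script flags the enterprise-wide RDP rule and the Modbus rule from the IT subnet as findings, skips the reply-only conntrack rule because it cannot open a path on its own, and lists the historian replication toward the IT database as an outbound flow for review rather than a finding.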

The IT Threat Landscape Vs OT Threat Landscape

IT systems face threats such as malware, phishing, and data breaches. The goal of IT attackers is usually to steal or encrypt important data, for financial gain or for some sort of business disruption.

OT systems, however, face threats in which the attacker tries to cause a physical consequence, such as machinery malfunctioning and causing downtime. Common OT threats include:

  • Cyber-physical Attacks – Manipulating equipment to cause damage or outages.

  • Ransomware – Encrypting and shutting down critical systems to extort money.

  • Insider Threats – Human errors or malicious insiders impacting physical operations.

Key Difference: OT threats can directly impact physical infrastructure and human safety, making them potentially far more catastrophic than IT threats.

System Lifespan and Upgrades

IT systems typically have shorter lifespans and are often upgraded or replaced within 3-5 years to keep pace with technology. OT systems, on the other hand, may operate for decades without significant changes.

Additionally, many critical OT systems are prohibitively expensive to upgrade, with price tags in the tens of millions of dollars. Furthermore, the lead time on such an upgrade can stretch into months or even years, during which production must continue uninterrupted.

This longevity of OT systems creates 2 distinct challenges:

  • Older OT systems may lack built-in security features, as they were designed before such threats needed to be considered.

  • Patching and updates can be difficult, as the downtime they require impacts operations. Even a minor patch risks halting production if it breaks a file or dependency that the control software relies on.

Key Difference: OT systems are much more likely to rely on outdated, unsupported technology that cannot be updated or replaced without a serious risk to operations. Meanwhile, IT can typically roll out patches and updates fairly quickly. Even simple, common IT fixes such as “turning it off and on again” are far more complex when it comes to OT.

Interconnectivity and Access

IT environments are designed from the ground up for high interconnectivity, with users and devices accessing networks remotely and frequently. OT environments were traditionally isolated (“air-gapped”) to reduce exposure to external threats. However, the rise of Industrial IoT (IIoT) and the demand for continuous remote monitoring have increased OT interconnectivity, expanding the attack surface.

Key Difference: OT systems are transitioning from isolated to interconnected, introducing new security challenges, while IT systems have always been highly interconnected.

Incident Response

In IT, incident response often involves detecting and isolating compromised systems to prevent data loss. In OT, response plans must consider the impact on physical operations, human safety, and regulatory compliance. A poorly managed response could disrupt critical infrastructure or even endanger lives.

Key Difference: OT incident response requires a multidisciplinary approach involving engineering, safety, and IT teams working together.

Cyber-Informed Engineering for OT Security

As IT and OT systems grew more integrated over the years, organizations tried to adopt unified security strategies that address both IT and OT. This included joint risk assessments, robust monitoring of OT/IT environments, and some cross-team collaboration. These efforts proved ineffective at fully stopping the threats and risks.

A more centralized effort was needed. In 2022, the US Department of Energy released the National Cyber-informed Engineering Strategy.

The principles of Cyber-informed Engineering strongly recommend building resilience into industrial systems from the ground up. Cyber-informed engineering focuses on designing and operating systems with cybersecurity as a foundational element, rather than an afterthought.

Some of the main recommendations of CIE:

  • Incorporate Cybersecurity Early in Design – Embed security considerations into the design phase of OT systems to mitigate vulnerabilities before deployment.

  • Understand the Mission Impact – Analyze how cyber threats could impact physical operations and engineer systems to minimize those risks.

  • Integrate Safety and Security – Develop solutions that address both operational safety and cybersecurity simultaneously, ensuring one does not compromise the other.

  • Leverage Threat Modeling – Use threat modeling techniques to anticipate potential attack vectors and implement defenses tailored to OT environments.

  • Collaborate Across Disciplines – Bring together engineers, IT professionals, and security experts to foster a holistic approach to protecting systems.

By adopting cyber-informed engineering, organizations can proactively address the unique challenges of OT security and enhance the resilience of their critical systems.

Wrapping it up

So, to summarize, OT begins at the consequence boundary: the place along the network where the consequences of a cyber incident become unacceptable. That is where IT solutions are no longer sufficient and OT security takes over. Furthermore, by having IT and OT teams work together, as outlined in Cyber-informed Engineering, the whole organization ends up with a more resilient network, securing both IT and OT. When IT and OT work together, everyone is happier.

About the author
Waterfall team
