05 Jun 2019 Not IT or OT – It’s All Just T
In a recent Industrial Security podcast, Patrick Miller was asked about IT vs OT approaches to security. He replied, “We’ve always characterized it in terms of OT and IT … [but] …going forward it’s just T.” And he’s right – at least at the higher levels of most control system architectures. Most higher-level systems at most industrial sites – systems such as process historians, HMI workstations and even communications front ends – these systems all run on Windows. Not just Windows, these systems often use SQL Server databases, use other common infrastructure applications and communicate via TCP and SSL/TLS encryption. These OT systems differ from IT systems in terms of the physical consequences of compromise, but otherwise look very much like IT systems.
One consequence of this trend to “just T” has to do with security monitoring. In years past I recall a lot of experts saying that conventional security monitoring systems such as IT SIEMs and network intrusion detection systems were not useful on OT networks because those OT networks were so very different from IT networks. Well there are still differences in terms of communications protocols and even operating systems very deep into OT network architectures, but to Patrick’s point, the high levels of almost all OT networks are “just T.” Which means that pretty much all the attacks that work on all of this “T” on IT networks also work when attacking OT networks.
This means that conventional IT security monitoring and intrusion detection systems very much add value to protecting OT networks. OT-specific monitoring systems of course also add value when monitoring OT-specific systems, applications and communications, and both kinds of systems working together yield the best results.
Teams Working Together
Patrick’s bottom line, though, was not about security monitoring, it was about IT and OT teams working together. IT trends in technology, ubiquitous monitoring and “big data management” for all this monitoring data are inevitably working their way into OT networks. IT teams routinely take certain kinds of risks – risks having to do with ownership and management of this new data. IT teams are experts on dealing with such data and risks. OT teams, similarly, are experts in managing certain kinds of risks – risks to safe, correct and continuous physical operations.
The “just T” convergence is not one where an OT or IT perspective will come to dominate OT security programs. Like the example of security monitoring, each perspective brings value. A successful OT security program is not one where IT technology, approaches and risks are accepted blindly, nor one where OT risk management forbids all new technology and business opportunities. A successful OT security program is one that enables business opportunities due to new technologies while carefully considering and managing both informational and physical risks associated with those new technologies and opportunities.
Andrew holds B.Sc. of Applied Mathematics and M.Sc. of Computer Science degrees from the University of Calgary, as well as ISP, ITCP, and CISSP accreditations.