Trying to implement an IT-based cybersecurity policy in an OT environment is a recipe for expensive failure. The IT vs. OT distinction is well understood, but the differences in IT vs. OT security strategies are still confusing, particularly to those with a traditional cybersecurity background. To understand the differences, consider a simple example of two laptops – one connected to a hard drive with personal information and the other connected to an industrial robot.
Security for the first (IT) laptop is primarily concerned with protecting the data on the SSD/hard drive. This involves preventing unauthorized access to the data, ensuring that the data is not exfiltrated, and preventing malware attacks that might compromise the efficiency of the laptop itself (such as the now ubiquitous ransomware).
Security for the second (OT) laptop has a different focus. Unlike the IT laptop, the OT laptop contains very little confidential information, so data exfiltration is not the biggest concern. However, it is critical to prevent unauthorized access to the laptop and to the robot the laptop controls, as well as to prevent malware attacks (again, such as ransomware) that could prevent the robot from operating. Additionally, unauthorized access to the robot could result in damage to the robot or pose a risk to people in the vicinity of the robot.
IT vs OT: Policies
Security policies, tools and strategies for these two laptops cannot be identical if they are to protect each one effectively. The security program must reflect the specific needs of IT and OT systems: the most damaging attack scenarios for each laptop, the different backgrounds and expertise of the personnel responsible for each, and, perhaps most importantly, the different kinds and scale of worst-case consequences of a compromise of each asset.
A successful cyber attack on an IT laptop may result in financial losses, from paying a ransom, cleaning up the damage caused by stolen information, or lawsuits stemming from stolen customer or other personal information. In contrast, a successful attack on an OT laptop could range from a nuisance, to financial loss, to injuries and even casualties at the worksite.
When it comes to safety, we generally demand deterministic protection: no matter how sophisticated the attacker, your brakes should never activate, or fail to activate, at the wrong moment while driving because of a problem in the cloud, or because of a cyber attack that reaches the vehicle from the cloud or through a firewall. The most reliable, deterministic way to enable cloud-based monitoring without cloud-based control is to physically prevent any data at all, no matter how benign that data seems, from flowing from the cloud back to your brakes.
Unidirectional gateway technologies are hardware-based: they can send data out of the OT network but cannot receive anything back. As such, two main factors make them a better choice than firewalls for this purpose:
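To make the send-only property concrete, the following is an added example written for this article, not code from any gateway vendor or from the original page. It simulates replicating robot telemetry from the OT laptop to the IT side over a link that has no return path, and shows the design consequence a practitioner runs into immediately: with no acknowledgements, the sender cannot retransmit on request, so reliability has to come from send-side redundancy and from receive-side integrity checking and gap detection. The frame layout, the `OT1W` marker, the class names and the sample telemetry are all assumptions made for this illustration.

```python
"""One-way telemetry replication over a link with no return channel.

Added example (not from the original article). All names, the frame
format and the sample telemetry below are assumptions for illustration.
"""
import json
import struct
import zlib
from dataclasses import dataclass, field

MAGIC = b"OT1W"                 # hypothetical frame marker (assumption)
HEADER = struct.Struct(">QI")   # sequence number (uint64), payload length (uint32)


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame layout: MAGIC | seq | length | payload | CRC32 over everything before it."""
    body = MAGIC + HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))


def decode_frame(frame: bytes):
    """Return (seq, payload), or None if the frame is truncated or fails the CRC."""
    if len(frame) < 4 + HEADER.size + 4 or frame[:4] != MAGIC:
        return None
    seq, length = HEADER.unpack(frame[4:4 + HEADER.size])
    if len(frame) != 4 + HEADER.size + length + 4:
        return None
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        return None
    return seq, frame[4 + HEADER.size:-4]


@dataclass
class OneWayLink:
    """Simulated send-only link: frames flow OT -> IT and nothing flows back.
    drop_at lists which transmissions (by send count) are lost in transit,
    corrupt_at which ones arrive with a flipped bit. Real deployments rely on
    hardware, not this class, to make the reverse path physically absent."""
    drop_at: set = field(default_factory=set)
    corrupt_at: set = field(default_factory=set)
    delivered: list = field(default_factory=list)
    sent: int = 0

    def send(self, frame: bytes) -> None:
        idx = self.sent
        self.sent += 1
        if idx in self.drop_at:
            return
        if idx in self.corrupt_at:
            frame = frame[:-1] + bytes([frame[-1] ^ 0x01])
        self.delivered.append(frame)


class OneWaySender:
    """With no acknowledgements the sender's only lever is redundancy:
    every frame is transmitted `repeats` times."""

    def __init__(self, link: OneWayLink, repeats: int = 2):
        self.link, self.repeats, self.seq = link, repeats, 0

    def publish(self, record: dict) -> int:
        seq = self.seq
        self.seq += 1
        frame = encode_frame(seq, json.dumps(record, sort_keys=True).encode())
        for _ in range(self.repeats):
            self.link.send(frame)
        return seq


class OneWayReceiver:
    """Verifies integrity, drops duplicate copies, and reports which sequence
    numbers never arrived so the IT side knows its view is incomplete."""

    def __init__(self):
        self.records, self.seen, self.rejected = {}, set(), 0

    def consume(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.rejected += 1
            return
        seq, payload = decoded
        if seq in self.seen:
            return
        self.seen.add(seq)
        self.records[seq] = json.loads(payload)

    def missing(self) -> list:
        """Gaps below the highest sequence seen. A trailing loss is invisible
        until a later frame arrives, which is why real senders emit heartbeats."""
        if not self.seen:
            return []
        return sorted(set(range(max(self.seen) + 1)) - self.seen)


def replicate(records, repeats=2, drop_at=(), corrupt_at=()):
    """Push telemetry across the one-way link and return what the IT side
    reconstructed: (records keyed by seq, missing seqs, rejected frame count)."""
    link = OneWayLink(drop_at=set(drop_at), corrupt_at=set(corrupt_at))
    sender = OneWaySender(link, repeats=repeats)
    for rec in records:
        sender.publish(rec)
    receiver = OneWayReceiver()
    for frame in link.delivered:
        receiver.consume(frame)
    return receiver.records, receiver.missing(), receiver.rejected


# Constructed sample telemetry from the robot-side laptop (not real data).
SAMPLE = [
    {"t": 0, "joint_temp_c": 41.2, "estop": False},
    {"t": 1, "joint_temp_c": 41.5, "estop": False},
    {"t": 2, "joint_temp_c": 58.9, "estop": True},
    {"t": 3, "joint_temp_c": 42.0, "estop": False},
]

if __name__ == "__main__":
    got, lost, bad = replicate(SAMPLE, repeats=2, drop_at={2, 3}, corrupt_at={4})
    print("received", sorted(got), "missing", lost, "rejected", bad)
```

Two points worth noticing when running it. First, the receiver object never holds a reference to the sender and `OneWayLink` has no receive method, so nothing the IT side does, including a request to retransmit, can reach the robot; in a real deployment that guarantee comes from the gateway hardware rather than from code discipline. Second, the `missing()` check only sees gaps below the highest sequence number received, so a loss of the last frame goes unnoticed until the next one arrives; that is why one-way senders emit periodic heartbeat frames even when there is no new telemetry.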
IT vs OT: Connectivity
Now, as a final exercise, imagine that we connect these two laptops to each other with a network cable. When connecting the IT and OT laptops, it’s important to understand the nature of the information exchange between the two systems. This will dictate the next steps in securing the network, which likely includes a risk analysis and appropriate segmentation to evaluate and restrict the flow of information. There is no one-size-fits-all solution to the IT vs. OT debate, and the best approach will depend on the specific information being exchanged and the risks involved in doing so.
But one approach to avoid: blindly implementing IT policies in the OT environment.