IT vs. OT Differences, Superficial vs. Fundamental
The fundamental difference between these two kinds of networks is the worst-case consequences of a cyberattack.
Andrew Ginter
Much has been written about the differences between conventional IT networks and Operational Technology (OT) or industrial control system (ICS) networks: patching is harder in OT networks, anti-virus is harder, even simply using accounts and passwords is harder, OT networks use very old protocols and computers, and there can be enormous resistance to change from the people who manage these networks. These differences are, however, all superficial. The fundamental difference between these two kinds of networks is consequences: most often, the worst-case consequences of cyber attacks are sharply, qualitatively different on IT vs OT networks.
Worst-Case Consequence
What is the difference? Ransomware hits our IT network and what do we do? We detect, respond, and recover. We identify the affected computers and isolate them. We take forensic images for the security analysts, and we erase the equipment. We restore from backups. We repeat. This costs time and effort. The attack may have stolen intellectual property and/or personally identifiable information (PII), and we suffer lawsuits as a result. These are all business consequences. Said another way, on IT networks, the goal for managing cyber risk is to prevent business consequences by protecting the information – protecting the confidentiality, integrity, and availability of business information.
On OT networks, however, the worst-case consequences of compromise are very often physical. Explosions kill people, industrial malfunctions cause environmental disasters, the lights go out, aircraft drop out of the sky, or our drinking water is contaminated. The cyber risk management goal for OT networks is generally to assure correct, continuous, and efficient operation of the physical process. The goal is not to “protect the information” but rather to protect people, the environment, physical assets and physical operations from information, more specifically from cyber attacks that may be embedded in information. The fundamental difference between IT and OT networks is that neither human lives, damaged turbines, nor environmental disasters can be “restored from backups.”
Magic Wand?
Consequence drives superficial IT/OT differences, most often because of change. Every change is a potential threat to safe and reliable operations, and industrial software and systems are so complex that there is no way to prove their correctness under all possible normal and upset operating conditions. Engineering teams must therefore analyze changes at length, looking for possible unacceptable consequences, and test the proposed changes under operating conditions as realistic and diverse as practical, to become confident that the analysis is correct.
Why is this important? Well, even if we could somehow wave a magic wand and render all industrial networks fully patched, fully anti-virused, fully encrypted, and otherwise completely up to date with modern IT cybersecurity mechanisms, the fundamental difference between IT and OT networks would remain. When worst-case consequences of compromise in OT networks are unacceptable, the difference in consequence between IT and OT networks, today and always in the days ahead, will demand a different approach to risk management in safety-critical and reliability-critical networks versus business networks.
Consequence Determines Criticality
Worst-case consequence is every CPU in the automation system issuing all of the worst possible instructions to the physical process, at the worst possible time. Worst-case consequence determines the criticality of OT networks and that criticality determines the nature and strength of OT security programs demanded for OT systems.
Now, to be fair, not all OT systems have unacceptable worst-case consequences. If we can design our physical processes to eliminate the possibility of unacceptable safety outcomes, or unacceptable equipment damage, or other unacceptable outcomes, then our OT systems have the same kind of worst-case consequences as our IT networks, and these OT systems can be managed in much the same way as we manage our IT networks. Most often though, worst-case consequences in OT are unacceptable, and the difference between IT and OT networks is intrinsic, not superficial.
Want more details?
To learn more about consequence-driven designs for critical OT networks, click here to request a free copy of the author’s latest book, Engineering-Grade OT Security: A manager’s guide.