Is OT Cybersecurity Better Bolted-On or Designed-In?
- by 7wData
Power grid outages driven by malware, dam control system attacks, vehicle onboard system hijacking: recent incidents like these show how critical cybersecurity has become in connected operational technology. But if you think OT is “just IT in an industrial environment,” then think again. The worlds of operational technology and information technology are fundamentally different.
A cybersecurity solution in business IT, often requiring the use of active components and intrusive techniques, may be highly unsuitable for industrial systems and networks. Not only will it fail to recognize specific industrial protocols and interactions, but it can also upset delicate timing mechanisms that are essential for safe industrial operations.
Yet in OT, as in IT, cyberattack prevention is better than cure. Designing cybersecurity in beforehand, instead of trying to bolt it on as an afterthought, is not only more effective, but also less expensive. Accordingly, cyber protection is making its way into OT project lifecycles earlier. New projects offer the chance to specify cybersecurity from the start, even before any software or hardware development occurs.
At the same time, the challenge remains of bringing existing OT devices and installations under the cyber protection umbrella. The term “legacy equipment” in industrial systems and networks extends to setups that sometimes look prehistoric compared to the standard three-year renewal cycle that many business IT departments use.
The OT/IT difference goes way back. Operational technology teams battled with demanding industrial environments and complex combinations of sensors, controllers, and actuators. Business IT engineers grappled with finance, pay, HR, marketing, and sales. While IT evolved with database management and procedural programming languages, OT developed industrial control systems (ICSs) like SCADA (Supervisory Control and Data Acquisition) to operate field devices, production machines, and turbines, among others. Historically, SCADA was used for systems covering long distances, such as power, water, and gas distribution – infrastructure that is designed to last for decades.
Consequently, the installed base of industrial equipment is very large and in some cases very old. OT cybersecurity must play catch-up, but without interfering with operations. Visibility is a key issue. Devices can only be protected from attacks if they can be seen by the cybersecurity management system. If standard business IT security procedures were then followed, actions and interactions would be captured from the devices for analysis and identification of suspicious transmissions. Software, firmware, and hardware would be systematically updated to the latest versions. Vendor patches would be applied as soon as they were available. But OT, as we have already remarked, is not IT.
There are two fundamental differences between OT and IT that mean that conventional IT security approaches are often unsuitable or unavailable for the OT environment. First, OT and its industrial protocols come from a world in which network connections with the outside have been the exception. Physical “air gap” isolation was often held to be enough for protection. Until recently, speed and reliability have been the priorities rather than security. OT installations may lack the security tools and even the monitoring interfaces that business IT takes for granted.
Second, OT also has a longstanding culture of “If it ain’t broke, don’t fix it.” Installation complexity, timing constraints, and fragile compatibility between components have taught OT teams that they meddle at their peril. This includes putting extra loads on devices to get them to log and report events, or attempting to patch OT software and systems that may have been deployed 10 or 15 years ago without any updates applied since then.
The industrial world measures its performance with metrics like productivity, time to value, and availability.