To begin, let’s take a look at the definitions of IT and OT separately. Information Technology (IT) refers to the “entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services. In general, IT does not include embedded technologies that do not generate data for enterprise use.”
Operational Technology (OT), a relatively newer term, is explained by Gartner as the “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”
Traditionally, IT and OT have had separate roles within an organization. However, this is changing with the internet of things and particularly with the industrial internet of things. IIoT is a network of complex physical machinery with embedded sensors and software, thus blurring the lines between the IT and OT realms.
One of the main reasons these industrial systems and appliances are being brought online is to deliver smart analytics — using data generated from the machines to modify and optimize the manufacturing process. Generating data for enterprise use? That’s starting to sound more like traditionally IT territory. Another major use-case is that of predictive maintenance — which is outlined in greater detail below.
OT is mission-critical IT
As the industrial internet grows beyond the historically closed systems, and at an unprecedented rate, so comes an even greater interdependence and overlap between the two teams and a myriad of new security concerns. A key factor connecting the two is predictive maintenance, essentially the first major application of IoT in OT. Predictive maintenance is the instrumentation of machinery with IP-enabled sensors to monitor any anomalies or changes in behavior with a view to preempt mechanical failures, reduce downtime and ultimately save operational costs. This requires many things to talk to each other, for example an IoT device to a gateway to edge device to asset management software to an ERP system, etc. A data scientist sitting in a research facility can now predict whether the bearing on a fan is vibrating beyond its range and send in a crew to fix it. Earlier, an engineer sitting in a plant halfway across the world could never diagnose this. Or consider space agencies preparing for a rocket launch, where all the teams have tight integration among them.
Security concerns on both sides
The expanded network that the industrial internet of things is creating obviously has a vast number of benefits, particularly for smart analytics and control, but unfortunately it also opens up connected devices and systems to significant vulnerabilities and increased risk of devastating cyberattacks. Both IT and OT have always had security as a priority — these networked systems are presenting never seen before scenarios and risk profiles for both sides.
Key concerns for IT
Greater scope of impact: There’s no downplaying the obvious detrimental results of a security incident in a more traditional enterprise environment, but the effects of an incident on an industrial system are on a completely different scale. Consider the repercussions if an electricity grid went offline, or if a car’s engine control system was hacked and drivers were no longer within complete control.
Physical risks and safety: Unlike more traditional enterprise systems, networked industrial systems bring an element of physical risk to the table that IT teams have not had to think about. An interruption in service or machine malfunction can result in injury to plant floor employees or the production of faulty goods, which could potentially harm end users.
Outdated or custom systems: IT is used to frequent and consistent software patches and upgrades, but the industrial environments tend to be more systemic, where one small change can trigger a domino effect. As a result, many legacy plant control systems may be running outdated operating systems that cannot easily be swapped out or a custom configuration that isn’t compatible with IT’s standard security packages.
Key concerns for OT
Physical risks and safety: Threats to physical safety are not a new concern to OT teams; they’ve been implementing safety measures into industrial systems for decades. However, they’re now facing threats that are potentially outside of their control. Taking machines and control systems out of a closed system brings the threat of hacked machines, which could potentially injure employees (e.g., overheating, emergency shut-offs overridden, etc.).
Productivity and quality control: Losing control of the manufacturing process or any related devices is any OT team’s worst nightmare. Consider a scenario where a malicious party is able to shut down a plant, halting production entirely, or reprogram an assembly process to skip a few steps, resulting in a faulty product that could potentially injure end users down the road.
Data leaks: While data breaches have long been a top concern for traditional IT teams, they are somewhat new territory to OT teams that are used to working with closed systems. Given the nature of the types of industrial systems that are coming online, such as utilities, aviation and automobile manufacturing, ensuring the privacy of transmitted data is critical.
Working with IT: One of the more unexpected concerns I hear from OT teams is around how to work with IT to solve the security threats discussed above, when IT teams generally have little experience with industrial systems and their traditional security solutions typically aren’t compatible with legacy control systems. While many on the OT side see the benefits of moving away from closed systems and increasing connectivity, the perceived lack of IT experience and potential solutions for their security concerns is causing some resistance.
OT and IT collaboration: What does it look like?
While OT and IT may have different backgrounds framing their concerns about the transformation brought about by the industrial internet of things, the main underlying concern for both parties is retaining control of systems and machines and ultimately the safety of their employees and customers.
To make both sides happy, key components of any potential security solutions should include:
- Identifying and authenticating all devices and machines within the system, both within manufacturing plants and in the field, to ensure only approved devices and systems are communicating with each other. This would mitigate the risk of a hacker inserting a rogue, untrusted device into the network and taking control of any systems or machines.
- Encrypting all communications between these devices to ensure privacy of the data being transmitted.
- Ensuring the integrity of the data generated from these systems. As mentioned earlier, smart analytics are a major driver in the adoption of the industrial internet, but those analytics are worthless if the data is inaccurate.
- Assuming the manufactured goods contain software or firmware themselves, enabling the ability to perform remote upgrades down the road and ensuring the integrity of those updates.
It is very likely that things will continue on the path they are on today.
If things continue as they are today, it’s likely we will see the separation between OT and IT continue to fade until they are potentially one and the same. In an industrial setting, efficiency is the easiest innovation one can make, but we have reached the point of diminishing returns. Increasing efficiencies and better processes can only come by the data captured on the OT side and analyzed on the IT side. IT and OT will eventually become buzzwords and be replaced by a simple “T” – technology — in any and all forms. In the meantime, it’s essential that both sides consider the other’s expertise and point of view and work together toward the ultimate goal — a secure, productive industrial internet of things.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.