Featured Image: OT vs. IT: Equally Critical but Critically Different

Hyas Blog | OT vs. IT: Equally Critical but Critically Different

  • While traditional information technology (IT) networks enjoy a seat at the table (and a budget) at last, operational technology (OT) is just as critical to an effective organization today.
  • OT is hardware that impacts change on the world.
  • Insights on the importance of operational technology (OT), including how it differs from information technology (IT) and why it needs protection too.

While the concept of information technology (IT) is well-known enough to be a punchline (or a setting) on a TV sitcom, the lesser-known operational technology (OT) is an equally vital framework for managing critical infrastructure and industrial processes. 

Unlike IT, which focuses on managing data and software applications, OT is concerned with hardware and software systems that detect or cause change through direct monitoring and/or the control of industrial equipment, assets, processes, and events. 

Put another way: It's hardware that impacts change on the world. Most importantly, OT drives the revenue for organizations in critical sectors, including energy, manufacturing, and health care, whereas IT controls data, intellectual property, and compliance.

As a veteran OT technologist, it’s fair to say that it’s all important, but OT makes the factories run. As our reliance on IT continues to grow, so does the need for robust security measures to protect these systems from cyber threats. I make my case for OT as a critical system that needs protection, just like its higher-profile cousin. 


The OT Awakening

Historically, OT has been an afterthought — or siloed into a perfunctory role. We were left to the side, and the common anecdote is the CISO talking to the rest of the C-level people in the company and they say, We've got this amazing cybersecurity program.

It is so comprehensive; it costs a ton of money, but it is amazing. And then somebody asks, Does it include OT? And the answer, of course, is no, because the CISO was not in charge of the OT.

That's when everybody realizes there’s still a lot of work to do. There's been an awakening in OT, and we’ve got to get more secure.

IT security has come a long way in recent years. But OT, which was not under the umbrella of IT, fell behind. When I began my OT career, it was just called “direct digital controls,” and it was a good name. You put the controller right on the equipment and you control it directly — very succinct.

Then around 2013 or 2015, consumer goods companies began putting internet-enabled equipment into refrigerators and wearables. All of a sudden, they represented the “Internet of Things” (IoT) — and the OT community did not like being called IoT.

If you ever want to offend someone in the controls industry, call their stuff IoT. Because IoT is cheap. IoT ages like fish, or cheese or house guests. It goes bad after a certain amount of time. We like operational technology. That gives us the respect that we want. Our stuff is not cheap. Our stuff is made to last a super long time: a decade, two decades, three decades.

To be fair, some IoT devices are much more practical and essential than the proverbial WiFi toaster. Industrial IoT (IIoT), like smart sensors in manufacturing, and medical IoT (MIoT), such as remote patient monitoring devices in hospital settings, are two examples. 

But in general, if you want to give somebody the respect of saying that their stuff is not cheap and it's made to last, call it operational technology.

OT versus IT: 5 Critical Differentiators

How does an OT network differ from a traditional IT network? Here are five major ways to tell them apart. 

1. IT (customarily) does not maintain OT networks 

For better or for worse, an OT network is usually a wholly separate network installed by a mechanical or electrical contractor. I'm sure you can imagine … an Ethernet network running through a building, [if] not installed by IT, they hate that network. They [IT] just want to rip that network out, but they're not allowed to because the facility requires it to operate. There's a gap between the two networks. It's often called an air gap when they're not connected at all.


2. OT installation ‘comes with’ the building 

OT networks are usually installed during a building’s construction, or soon afterward. It's been left alone ever since — because it works. We don't want to take it offline. We don't want to upgrade it. If it's working, we just want to leave it.

OT engineers tend to use parts that last for decades precisely for that reason.

3. OT features a variety of network types (and some are considered ‘defunct’)

OT networks consist of many network types — beyond Ethernet and Transmission Control Protocol/Internet Protocol (TCP/IP). We get to go back in time to see the older networks we no longer have to deal with [in everyday IT operations]. We get to see concepts like token passing and ring networks and other things we no longer make.

4. OT networks include a limited number of servers and workstations 

PC workstations and servers are crucial parts of any OT network, but there are just not as many of them.  

5. OT systems’ endpoints are mostly PLCs

Most of the endpoints in an OT system are programmable logic controllers (PLCs) that use  protocols limited to OT.  

Here’s a Commonality: the Open Systems Interconnection Model 

I learned about the Open Systems Interconnection (OSI) model more than 20 years ago. If you have any IT training, you likely studied it, too — as one of the fundamental architectures of any network.

The OSI model allows us to visualize the layers in network communication, from the physical switches at the bottom (layer one), all the way up to the seventh layer, the application layer, which includes the data that’s part of the end user’s experience. We still use this in OT, but it's more complicated. 


  Open Systems Interconnection (OSI) model


Introducing the Purdue Model

The Purdue model is an offshoot of the OSI model that demonstrates OT to anyone who has a solid understanding of IT. The Purdue model starts at level five and works its way down to the floor level of a facility — a factory, for example.


Purdue Model Infographic

 

Levels 4 and 5: Enterprise

In this model, servers that are potentially accessible to the outside world are on the highest level.

“We've got a bunch of network segmentation all the way down. Right at the top, we've got mail servers, DNS and web servers. We remotely access these facilities. They probably have some web interface unless they're completely locked down.

For the facility to be remotely managed, the OT system needs a web server and then, “below” it,  a DMZ. Like the demilitarized zone on the border between North Korea and South Korea, the OT DMZ ensures the safety of both sides. The DMZ functions as a subnetwork containing the exposed, outward-facing services — the exposed point to an untrusted network, a.k.a. the internet. And so this level includes firewall controls, patch management, and the “historian.” 

The latter is particularly important because we collect data constantly out of these controllers. Data is just constantly being read to see if everything is working okay. Are we efficient? Are we saving energy this month compared to last year? The historian is continually collecting data out of the devices, and then that data is then used in, for example, energy management reports.

Level 3: Operation and control

This level features an engineering workstation, which would be unable to access the outside world - fingers crossed … Let’s hope [an employee] can't access their email on it.

Level 2: Control

Human-machine interfaces — like the iPad you see OT technicians walking around with and the panels they tap as they make adjustments to equipment — live on this level.

Level 1/0: Process

Then we get down to my favorite level, level one. This is the process automation level. This is where the PLCs exist. This is where we leave IP. From here we read the sensors, and manipulate the actuators and other control devices that interact directly with the physical world.

Until level one, this model was built upon  TCP/IP protocol. But OT controllers often use legacy or heritage technology, like ring networks and serial connections.

This is also where analog technology lives: the equipment that converts physical signals, such as temperature or pressure, into electrical signals that can be processed by the control system.

PLCs use analog inputs and outputs to communicate with other devices and control physical processes — for example, input from a Level 0 temperature sensor is the first step in a process that automates the physical behavior of the building’s HVAC system.

As long as we still rely on brick-and-mortar buildings, industrial equipment, and other “real-world” technology, OT will be the backbone of those systems. It’s time to recognize its complexity, its importance and its place in the larger technology ecosystem.

How can HYAS help your business protect every system — and every layer? 

Learn more about:
HYAS Protective DNS
HYAS Threat Intelligence & Investigation


Schedule a demo with HYAS.