The OT vs. IT debate has waged for years in the Industrial IoT Security (or IIoT Security) space. To properly understand this debate, and how we can shift the conversation from one versus the other to one of how OT and IT can work together, let’s start with a couple of definitions.
🔎 Related Article: Why Do We Need a Hardware Only VPN at the Edge?
Definitions of OT, IT and ICS
Operational Technology (OT)
Operational Technology refers to the networks that manage operations and control of physical processes and machinery.
Industrial Control Systems (ICS)
Industrial Control Systems, often used interchangeably with OT, refers to the control systems and instrumentation used for the actual control of industrial processes. Industrial Control Systems live on the OT network.
Information Technology (IT)
Information Technology refers to the networks that deal with the flow of data or information across an organization.
How OT and ICS fit into the broader IoT Ecosystem
Dragos CEO Robert Lee shared, in his interview on the Secure Communications Podcast, that people often just broadly lump OT into the IoT category simply because they don’t understand it.
Really, we should be looking at ICS/OT as its own category instead.
The differences between OT and IT
Operations technology does fundamentally different things than general information technology systems do because it controls physical processes rather than simply controlling the flow of information.
Consequences of a breach
As such, the threats to those systems are different, the risks are different, and the inherent impact of a breach is very different. This means that the security measures you place on these systems must also be different.
🔎 Related Article: IoT Security: Hardware or Software?
ICS/OT systems are very prevalent in highly regulated industrial IoT verticals like government, oil and gas, as well as energy and utilities. The concern with a breach of a system that actually controls the function of any of these types of systems is astronomically higher than the concerns associated with a simple breach of data.
Consider the difference between your Alexa device (a typical IoT product more on the IT side of the fence) and a gas control system.
If someone learns your Amazon order history or steals your credit card, it might not be great, but it would be recoverable.
If someone were to shut down an entire city, state or country’s infrastructure for gas or power, the impact would be incalculable.
So treating these two categories of IoT systems as if they are somehow the same is not only an oversight, it is downright dangerous.
Industrial security isn't even the same sport, much less in the same ballpark as that of general IT.
Methods for management
Additionally, because they inherently do different things, ICS/OT systems must be maintained in different ways than typical IT systems or equipment.
When in an operational environment, the risk of a disruption of service is much larger with ICS/OT than it is in an IT system. For example, applying a patch that breaks the system can result in catastrophic downtime for an entire factory.
Compounding this issue, much of the equipment connected to and controlled by an OT network relies on legacy technology. Often, applying patches or keeping applications up to date is simply not possible in these scenarios. As such, there must be different methods for maintenance and security for these types of networks.
Bridging the gap between OT and IT
Within the IoT security space, there is plenty of debate about the integration of IT and OT. Many believe that bridging the gap between the two is important, while some strongly maintain that they should remain separate.
The risks to the systems that communicate through and are controlled by the OT network is so great, it is often not worth the risk to connect them to the primary IT network.
However, the benefits of having the data available from OT networks to the business systems and data analysis functions of the IT network are substantial.
As such, there is always a strong push and pull force when it comes to finding a method to bridge the gap between the two networks.
What is most important when considering cybersecurity with respect to IIoT is finding a way to transfer information between IT and OT networks, while segregating control and access to OT networks in order to preserve the security of the technology controlled by those networks.
Using tools to keep the two networks as separate as possible will help you allow data to cross from one network to the other when you want it to while maintaining the integrity and higher degree of security for the OT network.
Creating a management network and data network
Tools like the data diodes from companies like Owl Cyber Defense allow you to separate out network functions that are available on your IIoT devices.
Your management network is reserved solely for controlling the function of the IoT device. It is the only network that is allowed to send data or commands to the devices. As such, if you can lock your management network down to the tightest levels of access and security, then you can limit anyone who can actually control the behavior of those devices.
You can then create a second network just for the IIoT devices to share data back to a centralized repository. This network can allow much greater levels of access, as the device will not be able to accept and control commands from users on this network.
Firewalling your OT and IT networks
You can also use a platform like the one provided by Dragos, which inserts a layer of protection between your IT and OT networks.
In the Dragos platform, the Operational Systems layer acts as the bridge between the OT system and the IT system, with a very strong firewall in place to prevent data from flowing in the wrong direction between systems.
Using an edge gateway to obfuscate your devices
You can provide the devices on your OT network an additional layer of protection by connecting endpoint devices through an edge gateway to prevent unauthorized access.
Some benefits of using something like Archon’s GoSilent Cube as an edge gateway for your devices include:
- Greater control over where traffic is sent. A hardware-based VPN can be configured to only allow traffic to flow to a single endpoint. Meaning, once connected to an endpoint device, it can ensure that any and all traffic can only go to the central network.
- Smaller attack surface. Because the endpoint device is completely obfuscated from the network, the applications and operating system that are running on that device no longer offer an attack surface. Typically, operating systems -- like Windows for instance -- will have a large number of potential entry points because the software is doing so much. This means more opportunities for attack. With a GoSilent Cube, your attack surface becomes microscopic.
- No software compatibility concerns. Often, legacy IoT devices will not support modern software VPNs. Because no software is required on the endpoint devices, there is no concern about which versions of applications or operating systems are running on those devices.
- Firewalling and isolation. The endpoint devices connected through GoSilent Cube never actually touch the networks they connect to. The GoSilent device acts as a firewall between the device it is connected to and the outside world. No other devices on the same network as that end user device can even see that the device itself exists. Instead, their view ends at the GoSilent Cube.
Final Thoughts
Keeping OT networks as secure as possible is the first priority in any industrial IoT environment. In the past, this has meant that connecting those devices, and using data or information from those devices on the IT network was impossible.
That no longer has to be the case. There are secure solutions for bridging the gap between OT and IT such that you can have the best of both worlds: data at your fingertips and a highly secure OT network.
