Critical Infrastructure – The Benefits and Risks of IT and OT Coupling

April 2, 2020

In many industries, Information Technology (IT) is essential for systems and people to achieve peak performance by monitoring software and hardware issues. Industries designated as critical infrastructure rely as heavily on IT as any other industry, but because they are designated as essential services, it is imperative that they remain operational above all non-essential services.

Every day, multiple technologies work in the background to make modern life possible. IT is one example. A relatively new term, Operational Technology (OT), has recently arisen to distinguish the IT found across industries from the specific IT practices used in fields of critical infrastructure [1]. While most of us recognize IT as a term that broadly encompasses digital computing, what about OT?

The Difference between IT and OT  

While IT focuses on information, as its name indicates, OT centers on processes and the operation of those processes [1]. An IT system will protect data first, while an OT system prioritizes the uninterrupted operation of processes [1]. For example, IT would allow a system to be restarted to install updates that prevent data loss, but OT will allow data to be lost as long as the program continues to run [1].

One obvious best practice for improving personal cybersecurity is to regularly update any systems in use, which would be an IT function, especially if an issue has been detected by the user or announced by the publishing company. In fact, Engineering In Real Life reports that in such cases a patch has been available for an average of 100 days [1]. Unfortunately, system patches often require the system to pause or stop running, which conflicts with the priorities of OT [1].

These basic examples illustrate the distinction between IT and OT and the issues it presents in critical infrastructure. They aren't the only ways the difference in goals manifests, but they are a good segue into cybersecurity needs.

Difference Between OT, ICS, SCADA and DCS in Facilities: The Specifics 

Operational Technology (OT) “encompasses the computing systems that manage industrial operations,” including “monitoring of Oil & Gas, the Electric Utility Grid, manufacturing operations,” as defined by Securicon [2]. In terms of modern life, OT controls systems that need to run ubiquitously and consistently, like electricity and water [2].

An Industrial Control System (ICS) is a network that runs multiple systems, such as those used to measure and regulate power consumption in electrical grids, that are in demand, critical and require availability of resources [2]. Securicon writes that “this emphasis represents the main difference between IT and OT/ICS systems. For IT, security is high priority preserved by the Confidentiality, Integrity, and Availability (CIA) triad. In OT/ICS networks, both integrity and confidentiality come second to availability.” [2]

Supervisory Control and Data Acquisition (SCADA) “is a systems architecture for managing large and complex processes,” as Securicon describes it [2]. Gas companies and providers of electricity often use SCADA systems because of the vast areas they need to cover [2].

According to Securicon, SCADA systems consist of three main components:  

  • a central command center consisting of all the servers running SCADA software;

  • multiple, remotely located local control systems directly controlling and automating process equipment; and

  • communication systems connecting the servers at the central command center to the remote locations [2].

Securicon further explains that “the main purpose of SCADA is data acquisition. The networks consist of multiple remote terminal units (RTUs) that are used to collect data back at the central command center, where they can be used to make high-level decisions.” [2]

A Distributed Control System (DCS) “is a type of process control system that connects controllers, sensors, operator terminals, and actuators,” while functions to acquire data and control functions are executed by nearby distributed processors, as defined by Securicon [2]. Securicon distinguishes DCS from SCADA systems: “DCS is generally employed at large, continuous processing facilities. Operations are almost always controlled onsite rather than remotely.” [2]

Converging Legacy Tech Attracts Attacks on Infrastructure 

An article published by Security Intelligence states that “the convergence of IT and OT systems means the logical and physical connection between ‘classical’ IT systems and computer controllers that operate physical assets.” [3] However important this convergence is, it does increase the risk that organizations take on.

Security Intelligence describes a real-world example from 2019 in which this risk became reality:

“This convergence allows IT breaches to target OT devices controlling physical assets, which can greatly increase the cost of recovery. One example of the potential impact of such an attack was a breach in early 2019 at a global manufacturing company. A ransomware infection starting from an IT system moved laterally into OT infrastructure and brought plant operations to a halt. The attack impacted not only the company’s own operations, but also caused a ripple across global markets.  

Security assessments performed by IBM X-Force through 2019 highlighted the vulnerability of OT systems, which often use legacy software and hardware. The continued use of old, unsupported production systems containing well-known vulnerabilities means that even if OT systems are not internet-facing, they may still be easy prey. In cases of lateral movement, after an attacker gains the first foothold, these systems can be accessed from inside the network and harmed by relatively simple exploitation techniques.” [3]

This same article reports that OT and ICS attacks are expected to increase in 2020 and beyond [3].

Safety and Security in IoT 

An article published by Help Net Security echoes the concerns mentioned by Securicon regarding the benefits and risks associated with the close coupling of OT and IT. Help Net Security specifically notes that IT security experts use traditional CIA models, “putting functional or procedural controls in place that will cost-effectively reduce the CIA-type risks to data assets,” while OT experts focus on the “assurance of safe, sound operation of OT infrastructure in a manner that avoids human casualties and lost production for large, costly physical assets.” [4]

Apply now for one of Capitol Technology University’s degrees in Critical Infrastructure and start a meaningful career protecting the 16 critical infrastructure sectors designated by the Department of Homeland Security. Through Capitol’s programs you will gain the necessary experience in IT, OT, and Cybersecurity to safeguard the physical and virtual assets, systems, and networks of America’s critical infrastructure sectors. Become an essential expert in these areas to lead efforts protecting the nation’s critical infrastructure against compromises which could debilitate security, national economic assets, and the nation’s safety and public health. Secure your future, and the future of the nation, today. 

 

References: 

  1. Andrew Sario. (2019, October 16). What is Operational Technology. Retrieved from https://www.engineeringinreallife.com/post/what-is-operational-technology

  2. Securicon. (2019, May 1). What’s the Difference Between OT, ICS, SCADA and DCS?. Retrieved from https://www.securicon.com/whats-the-difference-between-ot-ics-scada-and-dcs/

  3. Security Intelligence. (2020, February 20). What the Explosive Growth in ICS-Infrastructure Targeting Means for Security Leaders. Retrieved from https://securityintelligence.com/posts/what-the-explosive-growth-in-ics-infrastructure-targeting-means-for-security-leaders/

  4. Edward Amoroso. (2018, July 13). An overview of the OT/ICS landscape for cyber professionals. Retrieved from https://www.helpnetsecurity.com/2018/07/13/ot-ics-landscape/