Understanding cybersecurity for operational technology

April 19, 2016
Control Special Report highlights the differences between IT and OT cybersecurity and the challenge of protecting industrial control systems.

The promise of the Industrial Internet of Things (IIoT) is driving a convergence of information technology (IT) and operational technology (OT) and highlighting a critical issue: understanding the differences between IT and OT cybersecurity and how to begin developing effective defenses against the nightmare scenarios that come to mind when one imagines a hacker gaining access to industrial systems.

But attacks on industrial control systems are not the realm of imagination. As Marty Edwards, director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the U.S. Department of Homeland Security, told our sister publication, Control Design, industrial equipment security breaches are occurring and well documented.

“Incidents range from what I call commodity-type malware, which could be a Trojan design dealing with banking information that is proliferating around the Internet accidentally getting into an industrial control system and infecting the machines,” Edwards said. “Or it could range all the way out to a significant, advanced and persistent threat from a nation-state-level actor who is very surgically and specifically targeting that control system for whatever the reason is.”

A 2014 report conducted by the cybersecurity research group, Ponemon Institute—and sponsored by Unisys—stated that 67% of companies with critical infrastructure suffered at least one attack in the previous 12 months and 78% expected a successful exploit of their ICS/SCADA systems within the next two years.

One major constraint to protecting industrial systems, even for industrial companies themselves, is a misunderstanding of the difference between IT (information technology) and OT (operational technology). It remains unclear whether and how the two overlap, where they diverge, and who among the internal security teams is responsible for securing what.

The terms Industrial Internet and the Internet of Things (IoT) are frequently used interchangeably. But they are not one and the same. The former is more specific and a subset of the latter. While IoT connects “everything” (and most commonly refers to consumer devices like cell phones, fitness wearables, smart meters, etc.), the Industrial Internet represents the convergence of industrial machines, data and the Internet.

Here’s an easy—if simplistic—way to think about it. IT stores, retrieves, transmits, and manipulates data. OT uses that data to monitor, control and operate physical devices, processes and events. In the past, OT systems were not connected to the Internet. Today, this is changing: Not only must new OT vulnerabilities be addressed, but companies must decide who’s to address them and how.

The Industrial Internet is where the Internet intersects with our basic human needs, such as water, transportation, healthcare and energy; and where industrial enterprises are seeing the potential benefits that enhanced intelligence and connectivity can bring to their critical industrial control systems (ICS), including supervisory control and data acquisition (SCADA) and distributed control systems (DCS).

Beyond IoT’s convenience, what’s driving the inevitable evolution toward the Industrial Internet is the promise of asset availability, efficiency and safety. In fact, connecting to the Internet has become an unavoidable reality of business. By converging global industrial systems with the power of advanced computing, analytics, automation and connectivity, the Industrial Internet is allowing companies to make significant operational improvements and to better compete in the modern world.

And this trend toward increased connectivity is speeding up. According to an article on our IIoT-focused sister website, SmartIndustry.com, a recent survey by the MPI Group found that manufacturers have incorporated smart devices or embedded intelligence in 25% (median) of their production equipment and processes as well as non-production processes (e.g., back office). And 76% will increase the use of smart devices or embedded intelligence in production processes in the next two years; 66% will increase non-production IoT applications.

But as physical and cyber befriend one another, so, too, must efficiency and security. The two need not be at odds and, in fact, companies should factor both into the production cost-benefit equation sooner rather than later.

To learn more about this critical topic, download the Control Special Report: Cybersecurity in Operational Technology.

This article and the Special Report: Cybersecurity in Operational Technology are sponsored by Wurldtech, a GE Company.