As the world of OT collides with IT, this convergence has brought a refreshed need to understand each other and how this IT/OT convergence affects businesses and their security. While in simple terms, IT deals with information and OT deals with machines, understanding the nuances beyond this and how IT vs OT cybersecurity needs are distinct but similar is important for businesses.
As advances in technology bring OT hardware online and into the business network, it introduces a new world of threats. IT vs OT cybersecurity has blurred, requiring the teams to work together and ensure that the network and its endpoints are enforcing the most cutting-edge architectures, like Zero Trust.
What is the Difference Between IT and OT
While we’ll review IT/OT convergence, it’s important to establish how each is distinct and what their typical needs and thought processes are. Just because IT and OT are seeing this convergence brought on by changes to technology, they have very distinct needs.
First, we’ll explore IT vs OT as their areas within the business and then review IT/OT convergence and how the distinction has started to close, with similar needs overlapping between each.
What is Information Technology (IT)
IT is primarily focused on data and how that information flows within the business while keeping it secure. This includes both managing the data and information itself, as well as the devices used to perform those activities and help the business operate smoothly (installing software or hardware, patching, maintaining data centers and their hardware, routers, etc.).
The IT team plays a crucial part in making sure the business stays secure from threats. This includes implementing security solutions like privileged access, logging and monitoring and more.
What is Operational Technology (OT)
OT has to do with operations of a business, both the hardware and software, that monitor and control physical equipment and devices. OT by its operation produces something. An OT system in a factory, for instance, could be something that turns the machines on or off and runs the conveyor belts. Things like Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs) are also heavily present in these environments.
While IT worries about restricting access to specific files or applications, in OT access to specific devices and endpoints is also heavily restricted and left for specific individuals only. A user involved with management of Industrial Control Systems will be able to see alarms or make changes to processes that are critical to the functioning of a plant. In the wrong hands, mismanagement of these systems could result in severe consequences – potentially even death. Therefore, the stakes in OT are uniquely different from that of IT.
This means OT and IT think differently and view their technology differently. Equipment itself is also created to last a long time in OT. Powerplants may be built with the expectation of lasting 25 years from its construction and are planned to have a lot of redundancy. Multiple machines may be used to manage an operation in the plant, so in the event that one machine stops working, they note that it isn’t working and fix it when the plant’s next planned shutdown happens. In IT, systems and hardware are replaced often and when something goes down, it is addressed quickly.
What is IT/OT Convergence
With changes to technology like the Internet/Industrial Internet of Things, businesses wanting additional situational awareness and hooking more up to the corporate network, operational efficiencies and wanting insight into what is happening down at the plant level, the IT/OT convergence is in full effect. This has brought with it new advantages and capabilities, but also new challenges.
As IT and OT teams did not previously work together, security oversights, or even simple language differences, can lead to misunderstandings that result in vulnerabilities. This new collaboration can also be made difficult by the lack of understanding of needs between each team.
To an OT team the word “system” doesn’t necessarily mean a computer. They could mean a conveyor belt, which could mean five computers and other elements related to its operation. Whereas in IT, replacing a system could simply mean replacing one computer. While this example might seem basic, it can highlight some of the simple miscommunications that could occur as the teams work together.
In OT, fixing one computer could mean taking the plant offline, something non-negotiable, or something that could put someone’s life at risk. A security update for an operating system is something that could be applied rapidly on the IT side, while in OT, that update might be applied during the next planned plant shutdown.
These different demands bring about challenges among the teams, however security is very much a core concern among each. As old technology is brought into networks and exposed in new ways, the need to protect those assets has never been higher. The things IT has had to worry about for many years are now the same worries that OT teams are taking on as well and becoming the primary driver behind convergence.
IT teams don’t want OT’s systems to cause security problems. OT worries that connecting to the network opens them up to vulnerabilities because their assets weren’t necessarily built with security in mind or made to defend against today’s threats. Computer systems can be 25 years old in OT. For IT, a 3-year-old system is considered old.
IT/OT Convergence Moving Forward
As technology continues to close the distance in IT vs OT teams, the need for adopting best practices and ways of understanding each other, as well as the types of vulnerabilities that can arise as these two teams work together, will become more important. This IT/OT convergence is still just taking hold for many businesses, so navigating the path forward to ensure both teams’ needs are met, from efficiency and security, to safety, will be crucial to maintaining security.
ConsoleWorks works for both IT and OT teams, enabling access and enhancing security, while understanding the unique needs of each team. If you need help with your implementation or are currently in the midst of this IT/OT convergence, talk to us about navigating that here.
