The relationship between IT and Operational Technology security is an important one for maintaining cybersecurity in business. In terms of industry trends, the two are becoming increasingly converged.
To understand the landscape, Digital Journal spoke with Ilan Barda, CEO of OT security firm Radiflow, focusing the key differences between approaching OT and IT security and how the digitalisation and increased digital connectivity of OT systems is causing the two to converge.
Digital Journal: What is the difference between OT security and IT security?
Ilan Barda: In very basic terms, information technology (IT) concerns enterprise computers and networks. The primary currency is data – which is what IT security professionals are trying to protect. OT systems stands for operational technology and comprise networks of both software and hardware, industrial elements, and adjunct components which are used for industrial automation applications. Traditionally, this has meant it has always needed a distinct approach to security.
For example, while IT security is all about protecting data and making sure it doesn’t fall into the wrong hands, the priority for OT security is safety. This is followed closely by making sure of continuous uptime of systems and machinery, while IT systems – although admittedly it’s not ideal – can be shut down temporarily to apply patches and security updates.
Monitoring and protecting networks made up of so many composite parts is a very complex process – and one that is completely unique to each industry, and each company within that industry.
DJ: Why are they converging?
Barda: As discussed, OT and IT are two entities with two separate sets of requirements, but digital transformation has meant that the two have become linked. Keeping OT systems safe and operating continuously used to mean that networks were often siloed from outside threats, or ‘airlocked’.
But the arrival of Industry 4.0 has seen the integration of machine learning and automation into industrial technology in order to speed up processes and streamline operations. This inevitably involved the combination of IT and OT and opened up incredible lines of opportunity for the industrial sector.
At the same time, however, this interconnectivity has led to the elimination of what was effectively an early form of air-gapping from industrial networks, opening them up to more cyber threats.
DJ: How do the two compare?
Barda: IT security might seem to some people like it’s a long way ahead in terms of maturity – but the main issue is that the two are not meshing well together now that they have converged. OT security absolutely has to learn from IT security in how to protect its digital networks and adopt the appropriate protocols, but in the same way, IT security experts need to respect OT critical requirements for safety and availability when proposing cybersecurity measures.
Many industrial processes have the potential to cause catastrophic harm to both people and property – for example, heavy machinery can hurt workers if they malfunction, or trains can derail. Meanwhile, a breach can slow down operations, impacting supply chains or stopping vital products such as pharmaceuticals from reaching the market, which can massively impact bottom lines and even harm the health of consumers.
Case in point is the 2021 Colonial Pipeline attack where a Russian cybercriminal group used ransomware to hack into a US oil pipeline company’s IT system, which meant it had to shut down operations to prevent the damage from spreading to the OT system. This disrupted the lives of millions of people and cost hundreds of millions to rectify (even after the $4m ransom was paid).
DJ: How does the future look for IT/OT security?
Barda: It’s not an either/or situation, but will become something entirely new. The OT security mindset used to be reactive – which made sense when it only dealt with closed systems which were far less exposed to external attacks. This mindset is now shifting towards the IT security standard of proactive security.
IT systems are frequently updated to ensure they’re less vulnerable to an attack. IT/OT systems will likewise need to be continuously monitored and updated, while simultaneously keeping them online and fully functional.
For this reason, a key emerging technology being used by OT security specialists is the capability to simulate attacks as a means of testing the resilience of networks. With an accurate model of a network, AI makes it possible to proactively pinpoint existing vulnerabilities within an OT network. It also allows security specialists to make truly informed, data-driven decisions regarding the exact changes or updates that necessarily need to be implemented into the live, physical system, including which vulnerabilities are the most urgent and need to be patched first. Advancing technologies mean that the outlook is hopeful; it will become less about bringing together two disparate cybersecurity approaches but will instead herald a third and more effective system for identifying vulnerabilities and plugging the gaps.
