Today, nearly everyone – and everything – is connected to the internet. Cybersecurity is a regular part of mainstream news reporting and a frontline issue for organizations worldwide. But “cybersecurity” doesn’t have a one-size-fits-all solution, especially when it comes to the difference between IT (information technology) and OT (operational technology) systems.
These differences become obvious when it comes to protecting critical infrastructure built on OT systems. In these environments, it isn’t possible to simply take cybersecurity policies and best practices from the IT side of the house and apply them directly to an OT network. Both the systems themselves and the technologies they use are fundamentally different, and in order to defend both environments effectively, it’s important to understand the distinctions between them.
Let’s talk about IT vs OT and why you shouldn’t use the same blanket strategies across both domains.
Differences Between IT vs OT in Technology and Cybersecurity
We’ve written before about the technological differences between IT and OT systems. To recap, IT deals with data and manages the digital flow of information through businesses and other networks. OT systems monitor and control industrial equipment, assets, and processes.
The challenge many organizations face in securing OT systems comes from the rapid advances and innovations in technology. Industry 4.0 and smart devices introduce opportunities for automation and efficiency, but also often involve external connections into industrial systems that weren’t designed with connectivity in mind.
OT systems are purpose-built for specific operational needs. The devices in these systems are designed to be simple, robust, and operate within self-contained networks that don’t have external connections. Occasionally, this means these environments are running legacy devices that are at or near end-of-life, or are no longer supported by the original equipment manufacturer (OEM).
Because OT systems manage devices carrying out physical operations, disruptions to these systems can have huge impacts. Not only can even brief shutdown stints negatively impact the company financially, but the consequences ripple through to both the end users who depend upon the organization’s services, and the safety of the operators maintaining those systems.
For example, imagine the direct impact you would experience as the result of an OT network outage at your local electricity provider, as opposed to an email server outage at a nearby office building where you do not work. Of the two network outages, the electrical company outage would have a far more wide-reaching and physical impact on people’s daily lives than the email server being down.
Cybersecurity Best Practices in IT vs OT
While it might seem logical to try and apply cybersecurity practices and solutions that work well in IT into an OT environment, there are a few reasons why it isn’t quite that simple:
- Every OT Environment is Unique – OT systems can be built in a number of ways, and the devices they control use a wide variety of protocols. Those protocols themselves may vary between OEMs and even product lines. A PLC from Siemens, for example, might use a different protocol than a PLC from Honeywell. This means that an organization could be juggling as many types of software, hardware, and protocols as there are vendors in each part of their environment. Conversely, IT-focused security solutions often don’t encompass OT protocols at all, or are unlikely to include enough OT protocols to be effective in an OT environment.
- OT Systems are Elegant, but Delicate – Because of their unique design, OT systems can be disrupted by what may seem to be even a basic IT process. Scanning an environment, for example, even if a request or scan is done using a “safe” or “known” protocol, may delay or have other unintended effects on OT devices that could disrupt or halt operation.
- OT is Designed for Continuity – Devices in OT environments are designed to be available and running continuously, so maintenance windows are carefully planned and scheduled to minimize disruptions to service and operations. That means applying patches in an OT environment isn’t as simple as taking something offline for an hour to install and configure an update. That’s why managing vulnerabilities in an industrial environment often isn’t as straightforward as it might be for an IT system.
- IT Security Solutions May Not Meet OT Constraints – Many IT-focused solutions require an external connection. To reduce exposure and access through these channels, however, OT systems often have limits on the number and type of externally bound connections that can exist at a time. Not all IT security tools can be configured to meet those constraints.
OT Cybersecurity Solutions by OT Specialists
The key to properly protecting complex environments that have both IT and OT systems is to understand how each of these systems works, how they interact, and the different requirements and limitations of both.
Making informed cybersecurity decisions and building effective policies and processes starts with good data, and ensuring that data is accessible to everyone who needs it. Visibility into your assets, an established baseline of “normal” traffic, and other relevant data are critical to securing an industrial environment and ensuring that things are working as intended.
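As an added illustration (not from the original article and not EmberOT's tooling), here is what a passive baseline can look like: it learns assets and conversations from already-captured flow records, sends nothing to any device, and then flags traffic that departs from that baseline. The addresses, flow tuples and port-to-protocol mapping are constructed assumptions; real deployments identify protocols from payloads, not ports alone.

```python
from collections import defaultdict

# Registered TCP ports of common industrial protocols (port-only labelling is an assumption).
OT_PORTS = {102: "S7comm (ISO-TSAP)", 502: "Modbus/TCP",
            20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flows (src, dst, dst_port), as a tap or SPAN capture would yield.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.21", 502),    # HMI polling a PLC
    ("10.0.1.10", "10.0.2.22", 44818),
    ("10.0.1.11", "10.0.2.30", 20000),
    ("10.0.1.10", "10.0.2.21", 502),    # repeat of a known conversation
]
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.21", 502),    # matches the baseline
    ("10.0.1.55", "10.0.2.21", 502),    # host never seen before
    ("10.0.1.10", "10.0.2.21", 102),    # known pair, different protocol
    ("10.0.2.22", "203.0.113.7", 443),  # controller reaching an unknown address
]

def protocol(port):
    """Label a destination port, falling back to tcp/<port>."""
    return OT_PORTS.get(port, f"tcp/{port}")

def build_baseline(flows):
    """Learn assets (ip -> protocols served) and conversations passively."""
    assets = defaultdict(set)
    conversations = set()
    for src, dst, port in flows:
        assets[dst].add(protocol(port))
        assets.setdefault(src, set())   # clients are assets too
        conversations.add((src, dst, port))
    return dict(assets), conversations

def find_deviations(flows, assets, conversations):
    """Return (src, dst, protocol, reason) for flows outside the baseline."""
    findings = []
    for src, dst, port in flows:
        if (src, dst, port) in conversations:
            continue
        if src not in assets:
            reason = "new asset"
        elif dst not in assets:
            reason = "new destination"
        elif protocol(port) not in assets[dst]:
            reason = "new protocol for destination"
        else:
            reason = "new conversation"
        findings.append((src, dst, protocol(port), reason))
    return findings
```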
If you’re interested in getting started with your visibility journey, the OT PCAP Analyzer offers a quick snapshot and visibility into your network (it’s also a free tool, designed by members of the OT community for the OT community!).
For organizations that have more sites or want to address blind spots in their industrial visibility efforts, EmberOT also offers software-based sensors that can be deployed from the edge to the core, so operators, analysts, and other security-minded team members can get the visibility and data they need to protect their industrial environment.
