When the first personal computers were deployed in industrial automation environments during the 1980s, it was difficult to imagine how the information technology (IT) would influence the day-to-day operations of industrial organizations. For the last decade or so, the convergence of operational technology (OT) and IT has been an important topic in organizations whose operations rely on industrial control systems.
The advantages of merging the realms of information technology (IT) and operational technology (OT) are obvious: cost reduction, improved capabilities, and greater efficiency. These advantages, however, come with a cost because they have affected the way that industrial control systems operate and have increased the exposure of industrial control systems to cyber risks.
According to one research study, nearly 90% of organizations with connected OT infrastructures have experienced a security breach within their Supervisory Control and Data Acquisition and Industrial Control Systems (SCADA/ICS) architectures, with more than half of those breaches occurring in just the previous 12 months.
Solving the Technical Challenges
IT networks set the security priorities for operational technology. The priorities of OT are given by the nature of the processes that it supports. In most cases, these processes must work continuously, meaning the most important risk dimension in OT is availability.
OT networks enable improved uptime not only for IT systems but also for all the technical components that support the physical processes. IT/OT convergence enables the use of commercial off-the-shelf systems to reduce costs, while developing new functionalities based in the interoperability of systems and digital technologies.
As industrial environments are digitized, however, the limitations of information technology to enable secure operational technology represents a significant barrier to achieving a modern, responsive organization at scale.
The Purdue Enterprise Reference Architecture (PERA) has been used widely for more than 25 years to design and build industrial control systems. The model is based in well-delimited architectural levels that go from the physical aspects of the control process (Levels 0–3), or the manufacturing level, to the corporate business planning and logistics and the enterprise network (Levels 4 and 5). It is the “neutral” space between these levels where gaps traditionally exist to prevent data from a web or cloud-based environment that influences the network’s effect on the operations of the plant or devices.
An important component of the IT/OT convergence relies on the connectivity between the lower parts of the control systems architecture and the corporate networks, which allow real-time data transfer and provide the business with accurate information about the production processes. This connectivity has blurred the limits among architectural layers, exposing and increasing the vulnerabilities in the lower layers of the control network, and introducing cybersecurity challenges, previously unknown to industrial organizations, such as
- The use of nonstandard and proprietary communication protocols, which complicates the creation of situational awareness and the detection of cybersecurity incidents
- The sensitivity of industrial devices to nonexpected network traffic, which discourages the use of typical IT active techniques such as network scans
- The existence of outdated network architectures, which makes difficult the deployment of traditional security paradigms such as network segmentation
- The difficulty of deploying end-point protection software, which causes vulnerable systems to be kept in production
It is in this neutral space between the manufacturing and enterprise levels where emerging applications and technologies, including Internet of Things devices, which have characteristics of both hardware and software, will reside and where governance of the security across the stack will be most challenging.