IT vs. OT Cybersecurity: Why Process Industries Must Recognize the Important Differences

This audio was created using Microsoft Azure Speech Services

According to a recent ARC and Kaspersky industrial control system (ICS) cybersecurity survey, 70% of the 282 industrial organizations who participated consider a cyberattack on their operations technology (OT) / Industrial Control System (ICS) infrastructure to be likely. Despite this, many of the respondents, who work in oil, gas, and chemicals process industries, have yet to define their own approach to implementing OT / ICS cybersecurity.

When preparing an industrial cybersecurity defense plan, a common misconception of corporate stakeholders is to turn to IT departments, who are viewed as the traditional resources for managing cybersecurity related issues, for a solution. Although IT departments will play a principal role in protecting industrial machines and control systems, IT teams working with OT stakeholders will need to recognize some important distinctions between the way IT systems are cyber-protected and the way OT systems require protection.

How OT cybersecurity is unique

The traditional IT cybersecurity triad (a triad refers to a model designed to guide policies for information security within an organization) consists of three core elements: confidentiality, integrity and availability of information. When maintaining the readiness of IT systems, the information gleaned from these systems must be protected, readily available, accurate, and dependable. When IT systems fail, like an email system, for instance, corporate manufacturing output production does not come to a grinding halt. IT personnel can address some of these non-critical problems during off-peak times when system demand is quite low. But when dealing with OT systems, the situation is different.

Unlike IT systems, OT does not operate solely in a cyber world. OT systems address a cyber-physical world. OT systems touch, manipulate and change real world physical assets. Whether it’s opening a valve to let in more of a certain chemical, or turning on and off a motor, people can get hurt if the system fails or malfunctions. Tanks with volatile chemicals can overheat and explode, for instance, if control system actions are disrupted. Thus, the number one priority in the OT world isn’t confidentiality, integrity or availability—it’s safety.

Why OT reliability and confidentiality are also critical

In addition to safety, the other two legs of the OT cybersecurity triad consist of reliability and confidentiality. In process manufacturing, if a process fails, the company can very well lose $1 million or more for every day when machines are not up and running. Within food and beverage and semiconductor industries in particular, huge sums of money are lost if production experiences a midstream disruption. Tainted products have to be discarded as waste product. Reliability implies a system that is robust, provides consistent results free of tampering, and that has redundancy built in, in order to provide very high availability or uptime . If one machine or processing tank is out of commission, another must pick up the slack, if necessary.

Confidentiality comes into play when considering the intellectual property or trade secrets programmed into the OT system, or data coming from it that is of value to competitors. For example, recipes for pharmaceutical, food and beverage, and chemical products. The recipes for how much of a particular ingredient or color goes into a batch, and for how long the mixture cooks, for instance, represent important proprietary trade secrets. If that information were to be hacked and stolen, it can be used by competitors (or competing nations) to thwart business growth. Stolen recipes can also help a competitor to determine a particular firm’s production output. If a steel mill’s energy usage statistics were to be stolen, for instance, it would be relatively easy for a competitor to correlate that information into steel production data.

Unfortunately, most industrial process operators are not experts on cybersecurity, they are experts on their processes. That’s why they need to rely on their corporate IT colleagues for support. However, it is important for OT stakeholders to educate the IT staff on how their cybersecurity triad is different. In cases where coming up with a sound, in-depth cybersecurity plan for OT assets becomes problematic, involving a third-party consultant can help. The consultant can act as an IT to OT liaison and bridge any gaps in understanding between the two teams.

To learn more about how Schneider Electric experts can help you strengthen the cyber resilience of your OT networks visit our page and also download the “Strategies for Recognizing and Preventing Insider Attacks on Industrial Control Systems” white paper.