Operational Technology
Operational Technology (OT) – the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, etc.
Simply put, OT is the use of computers (or other processing devices) to monitor or alter the physical state of a system, such as the control system for a power station or the control network for a rail system. The term has become established to demonstrate the technological and functional differences between traditional IT systems and Industrial Control Systems environment, the so-called "IT in the non-carpeted areas". Examples of operational technology include:
- PLC's
- SCADA
- DCS
- Computer Numerical Control (CNC) systems, including computerized machine tools
- Scientific equipment (e.g. digital oscilliscopes)
Technology
Usually environments containing Industrial Control Systems (ICS), such as: supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), Remote Terminal Unit (RTU) and programmable logic controllers (PLC) as well as dedicated networks and organization units. Embedded Systems are also included in the sphere of operational technology (e.g. SMART instrumentation), along with a large subset of scientific data acquisition, control & computing devices. An OT device could be as small as the ecu of a car or as large as the distributed control network for a national electricity grid.
Systems
Systems that process operational data (including electronic, telecommunications, computer systems and technical components) are included under the term operational technology.
OT systems can be required to control valves, engines, conveyors and other machines to regulate various process values, such as temperature, pressure, flow, and to monitor them to prevent hazardous conditions. OT systems use various technologies for hardware design and communications protocols, that are unknown in IT. Common problems include supporting legacy systems & devices and numerous vendor architectures and standards.
Since OT systems often supervise industrial processes, most of the time availability must be sustained. This often means that real time (or near-real time) processing is required, with high rates of reliability and availability.
Protocols
Historical OT networks utilized proprietary protocols optimized for the required functions, some of which have become adopted as 'standard' industrial communications protocols (e.g. DNP3, Modbus, Profibus). More recently IT-standard network protocols are being implemented in OT devices and systems to reduce complexity and increase compatibility with more traditional IT hardware (e.g. TCP/IP); this however has had a demonstrable reduction in security for OT systems, which in the past have relied on air gaps and the inability to run PC-based malware (see Stuxnet for a well-known example of this change).
Security
From the very beginning security of Operational Technology has relied almost entirely on the standalone nature of OT installations. Recently OT systems have become linked to IT systems with the corporate goal of widening an organizations ability to monitor and adjust it's OT systems, which has introduced massive challenges in securing them. Approaches known from regular IT are usually replaced or redesigned to align with the OT environment. OT has different priorities and a different infrastructure to protect when compared with IT; typically IT systems are designed around 'Confidentiality, Integrity, Availability' (i.e. keep information safe and correct before allowing a user to access it) whereas OT systems require 'Availability, Integrity, Confidentiality' to operate effectively (i.e. present the user with information wherever possible and worry about correctness or confidentiality after).
Other challenges affecting the security of OT systems include:
- OT components are often built without basic IT security requirements being factored in, aiming instead at achieving functional goals. These components may be insecure by design and vulnerable to cyber-attacks.
- Vendor dependency: Due to the general lack of knowledge related to industrial automation, most companies are heavily dependent on their OT vendors. This leads to vendor lock-in, eroding the ability to implement security fixes.
- Critical Assets: Because of OT's role in monitoring and controlling critical industrial process, OT systems are very often part of National Critical Infrastructure As such they may require enhanced security features as a result.
Critical Infrastructure
Operational Technology is widely used in refineries, power plants, nuclear plants, etc. and as such has become a common, crucial element of critical infrastructure systems. Depending on the county there are increasing legal obligations for Critical Infrastructure operators with regards to the implementation of OT systems.
Governance
There is a strong focus put on subjects like IT/OT cooperation or IT/OT alignment in the modern industrial setting. It is crucial for the companies to build close cooperation between IT and OT departments, resulting in increased effectiveness in many areas of OT and IT systems alike (such as change management, incident management and security standards).
A typical restriction is the refusal to allow OT systems to perform safety functions (particularly in the nuclear environment), instead relying on hard-wired control systems to perform such functions; this decision stems from the widely recognized issue with substantiating software (e.g. code may perform marginally differently once compiled). The Stuxnet malware is one driver behind this, highlighting the potential for disaster should a safety system become infected with malware (whether targeted at that system or accidentally infected).
Sectors
Operational Technology is utilized in many sectors and environments, such as:
- Oil & Gas
- Power and Utilities
- Chemicals manufacturing
- Water treatment
- Waste management
- Transportation
- Scientific experimentation
Description
The Term OT is now widely used in industry, see the following examples:
- Gartner e.g. http://www.gartner.com/it/page.jsp?id=1590814 http://www.gartner.com/technology/research/it-ot-alignment/
- NIST e.g. http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf
- ISA (International Society of Automation) e.g. https://www.isa.org/belgium/standards-publications/ISA99/
- ENISA e.g. https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/maturity-levels or https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/maturity-levels/at_download/fullReport