The Industrial Internet of Things (IIoT) is becoming an indispensable part of the manufacturing industry, leading to real-time monitoring and an increase in overall equipment effectiveness (OEE) and productivity. Since the machines are being connected to the intranet and sometimes to the Internet for remote monitoring, this brings a set of challenges and security concerns for these now-connected devices.
What causes security to be so different between OT and IT?
Operational Technology (OT) manufacturing equipment is meant to run 24/7. So, if a bug is found that requires a machine to be shut down for an update, that stop causes a loss in productivity. As a result, manufacturers can’t rely on updating operational equipment as frequently as their Information Technology (IT) counterparts.
Additionally, the approach of security for OT machines has largely been “security through obscurity.” If, for example, a machine is not connected to the network, then the only way to access the hardware is to access it physically.
Another reason is that OT equipment can have a working lifetime that spans decades, compared to the typical 2-5-year service life of IT equipment. And when you add new technology, the old OT equipment becomes almost impossible to update to the latest security patches without the effort and expense of upgrading the hardware. Since OT equipment is in operation for such a long time, it makes sense that OT security focuses on keeping equipment working continuously as designed, where IT is more focused on keeping data available and protected.
These different purposes make it hard to implement IT standards on OT infrastructure. That being said, according to Gartner’s 80/20 rule-of-thumb, 80 percent of the security issues faced in the OT environment are the same as those faced by IT, while 20 percent are domain specific to critical assets, people, or environment. With so many security issues in common, and so many practical differences, what is the best approach?
The difference in operating philosophy and goals between IT and OT systems makes it necessary to consider IIoT security carefully when implementing these systems. Typical blanket IT security systems can’t be applied to OT systems, like PLCs or other control architecture, because these systems do not have built-in security features like firewalls.
We need the benefits of IIoT, but how do we overcome the security concerns?
The best solution practiced by the manufacturing industry is to separate these systems: The control side is left to the existing network infrastructure, and IT-focused work like monitoring is carried out on a newly added infrastructure.
The benefit of this method is that the control side is again secured by the method it was designed for – “security by obscurity” – and the new monitoring infrastructure can take advantage of the faster developments and updates of the IT lifecycle. This way, operational technology and information technology don’t interfere with each other.
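The split described above only holds if the new monitoring infrastructure can observe the control side without being able to command it. The following is an added example, not code from the article or from any vendor it describes, showing the two checks a defender would put on that boundary: a default-deny zone policy (which network may initiate to which, on which port) and a read-only filter on the collector's path into the controllers. The zone names, the telemetry port, and the sample rule set are assumptions made for this example; the Modbus/TCP framing and the read function codes (1 to 4) are from the public Modbus specification. It goes one step beyond the text by enforcing "read-only" at the application layer, since a network-level split alone cannot tell a register read from a register write.

```python
"""Added illustration of the OT / monitoring split: a zone policy audit plus a
read-only Modbus/TCP filter for the collector -> PLC path.

Zone names, ports and sample rules are assumptions for this example.
"""
import struct

OT, MON, IT = "OT", "MONITORING", "IT"

TELEMETRY_PORT = 8883   # assumed: controllers push MQTT over TLS to the historian
MODBUS_PORT = 502       # Modbus/TCP; the collector polls controllers here

# Default deny. Each entry is (src zone, dst zone, dst port) for an initiated connection.
ALLOWED_FLOWS = {
    (OT, MON, TELEMETRY_PORT),   # control side exports data outward
    (MON, OT, MODBUS_PORT),      # collector polls, subject to the read-only filter below
    (IT, MON, 443),              # dashboards and patching reach only the monitoring side
}


def is_allowed(src: str, dst: str, port: int) -> bool:
    """True if a connection from src zone to dst zone:port is permitted by the policy."""
    return (src, dst, port) in ALLOWED_FLOWS


def audit(rules):
    """Return the firewall rules (src, dst, port) that the zone policy does not permit."""
    return [r for r in rules if not is_allowed(*r)]


# --- Read-only filter on the collector -> PLC path ---------------------------
MBAP = struct.Struct(">HHHB")   # transaction id, protocol id (0), length, unit id
READ_ONLY_FUNCTION_CODES = {1, 2, 3, 4}   # read coils / discrete inputs / holding / input registers


def modbus_frame(function_code: int, data: bytes, transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Build a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([function_code]) + data
    # The length field counts every byte after itself: unit id + PDU.
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def monitoring_may_forward(frame: bytes) -> bool:
    """Forward a collector request only if it is a well-formed Modbus/TCP read."""
    if len(frame) < MBAP.size + 1:
        return False                      # too short to carry a function code
    _tid, proto, length, _unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        return False                      # not Modbus/TCP, or length field disagrees with frame
    return frame[MBAP.size] in READ_ONLY_FUNCTION_CODES


# --- Constructed sample data (not captured from any real plant) --------------
SAMPLE_RULES = [
    (OT, MON, TELEMETRY_PORT),
    (MON, OT, MODBUS_PORT),
    (IT, OT, 22),              # direct IT -> OT management: violates the split
    (IT, MON, 443),
]

SAMPLE_REQUESTS = {
    "read 10 holding registers": modbus_frame(3, struct.pack(">HH", 0, 10)),
    "write single register":     modbus_frame(6, struct.pack(">HH", 0, 1)),
    "write multiple registers":  modbus_frame(16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01"),
}

if __name__ == "__main__":
    for rule in audit(SAMPLE_RULES):
        print("policy violation:", rule)
    for name, frame in SAMPLE_REQUESTS.items():
        print(f"{name}: {'forward' if monitoring_may_forward(frame) else 'drop'}")
```

Running the script reports the `IT -> OT` rule as a policy violation and drops both write requests while forwarding the read. The frame filter validates the MBAP length field before trusting the function code, so a truncated or tampered frame is dropped rather than misread.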