Industrial Internet Security Framework v 1.0 | Page 21

4 DISTINGUISHING ASPECTS OF SECURING THE IIOT
Traditionally, the security of Information Technology (IT) and Operational Technology (OT) systems has been evaluated independently, but an Industrial Internet of Things (IIoT) system is more than a simple merge of the two. Trustworthy IIoT systems require their security functions to be evaluated end-to-end across both IT and OT.
Integrating IT and OT security requires understanding the differences between them and their approaches to evaluating and protecting systems. Security, regulations and standards must evolve in both worlds and together to be effective. They can no longer focus narrowly.
4.1 CONVERGENCE OF INFORMATION TECHNOLOGY AND OPERATIONAL TECHNOLOGY
In the past, there has been a strong separation between IT and OT. IT covers computer and communication systems common across industries. Software applications are people-centric, and risks are often low. Real-time behavior is usually bounded by human interaction times, for example, how long someone will wait for information to be displayed.
OT, on the other hand, is a combination of hardware (initially) and software (more recently) that collects information and causes changes in the physical world through direct monitoring and control systems. Control of physical systems, unlike IT systems, is task-specific, customized and automated, and requires less user interaction. In OT, real-time behavior can be essential for correctness, which may affect the type of security controls implemented.
Converging IT and OT involves a complex merge of their key system characteristics. Though many industrial systems are combining IT and OT to control devices by software, these systems are usually isolated on the OT side. Bringing these systems together modifies the security implementation in both IT and OT. For example, preserving the integrity of information stored in the cloud may affect OT system reliability and so becomes a matter of safety. If the control information stored in an IT system is modified without authorization due to incorrect security implementations, the OT system relying on this data may fail.
Convergence of IT and OT also brings different drivers and attitudes. Few IT specialists consider safety in their designs, while safety is not optional in OT. IT generally focuses on cost reduction once quality requirements of the system are met and may not have the resources to improve the safety quality of the system. More generally, key system characteristics and their assurance have different priorities in the two worlds that must be reconciled.
This convergence requires that the various functions that execute in the IIoT system always be considered together. It is for that reason that the 'Industrial Internet Reference Architecture' [IIC-IIRA2016] merged IT and OT functions into a set of functional domains (control, operation, information, application and business) that cover what needs to be done, rather than where it has been done in the past.
IIC:PUB:G4:V1.0:PB:20160926 - 21 -