Security Framework
4 : Distinguishing Aspects of Securing the IIoT
4 DISTINGUISHING ASPECTS OF SECURING THE IIOT
Traditionally , the security of Information Technology ( IT ) and Operational Technology ( OT ) systems has been evaluated independently , but an Industrial Internet of Things ( IIoT ) system is more than a simple merge of the two . Trustworthy IIoT systems require their security functions to be evaluated end-to-end across both IT and OT .
Integrating IT and OT security requires understanding the differences between them and their approaches to evaluating and protecting systems . Security , regulations and standards must evolve in both worlds and together to be effective . They can no longer focus narrowly .
4.1 CONVERGENCE OF INFORMATION TECHNOLOGY AND OPERATIONAL TECHNOLOGY
In the past , there has been a strong separation between IT and OT . IT covers computer and communication systems common across industries . Software applications are people-centric , and risks are often low . Real-time behavior is usually bounded by human interaction times , for example , how long someone will wait for information to be displayed .
OT , on the other hand , is a combination of hardware ( initially ) and software ( more recently ) that collects information and causes changes in the physical world through the direct monitoring and control systems . Control of physical systems , unlike IT systems , are task-specific , customized , automated and require less user interaction . In OT , real-time behavior can be essential for correctness , which may affect the type of security controls implemented .
Converging IT and OT involves a complex merge of their key system characteristics . Though many industrial systems are combining IT and OT to control devices by software , these systems are usually isolated on the OT side . Bringing these systems together modifies the security implementation both in IT and OT . For example , preserving information integrity stored in the cloud may affect OT system reliability and so becomes a matter of safety . If the control information stored in an IT system is modified without authorization due to incorrect security implementations , the OT system relying on these data may fail .
Convergence of IT and OT also brings different drivers and attitudes . Few IT specialists consider safety in their designs , while safety is not optional in OT . IT generally focuses on cost reduction once quality requirements of the system are met and may not have the resources to improve the safety quality of the system . More generally , key system characteristics and their assurance have different priorities in the two worlds that must be reconciled .
This convergence requires that the various functions that execute in the IIoT system always be considered together . It is for that reason that the ‘ Industrial Internet Reference Architecture ’ [ IIC- IIRA2016 ] merged IT and OT functions into a set of functional domains ( control , operation , information , application and business ) that cover what needs to be done , rather than where it has been done in the past .
IIC : PUB : G4 : V1.0 : PB : 20160926 - 21 -