Operational technology

Last updated

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. [1] The term has become established to demonstrate the technological and functional differences between traditional information technology (IT) systems and industrial control systems environment, the so-called "IT in the non-carpeted areas".

Contents

Examples

Examples of operational technology include:

Technology

The term usually describes environments containing industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems, distributed control system (DCS), remote terminal units (RTU) and programmable logic controllers (PLC), as well as dedicated networks and organization units. The built environment, whether commercial or domestic, is increasingly controlled and monitored via 10s, 100s, and 1,000s of Internet of Things (IoT) devices. In this application space, these IoT devices are both interconnected via converged technology edge IoT platforms and or via "cloud" based applications. Embedded Systems are also included in the sphere of operational technology (e.g. smart instrumentation), along with a large subset of scientific data acquisition, control, and computing devices. An OT device could be as small as the engine control unit (ECU) of a car or as large as the distributed control network for a national electricity grid.

Systems

Systems that process operational data (including electronic, telecommunications, computer systems and technical components) are included under the term operational technology.

OT systems can be required to control valves, engines, conveyors and other machines to regulate various process values, such as temperature, pressure, flow, and to monitor them to prevent hazardous conditions. OT systems use various technologies for hardware design and communications protocols, that are unknown in IT. Common problems include supporting legacy systems & devices and numerous vendor architectures and standards.

Since OT systems often supervise industrial processes, most of the time availability must be sustained. This often means that real time (or near-real time) processing is required, with high rates of reliability and availability.

Laboratory systems (heterogenous Instruments with embedded computer systems or often non standardized technical components used in their computer systems) are commonly a borderline case between IT and OT since they mostly clearly don't fit into standard IT scope but also are often not part of OT core definitions. This kind of environment may also be referred to as industrial information technology (IIT).

Protocols

Historical OT networks utilized proprietary protocols optimized for the required functions, some of which have become adopted as 'standard' industrial communications protocols (e.g. DNP3, Modbus, Profibus, LonWorks, DALI, BACnet, KNX, EnOcean and OPC-UA). More recently IT-standard network protocols are being implemented in OT devices and systems to reduce complexity and increase compatibility with more traditional IT hardware (e.g. TCP/IP); this however has had a demonstrable reduction in security for OT systems, which in the past have relied on air gaps and the inability to run PC-based malware (see Stuxnet for a well-known example of this change).

Origins

The term operational technology as applied to industrial control systems was first published in a research paper from Gartner in May 2006 (Steenstrup, Sumic, Spiers, Williams) and presented publicly in September 2006 at the Gartner Energy and Utilities IT Summit. [2] Initially the term was applied to power utility control systems, but over time was adopted by other industrial sectors and used in combination with IoT. [3] A principal driver of the adoption of the term was that the nature of operational technology platforms had evolved from bespoke proprietary systems to complex software portfolios that rely on IT infrastructure. This change was termed IT OT convergence. [4] The concept of aligning and integrating the IT and OT systems of industrial companies gained importance as companies realized that physical assets and infrastructure was both managed by OT systems but also generated data for the IT systems running the business. In May 2009 a paper was presented at the 4th World Congress on Engineering Asset Management Athens, Greece outlining the importance of this in the area of asset management [5]

Industrial technology companies such as GE, Hitachi, Honeywell, Siemens, ABB and Rockwell are the main providers of OT platforms and systems either embedded in equipment or added to them for control, management and monitoring. These industrial technology companies have needed to evolve into software companies rather than being strictly machine providers. This change impacts their business models which are still evolving [6]

Security

From the very beginning security of operational technology has relied almost entirely on the standalone nature of OT installations, security by obscurity. At least since 2005 OT systems have become linked to IT systems with the corporate goal of widening an organization's ability to monitor and adjust its OT systems, which has introduced massive challenges in securing them. [7] Approaches known from regular IT are usually replaced or redesigned to align with the OT environment. OT has different priorities and a different infrastructure to protect when compared with IT; typically IT systems are designed around 'Confidentiality, Integrity, Availability' (i.e. keep information safe and correct before allowing a user to access it) whereas OT systems require 'realtime control and functionality change flexibility, availability, integrity, confidentiality' to operate effectively (i.e. present the user with information wherever possible and worry about correctness or confidentiality after).

Other challenges affecting the security of OT systems include:

Common vulnerabilities

OT often control and monitor important industrial processes, critical infrastructure, and other physical devices. These networks are vital for the proper functioning of various industries, such as manufacturing, power generation, transportation and our society. Most common vulnerabilities and attack vectors should be addressed, whereof :

  1. Legacy systems and outdated technology: Many OT networks still rely on older hardware and software that may not have been designed with security in mind, making them more susceptible to cyber attacks.
  2. Lack of segmentation: Inadequate network segmentation can lead to a compromised device in one part of the network, which may allow an attacker to access other parts of the network, increasing the overall risk.
  3. Insufficient authentication and access control: Weak authentication mechanisms and access controls can enable unauthorized users to gain access to sensitive systems and data.
  4. Insecure communication protocols: Many OT networks use proprietary or legacy communication protocols, which may lack encryption or other security features, making them vulnerable to eavesdropping and data tampering.
  5. Limited visibility and monitoring: OT networks often lack comprehensive monitoring and visibility tools, which makes it difficult to detect and respond to potential security incidents.
  6. Insider threats: Malicious insiders or negligent employees can exploit their access to OT networks to cause harm or steal sensitive data.
  7. Integration with IT networks: The increasing convergence of IT and OT networks can introduce new vulnerabilities and attack vectors, as vulnerabilities in one network can potentially be exploited to compromise the other.
  8. Supply chain risks: Compromised hardware or software components in the OT network can introduce vulnerabilities that attackers can exploit.
  9. Physical security: OT networks involve physical devices and infrastructure that can be susceptible to physical attacks, such as tampering or theft.
  10. Lack of cybersecurity awareness and training: Many organizations do not adequately train their employees on the importance of cybersecurity, leading to an increased risk of human error and insider threats.

To protect against these risks, organizations should adopt a proactive, multi-layered security approach, including regular risk assessments, network segmentation, strong authentication, and access controls, as well as continuous monitoring and incident response capabilities.

Critical infrastructure

Operational technology is widely used in refineries, power plants, nuclear plants, etc. and as such has become a common, crucial element of critical infrastructure systems. Depending on the country there are increasing legal obligations for Critical Infrastructure operators with regards to the implementation of OT systems. In addition certainly since 2000, 100,000's of buildings have had IoT building management, automation and smart lighting control solutions fitted [8] These solutions have either no proper security or very inadequate security capabilities either designed in or applied. [9] This has recently led to bad actors exploiting such solutions' vulnerabilities with ransomware attacks causing system lock outs, operational failures exposing businesses operating in such buildings to the immense risks to health and safety, operations, brand reputation and financial damage [10]

Governance

There is a strong focus put on subjects like IT/OT cooperation or IT/OT alignment [11] in the modern industrial setting. It is crucial for the companies to build close cooperation between IT and OT departments, resulting in increased effectiveness in many areas of OT and IT systems alike (such as change management, incident management and security standards) [12] [13]

A typical restriction is the refusal to allow OT systems to perform safety functions (particularly in the nuclear environment), instead relying on hard-wired control systems to perform such functions; this decision stems from the widely recognized issue with substantiating software (e.g. code may perform marginally differently once compiled). The Stuxnet malware is one example of this, highlighting the potential for disaster should a safety system become infected with malware (whether targeted at that system or accidentally infected).

Sectors

Operational technology is utilized in many sectors and environments, such as:

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that may result in unauthorized information disclosure, theft of hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

SCADA is a control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes. It also covers sensors and other devices, such as programmable logic controllers, which interface with process plant or machinery.

<span class="mw-page-title-main">VxWorks</span> Real-time operating system

VxWorks is a real-time operating system developed as proprietary software by Wind River Systems, a subsidiary of Aptiv. First released in 1987, VxWorks is designed for use in embedded systems requiring real-time, deterministic performance and in many cases, safety and security certification for industries such as aerospace, defense, medical devices, industrial equipment, robotics, energy, transportation, network infrastructure, automotive, and consumer electronics.

Building automation (BAS), also known as building management system (BMS) or building energy management system (BEMS), is the automatic centralized control of a building's HVAC, electrical, lighting, shading, access control, security systems, and other interrelated systems. Some objectives of building automation are improved occupant comfort, efficient operation of building systems, reduction in energy consumption, reduced operating and maintaining costs and increased security.

<span class="mw-page-title-main">Profinet</span> Computer network protocol

Profinet is an industry technical standard for data communication over Industrial Ethernet, designed for collecting data from, and controlling equipment in industrial systems, with a particular strength in delivering data under tight time constraints. The standard is maintained and supported by Profibus and Profinet International, an umbrella organization headquartered in Karlsruhe, Germany.

A unidirectional network is a network appliance or device that allows data to travel in only one direction. Data diodes can be found most commonly in high security environments, such as defense, where they serve as connections between two or more networks of differing security classifications. Given the rise of industrial IoT and digitization, this technology can now be found at the industrial control level for such facilities as nuclear power plants, power generation and safety critical systems like railway networks.

An industrial control system (ICS) is an electronic control system and associated instrumentation used for industrial process control. Control systems can range in size from a few modular panel-mounted controllers to large interconnected and interactive distributed control systems (DCSs) with many thousands of field connections. Control systems receive data from remote sensors measuring process variables (PVs), compare the collected data with desired setpoints (SPs), and derive command functions that are used to control a process through the final control elements (FCEs), such as control valves.

Internet of things (IoT) describes devices with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other communication networks. The Internet of things encompasses electronics, communication, and computer science engineering. "Internet of things" has been considered a misnomer because devices do not need to be connected to the public internet; they only need to be connected to a network and be individually addressable.

Security convergence refers to the convergence of two historically distinct security functions – physical security and information security – within enterprises; both are integral parts of a coherent risk management program. Security convergence is motivated by the recognition that corporate assets are increasingly information-based. In the past, physical assets demanded the bulk of protection efforts, whereas information assets are demanding increasing attention. Although generally used in relation to cyber-physical convergence, security convergence can also refer to the convergence of security with related risk and resilience disciplines, including business continuity planning and emergency management. Security convergence is often referred to as 'converged security'.

Dynamic Infrastructure is an information technology concept related to the design of data centers, whereby the underlying hardware and software can respond dynamically and more efficiently to changing levels of demand. In other words, data center assets such as storage and processing power can be provisioned to meet surges in user's needs. The concept has also been referred to as Infrastructure 2.0 and Next Generation Data Center.

<span class="mw-page-title-main">IT infrastructure</span> Set of information technology components that are the foundation of an IT service

Information technology infrastructure is defined broadly as a set of information technology (IT) components that are the foundation of an IT service; typically physical components, but also various software and network components.

Ember was an American company based in Boston, Massachusetts, USA, which is now owned by Silicon Labs. Ember had a radio development centre in Cambridge, England, and distributors worldwide. It developed Zigbee wireless networking technology that enabled companies involved in energy technologies to help make buildings and homes smarter, consume less energy, and operate more efficiently. The low-power wireless technology can be embedded into a wide variety of devices to be part of a self-organizing mesh network. All Ember products conform to IEEE 802.15.4-2003 standards.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to the operation of security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

Granular configuration automation (GCA) is a specialized area in the field of configuration management which focuses on visibility and control of an IT environment's configuration and bill-of-material at the most granular level. This framework focuses on improving the stability of IT environments by analyzing granular information. It responds to the requirement to determine a threat level of an environment risk, and to allow IT organizations to focus on those risks with the highest impact on performance. Granular configuration automation combines two major trends in configuration management: the move to collect detailed and comprehensive environment information and the growing utilization of automation tools.

Control system security, or industrial control system (ICS) cybersecurity, is the prevention of interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.

ObjectSecurity is an information technology company focusing on information security, supply chain risk analysis, data analytics, and artificial intelligence. The company pioneered the development of model-driven security, which was mostly an academic concept prior to the company's developments. The company is best known for their OpenPMF model-driven security product, security policy automation product for which the company received a "Cool Vendor" award from Gartner in 2008. In recent years, ObjectSecurity diversified into supply-chain risk-analysis automation for which the company was selected "Finalist" by AFWERX in 2019, and vulnerability assessment & pentesting automation.

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow compliance to standards.

The industrial internet of things (IIoT) refers to interconnected sensors, instruments, and other devices networked together with computers' industrial applications, including manufacturing and energy management. This connectivity allows for data collection, exchange, and analysis, potentially facilitating improvements in productivity and efficiency as well as other economic benefits. The IIoT is an evolution of a distributed control system (DCS) that allows for a higher degree of automation by using cloud computing to refine and optimize the process controls.

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.

<span class="mw-page-title-main">Home Assistant</span> Home automation software

Home Assistant is free and open-source software used for home automation. It serves as an integration platform and smart home hub, allowing users to control smart home devices. The software emphasizes local control and privacy and is designed to be independent of any specific Internet of Things (IoT) ecosystem. Its interface can be accessed through a web-based user interface, by using companion apps for Android and iOS, or by voice commands via a supported virtual assistant, such as Google Assistant, Amazon Alexa, Apple Siri, and Home Assistant's own "Assist" using natural language.

References

  1. "Gartner IT Glossary > Operational Technology"
  2. Steenstrup, Sumic, Spiers, Williams. "IT and OT Interaction Gives Rise to New Governance". Gartner.{{cite web}}: CS1 maint: multiple names: authors list (link)
  3. "The IoT Convergence: How IT and OT Can Work Together to Secure the Internet of Things".
  4. Steenstrup, Kristian. "The Strategy, Value and Risk of IT/OT Convergence".
  5. Koronios, Haider, Steenstrup (2010). "Information and Operational Technologies Nexus for Asset Lifecycle Management". Engineering Asset Lifecycle Management. pp. 112–119. doi:10.1007/978-0-85729-320-6_13. ISBN   978-0-85729-321-3.{{cite book}}: CS1 maint: multiple names: authors list (link)
  6. "Industrial Giants Still Struggling To Find New Digital Business Models".
  7. "IT/OT Convergence: Bridging the Divide" (PDF).
  8. "Internet of Things Forecast Database".[ dead link ]
  9. "Smart Yet Flawed: IoT Device Vulnerabilities Explained".
  10. "The 5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History".
  11. "Gartner Glossary: IT/ OT Alignment".
  12. "5 TIPS TO IMPROVE IT/OT ALIGNMENT".
  13. "Mind the Gap - A Roadmap to IT/OT Alignment".
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.