The Differences Between IT and OT Networks in Cybersecurity
When it comes to cybersecurity, there are significant differences between conventional IT networks and operational technology (OT) or industrial control system (ICS) networks. While many of these differences may seem superficial, the intrinsic distinction lies in the consequences of cyberattacks on these networks. In IT networks, the worst-case consequences typically involve leaked information and potential lawsuits. However, on OT networks, the consequences are almost always physical, leading to explosions, industrial malfunctions, environmental disasters, and threats to public safety.
The Goal of Cyber-Risk Management in IT and OT Networks
On IT networks, the primary goal of managing cyber-risk is to protect the confidentiality, integrity, and availability of business information. Companies focus on detecting, responding, and recovering from cyberattacks, isolating affected computers, and restoring information from backups. In contrast, the aim of cyber-risk management on OT networks is to ensure correct, continuous, and efficient operation of physical processes. The priority is to protect physical operations from cyber-sabotage attacks that may be embedded in information.
This fundamental difference between IT and OT networks means that the consequences of compromise on OT networks cannot be easily restored. Even if every industrial network were fully secured with modern IT cybersecurity mechanisms, the physical risks associated with cyberattacks would remain. This calls for a different approach to risk management in safety-critical and reliability-critical networks compared to business networks.
The Power of Security Engineering
Fortunately, the engineering profession has powerful tools to address OT cyber-risks. Mechanical over-pressure valves, which have no CPUs and are thus unhackable, prevent pressure vessels from exploding. Torque-limiting clutches, also unhackable due to the absence of CPUs, prevent turbines from disintegrating. Unidirectional gateways, which physically restrict the passage of attack information, are also unhackable. These tools are often neglected because they have no IT security analogues.
Moreover, the engineering profession has a long history of managing risks to public safety, similar to the medical and legal professions. However, the contributions that engineers can make to managing OT cyber-risks are not widely understood. The vast majority of cybersecurity practitioners are IT experts, not engineers, and they may not be aware of the engineering profession’s responsibilities or potential in this field.
Additionally, the engineering profession itself has yet to fully comprehend the extent of cyber-risk to public safety and physical operations. While cyberattacks with physical consequences continue to increase, there is currently no jurisdiction where failing to apply robust cyber-risk management to industrial designs can risk an engineer’s license to practice. However, progress has been made in recent years, with several approaches to robust cybersecurity engineering emerging in areas such as process engineering, automation engineering, and network engineering.
The Importance of Robust Cybersecurity Engineering
Looking forward, the main question that needs to be addressed is “how much is enough” when it comes to cybersecurity. The degree of protection required for a system or network depends on the consequences it may face. Safety-critical and critical infrastructure systems need to be thoroughly secured. However, cybersecurity programs, even the best of them, cannot always provide the deterministic protection that engineering designs offer. This poses challenges when public safety is at risk.
Nevertheless, security engineering has the potential, if applied routinely and systematically, to eliminate many safety and reliability consequences. By reducing the remaining risks inherent in OT networks, this approach can simplify the “how much is enough” question and lower the strength and cost requirements of cybersecurity programs. Given the impending crisis in OT networks caused by cyber attacks, including shutdowns, equipment damage, and threats to public safety, the time is ripe for adopting this new approach.
Overall, a comprehensive understanding of the differences between IT and OT networks, along with the potential of security engineering, is critical to effectively managing cyber-risks in safety-critical and reliability-critical networks. The engineering profession has a significant role to play in safeguarding critical infrastructure and ensuring the protection of public safety.
<< photo by Levi Frey >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- Malicious Malware: Unraveling Transparent Tribe’s Deceptive YouTube Tactics
- “Unprotected Networks: Examining the Vulnerability of 12,000 Juniper Firewalls to RCE Exploit”
- “ICC Faces Cybersecurity Breach: The Alarming Reality of Global Hacking Threats”
- Emerging Threat: DHS Raises Red Flag on AI-Driven Attacks Targeting Critical Infrastructure
- The Shadowy Intrusion: Chinese Redfly Group’s 6-Month Campaign of Disruption on a Nation’s Critical Grid
- The Rise of Cybersecurity: Safeguarding Trust in Critical Infrastructure
