Introduction

Today’s technology is defined by two terms, information technology (IT) and operational technology (OT). IT is the use of hardware and software to create, store, transmit and retrieve data; it typically includes computers that can act as a server or client, networking devices that are used for routing the traffic, virtual software to reduce the need for hardware and applications to provide a front end to the client to perform various tasks.

On the other hand, OT is the use of hardware and software to detect, monitor or control the physical devices, processes, and events in an enterprise. OT is primarily used in Industrial Control Systems (ICS) for manufacturing and automation.

Companies using both IT and OT often fail to securely integrate them. In this article, we will have a look at how IT, which is a subsection of information systems, and ICS, which is a subsection of OT, are different from each other.

The differences between ICS and IT

1. Security objective

IT is more data-centric, where the key requirement is Confidentiality, Integrity and Availability (CIA). On the other hand, ICS is more concerned with Availability and Integrity. Confidentiality is the lowest priority.

Let’s consider an example for the above points:

Imagine an internet banking facility provided by a bank. It’s important to have confidentiality and integrity in net banking. An adversary sniffing or modifying the net banking traffic is a problem, but even if net banking is not available for a few minutes, loss is minimal.

Now, let’s imagine a power grid. Availability is the power grid’s key requirement, as a disruption in the power supply can have a huge impact on the entire grid’s consumers. Power disruption may directly impact IT operations as well, as IT uses electricity. It’s important to note that ICS safety is a constant requirement along with CIA.

2. Network topology

IT environments are large, with a number of devices and servers. These servers are segregated based on importance and need. The environment is dynamic, with IP addresses allocated by a DHCP server. In contrast, an ICS setup is comparatively small, with a limited number of assets and mostly static IP addresses. Dynamic IP addresses may hamper operations.
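Because an ICS cell has few assets with fixed addresses, its inventory can serve as an allowlist for monitoring. The following is an added example, not part of the original article: it compares passively observed IP/MAC pairs with a static baseline and reports deviations. The addresses, the subnet and the function name are constructed for illustration.

```python
import ipaddress

# Constructed static inventory of one small ICS cell: IP -> MAC (assumed values).
BASELINE = {
    "10.10.5.10": "00:1d:9c:aa:01:10",  # PLC
    "10.10.5.11": "00:1d:9c:aa:01:11",  # PLC
    "10.10.5.20": "00:0e:8c:bb:02:20",  # HMI
}
ICS_SUBNET = ipaddress.ip_network("10.10.5.0/24")  # assumed cell subnet

# Constructed (ip, mac) pairs, e.g. taken from a switch ARP table or a passive tap.
SAMPLE_OBSERVATIONS = [
    ("10.10.5.10", "00:1D:9C:AA:01:10"),   # matches the baseline
    ("10.10.5.11", "00:50:56:cc:03:99"),   # known IP, different hardware
    ("10.10.5.30", "00:0e:8c:bb:02:20"),   # known HMI answering on a new IP
    ("10.10.5.77", "00:50:56:cc:03:77"),   # not in the inventory at all
    ("192.168.1.5", "00:50:56:cc:09:05"),  # IT-side host, out of scope
]


def audit_observations(observations, baseline=BASELINE, subnet=ICS_SUBNET):
    """Return sorted (finding, ip, mac) tuples for deviations from the baseline."""
    mac_owner = {mac: ip for ip, mac in baseline.items()}
    findings, seen = set(), set()
    for ip, mac in observations:
        mac = mac.lower()
        if ipaddress.ip_address(ip) not in subnet:
            continue                      # only the ICS cell is audited
        seen.add(ip)
        expected = baseline.get(ip)
        if expected == mac:
            continue
        if expected is not None:
            findings.add(("mac-mismatch", ip, mac))
        elif mac in mac_owner:
            findings.add(("ip-changed", ip, mac))
        else:
            findings.add(("unknown-device", ip, mac))
    for ip in baseline.keys() - seen:     # inventoried assets that never appeared
        findings.add(("silent-asset", ip, baseline[ip]))
    return sorted(findings)
```

In a DHCP-driven IT network the same comparison would produce constant noise; in a static ICS cell every finding is worth a look.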

3. Physical component

IT systems primarily consist of servers, network devices and workstations. These components are often protected by firewalls, antiviruses, IPS and web application firewalls. 

ICS, on the other hand, has proprietary products. Other than desktops and servers, the rest of the platforms are embedded and vendor-specific. There are limited security products available for ICS networks.

The lifetime of IT and ICS components varies. IT component life may range from three to five years, but ICS component life ranges from 15 to 20+ years.

4. Patch management

IT and ICS have different patch management processes. IT has patch management control where the patches are pushed as they are released. On the other hand, ICS patches are released on time, but due to a lack of operational downtime the patches are rarely applied. Consequently, ICS software is obsolete and critically vulnerable to attack. 

5. Encryption and authentication

Encryption is commonly used in IT setups to protect sensitive data passing over the network. Similarly, authentication is required in IT to provide access to resources. Authentication and encryption are required in applications like net banking, email or any other service that shares and manages sensitive data.

Authentication and encryption aren’t priorities for ICS, despite their overall security benefits. In fact, implementing authentication and encryption processes often increases equipment overhead costs and slows operations.

6. Security testing

IT security testing is different from ICS security testing. Applying IT testing methodology to ICS may crash fragile ICS setups. Simply running an Nmap scan with options like service and OS fingerprinting, script-based vulnerability detection, or a full-port TCP and UDP scan, or running a Nessus scan, can crash a simple PLC, hampering plant operations.
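One way to keep IT-style scans away from fragile controllers is a pre-flight check on planned scan commands. The following is an added example, not part of the original article: it holds an Nmap command when it combines the scan types named above with a target inside an assumed OT address range. The `10.10.0.0/16` range and the function names are constructed, only the option spellings listed are recognised, and targets given as hostnames or Nmap-style ranges are not resolved.

```python
import ipaddress
import shlex

# Assumed OT address space for this example (constructed, not from the article).
OT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Nmap options that correspond to the scan types the article names.
RISKY_FLAGS = {
    "-sV": "service fingerprinting",
    "-O": "OS fingerprinting",
    "-A": "service/OS fingerprinting plus scripts",
    "-sC": "script scan",
    "-sU": "UDP scan",
}
FULL_PORT_RANGES = {"-", "0-65535", "1-65535"}
# Options whose value is a separate token and must not be read as a target.
VALUE_OPTIONS = {"-p", "--script", "-oN", "-oX", "-oG", "-oA", "-iL", "-e"}


def in_ot(token):
    """True if an IP or CIDR target overlaps an OT network (names are not resolved)."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False
    return any(net.version == ot.version and net.overlaps(ot) for ot in OT_NETWORKS)


def review_scan(command):
    """Return the reasons to hold a planned nmap command; an empty list means allow."""
    tokens = shlex.split(command)[1:]          # drop the program name
    reasons, touches_ot, i = [], False, 0
    while i < len(tokens):
        tok = tokens[i]
        opt, _, value = tok.partition("=")     # handles --script=vuln
        if opt in VALUE_OPTIONS and not value and i + 1 < len(tokens):
            i += 1
            value = tokens[i]                  # handles "-p 1-65535"
        elif tok.startswith("-p") and not tok.startswith("--"):
            opt, value = "-p", tok[2:]         # handles -p- and -p1-65535
        if opt in RISKY_FLAGS:
            reasons.append(RISKY_FLAGS[opt])
        elif opt == "--script":
            reasons.append("script scan")
        elif opt == "-p" and value in FULL_PORT_RANGES:
            reasons.append("full port range")
        elif not tok.startswith("-"):
            touches_ot = touches_ot or in_ot(tok)
        i += 1
    return sorted(set(reasons)) if touches_ot else []
```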

7. Environmental factors

Assets related to IT are hosted in a data center where environmental factors like temperature, humidity and cleanliness are controlled. These facilities have an automatic backup and human support staff. 

ICS setups may be distributed across different locations. The components of the setup are exposed to temperature, pressure and humidity extremes and fluctuations. 

Summary

To summarize the difference between IT and ICS:

| Area | IT | ICS |
| --- | --- | --- |
| Security Objective | Confidentiality, Integrity, Availability | Availability, Safety, Integrity, Confidentiality |
| Component Lifetime | 3-5 years | 15-20+ years |
| Patches | Timely | Difficult/slow |
| Performance | Must be fast; non-real time | Must be real-time |
| Security Testing | Standard approach | Specialized approach |
| Antivirus | Common | Difficult |
| Security Awareness | Good | Poor |
| Component Location | Usually local components; controlled temperature environment | Can be local or isolated and remote; in a dynamic environment like high/low temperature or high/low pressure/humidity |
| Protocol | Standard TCP/IP protocol which includes authentication and encryption | Vendor-specific protocols with no security |
| Impact | No impact on the environment; no threat to human life | Possible impact on environment and threat to human life |

Conclusion

IT and OT seem similar but are not the same. IT and OT are set up, used and controlled differently but often converge. What works for one might harm the other, so security measures are also different for IT and OT. 

Understanding these differences is key to keeping these systems secure and avoiding conflict between IT and ICS administrators.

Satyam Singh