IoT security fundamentals: IoT vs OT (Operational Technology)

September 24, 2020 by

Dimitar Kostadinov

Introduction: Knowing the Notions

 Industrial Internet of Things (IIoT) incorporates technologies such as machine learning, machine-to-machine (M2M) communication, sensor data, Big Data, etc. This article will focus predominantly on the consumer Internet of Things (IoT) and how it relates to Operational Technology (OT).

Learn IoT Security

Learn how ethical hackers exploit the growing number of internet-connected devices and become a Certified IoT Security Practitioner.

Get Started

Operational Technology (OT) is a term that defines a specific category of hardware and software whose purpose is to monitor and control the performance of physical devices. In a sense, OT is about task-specific systems that are tailored to the needs of particular industries. What is more important is that these systems support mission-critical operations that fall typically in the area of Engineering.

Above all, IoT products value convenience delivered to their users through a public cloud-based service. Although some consumer-type IoT devices have sensing capabilities, the functionality of these devices may vary considerably. On the other hand, OT deals with industrial operations where a sensor connected to a PLC or another industrial mechanism collects output data and sends it to a service provider – usually a private cloud that stores the proprietary data – for further analysis. The nature of this data can be about:

• Temperature
• Pressure
• Light
• Wind
• Humidity
• Vibration

Often the feedback extracted from the industrial environment may serve as an indication to calibrate properly a heater, pump controller, pressure balances, etc., which will lead in turn to optimization, partially or wholly, of particular operational processes, as well as more accurate fault detection.

In reality, with its features that allow visualization, data logging, passing of data, real-time control, etc., modern SCADA equipment is starting to resemble IoT technology. Nonetheless, IoT cannot be expected to perform well where some industrial processes take place – be that closing/opening valves or resetting actuators. This is the area of expertise of OT, since its industry-specific high-speed data collection (Data Acquisition) and control (Supervisory Control) is still unmatched. What is more likely for IoT is to play a supporting role when it comes to industrial processes.

Differences and Similarities in the Security Posture

 On paper, IoT security should be stronger than what IT assets rely on to safeguard them because connected devices are more likely to cause tangible consequences to the physical world. This is something that IoT and OT have in common, as attacks on critical infrastructure may also have palpable effects. Imagine a heart defibrillator that suddenly stops working or an electrical grid outage that leaves a smart-city megalopolis in darkness. You may say that in the first case only one person is affected, but if the right person is targeted – for example, a pilot of a commercial aircraft or an operator that opens and shuts floodgates of a dam – the consequences can affect many others.

But we do not have to look at imaginary scenarios to get a glimpse of what cyberattacks on IoT and OT assets may entail. The Mirai botnet hack powered by 150,000 hijacked IoT devices that crushed the Internet for a while in the United States and ransomware strains that can cripple entire industry sectors like NotPetya are good examples of some of the dangers that roam about in the cyberspace seeking to wreak havoc to unprotected IoT and OT systems.

Strictly speaking IoT is not concerned with operation safety because IoT products do not handle industrial processes. OT is a completely different story. It is a critical infrastructure where operation safety is paramount. What is more, IoT security revolves around “Integrity” and OT around “Availability”, if we take the CIA Triad into consideration.

Note that OT must always verify the network latency. Even a simple task such as installing an update that requires rebooting a system could be considered in some OT environments an undue hardship, a cause of downtime. For that reason, inter alia, OT policies are drafted so as to satisfy regulatory requirements concerning proper functioning and safety of ICSs (industrial control system) and SCADA (supervisory control and data acquisition) systems. 

One of the biggest security problems that IoT technology introduces into every organization is that it increases considerably the existing attack surface. If you wonder how, just think of the case when sensitive data from a casino’s high roller database was stolen with the initial compromise starting from a smart thermometer in an aquarium located in the lobby.

OT also extends the cyberattack surface, but probably not nearly as much as the IoT. Consequently, regardless of whether we talk about an IoT or OT end-device, each new element that is added to the network should be fully inspected for vulnerabilities.

According to CISO Rick Peters, "nine out of 10 surveyed organizations said they'd experienced at least one OT system intrusion in the past year — that's up from 19% in the year prior. What's more, 68% of those organizations experienced at least three or more intrusions — up from last year's 18% (Source: Industry Today)." And that was in 2019; after Coronavirus, more people are working from home, thus increasing further potential attack vectors.

Network and endpoint security are the traditional areas of focus of OT. Lately, however, there has been growing attention toward application security. For example, runtime application self-protection (RASP) is the new revolutionary step the result of precursor technologies such as web application firewalls (WAF) (also known as Layer 7 firewalls) and static application security testing (SAST).

Conclusion: Merging Technologies

 Despite the differences between the two technologies discussed in this article, OT usually implements IoT technologies in the production/manufacturing phase and some OT components themselves have become “smarter”, embracing characteristics typical of IT infrastructure.

Given the vast quantities of data connected devices are capturing, the need for interoperability and data transparency between IoT, IT and OT is glaring. ISVs, for one, address that need by providing a platform for macro-level control and analysis that can unite these technologies.

When we discuss IoT, we know that we are discussing how everything is connected to everything. This technology simply possesses the natural propensity to connect things like glue. Therefore, it will not come as a surprise if IoT delivers the technological platform where IT and OT will find a common ground.

Learn IoT Security

Learn how ethical hackers exploit the growing number of internet-connected devices and become a Certified IoT Security Practitioner.

Get Started

Sources

• Defining IT, OT and IIoT, IIoT World
• IoT Security vs. IT Security: What’s the difference?, IBM
• IoT vs IIoT differences you must know, IIoT World
• IT, OT and IoT: existential technology lifecycle management, CSO
• IT/OT convergence: The dilemma of the IoT perception gap, SAS
• IT/OT Security Convergence And Risk Mitigation, Forbes
• Rethinking IoT/OT Security to Mitigate Cyberthreats, Microsoft
• SCADA vs IoT, Smart Machines & Factories
• The IoT Convergence: How IT and OT Can Work Together to Secure the Internet of Things, Tipwire
• The Seven layers of IoT — IT vs OT debate and the role of IoT, Medium
• What is OT Security?, Infradata