October 24, 2016

IT and OT in the Internet of Things

Information, and operations. In the past, these were seen as two distinct and discrete elements of organisations’ technology – IT, and OT.

The former deals with the processing, transmission and storage of data, while the latter is about physical processes and production – the devices and sensors in a factory, for example.

However, as we move ever further into the era of the Internet of Things (IoT), IT and OT are being pushed closer and closer together. Computers, tablets and smartphones are no longer the only devices using operating systems and the Internet Protocol. It is becoming just as likely that a machine in a processing plant will be connected to the IT infrastructure as the computer on an employee’s desk.

Conversations around the IoT and information security often (understandably) focus on the ‘things’ being connected in the IoT. How secure are they? How can their security be bolstered, and maintained? What risks might they introduce to the network?

These are undoubtedly important questions – but equally important, and sometimes neglected, are questions around the melding together of IT and OT. How does this increasing overlap and convergence affect information security?

Who owns what?

The first thing to consider is that IT and OT have historically been looked after by different personnel – and security responsibilities are likely to have sat firmly in the IT team.

Consequently, any convergence of IT and OT – no matter how minor – is likely to cause confusion over ownership. Suddenly, the IT security team is responsible for securing a whole new set of devices – and yet the ongoing management of those devices is still the responsibility of the OT team.

It is easy to see gaps into which responsibility, knowledge and understanding can fall. With no black-and-white distinctions between departments and scenarios, and no blueprints for new divisions of labour, it is more important than ever for departments to communicate well with each other when undertaking new IoT deployments.

The IT security team needs to understand exactly and entirely which devices are part of the infrastructure it is expected to protect. It needs a comprehensive, intelligent and real-time map of connectivity across the entire organisation. And it needs clear lines of communication with the OT team, so that questions can be quickly answered and ownership of different elements can be immediately agreed.

A question of encryption

So those are the human lines of communication. But you also need to think about the digital ones.

Each new operational device added to the corporate network introduces new paths along which data is transmitted – and comprehensive IT security means protecting information in transit as well as in storage.

This is where you need to think seriously about encryption. It might be standard practice to encrypt emails containing financial information, but what about data sent between a physical sensor and a computer?

In a complex, dynamic IoT environment, perimeter protection alone is no longer enough – policy-driven encryption is the only way of delivering truly end-to-end security. And, once again, this requires absolute cooperation between the IT and the OT departments.

From IT and OT to…T?

It seems likely that, as the IoT becomes ever more sophisticated and an integral part of how businesses operate, the separate spheres of IT and OT will break down and dissolve. Technology can no longer be divided neatly into information and operations.

A single, centralised technology team of the future is likely to be the cleanest, simplest way of delivering unified IoT security, and savvy businesses will start planning towards such a scenario now.

Darron Antill