Differences between TI and TO

Posted date 13/07/2015

Autor

INCIBE (INCIBE)

The worlds of IT (Information Technology) and OT (Operational Technology) have traditionally remained independent of each other, but this really should not be the case given that nowadays both areas needs are becoming more and more similar. The needs and problems they have are becoming more and more alike and the experience each area boasts should be made available to the other.

imagen SCI

- Corporative IT Systems vs. Industrial Control Systems -

The majority of these differences are given below for a deeper understanding of the problems that divide the two.

Technology

One of their main differences is the predominant technology in each environment. Whilst in an industrial environment there are sensors, controllers, actuators, etc.; in a corporative one, there are databases, document management systems, etc. Therefore, the technological knowledge prevalent in each environment is completely different and represents a considerable disparity between them.

The needs of each are not comparable to those of the other, either. In the IT sector we find ourselves with an office environment in which the number of devices is similar to the number of people. However, in an OT environment there is usually a whole host of devices spread out over a large space and proportionally far fewer people. The working conditions in an OT environment are also quite tough (temperature, humidity, etc.) – in stark contrast to the conditions we would expect to find in an IT office.

Another thing to consider is the jargon used, which is linked to the technology. There is a language within industrial control systems, which is enriched by the variety of devices and processes that are run; differences can even be detected among employees from different sectors, given that they may work with different technology within their respective areas. IT, on the other hand seems more welcoming – though that is not to say less significant. Employees’ knowledge is general, although at times it may be more specific, and the vast majority of the professionals that work in the sector, or even in different sectors, can relate to it.

Focus on safety and security

As machines and devices are used heavily in OT working environments, both physical and processes safety are key. When we refer to safety, we mean protecting the environment, people and infrastructures against potential failures in the process. With IT systems, as lives are not at risk, we are referring to the more logical issue of security; in other words, protecting information with regard to any sort of risk that may threaten it, be it people, natural disasters, wear, etc.

Both safety and security measures seek to protect the Confidentiality, Integrity and Availability of the information in systems’ environments. But safety and security are seen differently in both environments and each area attempts to meet its safety and security objectives in different ways.

Whilst in IT environments confidentiality is the most important asset to protect, in OT environments availability is of utmost importance, given that enterprises can lose a lot of money as a result of a service outage in their systems or plants.

priorities OT

- Comparison of objectives -

Operating systems, software and protocols

Industrial control systems have a great deal of equipment for specific purposes with proprietary operating systems, in contrast to the IT world where there is a whole host of standard operating systems – most of which are Windows – and a lot of commercial software installed on each computer to meet employees’ needs.

There are also considerable differences in communication, as proprietary industrial protocols and, over the last few years, some TCPs/IPs are particularly prevalent in industrial control systems. Meanwhile, in IT, due to the main tasks carried out in an office, we encounter protocols associated to web browsing, in other words HTTP/HTTPS over TCP/IP.

Regulations

This is another aspect indicative of the considerable difference between the two areas. In the OT world, regulations are normally specific to each industrial sector, given that very few of them are in any way general; however, in IT, regulations are usually interchangeable and do not apply to just one sector but can be used regardless of the field the business operates in.

For instance, in the OT sector, compared to the rules and regulations for a bottling plant, those for a nuclear plant would be a different matter altogether, as they are quite specific to that sector and depend on the features of both the plant and the region it is located in.

In the IT sector, the regulations applied to a banking company could also apply to a power market company, with the exception of the differences in the activity each business carries out.

There are also differences among the regulatory bodies in each area: while you would expect to encounter international bodies for the IT environment, for the OT field, there are normally regulators for specific sectors, which are independent from one another.

For instance, a SCADA system that controls gas distribution in the US would be regulated by the AGA (American Gas Association), whilst a SCADA system for electricity distribution would be regulated by NERC (North American Electric Reliability Cooperation), even though SCADA’s equipment and purpose are similar in both cases.

In order for every one of us to coordinate our work better and unite in favour of more global safety and security, there is a lot of work to do and we all have to pull in the same direction. Therefore, raising awareness of industrial cybersecurity and sharing experiences and information between the IT and OT worlds is vital and represents a good starting point from which to move forward in this area.