IT and OT/ICS: a comparison
With regard to security, a distinction must be made between different types of technology or networks:
- IT: Information Technology, office (accounting, sales, management, ...). Here the ISO 27001 standard for the plant owner is typically applied.
- "Intermediate layer": factory backbone (inventory management etc.), i.e. the Enterprise Resource Planning (ERP) or Product Lifecycle Management (PLM) domain, with no classic automation. Here the ISO 27001 standard is typically applied.
- OT: Operational Technology, production area / factory floor with its machines and plants (ICS). Here the IEC 62443 standard is typically applied.
The following figure illustrates the so-called "Automation Pyramid" with these network types:
In terms of security, these technology areas must not be considered in isolation from each other; they must be considered together. To cover security in OT completely, the measures defined for IT must be extended by additional OT-relevant activities.
In the field of automation, the focus is on physical processes such as drilling, measuring, assembling, etc. Plants are operated as long as they allow economical production. The life cycle is much longer than in an IT environment. The broader challenges in automation are apparent: Any disruption leads to reduced productivity. In addition, the possibilities for eliminating vulnerabilities are limited, since restarts are only feasible to a limited extent and every change to an automation system entails the risk of further malfunctions.
Comparison: IT and OT
When comparing the areas of IT and the industrial automation world (OT/ICS), requirements apply as shown in the table below.
| | ICS Security | IT Security [1] |
|---|---|---|
| Priorities | Availability, Integrity, Confidentiality | Confidentiality & Availability, Integrity |
| Property: Availability | 100 % required | 99 % sufficient [1] |
| Property: Restart | Difficult | Possible |
| Property: Patch management | Significant challenge | Automation possible |
| Hardware life cycle | 7 to 20 years | 3 to 5 years |

[1] With regard to IT security, the requirements for the IT backbone and for workplaces may need to be distinguished. Experience shows that 99 percent availability of the ERP system can result in the factory being inoperable for 3.5 days per year.
From this comparison it becomes evident that, besides effective access control (user authentication, access restriction by user roles, etc.) to prevent unauthorized access to OT (ICS) systems, the availability of data (and thus of the application) has a higher priority in industrial OT environments than in office IT systems.
Any loss or corruption of data, whether caused by a malicious (intentional) or a negligent (unintentional) act, must not affect the functionality and availability of an automation application.
Conclusion: Even though the selection and implementation of security measures differ between IT and ICS environments, all elements are required for value creation, so a holistic approach is necessary. For the economic outcome it is irrelevant whether production comes to a standstill because of a cyber security incident in the manufacturing process or because of the failure of a central service (such as the ERP system).