IT and OT are merging in networked production. This brings opportunities for efficiency, as well as insights. But security risks caused by attacks on OT systems demand new strategies.
As production becomes more networked, IT and OT are growing closer together. This merging of operational technology (OT) on the shop floor and IT systems designed for production planning and corporate management means greater efficiency, flexible control, and better insights into production metrics. But at the same time, the Industrial Internet of Things (IIoT) increases operational complexity. Furthermore, networked OT is becoming increasingly vulnerable to security risks that were previously known only in IT. As a consequence, attacks on OT systems are becoming more frequent and more professional, and OT can become a weak point in overall systems and threaten entire networks. That’s why defending against cyberattacks and preventing technically induced outages demands new strategies and new expertise in production.
In practice, IT and OT are still operated by separate departments with different briefs. This can lead to unclear responsibilities and conflicting goals. It’s often difficult to determine who is responsible for maintaining, updating, and monitoring these shared systems. The result can be conflicts and incomplete processes, especially when systems fail or security incidents occur.
Standardization plays a key role in establishing clear responsibilities in IT/OT convergence and minimizing conflicting goals. Learn more in our video (2 min., 25 sec.) with Oliver Müller, Senior Manager at BOSCH.
The convergence of IT and OT is producing clear points of conflict that can manifest in different ways. Diverging demands on network infrastructure, industrial security, and data management only serve to amplify these conflicts.
Manufacturing companies are subject to numerous regulations and standards. Soon we will have NIS-2, yet another set of regulations governing information security. Businesses will have to ensure that all their systems comply with these regulations. Here are some important examples of international laws and guidelines that relate to IT (information technology) and OT (operational technology):
The new EU Network and Information Security Directive. Its regulations will apply to many manufacturing companies, critical infrastructure operators, and digital service providers, and will require high levels of security for networks and information systems. The Directive entails, among other things, cybersecurity requirements and provisions demanding that security incidents be reported.
This is an internationally recognized standard for information security management systems (ISMS). The standard can be applied to both IT and OT environments, with the aim of establishing complete security management systems.
This series of standards addresses cybersecurity in industrial automation systems. It defines requirements and recommendations on how to securely develop, implement, and operate OT systems. This means it relates to IT as well as OT aspects.
Networking in production requires that all of the systems involved comply with a recommended set of cybersecurity standards. In practice, many OT systems are outdated, which means they’re not designed to support the integration of modern IT systems. Potential vulnerabilities can become doorways into entire automation networks. That’s why IT tends to consider OT a major source of potential vulnerabilities. Other potential reasons:
Lack of segmentation
OT networks are often inadequately shielded. This means that critical systems and control devices may be connected to other networks or the internet. That in turn increases the risk of unauthorized access and malware infection.
Insufficient authentication and access control
Most OT environments were historically autonomous and, despite increasing networking, still employ weak or insecure authentication and access control mechanisms. This can facilitate unauthorized access to control devices and allow the manipulation and interruption of industrial processes.
Insecure remote access and inadequate overall monitoring
Insecure remote access in OT opens up opportunities for attack. Highly networked environments are often inadequately secured, and remote access can endanger not only OT but also central corporate systems. A lack of overall monitoring in OT systems allows security incidents and attacks to go undetected and hinders effective countermeasures.