What is OT Anyway? | Introducing OT Security Spotlight
Andrew Ginter
VP Industrial Security, Author, CS2AI Founding Fellow, Industrial Security Podcast co-host, MS, CISSP, ISP, ITCP
What does the term OT really mean? What did it mean 20 years ago? What does it mean today?
Welcome to the first edition of OT Security Spotlight! Every other week, I hope to shine a light on an essential topic for ICS professionals. From breaking down regulations to exploring best practices, I hope to explore basic through advanced topics in protecting important physical operations from cyber attacks.
Please subscribe to avoid missing updates and do leave comments with questions, feedback and suggestions for future topics.
Today's topic - what is OT? Where to begin...
The field of automation engineering has been around for almost as long as the engineering profession has existed. More recently, in 2005, the Gartner Group coined the term “operational technology” (OT). In the beginning, the term was used by IT teams to mean, more or less, “all that industrial and engineering stuff that we IT people do not understand.” Engineers of course did not use the term, at least initially, because they generally did understand very thoroughly “all that engineering stuff.”
Engineers have very recently started to use the “OT” term, primarily when interacting with enterprise security teams. Engineers use the term to refer to the computers and networks that control important, complex, and often dangerous physical processes. Many of these physical processes constitute critical industrial infrastructures, such as water treatment systems, passenger rail systems, and the electric grid. These physical processes are powerful tools, and their misoperation generally has unacceptable physical consequences. Preventing such misoperation is the goal of OT cyber risk management.
Arcane Terminology
Thus, while the term “OT risk” is new, people were monitoring, controlling and to some extent automating physical processes with dials, gauges, and analog control loops before there were computers, and have been using computers to assist with such control almost since the first computers were invented. As with any old field, the terminology is arcane. The first computers used in operations were so woefully under-powered that each computer could do only one kind of thing, and so every little thing that an automation computer did was given a different name.
For example, control systems are sometimes called SCADA systems, where SCADA stands for “Supervisory Control and Data Acquisition.” A SCADA system is an industrial control system that uses a wide-area network (WAN) to communicate over long distances. Electric grids, pipelines and water distribution systems use SCADA systems. In contrast, “DCS” stands for “Distributed Control System.” A DCS is an industrial control system where no WAN is involved, and where the entire physical process is contained in one site. Power plants, refineries and chemical plants use DCSs. Historically, SCADA systems and DCSs were different – one kind of software could not control the other kind of process. Nowadays, general-purpose control systems have all the features of both SCADA systems and DCSs, making the difference between the two terms more usage than technology.
The modern term encompassing DCSs, SCADA systems and all other kinds of control systems is “industrial control system” (ICS), but there are many variations of the term. The IEC 62443 standards insist on calling these systems “industrial control and automation systems” (IACS). Many refineries call their control systems Process Control Networks (PCNs). Building owners and operators call their control systems Building Automation Systems. And rail system operators call some of their control systems switching systems, others operational control systems (OCC), and yet others signalling systems – in that industry, the term “OT” is only just starting to be used.
Process vs. Discrete Manufacturing
Industrial processes can be classified as well. Critical industrial infrastructures are generally examples of “process industries.” In process industries, the material being manipulated is more or less “goo” at some point in the physical process: water purification systems manipulate water, refineries manipulate oil, and pipelines move fluids. Electric grids are considered process industries as well, because electricity is produced in a continuous stream that can be modelled as more or less a fluid. Even transportation and traffic control systems are considered by many to be process systems, though this pushes the concept a bit.
Within process industries, there are batch industries and continuous industries. Batch industries, such as mining and pharmaceuticals, are industries where the production line does not run continuously. Instead, the physical process produces identifiable batches of outputs. Continuous industries, such as water treatment plants, power plants and offshore oil platforms, consume inputs and produce outputs more or less constantly. Worst-case consequences of cyber sabotage in process industries can be spectacular. These industries are sometimes called “boomable” industries – with one of the main jobs of the control system being to stay “left of boom”.
Discrete manufacturing is the opposite of process manufacturing. While process industries work with continuous inputs to produce continuous or discrete outputs, discrete manufacturing assembles small, discrete inputs into larger discrete outputs, such as automobiles, aircraft, and home appliances. There are many similarities between process and discrete manufacturing, but there are significant differences as well. Discrete manufacturing often consists of individual machines or “production cells,” each with a technician responsible for operating and/or repairing machines in the cell. Each machine tends to have its own small, local “human-machine interface” (HMI).
Whereas process industries are often “boomable,” worst-case consequences of cyber attacks on discrete manufacturing tend to be threats to product quality – which can be very important in fields such as aircraft manufacturing – and threats to individual technicians operating the equipment. A machine that turns on while a technician has their hand or body inside it during servicing can injure or kill that person, but generally poses no threat to other technicians in the plant, nor to public safety.
Human-Machine Interface (HMI)
An important aspect common to all SCADA systems is the human operator. Control systems for important industrial facilities almost always have human oversight. System operators are charged with ensuring the safe and reliable operation of the physical process. These operators use tools known as human-machine interface (HMI) software. This software almost always includes a graphical visualization of the state of the physical process, and often includes other elements such as alarm managers and historical trending tools called process historians.
In many industries, by policy and sometimes by law, process operators are required to permit the physical process to operate only if they have a high degree of confidence that the process is operating safely. If the operator ever loses such confidence, for example because their displays freeze, or a message pops up saying, “you have been hacked,” they must act. An affected operator may transfer control of the process to a secondary or redundant HMI or control system. However, if after some seconds or minutes the operator is still not sufficiently confident of the correct and safe operation of the physical process, then that operator must return the process to a known-safe state – most often by triggering an emergency shutdown of the physical process.
This means that most often, the simplest way that cyber attacks can cause physical consequences is for the attack to impair the operation of some part of an operator’s HMI or the systems supporting the HMI. The simplest physical consequences of such attacks are shutdowns of the physical process. A problem with such shutdowns is that industrial processes very often can be shut down much faster than they start up. Physical operations can take days to recover full production again after an emergency shutdown. In some cases, regulatory approvals must be obtained before restarting physical processes, delaying plant restarts by as much as months. Worse, emergency shutdowns often put physical stress on industrial equipment, stress that can lead to either immediate equipment failures, further delaying restarts, or to premature equipment aging.
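The escalation described above (stale primary HMI, transfer to a redundant HMI, and a known-safe state if confidence is not restored within a grace period) can be modelled as a data-freshness watchdog. The following is an added example and not code from the article or from any product the author describes; the tag names, the two HMI feeds, the 5-second staleness threshold and the 60-second grace period are all constructed for illustration.

```python
"""HMI data-freshness watchdog (added example, constructed data).

Models the operator rule from the text: a frozen primary display means
confidence is lost; if a redundant HMI is still fresh, control transfers
to it; if both stay stale past a grace period, the process must be
returned to a known-safe state.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STALE_AFTER_S = 5.0    # constructed: no sample for 5 s => the tag is stale
GRACE_PERIOD_S = 60.0  # constructed: how long an operator may run on stale views


@dataclass
class HmiFeed:
    """Last-seen timestamp per process tag for one HMI (hypothetical model)."""
    name: str
    last_seen: Dict[str, float] = field(default_factory=dict)

    def update(self, tag: str, now: float) -> None:
        self.last_seen[tag] = now

    def stale_tags(self, now: float) -> List[str]:
        return sorted(t for t, ts in self.last_seen.items() if now - ts > STALE_AFTER_S)

    def is_fresh(self, now: float) -> bool:
        # A feed with no data at all is not a basis for confidence either.
        return bool(self.last_seen) and not self.stale_tags(now)


def decide(primary: HmiFeed, backup: HmiFeed, now: float,
           confidence_lost_at: Optional[float]) -> Tuple[str, Optional[float]]:
    """Apply the escalation rule and return (state, time confidence was lost).

    NORMAL     - primary HMI data is fresh
    FAILOVER   - primary stale, redundant HMI fresh: transfer control to it
    DEGRADED   - both stale, still inside the grace period
    SAFE_STATE - both stale for at least GRACE_PERIOD_S: return to known-safe state
    """
    if primary.is_fresh(now):
        return "NORMAL", None
    if backup.is_fresh(now):
        return "FAILOVER", None
    lost = now if confidence_lost_at is None else confidence_lost_at
    if now - lost >= GRACE_PERIOD_S:
        return "SAFE_STATE", lost
    return "DEGRADED", lost


def replay(samples: List[Tuple[float, str, str]], checks: List[float]) -> List[Tuple[float, str]]:
    """Feed (time, hmi, tag) samples into the two feeds and evaluate the rule at each check time."""
    feeds = {"primary": HmiFeed("primary"), "backup": HmiFeed("backup")}
    ordered = sorted(samples)
    lost: Optional[float] = None
    timeline: List[Tuple[float, str]] = []
    i = 0
    for t in checks:
        while i < len(ordered) and ordered[i][0] <= t:
            ts, hmi, tag = ordered[i]
            feeds[hmi].update(tag, ts)
            i += 1
        state, lost = decide(feeds["primary"], feeds["backup"], t, lost)
        timeline.append((t, state))
    return timeline


# Constructed telemetry: both HMIs receive two tags once per second; the
# primary stops updating after t=10 and the backup after t=20.
TAGS = ["FT101", "PT102"]
SAMPLES = [(float(t), "primary", tag) for t in range(0, 11) for tag in TAGS] + \
          [(float(t), "backup", tag) for t in range(0, 21) for tag in TAGS]
CHECKS = [5.0, 17.0, 30.0, 60.0, 95.0]

if __name__ == "__main__":
    for t, state in replay(SAMPLES, CHECKS):
        print(f"t={t:5.1f}s  {state}")
```

The point of the replay is that a frozen display is a measurable condition, not just an operator's impression: the same freshness check can drive an alarm long before the grace period runs out, which matters because the shutdown that ends the grace period is far more costly than the failover that precedes it.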
OT Security Priorities
While safe and reliable operations are the top priority in almost all industrial networks, confidentiality can be a priority as well. For example, pharmaceutical firms often regard the detailed processes used to manufacture their outputs as closely held trade secrets. Discrete manufacturers sometimes regard the programs and settings for industrial robots and other manufacturing equipment the same way. Enterprise security teams have an important role to play in protecting this information.
The bottom line? There is enormous variety in the field of “OT” systems, and that variety – especially the differences in worst-case consequences of compromise – drives requirements for OT security and OT risk management systems.
To dig deeper, click here to request a free copy of my latest book, Engineering-Grade OT Security: A manager’s guide.
Cyber Security Enthusiast
6 months ago: Insightful! Looking forward to reading more on this
Systems Maintenance Principal Engineer National Grid Corporation of the Philippines | Operational Technology Engineer | Professional Electronics Engineer (PECE)
6 months ago: Insightful!
VP North America | Head of Cybersecurity
6 months ago: Hi Andrew, great kick-off article which still managed to have some new input for me. I very much look forward to future editions.
IT/OT Executive Cybersecurity Leader (CISO) and Adjunct Professor
6 months ago: Great initiative Andrew. BZ