9 Ways IT and OT say the same thing but mean totally different things.
1. Antivirus
In corporate IT, antivirus is old news. It is dead easy to deploy, updating is nearly always automatic, and IT teams have full control over customisation, with policy applied either per asset or across the whole enterprise.
In OT environments, the memory and processor demands of many antivirus products are too great for the low-specification components often found in SCADA systems. The legacy systems found across large infrastructure mean that any antivirus solution has to be aftermarket, so it is not attuned to the specific nuances of an ICS network, and its use usually necessitates exclusion folders to stop the quarantine of mission-critical files. Those exclusions deserve to be treated as a risk in their own right: an excluded path is an unscanned path, so anyone who can write to it can plant a payload the antivirus will never look at. Keep exclusions as narrow as possible, restrict write access to them, and record why each one exists.
2. Patch Management
Patch management in corporate IT is again much more modern and pain-free than in the OT world. In enterprise networks, a centralised IT team can choose between fully automated remote updates and full control over exactly what is installed. Patch installation can be as simple as downloading a file and restarting a workstation, and even in extreme cases it takes place over a weekend.
The outlook is not as bright for OT specialists. Patches are nearly always OEM-specific and are not guaranteed to work with the rest of the system in place. The timeline to successful installation can run to weeks or months while impact assessments are conducted and any bugs are ironed out. Infrastructure owner/operators have to decide their own level of acceptable risk, and often run software many versions behind the latest release to ensure stability, which leaves compensating controls such as network segmentation carrying the load in the meantime.
3. Support Lifetime
Corporate IT has it good here too. Hardware is often replaced every 2-3 years, and the whole process is reasonably vendor-neutral. Upgrades are as normal as trading your car in at the end of a lease.
In ICS, it is entirely feasible that a piece of hardware is expected to last 20-30 years, and it will usually be replaced with a product from the same vendor. Discontinued products, or a vendor being acquired, create real security concerns for infrastructure owner/operators, because the supply of firmware fixes and spares can end long before the equipment does.
4. Change Management
The very thought of change strikes fear deep into the hearts of ICS/SCADA engineers. It is a very serious proposition that can cost millions per day in downtime if not carried out properly, so it must be scheduled strategically alongside other required maintenance so as not to disturb production or other output.
It is still a headache for enterprise IT, but one undertaken much more regularly, and it is not uncommon for enterprises to sit one or two major OS versions behind the current one in order to maintain stability. When change is required, it is aligned with minimum-use periods, usually overnight or at weekends.
5. Asset Classification
You only have to look at the burgeoning market for "asset discovery" tools to understand that an accurate asset inventory is very rare in ICS. Part of the reason is that the active scanning IT relies on for discovery can stall or crash fragile controllers, so ICS discovery has to be passive, inferred from traffic rather than probes. Proper inventory is usually performed only in line with stringent audits, if at all, and there is a substantial disconnect between asset value and the security countermeasures applied to it.
In corporate IT, it is a very different story. A full asset inventory is performed every year, or more frequently, and the results drive budget for the following year.
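The passive approach that ICS discovery tools take, as an added example that is not code from the original article or any particular product: the flow records, the IP addresses and the port-to-protocol mapping below are all constructed for illustration (real tools inspect payloads rather than trusting port numbers), and the roles and criticality labels are assumptions this example makes so that countermeasures can be tied to asset value.

```python
"""Passive ICS asset inventory built from observed flow records.

Added example, not code from the original article. In ICS, active
scanning can crash or stall fragile controllers, so discovery tools
infer assets from traffic they observe. This module does the same on
a constructed set of flow records and then ties each asset to a
criticality so countermeasures can follow asset value.
"""
from dataclasses import dataclass, field

# Server-side ports of common ICS protocols. Port-based identification is
# an assumption for this example; production tools also inspect payloads.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
    47808: "BACnet/IP",
}
IT_PORTS = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS", 445: "SMB", 3389: "RDP"}

# Constructed sample flows: (timestamp, src_ip, src_port, dst_ip, dst_port, proto).
# Each record is assumed to be client -> server, i.e. dst_port is the service.
SAMPLE_FLOWS = [
    ("2024-05-01T08:00:01Z", "10.10.1.50", 51234, "10.10.1.10", 502, "tcp"),
    ("2024-05-01T08:00:02Z", "10.10.1.50", 51235, "10.10.1.11", 502, "tcp"),
    ("2024-05-01T08:00:03Z", "10.10.1.51", 40001, "10.10.1.12", 102, "tcp"),
    ("2024-05-01T08:00:04Z", "10.10.1.50", 51236, "10.10.1.12", 102, "tcp"),
    ("2024-05-01T08:00:05Z", "10.10.1.12", 40002, "10.10.1.13", 44818, "tcp"),
    ("2024-05-01T08:00:06Z", "10.10.1.50", 51237, "10.10.2.5", 443, "tcp"),
    ("2024-05-01T08:00:07Z", "10.10.1.60", 3030, "10.10.1.10", 502, "tcp"),
    ("2024-05-01T08:00:08Z", "10.10.1.60", 3031, "10.10.1.10", 3389, "tcp"),
    ("2024-05-01T08:00:09Z", "10.10.1.12", 40003, "10.10.2.5", 443, "tcp"),
]


@dataclass
class Asset:
    ip: str
    first_seen: str
    last_seen: str = ""
    served: dict = field(default_factory=dict)   # port -> service offered by this host
    talks_to: set = field(default_factory=set)   # services this host connects to

    @property
    def role(self) -> str:
        """Controllers serve ICS protocols; HMIs and engineering stations speak them as clients."""
        if any(port in ICS_PORTS for port in self.served):
            return "controller"
        if any(svc in ICS_PORTS.values() for svc in self.talks_to):
            return "ics_client"
        return "it_host"

    @property
    def criticality(self) -> str:
        return {"controller": "high", "ics_client": "medium", "it_host": "low"}[self.role]


def build_inventory(flows):
    """Fold flow records into a dict of ip -> Asset without sending a single packet."""
    assets = {}
    for ts, src, _sport, dst, dport, proto in flows:
        for ip in (src, dst):
            assets.setdefault(ip, Asset(ip=ip, first_seen=ts)).last_seen = ts
        service = ICS_PORTS.get(dport) or IT_PORTS.get(dport) or f"{proto}/{dport}"
        assets[dst].served[dport] = service
        assets[src].talks_to.add(service)
    return assets


def find_anomalies(assets):
    """Flag controllers exposing IT services or initiating IT-protocol connections."""
    findings = []
    for a in assets.values():
        if a.role != "controller":
            continue
        for port, svc in a.served.items():
            if port not in ICS_PORTS:
                findings.append(f"{a.ip}: non-ICS service {svc} exposed on a controller")
        for svc in a.talks_to:
            if svc in IT_PORTS.values():
                findings.append(f"{a.ip}: controller initiating outbound {svc} connection")
    return findings


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for asset in sorted(inventory.values(), key=lambda a: a.criticality):
        print(f"{asset.ip:12} {asset.role:11} {asset.criticality:6} serves={sorted(asset.served.values())}")
    for line in find_anomalies(inventory):
        print("ALERT", line)
```

On the constructed sample this yields eight assets, four of them controllers, and two findings: a controller answering RDP and a controller opening an outbound HTTPS connection. Both are the kind of mismatch between asset value and exposure that an audit-driven, once-a-year inventory never surfaces.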
6. Incident Response / Forensics
The difference here is one of priorities: in OT, system resumption comes before a detailed forensic investigation of the incident, because downtime has very tangible consequences and a very large price tag. The practical consequence is that volatile evidence (running processes, open connections, logged-in sessions) is gone the moment a host is restarted, so whatever is going to be captured has to be captured in the minutes before restoration, not afterwards.
In corporate IT, by contrast, the real impact of business interruption is much harder to quantify, and given the higher frequency of attacks it is easier to dedicate time to investigating incidents properly with the aim of stopping future attempts.
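A minimal capture of that volatile state, as an added example rather than anything from the original article: it assumes a Linux host with the usual `ps`, `ss`, `who`, `uptime` and `mount` tools (any that are missing are recorded as skipped), writes each output to a file and produces a SHA-256 manifest so the capture can be shown to be unaltered later. The command list and output layout are this example's own choices.

```python
"""Snapshot volatile host state before an OT host is restored.

Added example, not code from the original article. When resumption is
the priority, the evidence lost first is volatile state: running
processes, listening sockets, logged-in users. This captures that state
in seconds and writes a SHA-256 manifest so the capture can be verified
later. Commands assume a Linux host with standard tools; anything not
present is recorded as skipped rather than stopping the capture.
"""
import hashlib
import json
import os
import platform
import shutil
import subprocess
import time

# Volatile-state commands, most perishable first. Adjust for the target platform.
DEFAULT_COMMANDS = {
    "processes": ["ps", "-eo", "pid,ppid,user,etime,args"],
    "sockets": ["ss", "-tulpan"],
    "users": ["who"],
    "uptime": ["uptime"],
    "mounts": ["mount"],
}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_triage(out_dir, commands=None, timeout=30):
    """Run each command, store its output, and return the manifest that was written."""
    commands = DEFAULT_COMMANDS if commands is None else commands
    os.makedirs(out_dir, exist_ok=True)
    manifest = {
        "host": platform.node(),
        "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "artifacts": {},
    }
    for name, cmd in commands.items():
        if shutil.which(cmd[0]) is None:
            manifest["artifacts"][name] = {"status": "skipped", "reason": f"{cmd[0]} not found"}
            continue
        filename = f"{name}.txt"
        path = os.path.join(out_dir, filename)
        try:
            with open(path, "wb") as fh:
                subprocess.run(cmd, stdout=fh, stderr=subprocess.STDOUT, timeout=timeout, check=False)
        except subprocess.TimeoutExpired:
            # A hung tool must not hold up restoration; keep whatever was written.
            manifest["artifacts"][name] = {"status": "timeout", "file": filename}
            continue
        manifest["artifacts"][name] = {"status": "captured", "file": filename, "sha256": sha256_file(path)}
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_triage(out_dir):
    """Re-hash captured artifacts against the manifest; returns the names that no longer match."""
    with open(os.path.join(out_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    mismatches = []
    for name, entry in manifest["artifacts"].items():
        if entry["status"] != "captured":
            continue
        path = os.path.join(out_dir, entry["file"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    target = f"triage-{time.strftime('%Y%m%dT%H%M%SZ', time.gmtime())}"
    result = collect_triage(target)
    for name, entry in result["artifacts"].items():
        print(f"{name:10} {entry['status']}")
    print("tamper check:", verify_triage(target) or "ok")
```

Run it to a removable drive or a network share, not to the host being restored, and copy the manifest somewhere the restoration team cannot reach; the point of hashing at capture time is that a later investigation can trust files collected in a hurry by people whose job that day was to get the plant running.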
7. Physical & Environmental Security
Here is where critical infrastructure trumps its enterprise counterparts: against almost every conceivable metric, physical security of ICS environments is usually a great deal more mature. Expect sophisticated identity and access management systems with tiered access granted only to those who need it, video surveillance, security patrols and more.
In the enterprise space, it can be excellent – think of locked-down data centres – but equally, modern, open-plan offices often present security challenges.
8. Secure Systems Development
Secure development in corporate IT is an integral part of the development process, driven by enterprise customers' increased awareness of the need for baked-in security.
In OT, however, security has historically not been part of the development process at all. The result is complex infrastructure running on outdated ICS software that is very hard to retrofit with modern security controls.
9. Security Compliance
Compliance is a much greater issue in ICS environments owing to the nature of the industries in which they operate. Regulation is very tight, especially in Europe within the civil nuclear sector, for instance, and sector-specific guidance is issued for each 'critical' sector. The US defines 16 critical infrastructure sectors through the Department of Homeland Security.
In enterprise IT there is not the same regulatory oversight, although in certain sectors and regions compliance with overarching data protection regulations is binding.