SIGNAL Executive Video: Extending Cybersecurity to Physical Systems
Cybersecurity is one of the key growth skills of the modern age, but there is a major difference between providing security for purely online or electronic systems and those that interact with the physical world.
The distinction between information technology (IT) and operational technology (OT) is an important facet for cybersecurity operations, Carey Miller, managing director of Deloitte and Touche’s Cyber and Strategic Risk Practice, told SIGNAL Magazine Senior Editor Kimberly Underwood in a SIGNAL Executive Video Series discussion.
IT and OT work closely with each other and often overlap. Miller noted that many ecosystems commonly thought of as residing exclusively in cyberspace actually include both of these categories.
By definition, IT systems focus more on the transmission, storing and processing of data while OT systems focus on controlling physical processes. OT systems predominate in areas such as critical infrastructure, industrial processes and weapons systems. “Things that directly interact with the physical world,” Miller said.
There are three major differences between IT and OT: life cycle, access and adversarial intent.
Regarding life cycle, many organizations have the opportunity to replace or upgrade their IT systems every three to five years, but OT systems can have life cycles of 20 to 40 years or more, Miller said.
Access is another issue. OT systems aren’t designed for a traditional “patch” like IT systems use when an error or weakness is discovered. “They’re not often that accessible, they’re sometimes not easily and automatically updated or refreshed,” Miller explained.
Adversarial intent is also important. Miller notes that in IT systems, the target for hackers is data that can be accessed, modified or denied. In OT the target is the process itself. “If the adversary can control or change the process, then they can have direct impact on the physical world, often with much higher consequences,” she said.
OT systems also present a cybersecurity challenge because they are substantially different from pure IT-based systems. Because OT systems control physical processes, the knowledge requirements to properly operate and maintain them are very different and diverse, Miller said.
Because OT systems are often systems of systems, cybersecurity teams must contain individuals with a variety of skills and expertise, especially in the different engineering and technology specifications for the systems they are protecting.
This also means that cybersecurity personnel need tools “that are tailored to the domain that they’re operating in and the systems that they’re working in,” Miller said.