Why OT has different needs than IT

Too basic to write down?

Last week, a contact from the critical infrastructure sector called me because he had a management meeting at the end of the week. He wanted to explain to management why OT has different needs than IT regarding both operations and security.

IT (information technology) moves data and OT (operational technology) moves physical processes, that much is clear. In the ICS security community, we’ve all talked so much about “IT vs OT” that we’re tired of it. There have been myriads of presentations on the topic, and fortunately, the most important ICS security conferences state that they do not accept any more “IT vs OT” content.

Thus, my first reaction was “sure, we can help out!”. A second later, I realized I did not have any concise summary on the “IT vs OT” topic handy. But I thought that was just me. Programming is googling, and so is finding a summary on one of the most discussed topics in my industry, I figured — refusing to believe that I would need to reinvent the wheel.

I did go further than googling though. I asked Twitter and Beer ISAC if they knew of any short, to-the-point document or graphic summarizing the main differences between IT and OT and why they result in different needs regarding operations and security. While much to my surprise no one pointed me to a one-page-summary that I was sure had to exist (and maybe does, but no one knows where), a lot of people answered with their views of what causes the biggest differences between IT and OT.

I did my best to distill everything into a one-page-summary, which I’m sharing below. Most likely, it is not complete —feel free to point out what you think is missing, so the next time one of us gets asked about an “IT vs OT” one-pager, we can swiftly pull something out of our drawers.

Thanks to everyone who participated in the discussion! Here’s the original twitter thread:

Translations of the “IT vs OT” one-pager:

• Polish: Blogpost at SEQRED.pl (direct link to image)

Update March 16, 2020:

Thanks to everyone who helped improve the IT vs OT one-pager during the last two weeks!
The following changes were made. Also, I added some links to further reading at the end of this article.

Operation environment:

• Added “easy to access” for IT and “could be hard to reach” for OT.
  (added from NIST SP 800–82r2, thanks to Anton Shipulin!)

Life cycle / dynamism:

• Added for IT: Large, scalable, flexible networks with hundreds / thousands of components.
• Added for OT: More static topology with a smaller number of components.
  (added from ISA InTech May 2014, thanks to Michael Lester)

Priorities in operation:

• High troughtput in data transmission added for IT,
• Determinsm of functions, integrity of data, real-time data transmission without delay or jitter added for OT.
  (thanks to Michael Effertz and Anton Shipulin!)

Regulations / compliance:

• Typo corrected. “Manafement” is no more.
  (thanks to everyone!)
• At “Public interest in addition to commercial interest”: added “if critical infrastructure or large hazard potential”
  (thanks to Jan Ludwig Tiedemann!)

Further reading

This one-pager is by no means the only resource to learn about differences in IT and OT. Here are links to good reads on the topic:

1. ISA InTech, May 2014: Top 10 Differences Between ICS and IT Cybersecurity
2. NIST SP 800–82r2, ch. 2.4: Comparing ICS and IT systems security

I’ve included most points from NIST SP 800–82 in the graphic by now.

The ISA InTech article contains some more detailed implementation differences regarding network topologies and segmentation and user accounts that I did not include as I feared they are hard to generalize, even though they are definitely useful information.

Thanks to Michael Lester and Anton Shipulin for pointing me towards the above publications.