Blog 04: Part 03 – IT = OT

There has been quite a buzz recently about bringing “operational technology” (OT) under the purview of IT at many organizations. I say recent, even though the Gartner article (G00214810) included with this section’s readings is dated 2011.  But I suppose it is their job to predict future trends.  Good job!

So, the idea behind OT in manufacturing environments is threefold:

  • 1) Integration – This one is not a new idea. SCADA architectures have been around for a while now; what I have noticed as a recent trend, though, is the ability of machinery and equipment to be networked “out of the box” without needing to purchase additional hardware or software licenses.  Much like the proliferation of IoT devices, the thinking seems to be “When in doubt, put a NIC in it!”
  • 2) Risk Reduction – Hand in hand with the explosion of all these new hosts on the network comes dealing with the associated risk.  In my experience, these shop floor devices interface with the network in one of two ways.  A) Indirectly – via a dedicated PC running proprietary interface software, sometimes equipped with a specialty hardware interface.  The PC often “comes with” the machine and is supported by the vendor, which in practice means it stays frozen at whatever OS image and patch level the vendor validated.  B) Directly – the piece of equipment has an embedded version of Windows or Linux built in and talks to the network itself.  In both scenarios the risk comes from having un-managed hosts on your network: nobody on the IT side patches them, inventories them, or runs an agent on them.  Endpoint security tools built for desktop versions of Windows often will not install or are unsupported on the embedded flavors of the OS, and vendors rarely ship anything equivalent for their Linux images.  (That would matter less if the Linux image were not so often a horribly outdated and un-patched distro.)  So, because of this additional risk, it is good practice to segment these devices from the rest of the network, either logically (VLANs and firewall rules) or physically, so that a compromised or simply buggy machine cannot reach, or be reached from, the corporate network.
  • 3) Standardization – This one is currently the weakest of the three and hopefully will be fleshed out better in the near future.  Most of the risks I mentioned in #2 would be easier to manage if all of these devices shared a common operating system, or even just a common communications protocol, since one set of monitoring and patching tools could then cover them.  I feel like in the IoT space manufacturers are still jockeying to have THEIR protocol become the next standard, so it kind of feels like a “walled garden” situation where in a sense you are locked into a specific manufacturer.  There already exists a (fairly new) standard, ISO/IEC 20922:2016, which standardizes the MQTT messaging protocol; the catch is that vendors now actually need to adopt it.

My advice to EAs working on OT architectures in the near future is to concentrate on a robust and secure network.  Dedicated, heavily firewalled, and segmented is the way to go.  Keep the entire shop floor firewalled off from the corporate network with a default-deny policy, allowing only the specific flows that genuinely need to cross (a historian or data collector, for example) rather than letting corporate workstations talk to equipment directly.  Keep equipment from different manufacturers separated in their own VLANs.  And within those VLANs, segment different communications protocols into their own subnets, so that a Modbus/TCP device and an OPC UA device from the same vendor are not sitting on the same wire.
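To make the segmentation described in the risk-reduction point and in the advice above concrete, here is a small added example (written for this post, not code from the original article or from any vendor) that models the address plan as zones and evaluates traffic against a default-deny allow-list. All CIDRs, vendor names, zone names and port numbers are assumed for illustration; the only real facts baked in are the usual ports for Modbus/TCP (502) and OPC UA (4840). The `audit` function checks a proposed rule set against the three design rules: corporate hosts never reach equipment directly, vendor VLANs stay separate, and protocol subnets within a vendor VLAN stay separate.

```python
"""Policy model for a segmented shop-floor network (added example, assumed addresses)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Zone:
    cidr: str
    side: str                        # "corp" or "ot"
    vendor: Optional[str] = None     # set only for equipment subnets
    protocol: Optional[str] = None   # set only for equipment subnets


# Address plan assumed for the example; not taken from any real site.
ZONES = {
    "corp-users":       Zone("10.1.0.0/16", "corp"),
    "ot-historian":     Zone("10.50.0.0/24", "ot"),            # brokered path into the floor
    "vendorA-modbus":   Zone("10.100.10.0/24", "ot", "vendorA", "modbus"),    # VLAN 100
    "vendorA-opcua":    Zone("10.100.20.0/24", "ot", "vendorA", "opcua"),     # VLAN 100
    "vendorB-profinet": Zone("10.200.10.0/24", "ot", "vendorB", "profinet"),  # VLAN 200
}
NETWORKS = {name: ipaddress.ip_network(z.cidr) for name, z in ZONES.items()}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int


# Explicit allow-list between zones; anything not listed is denied.
ALLOW = frozenset({
    Rule("ot-historian", "vendorA-modbus", "tcp", 502),    # Modbus/TCP polling
    Rule("ot-historian", "vendorA-opcua", "tcp", 4840),    # OPC UA
    Rule("corp-users", "ot-historian", "tcp", 443),        # users read the historian, not the PLCs
})


def zone_of(ip: str) -> Optional[str]:
    """Return the zone name containing ip, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int, allow=ALLOW) -> bool:
    """Default-deny evaluation of a single flow between two hosts."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False                    # unknown host: treat as unmanaged and drop
    if src == dst:
        return True                     # same subnet: never crosses the firewall
    return Rule(src, dst, proto.lower(), dport) in allow


def audit(rules) -> list:
    """Flag rules that would violate the segmentation design."""
    findings = []
    for r in rules:
        s, d = ZONES.get(r.src_zone), ZONES.get(r.dst_zone)
        if s is None or d is None:
            findings.append(f"{r}: references an undefined zone")
            continue
        if s.side == "corp" and d.vendor is not None:
            findings.append(f"{r}: corporate hosts must not reach equipment directly")
        if s.vendor and d.vendor:
            if s.vendor != d.vendor:
                findings.append(f"{r}: crosses vendor VLANs")
            elif s.protocol != d.protocol:
                findings.append(f"{r}: crosses protocol subnets inside one vendor VLAN")
    return findings


if __name__ == "__main__":
    print(is_allowed("10.50.0.5", "10.100.10.7", "tcp", 502))   # historian -> Modbus PLC
    print(is_allowed("10.1.4.20", "10.100.10.7", "tcp", 502))   # workstation -> PLC
    for f in audit([Rule("corp-users", "vendorA-modbus", "tcp", 502)]):
        print(f)
```

Running the block prints `True` for the historian polling the PLC and `False` for a corporate workstation trying the same thing, followed by the audit finding for the bad rule. The same structure maps fairly directly onto real firewall objects: one address group per zone, the allow-list as the only permit rules, and a final deny; the `audit` step is the kind of check worth running on any change request before it reaches the firewall.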

 
