IT OT Convergence: 3 Big Reasons IT Pros Should Care

[Image: two train tracks converging through a switch to pass through a rock cut. Caption: “As our buildings become more and more integrated, the two teams must come together in this ecosystem.”]

The lines are blurring. More often than not, IT professionals are asked to be involved in the deployment, management, and monitoring of operational technology (OT) networks within their facilities. As IT OT convergence progresses, additional goals for energy efficiency, decarbonization, and cybersecurity make it essential for IT professionals to develop a deeper understanding of OT networks. 

Let’s look at three big reasons a modern IT team should care about the role OT networks play in smart buildings, how those areas now include their skills and assets, and how to begin to bridge the gap between the two areas of expertise.

#1. IT OT Convergence Will Only Continue

Until a decade ago, IT and OT mostly ran on isolated networks. Physically separated by different communication lines (Ethernet vs. RS-485 twisted pair) and logically separated by different networking protocols (e.g. TCP/IP vs. MS/TP), the building systems that typically fall under the OT umbrella, such as HVAC, lighting, or elevators, gave IT teams no reason to concern themselves with them. These systems ran separate hardware and software that never crossed over into the realm of an IT network.

That was then. Today, the majority of OT networks have evolved to take advantage of the speed and scalability of IT infrastructure. With hardware capable of leveraging the same IP protocols (like BACnet/IP) and the same wired and wireless connections, OT networks are largely integrated within (and rely on) IP-driven systems. 

What does that mean for the IT team? While IT teams may not be responsible for the upkeep of OT systems themselves, as caretakers of what is now the OT network backbone they share responsibility for ensuring interoperability, performance, and uptime.

As a result, IT teams can expect to have more involvement in OT operations on-site, such as:

  • Taking part in consultations and planning for new installations or upgrades to OT networks.
  • Ensuring capacity and interoperability for OT networks across IT systems.
  • Physically providing access to the IT network through port placement and switch/AP access.
  • Expanding access to new OT network segments.

Dan Ronald, Head of Product for Application Integration at AWS explains, “As our buildings become more and more integrated, the two teams must come together in this ecosystem.”

OT Needs IT to Understand Them

OT network professionals rely on the experience IT teams have with common network management and security to build a solid IP network foundation. In turn, IT partners must be willing to understand the unique needs of OT networks. For example, BACnet/IP uses its own device discovery services, WHO-IS/I-AM, which are broadcasts and therefore are not forwarded by IP routers. To reach other subnets they must go through a BACnet Broadcast Management Device (BBMD), which may be a function of an existing BACnet routing device.

There’s also the fact that BACnet devices need their addresses assigned manually, which can lead to duplicate addresses that are hard to diagnose.
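To make the two BACnet/IP quirks above concrete (broadcast discovery that a BBMD must relay between subnets, and hand-assigned addresses that can collide), here is an added example that is not from the original article and not Optigo’s software: a small Python script that parses BACnet/IP I-Am frames, including ones a BBMD relays as Forwarded-NPDU, and reports device instance numbers claimed by more than one IP. The frame bytes, IP addresses and instance numbers are all constructed for the example; a real deployment would feed it frames captured on UDP port 47808.

```python
"""Detect duplicate BACnet device instances from I-Am broadcasts.

Constructed example: parses BACnet/IP (Annex J) frames just far enough to pull
the device object identifier out of an I-Am, including I-Ams relayed by a BBMD
as Forwarded-NPDU, then reports instance numbers claimed by more than one IP.
"""
import ipaddress
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

BVLC_TYPE = 0x81                # every BACnet/IP frame starts with this byte
BVLC_FORWARDED_NPDU = 0x04      # BBMD relaying a broadcast from another subnet
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
APDU_UNCONFIRMED_REQUEST = 0x1  # high nibble of the first APDU byte
SERVICE_I_AM = 0x00             # unconfirmed service choice 0 (Who-Is is 8)
OBJECT_TYPE_DEVICE = 8
BACNET_PORT = 47808


def parse_i_am(packet: bytes, src_ip: str) -> Optional[Tuple[int, str]]:
    """Return (device_instance, origin_ip) if packet is an I-Am, else None.

    origin_ip is the device that actually sent the I-Am: the BVLC header of a
    Forwarded-NPDU carries it, otherwise it is the IP the frame arrived from.
    """
    try:
        if packet[0] != BVLC_TYPE or struct.unpack_from("!H", packet, 2)[0] != len(packet):
            return None             # not BACnet/IP, or BVLC length disagrees with frame
        function, pos, origin_ip = packet[1], 4, src_ip
        if function == BVLC_FORWARDED_NPDU:
            origin_ip = str(ipaddress.IPv4Address(packet[4:8]))  # 4-byte IP + 2-byte port
            pos = 10
        elif function not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST):
            return None
        # NPDU: version, control, optional DNET/DLEN/DADR, optional SNET/SLEN/SADR, hop count
        if packet[pos] != 0x01:
            return None
        control = packet[pos + 1]
        pos += 2
        if control & 0x80:          # network-layer message, carries no APDU
            return None
        if control & 0x20:          # destination specifier present
            pos += 3 + packet[pos + 2]
        if control & 0x08:          # source specifier present
            pos += 3 + packet[pos + 2]
        if control & 0x20:
            pos += 1                # hop count follows the specifiers
        # APDU: Unconfirmed-Request, service I-Am, then BACnetObjectIdentifier (tag 12, len 4)
        if packet[pos] >> 4 != APDU_UNCONFIRMED_REQUEST or packet[pos + 1] != SERVICE_I_AM:
            return None
        if packet[pos + 2] != 0xC4:
            return None
        obj = struct.unpack_from("!I", packet, pos + 3)[0]
        if obj >> 22 != OBJECT_TYPE_DEVICE:
            return None
        return obj & 0x3FFFFF, origin_ip
    except (IndexError, struct.error):
        return None                 # truncated frame


def build_i_am(instance: int, forwarded_from: Optional[str] = None) -> bytes:
    """Construct an I-Am broadcast for the sample data (not captured traffic)."""
    obj = (OBJECT_TYPE_DEVICE << 22) | instance
    apdu = (bytes([0x10, SERVICE_I_AM, 0xC4]) + struct.pack("!I", obj)
            + bytes([0x22, 0x05, 0xC4])      # max-APDU 1476 (Unsigned, tag 2, len 2)
            + bytes([0x91, 0x03])            # segmentation-supported: none (Enumerated)
            + bytes([0x21, 0x0F]))           # vendor id (Unsigned, tag 2, len 1)
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])  # global broadcast, hop count 255
    body = npdu + apdu
    if forwarded_from is None:
        return bytes([BVLC_TYPE, BVLC_ORIGINAL_BROADCAST]) + struct.pack("!H", 4 + len(body)) + body
    origin = ipaddress.IPv4Address(forwarded_from).packed + struct.pack("!H", BACNET_PORT)
    return bytes([BVLC_TYPE, BVLC_FORWARDED_NPDU]) + struct.pack("!H", 10 + len(body)) + origin + body


def find_duplicate_instances(observations: Iterable[Tuple[str, bytes]]) -> Dict[int, List[str]]:
    """Map each device instance claimed by more than one origin IP to those IPs."""
    claims = defaultdict(set)
    for src_ip, packet in observations:
        parsed = parse_i_am(packet, src_ip)
        if parsed:
            instance, origin = parsed
            claims[instance].add(origin)
    return {inst: sorted(ips) for inst, ips in claims.items() if len(ips) > 1}


# Constructed sample: a Who-Is (ignored), three local I-Ams and one relayed by a BBMD.
WHO_IS_FRAME = bytes.fromhex("810b000c0120ffff00ff1008")
SAMPLE_OBSERVATIONS = [
    ("192.168.10.24", WHO_IS_FRAME),
    ("192.168.10.21", build_i_am(1001)),
    ("192.168.10.22", build_i_am(1002)),
    ("192.168.10.23", build_i_am(1001)),                               # collides with .21
    ("192.168.10.1", build_i_am(1002, forwarded_from="192.168.20.40")),  # BBMD relay, other subnet
]

if __name__ == "__main__":
    for inst, ips in find_duplicate_instances(SAMPLE_OBSERVATIONS).items():
        print(f"device instance {inst} claimed by {', '.join(ips)}")
```

The second duplicate (instance 1002) only becomes visible because the parser reads the original sender out of the Forwarded-NPDU header rather than trusting the BBMD’s IP, which is exactly the cross-subnet case that is hardest to spot by hand.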

These are just some of the issues that highlight the need for a shared understanding of IT OT convergence requirements in order to provide the right kind of support. Without it, modern OT networks will fail, and they run in systems that don’t have convenient failovers and backups.

#2. OT Networks Are Vulnerable to Cyberattacks

OT networks were developed for machine-to-machine communications in a closed-loop environment. And for the most part, they still are. As small, isolated communications systems dedicated to managing building automation systems (BAS), it was never envisioned that they would live within a globally connected network.

As a result, OT network devices are easy targets for malicious actors. Most OT networking hardware lacks even basic error correction and firewall capabilities. Nor can it be easily patched or updated to thwart evolving threats; devices commonly go years without any maintenance (not a routine we recommend!).

We’ve also developed a best practice guide for IT professionals on what a good OT network looks like. Read up on it here. 

There are precedents for this type of breach as well. In 2013, hackers were able to infiltrate Target through the network access provided to an HVAC subcontractor. Because there was no internal firewall or other security measures between the OT and IT networks, the hackers gained free access to the larger network. The attackers succeeded in uploading card-stealing malicious software to a small number of cash registers within Target stores, then expanded their attack to all POS machines in the network, ultimately siphoning off 40 million debit and credit card accounts over a few weeks. It is estimated the total cost of recovery was well over $100 million.

Cybersecurity firm Dragos points out that the definition of what constitutes a security risk has traditionally been different for OT network managers. “The traditional IT security risk equation does not account for the functional, real-world physical outputs of industrial processes. Because of the link to physical impacts and reliability, industrial cyber risk should include additional concepts from disaster recovery and business continuity.”

In short, OT systems should be thought of as just as critical as IT systems. If HVAC/Lighting systems stop working, occupant comfort, safety, and productivity are affected. But more often, easily compromised OT networks can become a gateway to IT systems, leading to potential security and financial risk. Without a conscious effort by IT teams to ensure OT networks are inside their envelope of protection, they will remain a serious security threat. 

#3. IoT is Just OT

The Internet of Things (IoT)—the concept of networking thousands of previously unconnected devices to gather data about our physical space—has come to dominate the smart automation discussion. So much so that, in some circles, OT networks have been given the derivative moniker “Industrial IoT,” or IIoT. Names aside, the foundational approach is unchanged: it’s a network of devices designed to monitor a variety of physical processes and events to inform feedback and control. That’s an OT system!

From a design and operational perspective, most professionals consider IoT ecosystems an extension of OT networks. After all, it’s the OT network protocols that connect IoT devices to the larger network, and they are deployed, monitored, and maintained by OT teams and systems integration professionals.

What does that mean for the IT crowd? By leveraging the real-time data from IoT/OT systems through the advanced capabilities of IT systems, companies enable more informed decision-making, enhanced operational efficiency, and boosted productivity. For example, proactive maintenance schedules can be optimized by analyzing equipment data metrics, reducing downtime, and extending machinery lifespan. An integrated approach facilitates better resource management and process optimization, leading to cost savings and improved product quality. 

The data from IoT sensors and hardware is just as valuable as the information from IT systems, so it must be provided the same laneways. OT networks were not designed to handle the influx of hundreds or thousands of IoT devices that can live within modern automated buildings, facilities, or campuses, but IP-based networks are. This is and will continue to be a driving factor behind IT OT convergence.

[Image: a laptop displaying OptigoVN diagnostic results for BACnet MS/TP troubleshooting issues. Caption: How many issues will you solve today?]

Can IT and OT Teams Come Together?

All these arguments are great, but when it comes to actually creating change, where do we start? Fortunately, there are a few areas where IT teams can start to include their OT counterparts to create meaningful partnerships.

Treat it Like Onboarding

Just as OT networking-related terminology and methodology may be unfamiliar to IT professionals, the same is true on the other side. Many OT network experts have spent years focusing on their ecosystem, and for a long time, that didn’t include navigating IP-based technology. Most seasoned OT managers are going to know more about multimeters and HVAC controllers than routers and firewalls.

Consider what a person new to IT network management might need to onboard, then work with your OT partners to make sure they have access to it. At the same time, ask your counterparts to do the same. With a common understanding of the language, protocols, and needs of each side, you can begin to take a wider view of the new network that needs to be maintained. 

OT network security firm TXOne stresses the importance of integrated training as the key “human factor” in reducing knowledge gaps.

“Effective training programs and cross-disciplinary initiatives become paramount to bridge the knowledge gap and create a unified workforce capable of navigating the complex terrain of IT/OT convergence. In overcoming these human challenges, organizations can unlock the true potential of a seamlessly integrated technological ecosystem.”

Develop IT OT Network Convergence-Specific Response Plans

As we discussed, OT networks now represent a new and vulnerable attack vector to IT security teams. As they become part of the larger connected network you oversee, they need to be brought under your security coverage. And that means including them in your response planning. 

Modern OT networks may rely on IT network backbones for function, but what they focus on, and what they consider critical functions, can be very different. Traditional response plans for IT-based networks tend to focus on protecting sensitive data or financial processes. That means creating redundancies—the idea that a failover system can take over instantaneously in the event of an outage. 

It’s not quite the same for OT networks. Their focus is on protecting physical and environmental systems that by their nature don’t tend to have backups. If an elevator bank or HVAC system goes down, there isn’t a second set that can spin up to accommodate. 

So when planning for incident response, make sure you’re consulting with those responsible for maintaining the OT network to understand their priorities in a crisis. The Government of Canada has put together an in-depth guide to creating response plans that specifically address IT OT convergence concerns. They specifically call out that need. “It is important to consider that the same specialists used during commissioning may also be required if the industrial control process is compromised or impacted by a cyber incident.”

Cybersecurity Postures That Include OT Operations

  • Build a defensible architecture. Start at the network edge and work your way in, using IT network mapping and monitoring tools to identify IT and OT data flows both within the network itself and to and from cloud environments.
  • Implement network monitoring. Use OT-specific network monitoring tools like OptigoVN to extend your network observability to industrial assets. This lets you scale and automate threat detection, identify vulnerabilities for action, and support incident response processes.
  • Establish remote access authentication. Enable zero-trust and multi-factor authentication where possible, as the most effective control for remote access. If that’s not possible, consider alternate controls like jump hosts with focused monitoring.
  • Manage key vulnerabilities. Prioritize vulnerabilities that bridge IT and OT over vulnerabilities that reside deep within the network.
  • Network segmentation. TXOne sums up this concept best: “by isolating different segments, you can prevent the lateral movement of cyber threats.” Just like a firebreak in forestry, limiting the interaction between OT networks that don’t require internet access and IT systems that do is another best practice for shrinking possible breach points.
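The posture list above comes down to a few flow rules: OT talks to IT only through a monitored DMZ, remote access into OT goes only through a jump host, and anything that bridges IT and OT directly gets looked at first. As an added example, not from the original article or Optigo’s product, here is a Python script that encodes those rules as a segmentation policy and triages flow records against it. The address plan (10.50.0.0/16 for OT, 10.10.0.0/16 for IT, 10.90.0.0/24 for the DMZ), the jump host and collector addresses, and the flow records are all constructed for the example; in practice the records would come from firewall logs, NetFlow, or a monitoring tool.

```python
"""Triage IT/OT boundary crossings in flow records against a segmentation policy.

Constructed example: zones, hosts and flow records are invented. The policy
encodes the advice above (OT reaches IT only via a monitored DMZ, remote access
only through a jump host) and ranks findings that bridge IT and OT first.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ZONES = {  # constructed address plan
    "OT": ipaddress.ip_network("10.50.0.0/16"),
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.90.0.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
JUMP_HOST = ipaddress.ip_address("10.90.0.10")     # the only sanctioned path into OT
OT_COLLECTOR = ipaddress.ip_address("10.90.0.20")  # receives monitoring export from OT
BACNET_PORT = 47808


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Zone name for an address; non-RFC1918 space outside the plan is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN" if any(addr in net for net in RFC1918) else "EXTERNAL"


def evaluate(flow: Flow) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("flag", reason). HIGH reasons bridge IT and OT."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src_zone == dst_zone and src_zone in ZONES:
        return "allow", None                                   # intra-zone traffic
    if src_zone == "OT":
        if dst_zone == "DMZ" and dst == OT_COLLECTOR:
            return "allow", None                               # telemetry to the collector
        if dst_zone == "EXTERNAL":
            return "flag", "HIGH: OT device reaching the internet"
        return "flag", f"HIGH: OT to {dst_zone} bypasses the DMZ"
    if dst_zone == "OT":
        if src == JUMP_HOST and (flow.proto, flow.dport) in {("tcp", 22), ("udp", BACNET_PORT)}:
            return "allow", None                               # sanctioned remote access
        return "flag", f"HIGH: {src_zone} host entering OT outside the jump host"
    if src_zone == "IT" and dst_zone == "DMZ" and dst == JUMP_HOST and flow.dport == 22:
        return "allow", None                                   # admin reaching the jump host
    return "flag", f"LOW: unexpected {src_zone} to {dst_zone} flow"


def triage(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Flagged flows, HIGH findings first, then by source address."""
    findings = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "flag":
            findings.append((flow, reason))
    return sorted(findings, key=lambda fr: (not fr[1].startswith("HIGH"), fr[0].src))


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.50.1.21", "10.50.1.22", "udp", 47808),   # BACnet between two controllers
    Flow("10.50.1.21", "10.90.0.20", "udp", 514),     # syslog from OT to the collector
    Flow("10.90.0.10", "10.50.1.21", "tcp", 22),      # jump host SSH into OT
    Flow("10.10.5.7", "10.90.0.10", "tcp", 22),       # IT admin reaching the jump host
    Flow("10.10.5.7", "10.50.1.21", "tcp", 80),       # IT workstation straight into OT
    Flow("10.50.1.30", "203.0.113.9", "tcp", 443),    # HVAC controller talking to the internet
    Flow("10.50.1.22", "10.10.5.7", "udp", 47808),    # BACnet from OT landing in IT
    Flow("10.10.5.7", "10.90.0.20", "tcp", 443),      # IT to the collector's web UI
]

if __name__ == "__main__":
    for flow, reason in triage(SAMPLE_FLOWS):
        print(f"{reason}: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The ordering is the point: the three HIGH findings are the ones that cross the IT/OT boundary directly, which is what the “manage key vulnerabilities” bullet says to handle first, while the IT-to-collector flow is merely unexpected and ranks last.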

Extending Network Observability with OptigoVN 

Optigo Visual Networks is next-generation network monitoring software for BACnet OT networks that brings the deep network observability IT professionals have come to expect from their own platforms. With Site Scope add-ons, you gain mission-critical context for troubleshooting down to the device level.

Our network diagnostic tools quickly identify and resolve issues on OT systems, saving time and effort for IT and OT professionals. No more manual splitting or decoding of packet traffic needed.

Ready to experience the best way to extend IT-standard network monitoring and management to the OT systems in your networks? Contact us for a demo, or create your free account, and get started today!
