OT Networks, IT Integration? Your OT Network Questions, Answered: Ep. 10

Sometimes it’s easy to get stuck into a well-discussed topic and forget that some folks may not be as well versed in it. Nowhere is this more obvious than when talking about the full-fledged convergence of OT networks into larger IT systems (aka IT/OT convergence!).

In this episode, we’re tackling some general questions about IT and OT networks co-existing, for those on the IT side who may not be familiar with OT networks, and for those new to the industry who’ll need to understand these concepts going forward!

Thanks for sending in all your questions! If you’d like us to tackle a particular topic, send them our way. We love digging deep to help make your BACnet/OT networks more reliable.

Send us a message on LinkedIn, Reddit, or Bluesky, or email us at marketing[at]optigo.net.

Want to get the latest episodes the moment they get published? Subscribe to our YouTube channel, and you get access to videos days before we post them here!

Here’s What Ping Covers in Episode 10:

  • What exactly IS an OT network, and how is it different from an IT network?
  • How can OT and IT teams collaborate without finger-pointing?
  • What kind of security risks do OT networks introduce, and how can I deal with them?

Transcript


1. That’s probably one of the most important questions, and we probably should’ve answered it from the beginning! There’s no real hard definition of an OT network. I think it was many years ago when many of us, including myself, were looking to distinguish a network that connects operational technology devices like security cameras, access control, building automation devices, lighting control devices, waste management devices.

And in many cases, we found ourselves not able to use an IT network for whatever reason. Very often it’s that the IT network didn’t extend to where the devices needed to be. Maybe the IT network was already too busy to then also be used for a new service that previously did not need a network. So it’s a tough question, but I think the answer is simply a network that is dedicated to connecting these operational technology devices.

There’s nothing fundamentally different between an IT network and an OT network from a structure point of view. But it is very different in its requirements, its usage. An IT network would tend to be very bursty. Nine to five, Monday to Friday, it will be extremely busy. Whereas in a network that runs lighting control, building automation, security systems, yes, there’s some burstiness, but it’s much more steady state. In an IT network, you can deal with dropped packets, right? Your email takes a little longer to send. You get a couple of pixels on your Zoom call, or the voice call has a couple of clicks in it. Not a big deal.

But when you are trying to update a weekend schedule to a bunch of controllers and that doesn’t take, that’s not great, right? A lighting control that misses a command, not great. A security system that doesn’t work perfectly, not good.

So to summarize again: fundamentally, structure-wise, technology-wise, the OT network and IT network will not necessarily be very different, the network itself, but the expectation, the usage, the quality of service, the service it needs to render, the SLA around it, that could be very different. The OT network may be the responsibility of the IT team, that’s great, or it may not be, and that’s very different.

2. The biggest factor for success I’ve seen over the years, and we’ve seen a lot of great organizations, both end customers and system integrators, have great success working with IT teams, always came down to one thing: finding that champion that bridges between the two.

Often we’ll find that champion coming from the IT world: the IT department, the IT service team realizes that this building automation, this building system, this operational technology arm of the business needs support. Maybe it started with them needing a lot of servers to be brought up, and then they realized that they needed ports in places that IT didn’t serve.

But really, when the IT team puts in place a champion, someone who would take the time to learn the terminology, learn the priorities, learn the schedules and projects of these operational technology teams, that’s the number one thing I’ve found for success in collaboration. It comes down to understanding what a BBMD is, right? Helping the building automation team understand what a DHCP IP reservation is. What is the difference between a VPN and a Zero Trust Network? Now, these are very important topics, but if we don’t find someone who becomes that bridge between the two, then we’re always speaking different languages.

Bring them in early, right? If you have a project that you’re getting going, if you are a system integrator working with a customer and on the customer side there’s no one from the IT team, ask them to bring someone from IT right away. And maybe that first conversation doesn’t have a lot of weight in it. Maybe you still just need one IP address and you’ll build a network after that. But even just introducing yourself, that goes a long way. So trust that, even though in the past we’ve had friction, if we take the time to explain our priorities, our needs, most of the time they are down to help us. And it’s only when we approach them when it’s too late that it’s normal they get annoyed at us. We all do need to step up and learn a little bit more about general IT topics: cloud versus private versus on-premise.

Understand the difference between a router and a switch. Understand that their schedules for maintenance are different than yours. That you can’t ask for a Windows 2000 server. And understand that, you know, if they put security rules around you, it’s to protect you and protect them. It’s annoying. Yeah, perhaps it might make your job a little longer to accomplish, but it’s now a normal, standard thing to do.

3. First of all, cybersecurity is very complex. It is definitely the layers of the onion. The more layers you have, the more you can protect that information that’s in the middle. But cybersecurity can also be thought of as five pillars. Assets: know what you have. Detect when something changes. Protect the data that you want to protect. Have a plan to recover when an incident happens.

And respond, sorry. The last one is respond. Know how you will respond when an incident happens. So of those five pillars, the last two, respond and recover, are much more human policies. You know, have a practiced plan. What happens if the worst-case scenario happens? How do you communicate it, and then how do you respond and recover from it? But the first three are very technology oriented. They can be very technology oriented.

And so let’s start with that. When we introduce a building automation system into IT systems, we’re introducing a huge amount of unknown. What I mean by that is the IT team, they really understand computers, servers, internet access, all these things. They don’t know what a BBMD is. They certainly don’t know what MS/TP is. They don’t understand why you still need that old server that you had from 20 years ago. You’re introducing an incredible amount of unknown, and that’s very uncomfortable.

So one of the pillars of cybersecurity is know what you have, right? If you have a home and you want to protect your home and you lock two doors, but you actually have three, your home is not that well protected. Same idea. So in terms of cybersecurity, help elevate the knowledge of what you’re introducing and therefore reduce the unknown factor, right? I would say the scanning tools that IT teams have will not scan through MS/TP, ARCNET, Modbus, LON, and so it introduces an incredible amount of unknown. And that’s when you need to look at operational technology, building automation specific tools, like of course Optigo Visual Networks, to help understand what is part of that system. There are two big Achilles’ heels, I would say, in building automation or BACnet specifically.

BBMDs. Without going into a ton of detail, BBMDs can become basically the directory assistance of BACnet systems. If the BBMD is exposed, technically speaking, once that’s exposed, a hacker can gain access to the entire BACnet system. So protect it, make sure that the BBMD is well protected. Make sure that there are firewalls around it, and if the IT team can help you monitor the traffic going in and out of the BBMD, do that. The anomalies around that could reveal a lot. The second would be anything that’s non-IP. Again, IT has developed incredible tools and knowledge around IP-based systems. But when you now tack on a BACnet router, and then on the side of this MS/TP, and that MS/TP goes above ceiling tiles, that means that someone can pop one up, plug an RS-485 connection into a laptop, and leverage that connection into the rest of your system. That becomes an insider attack. That firewall that protects the outside world from the inside world doesn’t protect that MS/TP communication into it. So to summarize, I think, help elevate the understanding of what you are introducing, because that level of unknown is very uneasy. When it comes to protecting, I would protect your BBMD, and foreign device is another function of BBMDs, be very careful with that.

I think probably the most important concept of cybersecurity is to understand that the level of effort depends on the level of sensitivity of the information you’re trying to protect. The cybersecurity profile around a shoe store won’t be the same as around a healthcare provider, or around governmental or financial ones.

So you may have to adapt; you can’t use the same plan for all of them. And understand that in some contexts you will have to put more emphasis on cybersecurity, which means that you might have to give up a little bit of availability, access to the data. Whereas in some cases, the cybersecurity profile is not as stringent, and so you can increase your access to the information, access to the system. So that balance: understand what you’re designing for.
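The two “protect” points above for the BBMD, watching the traffic going in and out of it and being careful with foreign-device registration, can be turned into a concrete check. The script below is an added example (not Optigo’s code and not a transcript of any tool mentioned in the episode): it parses the 4-byte BVLC header that every BACnet/IP datagram on UDP 47808 carries (type 0x81, function code, total length, per ASHRAE 135 Annex J), records which addresses use which BVLC functions (the “know what you have” inventory for the BBMD), and raises an alert when a BBMD management function (Register-Foreign-Device, Write-Broadcast-Distribution-Table, Delete-Foreign-Device-Table-Entry) arrives from outside an allow-list, or when a Forwarded-NPDU arrives from an address that is not a known peer BBMD. The allow-list, the peer-BBMD set and the sample datagrams are all constructed for the example; in a real deployment you would feed it from a SPAN port or a pcap of the BBMD’s interface.

```python
"""Passive BVLC (BACnet/IP) monitor for traffic reaching a BBMD.

Added example. The BVLC header layout and function codes follow ASHRAE 135
Annex J; the allowed networks, peer BBMD list and sample datagrams below are
assumptions constructed for this example, not captured traffic.
"""
import ipaddress
import struct
from collections import defaultdict

BVLC_TYPE_BACNET_IP = 0x81   # first byte of every BACnet/IP BVLL
BACNET_UDP_PORT = 0xBAC0     # 47808

# BVLC function codes (ASHRAE 135 Annex J).
BVLC_FUNCTIONS = {
    0x00: "BVLC-Result",
    0x01: "Write-Broadcast-Distribution-Table",
    0x02: "Read-Broadcast-Distribution-Table",
    0x03: "Read-Broadcast-Distribution-Table-Ack",
    0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device",
    0x06: "Read-Foreign-Device-Table",
    0x07: "Read-Foreign-Device-Table-Ack",
    0x08: "Delete-Foreign-Device-Table-Entry",
    0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
}

# Functions that change who the BBMD forwards broadcasts to. Only a
# management host (or a foreign device you expect) should ever send these.
MANAGEMENT_FUNCTIONS = {0x01, 0x05, 0x08}


def parse_bvlc(payload: bytes):
    """Return (function_code, declared_length), or None if not valid BVLC.

    The length field must equal the whole BVLL length, header included.
    """
    if len(payload) < 4 or payload[0] != BVLC_TYPE_BACNET_IP:
        return None
    function, length = struct.unpack("!BH", payload[1:4])
    if length != len(payload):
        return None
    return function, length


def analyse(datagrams, allowed_nets, peer_bbmds):
    """datagrams: iterable of (src_ip, dst_ip, payload) seen on UDP 47808.

    Returns (alerts, inventory): alerts is a list of (src_ip, reason);
    inventory maps each source IP to the set of BVLC functions it used.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    inventory = defaultdict(set)
    for src, _dst, payload in datagrams:
        parsed = parse_bvlc(payload)
        if parsed is None:
            alerts.append((src, "malformed or non-BVLC datagram on BACnet port"))
            continue
        function, _ = parsed
        name = BVLC_FUNCTIONS.get(function, f"unknown-0x{function:02x}")
        inventory[src].add(name)
        src_ip = ipaddress.ip_address(src)
        if function in MANAGEMENT_FUNCTIONS and not any(src_ip in n for n in nets):
            alerts.append((src, f"{name} from outside allowed networks"))
        elif function == 0x04 and src not in peer_bbmds:
            # A BBMD rebroadcasts Forwarded-NPDUs locally, so a spoofed one
            # from a non-peer is a way to inject traffic onto the BACnet LAN.
            alerts.append((src, "Forwarded-NPDU from address not in BDT peer list"))
        elif function not in BVLC_FUNCTIONS:
            alerts.append((src, f"{name} BVLC function"))
    return alerts, dict(inventory)


# Constructed sample traffic (hex is the raw BVLL; NPDU bytes are dummies).
SAMPLE_DATAGRAMS = [
    ("10.20.30.40",  "10.20.0.2", bytes.fromhex("810500060258")),                  # Register-Foreign-Device, TTL 600 s, inside
    ("203.0.113.9",  "10.20.0.2", bytes.fromhex("810500060258")),                  # same request from the Internet
    ("10.20.30.41",  "10.20.0.2", bytes.fromhex("810a000a01040005010c")),          # Original-Unicast-NPDU, normal
    ("10.20.1.5",    "10.20.0.2", bytes.fromhex("8101000e0a140002bac0ffffffff")),  # Write-BDT from the management host
    ("192.0.2.77",   "10.20.0.2", bytes.fromhex("8104000e0a141e2abac001001008")),  # Forwarded-NPDU from an unknown host
    ("198.51.100.3", "10.20.0.2", bytes.fromhex("81050006")),                      # declares 6 bytes, carries 4
]
ALLOWED_NETS = ["10.20.0.0/16"]   # assumed site subnet allowed to register/manage
PEER_BBMDS = {"10.30.0.2"}        # assumed peer BBMD from the BDT


def run_sample():
    """Run the monitor over the constructed sample and return its findings."""
    return analyse(SAMPLE_DATAGRAMS, ALLOWED_NETS, PEER_BBMDS)


if __name__ == "__main__":
    alerts, inventory = run_sample()
    for src, functions in sorted(inventory.items()):
        print(f"{src:15} uses {', '.join(sorted(functions))}")
    for src, reason in alerts:
        print(f"ALERT {src:15} {reason}")
```

Three of the six sample datagrams produce alerts: the registration from 203.0.113.9, the Forwarded-NPDU from 192.0.2.77, and the truncated datagram from 198.51.100.3. The same registration from 10.20.30.40 is recorded but not flagged, which is the point of keeping an inventory alongside the alerts: the list of who legitimately registers with or writes to the BBMD is exactly what the IT firewall rule in front of it should be built from.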
