Articles | 07.14.21
By Matthew Pacobit, Senior Director of Regulatory Affairs
After posting the article Cybersecurity in Power Plants – Is my facility vulnerable? we received additional questions asking how OT or Operational Technology is different from IT business networks. This article will explain some of those differences and why they are important when considering cybersecurity.
Operational vs. Business Networks
Let’s first consider the structure of business networks because that is what most people are familiar with. Business networks are typically a collection of independent systems (computers) all running software from either Windows or Linux. Each computer is able to communicate with other computers through the business network, and each computer controls who it is talking to. For example, when you browse the internet you type in a web address which instructs your computer to initiate a request for information from a server. There are some exceptions to this generalized description of the structure of business networks, but for the purpose of this analysis they are not essential (even though I know there are some IT professional pulling out their hair in frustration with this oversimplification). One of the key characteristics of this structure is that it allows for enterprise-type solutions for virus protection and patching because all the machines on the business network run the same operating system. However, what happens if all the machines are not independent systems and do not run the same operating system?
This brings us to Operational Technology, which again will be discussed very generically as there are countless types in existence. Operational networks do not just use the Windows PC that you see in the control room, but instead interface with field devices and field networks running a variety of proprietary software and/or operating systems. These could include systems from companies such as Emerson, GE, Siemens, Mitsubishi, Allen Bradley, and Bently Nevada to name a few. Even within these vendors there can be different systems such as Emerson’s Ovation system and Emerson’s heart communication implementation on their Rosemount transmitters. Normally, these different systems are run by a central controller. They are not designed for their own independent reliability, but for the overall reliability of the plant or system that they are operating. In practice, this means that if the central controller detects something is wrong, it will fail to the backup controller. What causes this to happen varies widely by system design and manufacturer.
Due to the differences in the way business and operational networks are setup and function, we must take different approaches to how we secure these systems. For example, you can run a network detect tool on a business network with minimal risk of causing any issues, but if you run that same tool on an operations network you could bring down the entire network and the plant with it. While this may not happen every time, there is a much greater risk on the operational networks due to the differences in structure. Another good example is patching. There are several Windows patches that cannot be loaded onto certain operational networks because they will cause significant issues to the network.
Therefore, it is crucial when you are looking at securing your operational networks to make sure you are using someone with knowledge and experience with OT and who understands why and how they are different from business networks.
For help and information about protecting your operational or business network and data systems, contact one of our experts.