The Gray Area Between IoT and OT
Post 1 of 2, by Francis Cianfrocca
You’ve heard the terms OT (“operational technology”) and IoT (“Internet of Things”). There’s some gray area around what exactly these terms mean, but the distinctions between them are important.
“IoT” started popping up as a buzzword about 10 years ago. Cisco in particular grabbed onto the term in a reasonably successful attempt to define the market.
“OT” started going mainstream about six years ago. Gartner was an early user of the term. They basically used it to mean “anything that isn’t IT,” with particular reference to industrial production assets. Since Gartner’s customers are IT leadership, they were responding to questions like “what should I do about all the industrial equipment that’s showing up in my networks?”
In most companies, OT represents well-established capital expenditures and well-honed industrial processes. It won’t really change much, except for the Industrial IoT (“IIoT”) layer that appears here and there to carry telemetry and other data out of OT spaces, and to support various kinds of digitization efforts. There are interesting moves afoot to “virtualize” industrial control systems, but that will take years.
On the other hand, IoT is growing explosively and is changing everything about how people do business. To some extent, it’s being held back by security concerns, but that’s not really going to stop it. The whole way we do network security falls apart in IoT, because of scale, diversity of devices, and the fluidity of IoT network connections. This is the realm where InsightCyber, with our NetRadar suite, and even newer technologies we are investing in, is working to innovate in radical ways.
IIoT, which straddles IoT and OT, has struggled to break into the mainstream of corporate investment and cybersecurity strategy. IIoT has roots in the branding efforts of organizations like the Industrial Internet Consortium and General Electric, which were early visionaries of the concept that the future of industrial production is fully digital. There is some truth to this, but reality won’t match the original vision.
Useful Ways to Distinguish
A useful way to distinguish OT from IoT is this:
OT consists of traditional industrial machines and control systems, running on Ethernet-based networks that are not managed by IT. (Ethernet began to supplant earlier, serial-bus control networks beginning around 1995.)
IoT consists of non-traditional computing devices (“smart things”), running on IP-based networks that are managed by IT.
A lot of familiar experiences fall right out of these rules of thumb. For example: OT networks are managed by people who tend to distrust corporate IT - and specifically IT security - because they’re afraid of losing control of critical systems to people who don’t fully understand them. Of course, OT managers will also tell you that they face no cyber risks because nothing bad has ever happened to them!
On the other hand, IoT is the Wild West. It's akin to the BYOD trend running amok with unfamiliar devices popping up all over the place, and very little monitoring or security to control them. In the post-pandemic world, this trend is multiplied by all the home devices people run on the home networks they telework from.
No Meaningful Network Boundary
With the IoT, there will be no meaningful network boundaries, because traditional security controls cut against the basic economics of IoT. (The few exceptions, like the abortive efforts in smart cities to run thousands of devices through cloud-based VPNs, just prove the rule.)
We need significant security monitoring to migrate directly onto the seamless, open networks that the IoT will use. The IoT will simply grow far too fast for anyone to implement security strategies based on today’s reactive models of defend-your-perimeter and whack-a-mole.
The Internet of the near future will be even more full of devices doing everything from full-biometric payments to connected cars, with security that is barely better than what we have today. The businesses of the world just aren’t going to let a multi-trillion-dollar global transformation get stopped by security concerns.
And like every significant change that ever happens, the security underneath this will be both unlike anything people are thinking now, and completely obvious in retrospect after it arrives.
Francis Cianfrocca is Founder and CEO of InsightCyber. Part 2 will look at risk-based approaches to managing OT and IoT.