IT vs. OT: Differing Security Requirements in the Information Technology (IT) Environment and the Operational Technology (OT) Environment

In traditional business environments, the IT department is considered the expert in all things termed “cyber security”. For most corporate cyber assets, this IT expertise is well placed to understand and address the threats, to design methods that minimize vulnerabilities, and to respond to attacks. In general, corporate cyber security is mostly concerned with the confidentiality of the information held in computer systems, so most IT security focuses on preventing unauthorized access to this sensitive data.

However, technologies in the operational (OT) environment can affect the management of the cyber-physical power system and can thus affect safety and reliability. Therefore, technologies in the OT environment have different requirements and constraints when security measures are applied, so that these systems can continue to support the same power system safety and reliability levels. For instance, security measures must take into account the latency requirements of OT systems: information flows within substations can require latencies of less than a few milliseconds, while SCADA systems in control centers may tolerate latencies of seconds.

In the OT environment, deliberate cyber security incidents or inadvertent mistakes and failures of cyber assets can also have physical repercussions, since power systems are “cyber-physical systems”. The repercussion with the greatest consequence is safety: the deliberate or inadvertent misoperation of a cyber asset could cause harm or even death. The second most important repercussion is reliability: the ability of the power system to deliver electrical energy, or of the gas system to deliver gas, to customers. Although these OT infrastructures have always been built with the reliability of their physical assets (generators, breakers, transformers, power lines, gas lines) as the most critical design requirement, the reliability of the supporting cyber assets must nowadays be designed to the same degree.

As illustrated in the Figure, for IT environments confidentiality of sensitive business and customer information is usually the most important requirement, whereas for OT environments the availability, authentication, authorization, and data integrity of power system information are usually the more critical requirements, since power system data is typically not sensitive.

With their experience in focusing on energy system reliability, it is often the experts in operations who best understand what responses to cyber asset incidents may or may not be appropriate, and, combined with IT cyber expertise, how best to utilize engineering methods and operations of the “physical” energy systems to minimize the impacts of such cyber asset incidents.

Operational environments have some very specific security challenges. For instance, high availability of both physical and cyber assets requires engineering designs focused on redundancy, high reliability, and high performance of these assets. The security requirements of the OT environment may necessitate changes in network configurations and information flows, such as the use of security perimeters, demilitarized zones, and firewalls. In addition, very high speed, real-time processes, involving peer-to-peer interactions, autonomous actions, time sensitivity, and other characteristics, require security solutions different from those typically used in IT, for instance authentication alone without encryption.
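The "authentication without encryption" pattern above, together with the millisecond latency budgets mentioned earlier, is shown here as an added example (not code from the original text): a substation-style status report is sent in cleartext because its content is not sensitive, but carries an HMAC tag and a sequence number so receivers still get integrity, source authentication and replay detection. The key, message layout and 4 ms budget are constructed assumptions.

```python
import hashlib
import hmac
import struct
import time

SHARED_KEY = b"constructed-demo-key-not-for-production"  # assumption: pre-shared per link
LATENCY_BUDGET_US = 4000  # hypothetical 4 ms budget for this flow
BODY_FMT = ">IHB"          # seq (u32), breaker id (u16), state (u8); cleartext by design
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = hashlib.sha256().digest_size


def build_frame(seq: int, breaker_id: int, state: int, key: bytes = SHARED_KEY) -> bytes:
    """Serialise a status report and append an HMAC-SHA256 tag (no encryption)."""
    body = struct.pack(BODY_FMT, seq, breaker_id, state)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies the tag and enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> dict:
        """Return a decision dict: ok, reason, parsed fields and verification time."""
        start = time.perf_counter()
        if len(frame) != BODY_LEN + TAG_LEN:
            return {"ok": False, "reason": "malformed", "fields": None}
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison: tag checked before any field is trusted.
        if not hmac.compare_digest(tag, expected):
            return {"ok": False, "reason": "bad-tag", "fields": None}
        seq, breaker_id, state = struct.unpack(BODY_FMT, body)
        if seq <= self.last_seq:  # replayed or out-of-order frame
            return {"ok": False, "reason": "replay", "fields": None}
        self.last_seq = seq
        elapsed_us = (time.perf_counter() - start) * 1e6
        return {
            "ok": True,
            "reason": "accepted",
            "fields": {"seq": seq, "breaker_id": breaker_id, "state": state},
            "elapsed_us": elapsed_us,
            "within_budget": elapsed_us <= LATENCY_BUDGET_US,
        }
```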

At the same time, operational constraints must be taken into account in these designs. For instance, constraints on equipment resources (timing, bandwidth, network access) can impact the cyber security procedures and technologies that could be used. In particular, heavy encryption techniques or on-line access to certificate authorities are generally not possible for operational assets. Additionally, the timing for system maintenance and equipment updates or upgrades is constrained by power system operational requirements, such as only having short windows during the spring or fall for taking equipment out of service for such updates.

Another constraint on applying cyber security measures is the large amount of legacy equipment with long life cycles that cannot easily be upgraded to include cyber security techniques. Therefore other security measures must be found, such as virtual private networks or methods to isolate or segregate these devices. In addition, given the criticality of power system operations, security should not prevent operational actions, particularly emergency actions, so “break the glass” scenarios must also be built into security procedures.
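A "break the glass" authorization check of the kind the paragraph calls for, as an added example rather than anything from the original text: normal role permissions apply by default, an authenticated operator who declares an emergency with a stated reason gets a time-limited override, and every override use is written to an audit trail for after-the-fact review. Role names, action names and the 15-minute window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed role model for a small control application (constructed for the example).
NORMAL_PERMISSIONS = {
    "operator": {"read_status", "open_breaker"},
    "engineer": {"read_status", "update_setting"},
    "viewer": {"read_status"},
}
EMERGENCY_WINDOW = timedelta(minutes=15)  # assumption: override expires automatically


@dataclass
class Decision:
    allowed: bool
    path: str  # "normal", "break-glass" or "denied"


@dataclass
class BreakGlassGuard:
    audit_log: list = field(default_factory=list)
    overrides: dict = field(default_factory=dict)  # user -> (expires_at, reason)

    def declare_emergency(self, user: str, reason: str, now: datetime) -> None:
        """Open a time-boxed override; the reason is mandatory and audited."""
        if not reason.strip():
            raise ValueError("break-glass requires a stated reason")
        self.overrides[user] = (now + EMERGENCY_WINDOW, reason)
        self.audit_log.append({"event": "break-glass-declared", "user": user,
                               "reason": reason, "at": now.isoformat()})

    def authorize(self, user: str, role: str, action: str, now: datetime) -> Decision:
        """Normal RBAC first; fall back to an active override, never to silence."""
        if action in NORMAL_PERMISSIONS.get(role, set()):
            return Decision(True, "normal")
        override = self.overrides.get(user)
        if override and now < override[0]:
            self.audit_log.append({"event": "break-glass-used", "user": user,
                                   "action": action, "reason": override[1],
                                   "at": now.isoformat(), "review": "required"})
            return Decision(True, "break-glass")
        if override:  # expired: drop it so it cannot be reused silently
            del self.overrides[user]
        self.audit_log.append({"event": "denied", "user": user,
                               "action": action, "at": now.isoformat()})
        return Decision(False, "denied")
```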

The major change is the need to utilize Internet-of-Things (IoT) networks and technologies, in particular to interact with customer sites for monitoring and managing distributed energy resources (DER) and communicating with smart meters. This use of IoT implies that utilities can no longer rely only on their own proprietary communication networks, but must still apply cyber security techniques to interactions across public networks that use well-known communication technologies.