Cyber security expert Frances Cleveland has identified the key concepts for protecting cyber physical systems. She was leading an interactive briefing session on the differences between protecting IT and OT (operational technology) systems at the IEC General Meeting.
The Zoom meeting was streamed live on Facebook to make it available to a wider audience.
Cleveland explained that IT security was mostly concerned with protecting the confidentiality of information and preventing access to sensitive data. However, technologies in the operational (OT) environment have different requirements and constraints.
“The one thing that I want to point out here is that typically, not a hundred percent, typically IT focuses on preventing access to sensitive data,” she said. “In the OT environment, it’s mostly availability and integrity of the data because you’re trying to have safe and reliable operations rather than sensitive and private information protection”.
For example, our reliance on the efficient and continuous supply of power means that any loss of electricity would carry heavy implications for a wide range of vital services. The aim is therefore to ensure that these systems can continue to support the same levels of safety and reliability.
Cleveland identified five critical concepts: resilience; security by design; the fundamental importance of understanding the difference between information technology (IT) and operational technology (OT); risk assessment, risk mitigation, and continuous update of processes; and the role of international standards.
Resilience should be the overall strategy for ensuring business continuity. When focusing on resilience in general, organizations must consider safety, security, and reliability of the processes and the delivery of their services.
Resilience includes security measures that can mitigate impacts, not only before incidents (identify and prevent), but also during such incidents (detect and respond) and after incidents have been resolved (recover).
Security by design is the most cost-effective approach to security. Security is vital for all critical infrastructures and should be designed into systems and operations from the beginning, rather than being applied after the systems have been implemented.
IT and OT are similar but different. Technologies in operational environments have many differing security constraints and requirements from IT environments.
Risk assessment, risk mitigation, and continuous update of processes are fundamental to improving security. Based on an organization’s business requirements, its security risk exposure must be determined (human safety, physical, functional, environmental, financial, societal, reputational) for all its business processes.
Cyber security standards and best practice guidelines for cyber physical (OT) environments should be used to support the risk management process and establish timely security programmes and policies.
Read more: The five pillars of cyber security