ICT design focus: Balancing the mix of IT and OT

Nov. 10, 2021
Information technology (IT) and operational technology (OT) systems can be quite separate – yet both must be properly secured and managed, especially within enterprise smart building operational frameworks.

By Andrew Froehlich

Information technology (IT) and operational technology (OT) are quite different – yet both must be properly secured and managed within smart building operational frameworks.

In recent years, OT systems, which have traditionally been physically segregated and managed separately from IT, are now beginning to be placed together on a single converged network. Because of this, many building operators are presented with new questions on how they can best secure this mixture of IT and OT within a single network architecture.

Let’s look at a few methods that can help with this task.

Logical segmentation

Just because IT and OT equipment shares the same physical network doesn’t mean that traffic flows cannot be securely segmented. The use of network firewalls or access lists configured on routers/switches are two common methods that can be used to logically separate IT from OT systems on the wired Ethernet network.

Similarly, IT and OT components that connect over Wi-Fi can use separate SSIDs, each with its own access rules, to logically separate IT from OT traffic so that a compromised system on one side will not impact the other.

Granular remote access controls

In many cases, third-party managed service partners are responsible for the overall maintenance and upkeep of smart building technologies. As such, these partners typically request remote access in the form of VPN connectivity. This way, the partner can monitor and manage the technologies from afar as opposed to coming on site each time maintenance or upgrades need to be performed.

While remote access VPN has been around for years, it has often been implemented in a way that is less than secure. In many cases, access is far too open and allows these third-party service providers to reach the entire network, as opposed to just the specific network subnets and IT/OT components for which they are responsible.

This means that, if VPN credentials were compromised, bad actors could gain full access to the entire smart building infrastructure. In turn, the whole network could be compromised rather than just a small subset of it.

To counter this, remote access configurations should include granular access controls that limit which networked components can be reached. In many cases, access to only a handful of IT/OT devices is required. Thus, access control lists should be created that allow remote-access users to reach those specific IP addresses, with a "deny any" rule at the end to restrict all other access across the smart building network.
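The same first-match access-list logic underlies both the wired IT/OT segmentation described earlier and the granular VPN rules described here. The following is an added example, not code from the article or from any vendor, that models how a router or firewall evaluates an access list: entries are checked top to bottom, the first match wins, and anything that matches nothing falls through to the closing deny. The VPN pool, the OT device addresses and the "wide-open" versus "granular" lists are all constructed for illustration.

```python
"""First-match access-list evaluator (added example; addresses are constructed)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: IPv4Network            # source prefix the entry matches
    dst: IPv4Network            # destination prefix the entry matches
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


ANY = ip_network("0.0.0.0/0")


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the entry covers the flow."""
    return (flow.src in rule.src and flow.dst in rule.dst
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """Router-style evaluation: the first matching entry decides; a flow that
    matches no entry hits the implicit deny at the end of the list."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Constructed addressing for a converged smart-building network.
VPN_POOL = ip_network("10.250.0.0/24")       # addresses handed to vendor VPN users
BMS_CONTROLLER = ip_address("10.20.5.10")    # OT device the vendor maintains
HVAC_HMI = ip_address("10.20.5.11")          # second OT device the vendor maintains
IT_FILE_SERVER = ip_address("10.10.8.50")    # IT asset the vendor has no business with

# The "too open" list the article warns about: everything from the VPN is allowed.
WIDE_OPEN_ACL = [Rule("permit", ANY, ANY)]

# The granular list: only the two maintained devices on the ports they need,
# followed by an explicit "deny any" so the intent is visible and can be logged.
GRANULAR_ACL = [
    Rule("permit", VPN_POOL, ip_network(f"{BMS_CONTROLLER}/32"), "tcp", 443),
    Rule("permit", VPN_POOL, ip_network(f"{HVAC_HMI}/32"), "tcp", 22),
    Rule("deny", ANY, ANY),
]


def vendor_session_outcomes(acl: List[Rule]) -> dict:
    """Return the decision for three representative vendor flows."""
    user = ip_address("10.250.0.7")  # constructed VPN client address
    return {
        "bms_https": evaluate(acl, Flow(user, BMS_CONTROLLER, "tcp", 443)),
        "hmi_ssh": evaluate(acl, Flow(user, HVAC_HMI, "tcp", 22)),
        "it_smb": evaluate(acl, Flow(user, IT_FILE_SERVER, "tcp", 445)),
    }


if __name__ == "__main__":
    print("wide open:", vendor_session_outcomes(WIDE_OPEN_ACL))
    print("granular: ", vendor_session_outcomes(GRANULAR_ACL))
```

With the wide-open list every flow is permitted, including the vendor reaching an IT file server; with the granular list only the two maintained OT devices on their service ports are permitted and the SMB attempt is denied by the final entry, which is the outcome the article's "deny any" recommendation is meant to produce.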

End-to-end visibility

Cybersecurity is an incredibly difficult task without the proper levels of infrastructure visibility. Basic network monitoring that leverages ICMP (ping), the Simple Network Management Protocol (SNMP) and flow-based monitoring is the absolute minimum when it comes to monitoring devices from an operational standpoint.

However, there are also several security-focused tools that can provide further insights into whether devices or networks have been compromised. Examples of these types of tools include security information and event management (SIEM), security orchestration, automation and response (SOAR) and network detection and response (NDR). These tools collect pertinent security-related information such as device logs, event errors and network telemetry information that is then analyzed to identify possible security threats.
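The flow telemetry mentioned above is also the cheapest place to check that segmentation and remote-access policy are actually holding. The following is an added example, not code from the article or from any SIEM or NDR product, that runs simple detection logic over a handful of constructed NetFlow-style records: it maps each address to an IT, OT or VPN zone and raises an alert when a flow crosses the IT/OT boundary or when a VPN-pool address reaches a device outside the vendor's allow list. The zone prefixes, the allow list and the flow records are all constructed.

```python
"""Zone-crossing and VPN allow-list checks over flow records (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed zone plan for a converged smart-building network.
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "OT": [ip_network("10.20.0.0/16")],
    "VPN": [ip_network("10.250.0.0/24")],
}

# Constructed: the only devices a vendor VPN user is expected to reach.
VENDOR_ALLOWLIST = {ip_address("10.20.5.10"), ip_address("10.20.5.11")}


def zone_of(addr: str) -> str:
    """Return the zone name containing addr, or UNKNOWN if no prefix matches."""
    a = ip_address(addr)
    for name, prefixes in ZONES.items():
        if any(a in p for p in prefixes):
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> dict:
    """Parse one constructed record: 'timestamp src dst proto dport bytes'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def analyze(lines):
    """Count flows per (source zone, destination zone) and collect alerts."""
    counts = Counter()
    alerts = []
    for line in lines:
        f = parse_flow(line)
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        counts[(sz, dz)] += 1
        # Segmentation check: IT and OT should never talk directly.
        if {sz, dz} == {"IT", "OT"}:
            alerts.append(f"{f['ts']} IT/OT boundary crossed: "
                          f"{f['src']} -> {f['dst']}:{f['dport']}")
        # Remote-access check: VPN users may only reach allow-listed devices.
        if sz == "VPN" and ip_address(f["dst"]) not in VENDOR_ALLOWLIST:
            alerts.append(f"{f['ts']} VPN client {f['src']} reached "
                          f"non-allow-listed {f['dst']}:{f['dport']}")
    return counts, alerts


# Constructed sample telemetry; BACnet/IP uses UDP 47808 between OT devices.
SAMPLE_FLOWS = [
    "2021-11-10T08:00:01 10.10.8.50 10.10.8.51 tcp 445 1200",    # IT -> IT
    "2021-11-10T08:00:05 10.250.0.7 10.20.5.10 tcp 443 8800",    # VPN -> allowed OT
    "2021-11-10T08:01:12 10.250.0.7 10.10.8.50 tcp 445 5300",    # VPN -> IT server
    "2021-11-10T08:02:40 10.20.5.10 10.10.8.50 tcp 445 2100",    # OT -> IT
    "2021-11-10T08:03:00 10.20.5.11 10.20.5.10 udp 47808 300",   # OT -> OT
]


if __name__ == "__main__":
    counts, alerts = analyze(SAMPLE_FLOWS)
    for pair, n in sorted(counts.items()):
        print(f"{pair[0]:>4} -> {pair[1]:<4} {n}")
    for a in alerts:
        print("ALERT", a)
```

Two of the five records trigger alerts: the OT controller talking SMB to an IT file server, which the wired segmentation should have blocked, and the VPN client reaching that same IT server, which a granular remote-access list should have denied. The per-zone counts are the kind of baseline a SIEM or NDR would track so that a sudden rise in a zone pair stands out.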

More advanced systems incorporate artificial intelligence (AI) to identify the root cause of an issue and even go so far as to recommend how security administrators can quickly remediate a cybersecurity incident.

Beware: IT is ahead of OT from a cybersecurity perspective

It’s important to note that in 2021, operational technologies lag enterprise information technology from a cybersecurity perspective. OT vendors are not yet experts in the field of data security – and it certainly shows.

That means that extra planning must be performed to wrap additional security around OT. Failing to do so can not only risk a breach of OT equipment, but it could also potentially bleed over into IT, causing even more harm.

Thus, be aware that while commingling IT and OT can ultimately save time and money within a smart building, it must be done in a way that accounts for the inherent flaws of OT that still exist today.

As a highly regarded network architect and trusted IT consultant with worldwide contacts, Andrew Froehlich counts over two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Andrew is the founder and president of Colorado-based West Gate Networks, which specializes in enterprise network architectures and data center build-outs. He’s also the founder of an enterprise IT research and analysis firm, InfraMomentum. As the author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT-related websites and trade journals with insights into rapidly changing developments in the IT industry.
