ICT design focus: Balancing the mix of IT and OT

By Andrew Froehlich

Information technology (IT) and operational technology (OT) are quite different – yet both must be properly secured and managed within smart building operational frameworks.

In recent years, OT systems, which have traditionally been physically segregated and managed separately from IT, are now beginning to be placed together on a single converged network. Because of this, many building operators are presented with new questions on how they can best secure this mixture of IT and OT within a single network architecture.

Let’s look at a few methods that can help with this task.

Logical segmentation

Just because IT and OT equipment shares the same physical network doesn’t mean that traffic flows cannot be securely segmented. The use of network firewalls or access lists configured on routers/switches are two common methods that can be used to logically separate IT from OT systems on the wired Ethernet network.

Similarly, IT and OT components that connect to networks using WI-Fi can use separate SSID’s and associated access rules to logically separate IT from OT traffic so that a compromised system on one side will not impact the other.

Granular remote access controls

In many cases, third-party managed service partners are responsible for the overall maintenance and upkeep of smart building technologies. As such, these partners typically request remote access in the form of VPN connectivity. This way, the partner can monitor and manage the technologies from afar as opposed to coming on site each time maintenance or upgrades need to be performed.

While remote access VPN has been around for years, it’s often been implemented in a way that’s less than secure. In many cases, access is far too open and allows these third party service providers the ability to access the entire network as opposed to just the specific network subnets and IT/OT components for which they are responsible.

This can lead to a situation where if VPN credentials were compromised, bad actors could gain full access to the entire smart building infrastructure. In turn, this could lead to a situation where the entire network is compromised as opposed to just a small subset.

To counter this, remote access configurations should include the use of granular access controls that limit what networked components can be accessed. In many cases, access to only a handful of IT/OT devices is required. Thus, access control lists should be created that allow remote access users the ability to reach those specific IP addresses with a “deny any” rule at the end to restrict all other access across the smart building network.

End-to-end visibility

Cybersecurity is an incredibly difficult task without the proper levels of infrastructure visibility. Basic network monitoring that leverages ICMP (ping), the simple network management protocol (SNMP) and flow-based monitoring is the absolute minimum when it comes to monitoring devices from an operational standpoint.

However, there are also several security-focused tools that can provide further insights into whether devices or networks have been compromised. Examples of these types of tools include security information and event management (SIEM), security orchestration, automation and response (SOAR) and network detection and response (NDR). These tools collect pertinent security-related information such as device logs, event errors and network telemetry information that is then analyzed to identify possible security threats.

More advanced systems incorporate artificial intelligence (AI) to identify the root cause of an issue and even go so far as to recommend how security administrators can quickly remediate a cybersecurity incident.

Beware: IT is ahead of OT from a cybersecurity perspective

It’s important to note that in 2021, operational technologies lag enterprise information technology from a cybersecurity perspective. OT vendors are not yet experts in the field of data security – and it certainly shows.

That means that extra planning must be performed to wrap additional security around OT. Failing to do so can not only risk a breach of OT equipment, but it could also potentially bleed over into IT, causing even more harm.

Thus, be aware that while co-mingling of IT and OT can ultimately save time and money within a smart building, it must be done in a way that considers the inherent flaws of OT that still exist today.