Debate over IT, OT and Control Systems
Though this argument has stemmed well over a decade, it continues to plague the SCADA/ICS security community with what appears to be a simple, yet difficult challenge – where are the lines drawn between these three very distinct areas of influence, control, and more importantly, roles and responsibilities?
Though all four (4) models show unique characteristics, functionalities and importance of reasons for explaining their existence, there is something to be said about why they are and continue to be uniquely different.
One Size Fits All?
Although the current movement is to focus on networking and information-centric aspects of cyber systems, there are two (2) glaring and significant factors that clearly distinguish IT vs. OT vs. control systems - operations (processing) and safety (security of processing).
The “CIA Triad” focuses solely on information, prioritized most to least significant as:
The “SRP Triad” focuses on safety and availablity of systems for processing, as opposed to information, prioritized most to least significant as:
At some point in history, engineering was both responsible and actually performed tasks on control systems equipment. Today, engineering is responsible, but may or may not perform actual technical tasks on control systems equipment (aside from designing and revising designed processes).
For more information, please visit http://srpmodel.infracritical.com.
Dale Peterson’s IT/OT vs Engineering Model
Mr. Peterson asserts that there is an easier method of cross-training skillsets, conditions to their existence, and why his area of “contention is that it (is) easier to teach and convert IT/IT security talent to OT/OT security talent than it is to convert engineers and automation professionals to OT/OT security talent.”
Clearly, his model is primarily focused on the networking aspect of the increasing number of network-based SCADA/ICS environments, and their deployments.
What his model lacks is the primary reason as to why control systems exist – process. It is all about process; more specifically, it is all about the operation – not information. It is here that his model loses focus or significance as to why SCADA/ICS environments should be secured.
Joe Weiss’ Network vs IT/OT vs ICS vs Engineering Model
Mr. Weiss has argued for many years of a knowledge-based model in which network, IT, OT, control systems and engineering intersect. His model shows clearly defined lines of deliniation as to who are the subject-matter experts, and more importantly, the roles and responsibilities.
Identifying clear roles and responsibilities within any given organization shows who owns, operates, and maintains command and control (C2) over SCADA/ICS equipment, its operation(s), both onsite-premised and distributed.
For establishing any training or awareness program, Mr. Weiss’ model can be seen as a suitable model to help visualize such roles and responsibilities. One item to note, however, is that there appears to be a paradigm shift to the left whereby the hands-on aspect of cybersecurity of process control systems are increasingly falling under the auspicious of IT rather than engineering. After discussing this issue with Mr. Weiss, he is in agreement of this shift, and has thus (with his permission) authorized to create a modified version of his model to be produced as thus (see alternative version shown below).
Mr. Weiss’ conclusion is that any progress of involving and collaborating engineering with IT has drawn further skepticism from the community of interest such that any progression made, has in fact, regressed even further imposing even greater responsibilities upon IT.
Infracritical’s Hybridized Model
This model is a variation of both Mr. Peterson’s and Mr. Weiss’ models, as one deals with the breakdown of network-based SCADA/ICS environments, whereas the other demonstrates clearly defined roles and responsibilities insofar as to training, awareness, and roles for both network and non-network-based SCADA/ICS environments.
However, one nagging question remains – where does cybersecurity versus operational security (OPSEC) roles and responsibilities (with any given organization) – begin and end? This leaves out Mr. Peterson’s model as his model focuses primarily on network-based operational functions.
Whereas both of Mr. Weiss’ models have some merit such that any interactions between disparaged groups can cohesively and cooperatively work together with clearly defined roles and responsibilities between all factions. For this very reason, Infracritical’s model incorporates Mr. Weiss’ models, further expounding on areas of responsibilities of cybersecurity versus non-cybersecurity. Additionally, Infracritical further broke down areas of expertise, knowledge, and roles insofar as to (primarily) its security aspects. It is our opinion that OT is equivalent and subset to IT. Although it is contained within IT, it’s sole purpose is to provide networking or networking-like capabilities to SCADA/ICS environments (e.g.; onsite-premised networking switches and firewalls, serial-to-Ethernet converters, and more).
With engineering, OPSEC limits its scope to process and operational conditions of a plant’s operation(s) – not how data is transmitted to/from everything that is interconnected. Although engineering does provide support, contributing to systems that are typically the responsibility of IT, OT, and real-time systems groups, there continues to be a need for a translator who can converse with all levels of expertise (see alternative model shown below).
* It should be noted that real-time systems staff may consist of either IT, or engineering, or both - as subject matter experts. This creates a groundswell, nudging movement in a direction leading to the hybridized model that is so deperately needed to embrace cybersecurity within SCADA/ICS environments.
However, this may not always be necessarily the circumstance as real-time systems may supplement engineering subject matter experts with IT staff who may have (or had) some engineering experience and/or formal training or education pertinent to engineering. Thus, the cultural and knowledge chasm continues to widen.
Comparison of Physical and Safety Models
One of the more often argued comparisons of control systems versus non-control systems are the physical versus non-physical attributes, not forgetting the safety versus the non-safety attributes.
For Internet-of-Things (IoT), they really have no physical control over objects as they merely bridge between web-based and controller-based interfaces; the controller-based interface is the device which has physical control over objects. With safety controls, IoT devices have absolutely no safety capabilities - nor should they.
For Industrial Internet-of-Things (IIoT), some manufacturers have incorporated safety capabilities into their devices; however, it should be noted that these devices may not be completely validated against industry-accepted safety specifications or standards. Simply put - 'caveat emptor', or buyer beware.
If human lives are at risk, we strongly suggest that you reconsider your decision(s).
Shown below are graphics comparing these two significant attributes.
Physical vs. Non-Physical. With control systems, they control physical objects - such as pumps, valves, switches (electrical, mechanical, pneumatic, et. al), relays, actuators, variable speed drives (such as motors for winches or hoists), etc. Neither IT-based systems, nor OT-based systems have physical access nor control over such objects.
Safety vs. Non-Safety. With control systems, they play an even greater part in that they perform safety functions, such as emergency stop motors, or control sensory equipment that detect issues with flow (electrical, air, liquids, et. al) control, or have built-in sensory capabilities within pumps, valves, relays, etc. The fact is, with safety management, neither IT-based nor OT-based systems have any safety capabilities over such objects - nor should they.
What does this all mean?
One important note to make is that – no one model is superior over another. Anyone who takes preference of one over the other model does not perceive the entire factor(s) of systems that are involved. Further training or awareness programs will need to be solidified to outline their interactions with one another, as there does not appear to be one conclusive nor decisive ICS paradigm model that is all-encompassing and comprehensive. Thus, the arguments continue – still – decades later.
After the successful publishing of his First Edition book, Bob Radvanovsky teamed up with Allan McDougall and have produced three more editions together; the Fourth Edition (released in October 2018) presents a culmination of ongoing research and real-work experience, building upon previous editions.
Since the First Edition of this work, the domain has seen significant evolutions in terms of operational needs, environmental challenges and threats – both emerging and evolving. This work expands upon the previous works and maintains its focus on those efforts vital to securing the safety and security of populations.
The continued evolution of modelling critical business systems, their environments, and interactions with society, has played an important role with following social importance, along with its movement.
The latest version of their work may be found at Amazon.
Since the First Edition of their book, both Bob Radvanovsky and Jake Brodsky have continued expanding on their comprehensive handbook that covers fundamental security concepts, methodologies, and relevant information pertaining to supervisory control and data acquisition (SCADA) and other industrial control systems used in utility and industrial facilities worldwide. A community-based effort, it collects differing expert perspectives, ideas, and attitudes regarding securing SCADA and control systems environments toward establishing a strategy that can be established and utilized.
For the Second Edition, their book includes six new chapters, six revised chapters, and numerous additional figures, photos, and illustrations. The Second Edition serves as a primer or baseline guide for SCADA and industrial control systems security. The book is divided into five focused sections addressing topics in:
- Social implications and impacts
- Governance and management
- Architecture and modeling
- Commissioning and operations
- The future of SCADA and control systems security
The book also includes four case studies of well-known public cyber security-related incidents. The latest version of their work may be found at Amazon.