It’s a relatively new term

OT is a relatively new term as far as I can tell. I’ve only really heard it being used in the last couple of years. However, some technologies and ideas which have been around for a while fall under the OT umbrella. These terms include, but are far from limited to: embedded systems, telemetry, Automation & Control, ICS (Industrial Control Systems), SCADA (Supervisory Control and Data Acquisition).

This new umbrella term is very useful to show that the discipline is related to, but separate from, IT.

Where OT is used

OT is used to automate processes and manage infrastructure. Most of the activity is machine-to-machine (M2M) operation and communications, whereby systems mainly act autonomously with little human interaction or intervention.

Use cases include the systems that operate and monitor factories, utilities and communications networks. At Terzo, we’re often working on systems which are designed to work at remote sites, where humans are either rarely or never present, and which are likely to be connected to a central system via some form of communications that’s not necessarily 100% reliable.

As user intervention only happens occasionally, a key component of OT is operating safely. An OT computer might be operating a manufacturing process without any human operator, but something could go wrong. What happens if part of the machinery fails? Or something gets trapped in the machinery? Or the power fails? Or the communications to the site fails? The design of the system must include “fail safes” such that if the system fails, or part of it fails, the system can either continue running (maybe in a reduced capacity), or failover to a safe mode where it might not be operational but at least it’s causing no harm to people or the environment.

How it compares to IT

‘OT’ is a useful shorthand because it includes all of these related disciplines and use cases. It’s also useful because it introduces the idea that this group of technologies are distinct, but related to, IT.

Much of the overlap between IT and OT is around the underlying technologies – the hardware and the bits and bytes that go into developing the software. Many of the skills and techniques used in one are interchangeable with the other.

Security is a big issue for both IT and OT. Whilst there is a big overlap across the two, very often a threat assessment will identify different risks. In the IT world, the leaking of confidential information will very usually be a critical risk. For OT, this is less of an issue, but a hacker taking control of a remote system connected to a real-world process often appears on OT risk registers, something that IT doesn’t usually need to consider. Patch rates massively differ between IT and OT. IT can normally roll out a patch to all its servers and users within days, if not hours. With OT, remote patching often isn’t available and may even be undesirable. Systems have a very long asset life – 20+ years is not uncommon – it may not even be possible to patch for known vulnerabilities.

Summary

OT is related to IT, but they also have some big differences. OT is largely hidden from the everyday user, but underpins much of our modern way of living.

 

Neil Tubman, Terzo Digital, October 2016