The Three Pillars of OT Security - A new vision of cyber security for tomorrow’s interconnected systems
With growing volumes of real-time data continually generated, an increasingly complex range of inter’ and intra-connected ‘smart’ and industrial-based assets to consider, and new threats emerging on a near-daily basis, OT security must evolve, encompassing more than traditional IT security techniques, traditional CCTV, and physical access control systems.
Complicating things further, the boundary between OT (Operational Technology) and IT (Information Technology) continues to be challenged. As a result, those responsible for critical OT systems are increasingly reliant on IT to assimilate, validate, and disseminate information on the performance and security of their assets.
With this in mind, a new approach is needed – one that enables the benefits that come from the secure, frictionless flow of real-time data, improving operational efficiency, and preserving the ironclad integrity of critical infrastructure and assets – all while maintaining the freedom to grow and innovate. It’s a lot to consider, but based on our ongoing work at Vysiion, and conversations with leaders across the CNI sector, establishing this new approach and model is imperative.
In fact, we’ve already been nurturing it for more than 28 years…
A ‘Secure by Design’ approach, refined for over 28 years
Vysiion have been deeply involved in the build and networking of OT assets since 1996, enabling the safe and reliable communication of the real-time critical data that CNI providers rely on to make key operational decisions. Right at the point of our company’s inception, it became clear to us that such systems would be key to the CNI sector’s continued growth in the years ahead.
Indeed, one of our early projects involved designing and delivering a solution to trip HV circuit breakers on the UK electricity network when a fault condition was detected, for which the whole process needed to be initiated, communicated, and validated in less than 15ms. The potential consequences of an incorrect communication were huge, not just in terms of costs, but also the inherent safety and integrity of the wider system.
The early insights gained from such projects formed the foundation of our ‘Secure by Design’ approach to the networks and platforms our CNI customer base depends on, and the solutions we continue to develop in support of their evolving requirements.
Establishing a robust methodology for IT and OT convergence
With the convergence of IT and OT seen as an intrinsic part of most OT digital platforms, a methodical approach to the design of technology infrastructure is vital throughout every stage of the project lifecycle – from design through to implementation, and the ensuing long-term support of these critical systems, and components. This means deep knowledge of OT assets is essential, including their criticality and operational purpose, the nature of the data they generate, and how this is validated, shared, accessed, and utilised.
The lifecycles of these assets must also be established at the earliest opportunity. OT systems need to be highly available and capable of operating in harsh environmental conditions, frequently dispersed across remote sites that require multiple communication bearers, from dark fibre optic links, to wireless technology and narrow band radio – the implementation and support of which must be factored into the wider project lifecycle.
Once this knowledge base has been established, the basic principles of the well-established Purdue model should be applied, ensuing that the OT infrastructure is logically segmented, firewalls are used to gate and authenticate traffic between systems and the IT environment, and secure methods of remote connectivity (such as a DMZ) are implemented to maintain control of user access.
This methodical approach allows multiple aspects of interconnected OT and IT systems to be optimised, with high-performance connectivity and the secure, seamless dissemination of critical data delivering tangible operational improvements. In the long run, this controlled digital transformation, and preservation of data integrity, will allow the CNI sector to embrace AI and ML technologies, opening the door to further secure automation and innovation.
Taking a strategic view of the future
A methodical approach also needs to be strategic, consider the need to integrate both new and legacy systems and the challenges involved. Do not assume all assets will be new, and do not underestimate the challenges involved in bringing together what are likely to be two very different approaches to cyber security!
The key difference between IT and OT systems is that many of the assets within an OT environment must be 100% available to protect the integrity of the process and systems they support. Performing uncontrolled and automated patches and firmware updates on a critical OT asset that then requires a reboot to apply – or even just a few seconds of downtime – is not an option.
A hybrid approach to cyber security that addresses the pre-requisites of both IT and OT, encompassing both new and legacy assets, will therefore be key to the sector’s continued success in the years ahead. The NIS-2/UK directive, IEC62443, the Purdue model, and CAF are active ingredients in preserving the integrity of the networks and platforms that underpin the next generation of efficient, safe, and resilient operational technology systems, managed by those responsible for the UK’s critical national infrastructure.
Transforming the UK’s critical infrastructure
Taken as a whole, these three elements – the ‘Secure by Design’ model, a methodical approach to design and deployment, and a strategic view of technological innovation – ensure the integrity of tomorrow’s interconnected systems.
As we have seen many times since Vysiion’s earliest days, this will be a consultative and informative journey rather than a one-off project, but if approached intelligently, with an open mind about what is possible, we will be part of an exciting journey, and the birth of a whole new approach to the design and delivery of the highly available critical infrastructure that will prove fundamental to the growth, prosperity, and protection of the UK economy.
Cyber Security updates
Sign-up to get the latest updates and opportunities from our Cyber Security programme.