Cyber Threats
IT issues factory security 1: Gap of IT and OT
This series discusses the challenges IT teams face when they are assigned the task of overseeing cybersecurity in factories. The first article looks at the fundamental purpose of a system, which can give rise to various differences between IT and OT.
Posts in this series
In the cybersecurity industry, key words such as "smart factories," the "Industrial Internet of Things (IIoT)," and "Industry 4.0" have come to the fore. The business environment that the manufacturing industry operates in is undergoing drastic changes and entering a transition period. Nowadays, it may be difficult to find companies that do not include Digital Transformation (DX) or the Internet of Things (IoT) in their strategies. Manufacturing companies need to include cybersecurity not only in the information technology (IT) domain, but also in the operational technology (OT) one as well. More and more IT security teams are finding ways to take responsibility and gain control over security in factories and other OT domains. Even though the words "system" and "network" effectively have the same meaning, OTs look completely different from the perspective of those who have lived in the IT world. This three part series of articles discusses the challenges that IT departments face when they are assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges.
The first article looks at the fundamental purpose of a system, which can give rise to various differences and barriers between IT and OT.
Differences in the purpose of a system
In terms of factory security, the IT department tends to have the impression that there is no system inventory and that security is being neglected due to operations being prioritised. In contrast, the factory team holds the following opinion of the security policy adopted by the IT department or head office: "We cannot stop some systems even if we are told to apply patches uniformly" and "We cannot change the system even if we are told to install security software on the devices." To determine why this gap in perception is created and what difficulties are involved in eliminating it, let's consider the purpose of the system in a little more detail. The first thing we should note is that, in the manufacturing industry, IT deals with "information and processing" while OT deals with the "production of physical goods" as the targets for the respective systems. An IT system can be considered a technology that is used to replace information and its processing with digital solutions or provide support for intellectual production activities. On the other hand, OT is a technology that is used to produce the goods themselves by operating the system.
Cybersecurity involves adopting measures to counter cyber threats, which constitute an obstacle to the fulfilment of the system's purpose. Regardless of whether it is IT or OT, we need to consider what exactly we need to protect based on the purpose of the system.
IT for mission critical tasks
Before we examine what role OT systems will play in the factories of the future and what form of cybersecurity they will require, we need to reconsider traditional IT systems and their role in business. Based on their degree of mission criticality and whether they are internal or external, traditional IT systems can be broadly classified into the following categories: "Core," "Commercial," "Information," "Administration," and "Web."
Figure 1: IT system classifications (Trend Micro)
Investment in IT and cybersecurity will increase in line with the increasingly important role that IT systems play in the performance of mission-critical operations or the provision of commercial services to customers. Broken down by industry, IT investment in Japan tends to be largest in the fields of finance and information services. The Japan Users Association of Information Systems (JUAS), one of Japan's largest user communities, reported that the ratio of IT budgets to sales in the financial industry is about 3 times the average, while that in the service industry is about 1.5 times the average*1. The security investment portion of the IT budget is said to be around 10%, and this figure is more likely to vary based on individual company policies than on inter-industry differences. In a survey that Trend Micro conducted as an index for measuring the comprehensiveness of security measures*2, financial services ranked first and information services ranked second, with both of these industries receiving relatively high scores.
Graph 1: Security Measure Comprehensiveness Scores (by Industry)
Source: Trend Micro's "2019 Security Survey of Corporate Organizations in Japan"
Cyber attacks in the IT industry tend to target information, and they affect the information processing procedures and their results. In industries where a company's main business activities and products are digital, the level of information security is relatively high in terms of confidentiality, integrity, and availability (CIA). This is the desired result. In manufacturing, medical care, health care, and other industries that have relatively low scores, however, it is necessary to raise the level of security as the IT-based mission-critical work in the relevant industry progresses.
*1 Japan Users Association of Information Systems: "2019 Corporate IT Trends Survey Report," April 2019.
https://juas.or.jp/cms/media/2017/02/it19_ppt.pdf
*2 Trend Micro: "2019 Security Survey of Corporate Organizations in Japan," October 2019.
https://resources.trendmicro.com/jp-docdownload-form-m164-web-sor2019.html
Purpose and requirements of an OT system
A factory's production process starts with the design stage and then progresses on to parts procurement, inventory management, and production and inspection operations before ending with distribution to the desired location. The production management system that looks at the entire process falls within the IT domain because it handles information, but processes that handle physical objects operate as part of an OT system.
Figure 2: OT and IT processes in a factory (Trend Micro)
The requirements of an OT system can generally be defined as follows: safety, operations, and quality. In the manufacturing and processing procedures that are carried out at a production site, we often deal with heavy equipment and chemical substances that people are unlikely to encounter in their daily lives and may pose a health risk. In terms of safety then, we must start by ensuring that employees are not scared about the possibility of accidents being caused by system malfunctions, operational errors, and occupational accidents. If we examine the product distribution process in terms of operations, it is clear that operations can affect customer delivery times if they are delayed, that they translate directly into business sales, and that the production time counts as a cost. In terms of quality, it should be noted that defective products are themselves a form of waste and excessive inspection processes are costly.
Incidentally, many people seem to think of the "safety first" slogan when they imagine a factory site, but what comes second if safety is first? In fact, the complete slogan is said to be "Safety first, quality second, production third." This conveys the message that you must not sacrifice safety even for quality and production, both of which are important business goals. Safety and productivity are inherently contradictory factors. The more secure the processes that you employ are, the greater the amount of time and effort you will need to invest.
Smart factories that use IoT are expected to enjoy increased productivity while at the same time ensuring safety, operations, and quality. In addition, smart factories, as well as their production processes, have become an indispensable element in supporting the entire business value chain. As a result, there is growing hope that companies will become more adaptable to environmental changes and that IoT will become a driver of business growth.
Considering security from the perspective of the entire business, not the conflict between IT and OT
Given the above, perhaps we should look at the systems and security employed by smart factories from the perspective of a higher purpose rather than in terms of the conflict between IT and OT. Based on a business plan detailing when and what should be achieved by DX and IoT at the management level, a system plan has been formulated with the aim of realising greater efficiency and added value through the leveraging of information, as expected of smart factories. We need to define security to protect such information and processes. The security of smart factories requires not only maintaining the original factors of safety, operations, and quality and improving efficiency, but also avoiding any interruption to the business activities associated with both IT and OT and making sure that no growth opportunities are missed.
In this article, we have highlighted the missions of the OT systems that IT departments need to understand before they pursue factory security. Before countermeasures are considered, it is important that you recognise the differences in the objectives of the systems and understand the higher-level objectives within your company in order to advance to the start line. In the next article, we will analyse the first challenges that IT departments face when it comes to factory security in terms of the following and examine clues that may lead to a solution: people (organisations), processes (operations), and technology (systems).