We’ve seen significant confusion around the differences between OT, IoT, IIoT, and related acronyms. Here’s a short explainer of what these terms are and why that matters.
This is also a bit of an opinion piece, so while I will cite numerous other sources, note that this is still a hotly contested topic. 🌶️
Let’s start with OT, or “Operational Technology.”
OT, or ICS, or SCADA, or PCN?
First: this blog is not about the differences between ICS, SCADA, DCS, PCN, or any other type of control system out there (it’s been argued about for decades on SCADASEC; maybe a good topic for another time).
But when did we start using “OT” as a general, all-encompassing term for all control systems?
Funny enough, that’s a hard one to explain. Playing around with Google and time bounds on searches, it’s difficult to find the origin of the term “operational technology.”
There’s the FBI article from 2008, but that’s closer to “surveillance van” tech than power generation.
Or the fascinating (/s) read from 1981 about Mass Balance with regard to water treatment, citing the “Office of Program Operations (EPA), Cincinnati, Ohio. National Training and Operational Technology Center.” (https://files.eric.ed.gov/fulltext/ED221394.pdf)
What we do know is that sometime in the late 00s to early 10s, “OT” became synonymous with control systems, as distinct from information technology (IT) or enterprise IT.
This was around the time of the mythical “convergence,” where even I was giving presentations on this subject. (Spoiler alert – convergence was old in 2014, and it’s even older now: https://www.cisa.gov/uscert/ics/June-2014-Whitepaper-and-Presentation-Submissions).
But for OT, these definitions are useful:
“Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.”
“Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment).”
I’ll mention “IT/OT convergence” here (a whole other topic for sure) because it did one thing really well: it thrust operational technology into the alphabet soup of enterprise cyber security. Around this time, and to make things even more complicated, the term “Internet of Things” began to grow in popularity, with Amazon’s Alexa announced in 2014.
Now we had more things that were connected to the internet. 😱 Part of why I feel “OT” took off as the lead term instead of ICS is, frankly, because it matched “IT” so well. IT, OT, and IoT all started to be discussed in tandem — and for a while, the community understood that these systems were all completely different.
For IT, the security community had clear boundaries and guides. IT was “enterprise” or “business” networks and systems that, for the most part, were logical in nature (not controlling physical processes).
But OT systems were seeing a modernization boom, and we now had enterprise “assets” such as Windows servers, Windows workstations, Cisco networking gear, and others residing within the OT enclave.
Enterprise-type hardware and software were now responsible for managing the control system. Convergence and the entry of the Internet of Things only served to make things more complicated.
Some useful definitions for the Internet of Things:
“The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”
“The term IoT, or Internet of Things, refers to the collective network of connected devices and the technology that facilitates communication between devices and the cloud, as well as between the devices themselves.”
What it Does, not Where it Is…
Here lies the confusion: What if I have enterprise systems in my OT enclave? What if I have IoT-connected devices in enterprise? I propose that what a system does is as important, or more so, than where it resides.
For instance, if you have an internet-connected toaster that happens to sit in a control center, is that:
- A) IT
- B) OT
- C) IoT
- D) A Bad Idea?
The answer is “C” (and possibly “D,” depending on your risk tolerance and toast requirements). What makes this IoT device really IoT? Well, for one, remember that the “I” in IoT stands for internet. So some sort of internet connection is necessary (or the remote, SaaS-like service that comes with IoT). Does the toaster’s physical location make it OT? No, and hopefully, it’s not on the OT network.
Other IoT features from our definitions include “embedded” and “device.” But really, the function of this device is what makes it IoT: I have my toaster app that can control the device’s settings from around the world.
Let’s look at OT. If I have a PLC connected to the OT network, performing OT functions like monitoring pressure, temperature, etc., and it’s sitting along a pipeline, is this device:
- A) IT
- B) OT
- C) IoT
Well, given its function is directly supporting the OT environment, that may be enough for it to fall solely under “B.”
But what about all those enterprise systems supporting OT? Tricky, right? This PLC is also technically an embedded device, but does that make it IoT? Well, unless it’s connected to the internet (looks nervously at Shodan), it’s not IoT.
Even if the PLC were sitting in an office building controlling an HVAC system, that wouldn’t make it IT.
IT / OT / IoT Relationship Status: It’s Complicated
As you can see, it starts to get complicated if you focus on where the device lives. Confusion abounds… and we haven’t even dipped into the “Industrial IoT,” “IIoT,” or newfangled “XIoT” terms!
But remember — IoT toasters don’t magically become OT just because they’re in the power plant. How you address the security of these different systems must also be defined regardless of location.
The purpose of this over-analysis of terms is to help everyone better understand how these systems and subsystems should be approached and protected.
It’s important first to know that these systems are, in fact, different. Therefore, the security of these systems should be approached in unique ways.
Tailor your consulting, assessments, testing, and technology to your specific needs in IT, OT, and IoT. We definitely do not want there to be any mistaking an IoT toaster 🍞 for a power plant PLC as we work together to secure our environments.