This blog post is an excerpt from GovLoop’s recent guide, “Your Guide to U.S. Critical Infrastructure.”
Threats to critical infrastructure come in every shape and size. Physical threats from malicious actors and environmental instability are always concerns, while threats in cyberspace are mounting every day. Add onto those risks the fact that government funds are diminishing while critical assets are aging, and the challenge of maintaining security can seem overwhelming.
To understand how organizations can take a smarter, more efficient approach to securing critical assets, we spoke with David Doll, Industry Principal at OSIsoft. OSIsoft provides an open enterprise infrastructure for agencies to connect sensor-based data, systems, and people. The company’s PI System captures data from virtually everything – from temperature sensors to meters and railroad cars - and serves it up in real time so people can save energy, prevent accidents, or gain insight into their processes.
Doll said the first step to better security is to understand the key difference between operational technology (OT) and information technology (IT). He explained that difference with a security analogy: “When an IT system is hacked, you lose information. It could be very important information, but it’s information. When an OT system is hacked, things can shut down. Things can go boom. It’s a different level of problem.”
Another difference is in the nature of the data itself. “IT systems use relational databases to store information. It’s rows and columns and schemas, nice and clean. OT systems rely on sensors and use time-series data. It’s messy and unpredictable. For certain analyses, companies may need to capture hundreds of thousands events per second. If you try to use IT technologies to handle raw OT data, you are going to struggle and create big problems for yourself.”
To understand that difference and how it should be incorporated into operational decisions, Doll suggested looking to private sector owners and operators of critical infrastructure. “There’s a lot of lessons out there from industrial companies that have been tackling these issues for decades so the federal space doesn’t need to reinvent the wheel,” he said.
Many companies have created a middle layer in their infrastructure that organizes their operational; systems to allow for interoperability while protecting OT from IT failures. This approach is more than just applying firewalls to IT endpoints; it requires deploying a data platform between the IT and OT layers of your infrastructure that connects information to users and to the information systems they feed and rely upon.
“Most vendors ignore this critical aspect because it’s just not what they do,” said Doll. “They’re either selling new sensor technologies or they’re making visualization and dashboard products – both of which can demo very easily and install quickly. But when you ignore that middle layer, you’re creating problems and adding risk.”
Another OT security technique is to link OT and IT networks through one-way connections like diodes or video channels. That way, companies can see what’s happening in operations while insulating assets like transformers or pipelines from viruses or other attacks on IT networks.
OT companies also need to think more deeply about security when they deploy assets. Doll explained that every connection to an OT system is added risk and every disparate database increases complexity. These new IoT solutions that allow monitoring over the internet each create a new attack point, a new threat. And when each smart sensor or control system creates another island of data, it’s very difficult to have a complete view of what’s going on – another factor of risk.
Owners and operators of critical infrastructure need to monitor and maintain their assets with real-time sensor data. People can make quicker and more informed decisions, understanding which critical infrastructure systems require attention or resources to safeguard. Doll described it as “getting the raw data turned into information and in front of the right people, in time to have an impact.”
“Whether you need new dashboards tomorrow or install new technology next year, you can build on top of your same data infrastructure without going back to square one,” Doll said.
Ultimately, creating a data infrastructure between IT and OT systems allows agencies to more efficiently manage and secure critical assets. It creates a middle layer from which everything can be integrated and monitored, creating more connections without increasing risk.
“That’s what OSIsoft has been doing for over three decades,” Doll concluded. “We’re delivering a scalable, reliable data layer that will connect all of your IoT data sources. It can connect all of your existing, disparate systems and support your future initiatives, things you haven’t even thought of yet. This enables government agencies to gain real-time insight so they can continuously monitor, continuously improve, and continuously secure their critical infrastructure.”