
Lifting the Fog Part 3: IT vs OT – When Two Worlds Collide
The factory floor was buzzing with activity until it wasn’t. In an instant, conveyor belts froze, robotic arms stiffened mid-motion, and critical systems went dark. There was no mechanical failure, no human error. Instead, a silent intruder had breached the company’s IT network and crossed into the heart of its operations, the OT environment. What began as a simple phishing email ended with production halted and safety at risk. This wasn’t just a data breach; this was a direct attack on the physical world.
Scenarios like this are no longer rare. As industries embrace digital transformation, the once-clear boundary between Information Technology (IT) and Operational Technology (OT) is disappearing. And with it comes a new frontier of cybersecurity challenges, especially for embedded systems at the crossroads of both worlds.
Looking Back: Where We’ve Been
In Part 1 of our Lifting the Fog series, we introduced the EU Cyber Resilience Act (CRA), a regulation ensuring that digital products, including embedded systems, meet strict cybersecurity requirements.
In Part 2, we explored cybersecurity fundamentals, from the difference between cybersecurity and functional safety, to the CIA Triad, and why asymmetric encryption is vital for protecting embedded devices.
Today, we dive into an often-overlooked topic: understanding IT and OT, their convergence, and why this intersection demands heightened cybersecurity awareness.
IT and OT: Two Worlds, One Future
What is IT?
Information Technology (IT) focuses on data, including its processing, storage, and transmission. Think of servers, databases, cloud services, and enterprise applications. IT systems are designed for flexibility and frequent updates, and they prioritize the confidentiality, integrity, and availability of information.
- Example: Corporate email servers, CRM systems, cloud storage.
- Typical Lifecycle: 3-5 years, with rapid technological advancements.
What is OT?
Operational Technology (OT), on the other hand, controls the physical world. It includes the hardware and software that monitor and manage industrial processes such as manufacturing lines, energy grids, and transportation systems. OT generally prioritizes availability and integrity over data confidentiality. This ordering can be debated, but it generally holds.
- Example: PLCs, SCADA systems, industrial robots.
- Typical Lifecycle: 10-30 years, often running on legacy systems designed before cybersecurity was a concern.
Key Differences Between IT and OT
Aspect | IT | OT |
---|---|---|
Focus | Data management & communication | Control of physical processes |
Environment | Office, data centers | Factories, power plants, transport hubs |
Lifecycle | Short (3-5 years) | Long (decades) |
Security Goal | Confidentiality, Integrity, Availability | Availability, Integrity, Confidentiality |
Technology | Standardized, easy to update | Proprietary, difficult to patch |
The Convergence: Opportunity Meets Risk
The rise of IoT, Industry 4.0, and digitalization is blurring the lines between IT and OT. Connecting OT systems to IT networks brings undeniable benefits:
- Real-time data analytics
- Predictive maintenance
- Improved operational efficiency
However, this convergence also opens the door to cyber threats that OT systems were never designed to face. Historically, OT environments were isolated, protected by so-called "air gaps." Today, connectivity is essential, but it comes at a price.
Cybersecurity in a Converged World
The infamous Stuxnet attack showcased how cyber threats could leap from digital domains into physical destruction. Malware designed to target industrial control systems disrupted Iranian nuclear centrifuges without a single physical bullet fired.
One of the core challenges in this converged landscape is that legacy OT systems were never designed with cybersecurity in mind. These systems often lack fundamental security features, making them vulnerable once connected to broader IT networks. Adding to this complexity is the significant risk of downtime when applying patches or updates. Many OT environments prioritize continuous operation, meaning even necessary security maintenance can be seen as a disruptive threat to productivity.
Furthermore, the rapid adoption of IoT devices and increased reliance on remote access have expanded the attack surface dramatically. Each connected device or remote entry point represents a potential vulnerability that cybercriminals can exploit. These evolving challenges make securing embedded hardware like Computer-on-Modules (COMs) more critical than ever, as they form the foundation upon which secure industrial solutions must be built.
Embedded systems are the glue binding IT and OT. Whether it's a smart sensor on a production line or a controller in a power grid, these devices must be designed with cybersecurity at their core. The Cyber Resilience Act doesn’t differentiate between IT and OT; it demands robust protection across both domains.
Failing to secure embedded systems in this converged environment could lead to more than data breaches: it could endanger lives, disrupt critical infrastructure, and halt entire industries.
Stay Tuned: Trust Starts at the Root
As IT and OT continue to merge, securing embedded systems becomes more complex and more critical. But where does security truly begin? In our next blog, we’ll uncover the foundation of digital trust by exploring the concept of the Root of Trust. Learn how security isn’t just software-deep but starts at the very heart of your hardware.
Stay informed, stay secure and join us as we continue Lifting the Fog on Cyber Security for embedded systems!