
THE CONVERGENCE OF Information Technology and Operational Technology.

A NEW INDUSTRIAL REVOLUTION.

EXECUTIVE SUMMARY
Historically, industrial processes and the technology that supports their operation (Operational Technology (OT)) have been
isolated from connectivity with the outside world. However, in recent years an increasing number of industrial processes, utilities
and factories have become interconnected with each other and their Enterprise LANs. In the hope of increasing efficiency, driving
cost savings, improving decision making capability and enhancing competitiveness, Information Technology (IT) previously only
found in Enterprise Networks is now being implemented within industrial networks. As a result, industrial systems are now exposed
to risks and dangers that were never considered in their original design: the threat of malware and cyber attack.
In this white paper we will evaluate the exciting business benefits that are driving the convergence of IT and OT,
and consider the challenges that IT and OT managers may face when setting out to secure the converged network.

A NEW INDUSTRIAL REVOLUTION


As the twenty-first century rolls before us, how many people stop to wonder where everything that makes our lives possible
actually comes from?
Who provides our water? The electricity? The chemicals? The oil, the gas?
We accept that our modern life is powered and made possible by the output of multiple industrial processes that provide the
products and resources we require and the energy we consume. Apart from those who work in these industries, few, if any of us,
give it any further thought.
Yet, perhaps we should.
Thanks to the growth of the internet, the cloud, the flourishing ubiquity of IP (Internet Protocol) based communications and the
desire to share information and connect everyone, everything and everywhere together, a revolution is taking place around us,
that will have significant impact upon us all.

BAE Systems Applied Intelligence

SEPARATE WORLDS
Ever since the industrial revolution, new industries have spawned and developed: processes have been made more efficient,
productivity from industrial processes has grown, efficiencies have increased, and new services, utilities and products have fuelled
the development of all our societies. To monitor, manage and oversee these industrial processes, industrial control systems (ICS)
and operational technology have been implemented which ensure that these industries operate day in, day out, continuously
producing the services, utilities, fuel, chemicals and manufactured goods that we need.
Traditionally most OT has existed and operated in silos, isolated and not connected to each other or the outside world. Although the
OT managers may have been responsible for running specialized technology peculiar to each of their industries, one thing
they have all shared in common has been their focus on the integrity, efficiency, reliability and safety of the systems they control.
Then along came networking and the Internet Protocol (IP).
In the cities, people sitting in offices became connected together, began to share information, and started working with computers.
Specialized software and business applications began to revolutionize the world of business and commerce, and companies grew
and flourished. Experts in IT became the gurus who understood how computers connected together, how the software and hardware
of company networks functioned, and how LANs and WANs could enable companies to share information between each other.
In the head offices of the companies who run the industries we depend upon, IT managers oversaw the growth of interconnectivity
between their employees and systems, and implemented, managed and ran the IT infrastructure upon which all Corporate and
Enterprise networks now depend.
And then came the internet.
Suddenly, the world was connected. Within a few short years, individuals, employees and companies the world over, were IP
enabled. This made it possible to communicate with each other, to share information, to do business in a global, virtual environment
that broke down barriers and facilitated further, rapid growth.
Two separate worlds had developed:
- The world of Operational Technology that drives, manages and controls the industries upon which we depend
- The world of Information Technology which enables our businesses, the internet and our ability to share data
  and information
In companies that own and manage large industrial operations, the Enterprise networks of the corporation had until recently been
separate from the industrial plants and processes that were core to their business, with little or no virtual or physical connectivity
between them, and very little direct control.

SECURITY CONSIDERATIONS IN THE SEPARATE WORLDS OF IT AND OT
The worlds of IT and OT have evolved with different considerations and priorities.
- Whereas IT systems are designed to connect with each other, industrial systems were isolated and locked-down
- In an IT network, components are typically deployed with an expected lifetime of between three and five years. In an
  industrial network, devices/components may be expected to last from five to twenty years, perhaps longer
- IT systems are designed with the capability for regular updating and maintenance, whereas with OT systems, maintenance
  windows and the ability to upgrade and replace components are far rarer: once operational, they often run continuously
  with minimum scheduled downtime, as every second offline can cost the operating company thousands of dollars
- Information security has long been defined by the need to preserve the confidentiality, integrity and availability of
  information. Over many decades, other properties, such as authenticity, accountability, non-repudiation and reliability have
  also been included. Many frameworks and approaches have evolved for IT security but almost all have either explicitly or
  implicitly put confidentiality ahead of all other attributes. OT designers on the other hand are driven to ensure that
  their plants and process controls are safe, efficient and continuously available. With some industry-specific exceptions,
  confidentiality of data is not a major cause for concern for OT.

To Converge or not converge, that is the question: Advantages & Disadvantages


The ability to share and connect disparate systems and data processors together using networking technology based upon the
IP protocol has changed our world. For businesses, bringing people, systems, and offices online (i.e. connected via IP routable
networks) has facilitated communication and data sharing that has enhanced productivity, cut product development and delivery
timescales, shortened problem resolution cycles, enhanced competitiveness and brought tremendous operational efficiencies.
For companies that own industrial concerns, and whose businesses are still segmented into the two distinct domains of IT and
OT, there are also significant advantages that could potentially be gained by increasing the connectivity between IT and OT, and
gradually converging the domains together:
- Increased efficiency
- Enhanced productivity
- Enhanced profits
- Greater control.
OT facilitates the real-time processing of vast amounts of data, which enables automated control systems to make decisions
and issue local commands that regulate, control or change the industrial processes they manage. In a non-IP enabled industrial
system, management systems are not provided with the real-time feedback data that helps them construct a global view of
operations.
However, if it were possible to introduce IT technology into OT systems, such that the information flow between management and
supervisory control systems could be enhanced, supervisory networks and management systems would have far greater control:
the more timely, accurate information they would receive would assist them in making more effective decisions. IT would also
enable them to have a greater, more accurate and real-time view of multiple geographically dispersed industrial systems and to
respond more powerfully to any change in a process that may occur, or as required by real-time world events.


An Industry View on Convergence: Oil and Gas


The business requirements driving convergence in the different vertical markets vary from one industry to another. As an
example, let us look at the Oil and Gas market, for which the convergence of IT and OT is seen as offering significant benefits
that could help address some of the many challenges this sector is now facing.
Within the Oil and Gas sector, it is becoming increasingly hard to access the new and remaining oil and gas
reserves, creating significant new challenges:
- The need for improved operational excellence. The increasing difficulty that companies are
  experiencing in profitably extracting oil and gas from existing fields naturally fosters a greater focus
  on efficiency and effectiveness in production. Within the industry this is driving a culture of high
  performance and changing the way the business is managed
- Capital project effectiveness, skills shortage and changes in working cultures. With access to
  what is termed "easy oil" (and gas) becoming rarer, the scale of the projects being undertaken and
  the investments being made to acquire natural resources from more challenging fields have increased.
  The scale and complexity of the projects introduce new safety and security challenges, along with the
  problem of recruiting sufficient workers willing to work in hazardous, remote locations, where a skills
  shortage has become a global issue. The skills shortages in local populations lead to a high degree
  of foreign workers
- Oil and gas reserve replenishment. The continued pressure to find new oil and gas reserves leads to
  more oil and gas operations in offshore and remote locations, all of which are more difficult to protect
- Business resilience. With the increase in the physical and cyber security threats faced by the industry,
  there is now greater awareness of the need to ensure operations are resilient and demonstrate a
  suitable degree of system redundancy.
In response to all of these challenges, wherever possible, the Oil and Gas industry is seeking to embed greater connectivity
into its operational structures. This would give components, systems and people the ability to communicate and share
information with each other in ways not possible before.
In particular, utilization of electronic and information technology within OT systems facilitates greater centralized control,
safety and security monitoring.
The development and implementation of systems which will provide real-time information to improve business performance,
and greater automation of industrial processes, are now central to the vision of the digital oil fields
of the future.

THE INEVITABILITY OF CONVERGENCE


For many companies, not just those in Oil and Gas, convergence between IT and OT domains is inevitable: it may not have
happened yet, but the potential benefits it will offer cannot be ignored, especially if competitors are already embarking on
a convergence program and threaten to benefit from their actions: other companies cannot afford to be left behind.
For many companies, convergence is already happening, for example:
- Components of industrial processes (PLCs, HMIs, Historians) are being made IP aware, facilitating remote control
  and management directly by OT managers and for upgrading and maintenance by third party vendors
- Remote workers in the field are being equipped with laptops that can communicate with the control systems or the corporate
  network, increasing productivity and enabling decisions to be made faster, and significantly reducing capex and opex costs
- Control systems (SCADA/DCS) are being implemented that communicate with HMIs, PLCs, MTUs, RTUs and Historians
  using protocols based upon TCP/IP, which will also be able to communicate directly with corporate networks
- Management systems in the Enterprise are establishing links to view data in the historians in the supervisory
  and industrial systems
However, increasingly, there is a realization that convergence brings risks and costs of its own, and ultimately, there is the
possibility that the benefits gained could be outweighed by the new risks introduced.
In consideration of the fact that hitherto, many industrial systems were intentionally isolated, what is the cost of the added
security that needs to be applied to make new interconnected architectures safe to operate?
What would be the cost of a cyber attack, loss of service or a disaster which could be caused by the enablement of such
connectivity?

Increasingly, there is a realization that IT/OT convergence brings risks and costs of its own that must be addressed.


CONVERGENCE: WHAT ARE THE RISKS?


The more exposed to external systems and the outside world an industrial system becomes, the greater is the threat that OT is
exposed to, and the greater is the risk of operational disruption. From the experience of those IT managers tasked with securing
the Enterprise network, the greatest risk now facing IP-enabled OT networks or OT networks that touch and link to external IP-enabled systems, will undoubtedly be the threat of malware or cyber attack. In addition, there is a greater risk of an individual with
insider knowledge using his skills to manipulate a system to detrimental effect. Furthermore, there is also the risk of a process
error or unintentional numerical error propagating through a system and causing damage: within a normal IT environment, such
process errors may have limited effect, however in the converged network, IT process changes require greater planning and must
be planned carefully with due consideration for the OT environment into which the IT has been deployed, understanding that the
OT technology surrounding it can be very sensitive to the rebooting of servers, installation of software or the application of patches.
Historically, communications between elements of control loops in industrial systems were enacted using non-routable protocols.
There was no consideration for IP networking between industrial network components and different sites. As such, the vast majority
of malware, which made use of IP, could not propagate in the core of industrial systems: isolation effectively meant protection.
Unfortunately, once devices become IP compatible and communication between network components is made possible, within
any two hierarchically flat networks that connect together, almost every device within both or all networks is now exposed to each
other: if there exists a single possible entry point for malware to penetrate a system, that ingress point becomes the Achilles Heel
of all networks that touch each other. Once inside, the malware or attacker will have the capability to spread or penetrate further.
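
The exposure described above can be checked on a model of the network. The following is an added example, not part of the original white paper: it compares a flat, joined network with an assumed zone-and-conduit layout and reports how far a single entry point is from the control devices. All device names, zones and conduits are constructed for illustration.

```python
from collections import deque

# Constructed inventory (hypothetical names): device -> network zone.
DEVICES = {
    "office-pc": "enterprise", "erp-server": "enterprise",
    "historian": "supervisory", "hmi-1": "supervisory",
    "plc-1": "control", "plc-2": "control",
}

# Assumed cross-zone conduits (source, destination) for the zoned variant.
CONDUITS = [("erp-server", "historian"), ("hmi-1", "plc-1"), ("hmi-1", "plc-2")]


def flat_links(devices):
    """Flat, joined networks: every device may connect to every other."""
    return {(a, b) for a in devices for b in devices if a != b}


def zoned_links(devices, conduits):
    """Free traffic inside a zone; between zones only the listed conduits."""
    same_zone = {(a, b) for a in devices for b in devices
                 if a != b and devices[a] == devices[b]}
    return same_zone | set(conduits)


def shortest_paths(links, entry):
    """Breadth-first search over allowed connections: {device: path}."""
    neighbours = {}
    for src, dst in links:
        neighbours.setdefault(src, []).append(dst)
    paths = {entry: [entry]}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in sorted(neighbours.get(node, [])):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def exposure(devices, links, entry, zone="control"):
    """Return {device in `zone`: number of hops from the entry point}."""
    paths = shortest_paths(links, entry)
    return {d: len(p) - 1 for d, p in sorted(paths.items())
            if devices[d] == zone}


def choke_points(devices, links, entry, zone="control"):
    """Devices whose isolation cuts every path from entry to `zone`.

    These are the places where monitoring and hardening pay off most.
    """
    result = []
    for candidate in sorted(devices):
        if candidate == entry or devices[candidate] == zone:
            continue
        pruned = {(a, b) for a, b in links if candidate not in (a, b)}
        if not exposure(devices, pruned, entry, zone):
            result.append(candidate)
    return result


if __name__ == "__main__":
    for name, links in (("flat", flat_links(DEVICES)),
                        ("zoned", zoned_links(DEVICES, CONDUITS))):
        print(name, exposure(DEVICES, links, "office-pc"),
              choke_points(DEVICES, links, "office-pc"))
```

In the flat model the control devices are one hop from the entry point and no single device can be isolated to protect them; in the zoned model they are still reachable, but only through intermediate systems that can be watched and locked down.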
Security experts in the world of IT operations have long since been forced to accept that malware now has the ability to touch and
connect to almost any network-connected element in the world. In addition, despite any and all cyber security precautions that
they may put in place, the reality is that if someone wants to perpetrate a successful cyber attack against a piece of IT, they will
succeed: it is only dependent upon how long they have to do it, and the amount of resource they have to apply to the task. Where
the motivation is high, they will find a way.
It is important that OT managers now begin to share this reality, because it will apply to them too: for the converged network,
the risks that IT and OT share are now both similar, not necessarily in how an attack may be perpetrated, but that at some time or
other it will be attacked.
Furthermore, cyber attackers identify and target the weakest links they can find. For legacy industrial systems which were previously
not connected to the outside world and were built without considerations for cyber security, in a converged network, OT may often
contain the weakest link. Hence, the focus of the cyber attacker may shift away from the Enterprise to the weakest links within OT,
where he/she has greatest chance of success.

It is important that OT managers now share this reality: it is inevitable that some cyber attacks against OT systems will be successful.

SECURITY FOR THE CONVERGED NETWORK
In many industrial networks, convergence is already happening, either by plan or unintentionally, through the innocent upgrading
of existing components with IP enabled devices or the intentional implementation of IP connections between different areas of a
network.
Whereas it is right to be cautious and concerned about the increased risks that convergence between IT and OT will bring, the
good news is that security solutions which are appropriate for the environment of the converged IT and OT world already exist.
Nevertheless, there are several significant challenges in navigating a safe path to the implementation of secure converged IT
and OT networks.

EDUCATING EMPLOYEES AND OT WORKERS


Historically, OT and ICS have emerged and evolved from a time when the risk of cyber attack was minimal or non-existent, and
networks were isolated, locked-down, and remote. Pre-convergence, in the world of OT, cyber attacks and malware threats were
not considered, because there was no clear and present threat to consider.
In the world of IT, it took many years of education and awareness generation to make employees security conscious, helping
everyone to understand the risk of cyber attacks and malware. There will be similar challenges in educating those who work in OT
and industry, made more complex by the fact that the systems and the attack vectors may be different.
The first main challenge is therefore for those involved in convergence to become aware and knowledgeable about the full extent of
any risk that convergence may expose them to: even though they may be familiar with their increased risk profile, it is possible that
lack of awareness of the full extent or the nature of the cyber threat could lull some engineers into a false sense of security. In fact
one of the challenges of security professionals tasked with helping to implement and strengthen cyber defences in OT and ICS,
is that many managers of ICS could still be unaware that components of their industrial processes could be vulnerable to attack,
without full understanding of the vectors by which they could be attacked or how malware could impact their systems.
Furthermore, in securing OT, it will not simply be a case of taking security systems designed for IT and mapping them and
implementing them in OT networks. Security architectures for OT will need to be carefully considered - for example, the role of
a firewall in IT networks is clear, yet their applicability in OT networks should be carefully evaluated: other solutions more akin
to the needs of securing communications between network areas within industrial systems may be more appropriate.
When considering how best to secure OT, consideration must be given to understanding what the critical processes and systems
are, and what threats they face. By prioritising these, security controls which are implemented must address the threats most
relevant to an organization, system or process.
As security managers start to raise awareness internally, they may encounter a resistance to change, with attitudes of employees
and industrial workers needing to be altered through education and awareness generating campaigns. As awareness of the issues is
increased, companies will need to encourage (and later enforce) adherence to strict security processes and industry guidelines that
will be introduced.
Initial resistance to change is understandable. Particularly where uninformed workers are highly motivated to do their job but see
new security procedures and devices as counter-productive steps taken to prevent them doing what they are paid to do.
For those working in OT and designing new systems, cyber security has to become a primary consideration. Where recent legislation
and guidelines have been introduced, they must be followed (e.g. Utilities: NERC CIP for power generators and suppliers / NEI 08-09
for Nuclear Power facilities). For other previously unregulated industries (Oil and Gas/Manufacturing etc.), new security standards
and procedures specific and appropriate to each industry will have to be agreed and implemented, and become a part of all daily
considerations, e.g. the NIST Cyber Security Framework, a voluntary cross-industry framework that is being adopted by the
non-regulated industries in response to a presidential executive order.

As security managers start to raise awareness internally, they may encounter a resistance to change. Education about the threat is critical to overcome this.

THE CHALLENGE OF HOW TO MAKE OLD INDUSTRIAL NETWORKS SECURE


Once a system, factory or process is built and tested, and is operational, it quickly embeds itself into the critical structures
of the organizations that operate them. When this happens, it is common to let them run, and run, and run. Some factories,
systems or processes have been running for ten, twenty, even thirty years, sometimes without interruption. Some ICSs, factories
and utility plants currently operating may still have the same systems (and lack of security) in place that they were originally
commissioned with.
In some industrial processes, systems or part of systems have been designed and supplied as bespoke, turnkey solutions
by vendors, with complex commercial arrangements covering supply chain responsibilities for processes, design, installation,
commissioning, ongoing service and upgrades. Making changes to these solutions to make them more secure, could involve
discussions with multiple partners and complex legal considerations, taking significant time and resource to implement.
Change, even for the better, may not be easy.
As a result, many industrial systems and processes critical to company and often national interests are currently dependent
upon a great deal of ageing and vulnerable systems: many of these systems cannot simply be taken offline to improve or
upgrade them because of the significant loss of revenue that lost production would incur, and they cannot be replaced by
more modern equipment because the cost would be prohibitive.
This creates several problems, as discussed below.

Patching OT networks becomes a risk trade-off: what is the risk that a system left unpatched will be hit by malware, versus the risk that by trying to secure the process/system, you break the process you are trying to secure?

Applying Patches to known Vulnerabilities
As those in the world of IT already know, the vast majority of malware and cyber attacks are launched by exploiting vulnerabilities in
software systems. The necessity to patch networks for known vulnerabilities with authorized software patches is well recognized by
IT security professionals: remove the vulnerability, and the risk is immediately reduced. However, in many live industrial processes,
there are two main hurdles to applying patches.
First, in critical systems, patches can only be applied in specific maintenance windows during which processes may be interrupted.
Often the time allowed and the urgency of other issues requiring maintenance mean that patching may not happen, or is delayed.
Secondly, with old systems, and systems which have operated continuously for long periods of time, there is a reluctance to touch
them at all, because of the very real possibility that if an old system is interrupted, and stopped, it might not start again.
Thirdly, before a patch should be applied, it should be approved and tested, either by the vendor, or the OT manager, or both. In
the world of IT, patches would first normally be tested in a laboratory testbed, or test network. In the industrial world of OT, this is
not as simple to do: being able to recreate a truly representative system on which to gauge the impact of any patch represents a
significant challenge. And without prior testing, how can an OT manager be sure a patch won't break their systems?
In these circumstances, it becomes a risk trade-off: what is the risk that a system left unpatched will be hit by malware, versus the
risk that by trying to secure the process/system, you actually break the very process you are trying to secure?

Reluctance to change existing systems


The lack of awareness of security issues, coupled with an understandable reluctance to alter systems and industrial processes
that have worked for many years, can lead to situations where new technology is attached to or overlaid on top of pre-existing
systems. New technology is simply bolted on to the network, without due consideration of the risks that the new technology
may introduce to the systems already in place.

Who is responsible for security and where?


As the worlds of IT and OT converge, who will be responsible for the security in the different parts of the wider network? Will
organizations set up one new group tasked with cyber security for the whole organization, including interfaces with partners/suppliers,
or will there remain a divide between those responsible for IT security and those responsible for making OT secure? Will there be
consultation between the two groups? Will they hold separate budgets? Clearly, those in IT who have been mitigating the cyber risk
within their Enterprise networks and IT operations have years of valuable experience to share with those in OT.
And between these groups, who will manage the security risk posed by the supply chain: the wording of contracts and legal
documents that cover the business engagements between the OT customer and equipment and services supplier? And who will
work with the supplier to ensure that their solutions are technically fit for purpose, safe and secure to implement and use within
the unique ecosystem of each industrial system?
If the groups remain separate, where will the demarcation lines be for responsibilities and budget spend?
On a final note in this brief discussion, we should address the question of resource and budget allocation; even if the
responsibilities between security groups are defined, consideration must be given by executive managers to ensure that sufficient
resource and budget will exist for those who need it. If not, convergence may take place, exposing security weaknesses that even
with the best intention, no one will have the ability or resource to fix.

Executive managers responsible for convergence must ensure that resource and budget exists for securing both IT and OT.


SUMMARY AND CONCLUSION


In this white paper we have looked at the two worlds of IT and OT, examined their history, and discussed the benefits and issues
that arise through convergence of those worlds.
For those working in the IT and OT industry, we are entering an exciting but challenging time.
Convergence will bring great benefits and competitive advantage to businesses that understand the key issues and take steps
to resolve them. These steps include:
- Recognising that whilst the primary security concerns in IT and OT are different - confidentiality in IT versus availability and
  integrity of systems in OT - the cyber threat now extends to them both
- Educating business leaders and employees to the nature of the threat that their systems are exposed to and the potential
  business impacts that could result from a security incident
- Identifying the appropriate technologies across the IT and OT estates that will secure data, protect critical systems and
  processes and successfully mitigate the risks faced by both environments
- Ensuring that there is clear accountability for those responsible for security and systems across IT and OT in the converged
  network, and that they have the resources and funding to carry out their tasks.
In the next white paper in this series we will look in more detail at the specific security issues created by the convergence
between IT and OT systems and will examine in more detail the nature of the threats we face.
To learn how BAE Systems Applied Intelligence can help your company improve your security posture, and to learn more about
new solutions we have developed to protect critical national infrastructures, industrial systems and processes, please contact your
local BAE Systems representative.
Follow the link below for more information on IndustrialProtect:
www.baesystems.com/industrialprotect


ABOUT US
BAE Systems Applied Intelligence delivers solutions which help our clients to protect and enhance their critical assets in the
connected world. Leading enterprises and government departments use our solutions to protect and enhance their physical
infrastructure, nations and people, mission-critical systems, valuable intellectual property, corporate information, reputation
and customer relationships, and competitive advantage and financial success.
We operate in three key domains of expertise:
- Cyber Security: helping our clients across the complete cyber security risk lifecycle
- Financial Crime: identifying, combating and preventing financial threats, risk, loss or penalties
- Communications Intelligence: providing sophisticated network intelligence, protection and controls
We enable organizations to be more agile, increase trust and operate more confidently. Our solutions help to strengthen national
security and resilience, for a safer world. They enable enterprises to manage their business risks, optimize their operations and
comply with regulatory obligations.
We are part of BAE Systems, a global defense, aerospace and security company delivering a wide range of products and services
including advanced electronics, security and information technology solutions.

T: +1 (617) 737 4170


E: learn@baesystems.com
W: www.baesystems.com/ai
www.twitter.com/baesystems_ai
www.linkedin.com/company/baesystemsai

Victim of a cyber attack? Contact our emergency response team on:
UK Freephone: 0808 168 6647
Australia: 1800 825 411
International: +44 1483 817491
E: cyberresponse@baesystems.com
Certified Service
Cyber Incident Response

Copyright BAE Systems plc 2014. All rights reserved.


BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Applied Intelligence Limited registered in England &
Wales (No.1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7RQ. No part of this document may be copied, reproduced, adapted or redistributed in any
form or by any means without the express prior written consent of BAE Systems Applied Intelligence.

CYNEUWPEN_BEAU0814_ITOT_v1

For more information contact:



BAE Systems Applied Intelligence
265 Franklin Street
Boston
MA 02110
USA
