Home » Research  |  IT vs OT |  When Facing The Insider Threat What Happend | Free Software vs Open Source | ask me |

Priscilla Felicia Harmanus · 1993 from the Netherlands · Last update: 28 may 2020

Information Technology vs. Operational Technology

Where the physical and digital world come together

bridging IT and OT

Differences between IT and OT environments

Traditionally, OT and IT networks have historically been kept separate.

In earlier days, ICS where standalone systems and protocols were most of the time proprietary. There was less ICS security awareness needed. Because these protocols were hard to understand, but more important because systems were never, or almost never connected to the internet. The last years, more and more ICS are internet ready and also actually connected to the internet. With this, the old systems are indirectly also unlocked to the internet. Fig. 1-1 illustrates the gap between IT(Information Technology) and OT(Operational Technology).
Poster: Cybersecurity for Industrial Automation from VKA We know that our dependence on the internet also creates risks. These cyber threats not only affect our office automation, but also the industrial automation systems (ICS / SCADA). For example, VKA supports Rijkswaterstaat in keeping its bridges, tunnels and sluices safe. But these threats also apply in many other industries, such as (mass) production companies and hospitals.

For a long time, SCADA systems were protected with obscurity and isolation. The systems were not connected to the Internet and the console commands were difficult for hackers to manipulate. However, with increasing proliferation of networking and development of GUI command and control environment, it has become much easier for hackers to penetrate into the once secure SCADA world and to disrupt and disable the operation of expensive equipment causing huge losses to the industry. The hackers can attack SCADA system to obtain access to SCADA master control station, compromise RTU (Remote Terminal Unit) or local PLC (Programmable Logic Controller), spoof RTU and send incorrect data to master control station, shutdown RTU and modify RTU control program [1]. The losses caused by such intrusions run into millions of dollars with potential health and safety hazards for large populations. Therefore, it has become increasingly important to provide security to the SCADA systems.

Open source software has been established as a viable alternative to the commercial software through the efforts of thousands of volunteers coordinating the development work through Internet communications. Most of the open source software uses the well tested Linux platform and released under GNU public license. Several security tools have been developed with open license

Linux evolved in a completely different way. From nearly the beginning, it was rather casually hacked on by huge numbers of volunteers coordinating only through the Internet. Quality was maintained not by rigid standards or autocracy but by the naively simple strategy of releasing every week and getting feedback from hundreds of users within days, creating a sort of rapid Darwinian selection on the mutations introduced by developers. To the amazement of almost everyone, this worked quite well.

Automation will permeate everywhere. Linux, by its very nature, has the opportunity to dominate universal automation. Over the long run, the evolutionary track of software created by interested users is stronger because any software survives according to the degree it fits into its ecological niche. Linux consumers build Linux. As long as the community can sustain sufficient self-organization, adaptive success is guaranteed. The ecological strategy of proprietary vendors is far different. These vendors try hard to adapt their products into ecological contexts they control, manipulating the consumer by positive marketing as well as by more disingenuous tactics. While carefully reading the tea leaves of user preferences, they cook the leaves with calculated marketing campaigns.

How does Linux lose against the interests of these proprietary vendors? One good way to fail is to lose touch with the very community Linux is being built for and by. This effect can be discerned in the disorganization brought about by disrespect and infighting amongst key groups and individuals of the open source and free software communities. Self-interest leads to survival, but out of balance only narrows the relevance of Linux and may even lead to its downfall. As often as not, the Linux community is its own worst enemy.

The combination of zero royalties and low hardware costs enable the prerequisite infrastructure of large projects to be built cost effectively. Furthermore, maintenance and upgrade costs can be controlled by the project more efficiently. While software evolution is more rapid under Linux than under commercial operating systems, each project nonetheless can select the upgrades and maintenance which are appropriate to its own specific requirements without arbitrary vendor upgrades and artificial external costs. Support cannot be withdrawn because a complete snapshot of the source code used for the project is always available.

For example, many large-scale projects exist which have been developed in the public domain but which are tied to a proprietary infrastructure. In one such case, the U.S. Weather Service has built a large, public domain source system for weather forecasting based upon Hewlett Packard's (HP) proprietary Unix operating system and compilers. The costs of implementing a national-scale forecasting system on high-priced HP equipment would be prohibitive to all but the wealthiest countries. However, with some effort, the entire code base could be converted to Linux and built using standard open compilers such as g . Several template facilities might need to be reworked against the template limitations of g , and data byte order assumptions embedded in some parts of the code must be resolved, but in theory such a conversion could be completed successfully. Then a top-rate automated weather tracking and early-warning system could be implemented wherever raw data could be obtained to feed the forecasting software. Although obtaining raw weather data is not trivial, literally hundreds of programmer-years worth of work on a world-class front-end weather system already has been provided. Once available under Linux, modern weather forecasting services could begin to become available to developing nations worldwide.

Product development also benefits from the same factors. Any number of commercial products can be built without the traditional dependencies on external licensing and support. The control of Linux-based software products can be fully vested in the project itself. Projects can be jump started with fewer legal and financial dependencies. New products can be built by virtually any source in the global development community and can compete on technical merit with few licensing constraints and no royalty encumbrances. Some examples might be a Linux version of the popular modem multiplexers such as Webramp, or Linux-based PDAs, office Intranet and file servers, etc. Linux is highly suited for building any software or firmware product that is service oriented and capable of being remotely, especially Web managed.

But can product developers basing their work on GNU Public License (GPL) open source software such as Linux still protect their valuable intellectual property, their inventions? If they have incorporated GPL source software, then they typically must provide their own product's source code also. In some cases this will not be a problem. Where it is, then the developer should build their product using dynamic libraries if possible. If dynamic libraries are not sufficient, then alternative open source software, such as FreeBSD, could be used as a basis for their product. However, hoarding inventions contradicts the spirit as well as the many advantages of Linux and open source software. While fully adhering to open source practice, vendors such as Red Hat have implemented a business model that emphasizes other product differentiators including packaging, ease of use, configuration utilities, and service, etc. Large projects can greatly benefit from open source practice since they are normally sold based on expertise and long-term maintainability. When the complete project source code is available, the lifecycle stability of the entire project is enhanced.

How I discovered Free Software and met RMS 


How to install proprietary closed software in Ubuntu

 

Home » Research  |  IT vs OT |  When Facing The Insider Threat What Happend | Free Software vs Open Source | ask me |

Traditionally, OT and IT networks have historically been kept separate GOOGLE SEARCH!.

The Internet Of ThingsIoT


Vroeger waren ICS standalone systemen. En protocollen waren meestal gepatenteerd. Er was minder ICS-beveiligingsbewustzijn nodig. Omdat deze protocollen moeilijk te begrijpen waren, maar belangrijker omdat systemen nooit of bijna nooit met internet waren verbonden. De laatste jaren zijn steeds meer ICS internet ready en ook daadwerkelijk verbonden met internet. Hiermee zijn de verouderde systemen indirect ook "unlocked" voor het internet.
Informatie Technologie vs. Operationeel Technology

In earlier days, ICS where standalone systems and protocols were most of the time proprietary. There was less ICS security awareness needed. Because these protocols were hard to understand, but more important because systems were never, or almost never connected to the internet. The last years, more and more ICS are internet ready and also actually connected to the internet. With this, the old systems are indirectly also unlocked to the internet. 

Information Technology vs. Operational Technology


• In procesautomatisering van oudsher veel nadruk op fysieke (toegangs)beveiliging. (Toegangscontrole is ook digitaal) *
• Koppeling OT - IT (kantooromgeving) geeft verhoogde kans op cybersecurity risico’s *
• Groeiend aantal verbindingen / connecties doet complexiteit toenemen
• Risico procesautomatisering is risico IT plus risico OT (optelsom risico’s)
• Menselijke factor is ook in OT omgevingen het grootste risico *
• Verschuiving Safety naar Security (kan ook safety mee gemoeid zijn)

Binnen de industrie is het personeelstekort het grootst bij bedrijven die werkzaam zijn in de machine-industrie en de reparatie en installatie van machines

> Recommended readings


 

Als hackers toegang krijgen tot dergelijke systemen kunnen ze mogelijk controle krijgen over kritieke infrastructuur, zoals de bediening van bruggen en sluizen.

 

Home » Research  |  IT vs OT |  When Facing The Insider Threat What Happend | Free Software vs Open Source | ask me |