Industrial Internet Security Framework v 1.0 | Page 14

Security Framework
2: Motivation
critical infrastructure. With a geographically distributed IIoT system, care must be taken to ensure that disruption of an isolated system does not cascade to have global effects.
Organizations must take these risks seriously; they must use their expertise to make their IIoT systems trustworthy. The use of sensors and actuators in an industrial environment is not the typical Information Technology (IT) experience, nor are systems that span many organizations and organizational systems. IT and OT prioritize system characteristics differently. For example, resilience in IT is less important than in OT, and security is less important in OT than in IT, as illustrated in Figure 2-1. These characteristics interact with each other, and can conflict. In IIoT systems, these system characteristics must converge and be reconciled with each other into overall system trustworthiness.
Figure 2-1: Convergence of IT and OT Trustworthiness
IIoT organizations must place increased importance on safety and resilience beyond the levels expected in many traditional IT environments. IIoT systems may also have data flows that include intermediaries and involve multiple organizations, requiring more sophisticated security approaches than, for example, link encryption. Unfortunately, IT departments rarely speak the same language as those concerned with control systems and OT. The two perceive risk differently, and they cannot be combined for positive gain without a balanced consideration of their differing motivations.
The highest priority of many OT systems is safety: do not cause injury or death, do not put the public at risk and protect the environment from harm. The second and third priorities are often quality of production and meeting production targets, which depend on the reliability and resilience of the system. Reliability and resilience are required to prevent the interruption of society-critical processes such as the electric grid, and to avoid idling machinery that represents large investments in physical infrastructure. Security aspects are considered in OT, but given that most systems are not connected, it is mostly physical security. (Some industries, such as healthcare, must protect patient data.) Security concepts such as user-based access control apply less often in OT systems than they do in IT.
IIC:PUB:G4:V1.0:PB:20160926 - 14 -