Industrial Internet Security Framework v 1.0 | Page 22

Security Framework 4: Distinguishing Aspects of Securing the IIoT Figure 4-1: IT/OT Convergence 4.2 SECURITY EVOLUTION IN IT AND OT Security to date has been mostly IT-centric. This view comes with some implicit assumptions about how risk is managed, that is, endpoints are adequately secured and communications between machines are protected. IT often assumes a client-server model, where clients and servers run multiple processes, and communicate using a well-known set of protocols such as IP, TCP or HTTP. Because of this homogeneity, security controls and monitoring assume a range of well-known attacks and attack models. The evaluation of risk in IT systems depends on the probability of a successful attack and the damage that would be caused, but this damage usually involves money or reputation and rarely accounts for other outcomes such as safety threats. As a result, from business decisions to implementation, OT security is overlooked. Attack types that are common in OT, such as physical attacks, are not part of policy, and network elements do n