IT vs OT: We spoke to the UK’s former maritime counter-terrorism commander and military government adviser to COBR about why so many cybersecurity solutions are ineffective
Cybersecurity is obviously a hot topic right now. But Nigel Somerville MBE MC, Managing Director of Cyber Prism Maritime, believes that there is a fundamental problem with the way most products tackle it. We interviewed Somerville alongside Keith Chappell, Technical Director of Cyber Prism and former Technical Business Director of L-3 TRL, to find out more. Cyber Prism Maritime offers an innovative solution to a critical cyber security vulnerability on yachts and ships.
Explain to us what IT is, what OT is, and the difference between them?
KC: Operational Technology (OT) refers to control systems which manage operations as opposed to Information Technology (IT) systems which manage data and administrative tasks. Operational systems include Navigation, Helm, Engines, Stability, HVAC, Power, Communications, AVI, and Cameras. Typically, IT systems have opposing priorities to those of OT. IT systems need to be Confidential, of High Integrity and Available (CIA) in that order.
For example, it is more important that your bank details are protected than that the transaction data be correct and that the transaction can be made. The loss of your bank details (Confidentiality) could lead to multiple fraudulent transactions of unknown value, an Integrity issue could lead to a single erroneous transaction, and lack of the Availability of the system could only lead to the safe but inconvenient situation of no transaction.
OT systems are in reverse. They must be always Available; they are usually configured to mitigate the risks of Integrity failures, and Confidentiality is rarely an issue in these systems (AIC). As an example, the Availability of the system to steer the vessel is vital, the Integrity of the control input can be checked (too fast, too severe etc.), and the fact that a steering input has been made need not be Confidential.
NS: IT systems evolve rapidly and are relatively cheap, allowing them to be replaced/regularly upgraded to keep pace with new technologies but also to allow shortcomings, especially those related to cyber security, to be managed.
OT systems until recently were never designed to be connected to IT systems and, being considerably more expensive, evolve at a much slower pace. Unfortunately, this means that they remain vulnerable to cyber security issues for much longer, if indeed these issues are ever addressed.