OT or operational technology is often mentioned in contexts that refer to industrial environments, factories, and power plants. But what about the shells of the factories, the hospitals, or the server rooms of the most critical IT solutions? Their operations are all for sure secured by physical structures but the proper indoor air conditions, access control, and fire safety are ensured with operational technology.
So, OT is everywhere - from Earth to Mars and beyond. OT is big and powerful - maybe bigger than IT itself. And as in factories, production lines, and power plants, “OT of the built environment equals systems and solutions, equipment, processes, and services used to run the built environment to function in accordance with the intended use. OT systems often use the same technological platforms, equipment, IoT, and network solutions as IT systems” even though they might physically look a bit different than laptops and servers. (Hanna Pikkusaari & Juha Viinikka)
And how does OT differ from IT? Not much. But one particular feature is prioritization. In an IT environment it’s quite easy to prioritize the solutions by business requirements; by business criticality, customer satisfaction, reputation damage, maximum estimated loss etc. But in an OT environment (e.g. in buildings and in production lines) there is always life to be considered. One day the “life” is the CEO of the company with influential guests approaching the door that has to open at 9 PM sharp but the remote connection is down because of a network disconnection. IT’s major incident management (MIM) team does not consider this as a major incident worth escalating because the solution functions as it should during a network outage. At the same time the OT team knows that the door has to be opened unobtrusively and just in time. But just like a miracle, the network connections are restored and the remote control activated. Nobody notices the outage. Nobody knows the reason. (Btw, this is a true story.)
But another day life is people running the wrong direction heading towards the fire or fish freezing to death in an aquarium when the heating is off and it’s minus degrees Celsius outside. One day the life is someone checking the server room when the carbon dioxide fire extinguisher is triggered by a reason or an accident. When the problem is minor, the priority is not high even though the process would not function at all at a certain time. But when the problem is major the priority exceeds all IT prioritization - it may be about life and death. This is why OT is very hard to prioritize and hard to understand for a straightforward MIM team. This is why OT needs its own trustworthy and strong leadership.
Other differences are e.g. the way OT is organized. It actually may not have been organized at all. Why would someone use resources to build up an organization to be responsible for the technology that is just the minor (read: major), necessary, and annoying part of a construction project increasing complexity with the dependencies between IT, IoT, cloud solutions, outsourced teams, EU GDPR, non-European countries etc? Or why would someone be interested in that part of cybersecurity that is cut out (accidentally) from the IT cybersecurity team’s responsibilities but for that reason cause a threat to the entire business?
So, there are some differences between IT and OT but the goals of OT should follow a company’s strategy towards a courageously set vision as IT does. The management and organization should follow the company values as IT does. And the success must be described and measurable as in any smartly set business case.
This is OT. By popular demand.