
Understand the best IT/OT convergence strategies


How to reconcile differences

There are three possible ways to address the unique requirements of OT. The first is rarely practical: create a totally separate network for it. The second and third both accommodate OT differences using the same technology as IT networks. The second creates an OT partition, and the third prioritizes OT traffic within the IT framework. The two can be applied independently, but it’s best when they’re used together.

Partitioning IT/OT networks means creating a separate virtual network for each to isolate the OT traffic and manage connectivity. Admins can more easily prioritize OT traffic if it’s separated in a virtual network.

Creating a separate IP subnet for OT traffic is an obvious step. OT applications would normally deploy within an IP subnet, where each component would be given a private IP address that cannot be routed onto the internet. Selected components that require outside access can be exposed to the organization’s VPN. Today’s containers, particularly those built around Kubernetes, make this kind of structure easy to build and use.

Organizations often use private IP addresses only within IP subnets, but it’s possible to build them on a pan-application scale, moving all OT traffic into a private IP address space. Only expose the addresses of APIs that are referenced from outside. Sensors and controllers can also be protected if they are placed in the same address space as the applications and hosts. Most of the interactions between control elements and OT applications will then take place within the private virtual network, and none of the sensor and controller addresses needs to be exposed to the organization’s VPN or to the internet. In effect, this measure builds an almost-independent OT community that shares resources with IT applications but is partitioned from those applications and their users.
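As an added illustration that is not part of the article, the following Python script audits a constructed OT inventory against the partitioning rules just described: every component sits on an RFC 1918 private address inside the OT subnet, and nothing but an approved application API is exposed to the organization’s VPN. The component names, addresses, subnet and approved API list are all hypothetical.

```python
import ipaddress

# RFC 1918 private ranges: addresses that cannot be routed onto the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed example: the OT partition is one private subnet, and only one
# application API inside it is approved for exposure to the organization's VPN.
OT_SUBNET = ipaddress.ip_network("10.40.0.0/16")
APPROVED_APIS = {"10.40.0.5"}

# Constructed OT inventory (hypothetical names and addresses):
# (component, address, role, exposed_to_vpn)
INVENTORY = [
    ("hist-api",        "10.40.0.5",   "application", True),
    ("plc-line-1",      "10.40.1.10",  "controller",  False),
    ("flow-sensor-7",   "10.40.2.77",  "sensor",      False),
    ("temp-sensor-3",   "10.40.2.78",  "sensor",      True),   # sensor exposed: violation
    ("hmi-vendor-link", "203.0.113.9", "application", True),   # not private, not approved
    ("legacy-gw",       "10.9.0.14",   "controller",  False),  # private but outside OT subnet
]


def is_rfc1918(ip):
    """True if the address falls in one of the RFC 1918 private ranges."""
    return any(ip in net for net in RFC1918)


def audit_partition(inventory, ot_subnet=OT_SUBNET, approved_apis=APPROVED_APIS):
    """Return (component, reason) findings for every entry that breaks the
    partition rules: private address, inside the OT subnet, and nothing but
    an approved application API exposed to the VPN."""
    findings = []
    for name, addr, role, exposed in inventory:
        ip = ipaddress.ip_address(addr)
        if not is_rfc1918(ip):
            findings.append((name, "address is not RFC 1918 private"))
        elif ip not in ot_subnet:
            findings.append((name, "address is outside the OT subnet"))
        if exposed and role != "application":
            findings.append((name, f"{role} must never be exposed to the VPN"))
        if exposed and addr not in approved_apis:
            findings.append((name, "exposed endpoint is not an approved API"))
    return findings


if __name__ == "__main__":
    for component, reason in audit_partition(INVENTORY):
        print(f"{component}: {reason}")
```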

The partitioning of OT networks using subnets or private IP addresses won’t make the applications invisible at the LAN level. For greater IT/OT isolation, it’s possible to actually segment the LAN to provide almost complete isolation. Virtual LAN technologies include the standard IEEE 802.1Q specification and proprietary VLAN implementations from vendors like Cisco. Recently, it’s become possible to build highly flexible VLANs of unlimited numbers and sizes using software-defined networking. The OpenFlow standard provides a means of controlling switches to create explicit VPNs. Organizations, including VMware, Juniper and Nokia, offer other methods.

VLANs are the most practical way to provide LAN partitioning of OT hosts and applications, because they can separate applications even within a data center. For the sensor and control part of an OT network, it’s sometimes easier to use a different physical LAN, whether wired Ethernet, Wi-Fi or a combination. OT sensors and controllers are usually located in limited areas, so LAN partitioning might be easier to do there.