Industrial Internet Security Framework v 1.0 | Page 22
Security Framework
4: Distinguishing Aspects of Securing the IIoT
Figure 4-1: IT/OT Convergence
4.2
SECURITY EVOLUTION IN IT AND OT
Security to date has been mostly IT-centric. This view comes with some implicit assumptions
about how risk is managed, that is, endpoints are adequately secured and communications
between machines are protected. IT often assumes a client-server model, where clients and
servers run multiple processes, and communicate using a well-known set of protocols such as IP,
TCP or HTTP. Because of this homogeneity, security controls and monitoring assume a range of
well-known attacks and attack models.
The evaluation of risk in IT systems depends on the probability of a successful attack and the
damage that would be caused, but this damage usually involves money or reputation and rarely
accounts for other outcomes such as safety threats. As a result, from business decisions to
implementation, OT security is overlooked. Attack types that are common in OT, such as physical
attacks, are not part of policy, and network elements do n