Managing Operational Technology Identities in the Industry 4.0 Era

The Fourth Industrial Revolution Brings Challenges and Benefits to Today’s Businesses

In 2015, Klaus Schwab, executive chairman of the World Economic Forum, announced that we are now in the Fourth Industrial Revolution.

The First Industrial Revolution used water and steam power to help move production from manual to mechanical. The proliferation of railways, telegraph lines, and electricity defined the Second, speeding the transfer of ideas and enabling mass production. In the Third, companies used electronics and information technology (IT) to automate production. 

Now, artificial intelligence, the Internet of Things (IoT), cloud computing, and other technologies automate data exchange and further evolve the manufacturing processes. Welcome to the Fourth Industrial Revolution.

Over the past several decades, industries have transitioned from using analog and pneumatic controls to programmable logic controllers (PLCs), distributed control systems (DCSs), supervisory control and data acquisition (SCADA) technologies. While most organizations only think about these types of controls when they think of Operational Technology (OT), the advent of IoT has broadened its definition to include any technology that is non-Windows or Linux-based. 

Over time, IoT has changed the landscape of the industry. IP-enabled networks connect the OT side and the information technology (IT) side. New sensor technologies, advanced robotics, and OT devices allow IoT systems to provide even more data to analyze and act on — but can also decrease visibility. 

As these new technologies have come online, they have provided personnel with an ever-increasing volume of industrial data to monitor, optimize, and control. However, the convergence of IT and OT systems also bring significant benefits.

Capitalizing on Digital Transformation in the New Age

Differences in IT and OT functions, technology stacks, and cultures have created significant barriers to IT-OT convergence in the past. Historically, the lack of connectivity of OT to other systems provided a level of security because devices needed to be physically accessed to alter their programming. But, OT environments’ separate purpose-built applications have obscured enterprise visibility.

This air-gapped architecture (or security by isolation) helps prevent intrusion into things such as a robotic arm that could wreak havoc if shut down — or if programmed not to complete its task. A more dramatic example would be preventing an outsider from remotely shutting down a power grid.

Now that we are in the Fourth Industrial Revolution, IT-OT convergence is gaining momentum. Companies can capitalize on the benefits of digital transformation and newly available information provided by OT in the following ways: 

• Improved technology management
• Increased productivity 
• Enhanced agility
• First-mover advantages
• Decreased costs

So, What Does This Mean for Identity?

Each new system added to the IT network is a new identity. Throw in anyone who needs access to an OT system or terminal — and any IoT device that connects to the network or talks to other systems — and you’ve significantly increased your need for oversight. 

This expanding ecosystem introduces additional vulnerabilities and drastically alters the threat landscape. In many instances, network security solutions may not detect IoT connections or provide visibility into the extent of an organization’s threat landscape.

More Identities, More Challenges 

How can organizations maintain security and simplify overall management without slowing things down? Traditional identity access management (IAM) solutions have cobbled together disparate technologies with disparate management systems. On-premises systems were not built for cloud environments and can impose additional management and visibility challenges. None of this helps simplify daily governance and administration.

These new challenges require organizations to take a converged approach to identity management to succeed. Identity Governance and Administration (IGA) systems must provide complete visibility, risk insight, and governance for OT domains. Modern cloud-based IGA systems can help companies adapt and solve high-priority use cases, including: 

• Onboarding individual OT sites with patterns built for future use 
• Providing visibility and governance of OT accounts and IoT device
• Extending governance across multiple OT sites in a repeatable pattern
• Accounting for the entire identity lifecycle within OT environments (joiner, mover, and leaver)

Saviynt Enterprise Identity Cloud (EIC) Converges IT-OT Identity Management

Saviynt EIC extends IGA to OT environments to account for all lifecycle management use cases, including revocation of access to OT systems upon immediate termination. With Saviynt, you can extend standard IGA use cases to OT environments and configure OT-specific use cases.

Customers Already See the Benefits

In Australia, Saviynt EIC is helping a utility customer automate certification checks to ensure proper access to gas turbines. Saviynt also helped the customer configure separate integrations to OT-specific Active Directory domains. They integrate OT-specific applications through built-in active directory (AD) integrations, providing closed-loop remediation via the same channel.

In another example, a Saviynt customer in the energy sector needed to constantly monitor its internal power plant systems and gas exploration facilities. Saviynt not only ensured the right people with the right credentials could enter and exit the power plant gates — but also that they could enter and exit internal systems through clear firewall demarcations between IT and OT. These systems were running on completely different protocols, such as SCADA.

Embracing a New Model to Manage IT & OT Assets

If you’re looking to secure OT environments as they converge, Saviynt can help. Saviynt EIC employs a virtual private cloud (VPC) approach to launch isolated networks specific to customers — and to their unique cloud environment. EIC defines multiple subnets to further group instances and sets up routing and security to control incoming and outgoing traffic flows for each instance.

This model provides the ability to configure specific instances to handle corporate IT and OT-specific assets and use cases. You can control communication between instances and data flows based on local regulations — and configure different OT/Asset environments with limited access via VPC configurations.

Saviynt EIC utilizes a superior, cluster-based multi-tenant architecture to provide maximum security. This ensures complete isolation from the internet or public access. Saviynt EIC also provides dedicated access needed via IPsec VPN tunnels — and for high volumes of users/transactions that demand low latency and specific performance requirements.

Saviynt EIC provides:

• 360° visibility of all IT-OT identities connected to your network on-premises, in the cloud, or hybrid environments
• Streamlined administration
• Reduced attack footprint
• Automated last mile provisioning for onboarding disconnected applications
• Accelerated time to market through better decision making

The new era of Industry 4.0 brings tremendous opportunities. With Saviynt, businesses can overcome the challenges and reap the benefits with greater efficiency and security.