Yes, you read it correctly: Shadow OT, with an O. We have barely managed to deal with Shadow IT, and a new threat already looms at the horizon. Operational Technology (OT) has become as affordable and available as IT, which leads to yet another cause of IT management worries.
Once, not even so long ago, IT was so expensive that enterprises built entire departments to prioritize spending and efficiently manage those costly investments. Now, IT is so inexpensive that any individual who wants IT can buy it (or rent it) without even consulting the IT department. This is generally known as Shadow IT: information technology that the IT organization does not know about.
While many IT managers are still struggling to get this entire Shadow IT under control, we are already witnessing the same phenomenon with OT (Operational Technology): , the rise of the Internet of Things has led to many affordable solutions to everyday problems. These solutions are so appealing that the hospital staff gladly bypass the traditional purchase and integration process in order to enjoy the benefits more quickly and more easily. A scenario not unlike most Shadow IT stories.
One of my colleagues shared a story on a hospital in the US Northeast, where the nurses put motion and moisture detecting pads in thirty hospital beds on one ward, with remote monitors in the nurse’s station. Instead of walking into each room every hour or two overnight, nurses monitored the patients for signs of motion or possible spills centrally. This improved patient care. Patients who were sleeping soundly remained undisturbed, while those who needed attention got it quickly. The nurses had more time to manage paperwork, prepare medications, and attend to other duties. The experiment was so successful that sensors were installed on beds across the hospital – over 1,000 in total. But when the WiFi network needed for the communication was handed over to the IT department, this was not considered a very welcome present.
The risks associated with Shadow IT are generally known:
- it is not governed and may violate compliance regulations,
- it is not integrated into the organization’s information security program and may present additional attack surfaces,
- it is not covered by the IT organization’s functional strategies so it will not be backed up or included in the enterprise disaster recovery plan, and
- it is not included in the organization’s enterprise architecture so it may drive investment into counter-strategic channels.
- The same can be said about OT. The Internet of Things brings sensors, actuators, and programmable analytics within the budget of most organizations. These organizations are acquiring capabilities without any governance, security, centralized management or architecture. This wave of ungoverned OT will eventually end up in IT’s lap.
Shadow IT, and now Shadow OT, is an understandable phenomenon: people will always use available technology to solve business problems whether IT approves or not. Rather than trying to fight Shadow Technology it is better to embrace this creativity: provide tools and training to help power users make better choices. By opening the lines of communications, IT can improve the overall security and management of its technology portfolio, both IT and (I)OT, and look out for what may come next.