IT, OT teams need to work together
Information technology (IT) and operations technology (OT) experts agreed that both sides can learn from one another and need to be willing to share and open up so both sides can benefit.
Cybersecurity is way too big for the manufacturing automation sector to handle on its own and that is why working with IT has so many benefits.
That convergence between information technology (IT) and operations technology (OT) is becoming clearer at events like the traditionally IT-centric Black Hat USA 2016 in Las Vegas. OT can learn from the advances IT has made in security over the past few decades.
One of the areas OT is learning to pick up on is the idea of speed.
"Speed is an important factor for security," said Jeff Moss, a computer researcher and founder of Black Hat and DEF CON security conferences, during the kick off to Black Hat USA 2016 in Las Vegas Wednesday. "Speed can be measured. Time it takes to remediate. How long to cleanup a breach. Speed is a key metric."
In fact, he said, when he ended up invited to give a talk at a chief executive roundtable, the top concern these leaders talked about was speed. They talked about speed to market; speed to react. The more secure an organization is, the more they are willing to push the envelope because a company feels confident in protection. "As we allow computers to take more risk, (you can gain a) speed advantage through confidence in your security."
"Speed has totally changed how we have to learn and adapt from our experiences," he said.
Kaminsky's keynote focused mainly on advanced technologies years away from OT, but in reality OT could learn from; if not the technology, just the idea of thinking differently.
One topic focused on a micro-sandboxing system that uses small virtual machines (VMs) to carry out sensitive tasks, limiting their ability to infect other parts of the system.
This idea limits the ability of the code running in the VM to communicate, and monitor what is going on inside to make sure there are no unexplained requests.
Another idea was a "magic browser," which could allow web designers to build webpages that allow functions in a known safe state.
"People are afraid of going on the Internet because they fear a security incident of some type," he said.
Lack of confidence
That fear is also leading to a lack of confidence in advances in technology.
"With the Internet of Things (IoT), people are assuming it is insecure out of the gate," Kaminsky said. "Usually an industry has time to get their act together. Those days are over. We are not taking all the lessons we have learned and then doing something about it."
Kaminsky talked about instead of keeping security a secret, users should release information.
"You are not competing on security," he said. "We should release code so it is out there. Don't be afraid of taking the knowledge exchange and make it more accessible to other people."
Sharing security information is something the OT industry can learn and work to advance.
Protecting the supply chain
At the Codenomicon event, there was a talk that had an OT angle to it entitled "Mitigating software supply chain risks—gaining trust of software in cyber assets."
Schneider Electric's director of cybersecurity and architecture Paul Forney talked about the supply chain and ensuring its security. One way of ensuring a secure supply chain, he said, was having an organization committed to a secure development lifecycle.
Traditionally, IT and OT has not been a strong relationship. But it is getting better—and stronger. For a secure manufacturing enterprise in the Industrial Internet of Things (IIoT) environment, IT and OT will have to work together.
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, firstname.lastname@example.org.
See additional stories from ISSSource about the IIoT linked below.
Control Engineering is hosting a webcast on October 20 on cybersecurity and the IIoT. Click here to register.