IT, OT teams need to work together

Information technology (IT) and operations technology (OT) experts agreed that both sides can learn from one another and need to be willing to share and open up so both sides can benefit.


Cybersecurity is way too big for the manufacturing automation sector to handle on its own and that is why working with IT has so many benefits.

That convergence between information technology (IT) and operations technology (OT) is becoming clearer at events like the traditionally IT-centric Black Hat USA 2016 in Las Vegas. OT can learn from the advances IT has made in security over the past few decades.

One of the areas OT is learning to pick up on is the idea of speed.

"Speed is an important factor for security," said Jeff Moss, a computer researcher and founder of Black Hat and DEF CON security conferences, during the kick off to Black Hat USA 2016 in Las Vegas Wednesday. "Speed can be measured. Time it takes to remediate. How long to cleanup a breach. Speed is a key metric."

In fact, he said, when he ended up invited to give a talk at a chief executive roundtable, the top concern these leaders talked about was speed. They talked about speed to market; speed to react. The more secure an organization is, the more they are willing to push the envelope because a company feels confident in protection. "As we allow computers to take more risk, (you can gain a) speed advantage through confidence in your security."

Dan Kaminsky, a security researcher and chief scientist of White Ops, which specializes in detecting malware activity via JavaScript, started off his keynote address by agreeing with Moss.

"Speed has totally changed how we have to learn and adapt from our experiences," he said.

Kaminsky's keynote focused mainly on advanced technologies years away from OT, but in reality OT could learn from; if not the technology, just the idea of thinking differently.

One topic focused on a micro-sandboxing system that uses small virtual machines (VMs) to carry out sensitive tasks, limiting their ability to infect other parts of the system.

This idea limits the ability of the code running in the VM to communicate, and monitor what is going on inside to make sure there are no unexplained requests.

Another idea was a "magic browser," which could allow web designers to build webpages that allow functions in a known safe state.

"People are afraid of going on the Internet because they fear a security incident of some type," he said.

Lack of confidence

That fear is also leading to a lack of confidence in advances in technology.

"With the Internet of Things (IoT), people are assuming it is insecure out of the gate," Kaminsky said. "Usually an industry has time to get their act together. Those days are over. We are not taking all the lessons we have learned and then doing something about it."

Kaminsky talked about instead of keeping security a secret, users should release information.

"You are not competing on security," he said. "We should release code so it is out there. Don't be afraid of taking the knowledge exchange and make it more accessible to other people."

Sharing security information is something the OT industry can learn and work to advance.

Protecting the supply chain

At the Codenomicon event, there was a talk that had an OT angle to it entitled "Mitigating software supply chain risks—gaining trust of software in cyber assets."

Schneider Electric's director of cybersecurity and architecture Paul Forney talked about the supply chain and ensuring its security. One way of ensuring a secure supply chain, he said, was having an organization committed to a secure development lifecycle. 

Traditionally, IT and OT has not been a strong relationship. But it is getting better—and stronger. For a secure manufacturing enterprise in the Industrial Internet of Things (IIoT) environment, IT and OT will have to work together.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (, a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on Edited by Chris Vavra, production editor, CFE Media, Control

ONLINE extra

See additional stories from ISSSource about the IIoT linked below.

Control Engineering is hosting a webcast on October 20 on cybersecurity and the IIoT. Click here to register.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me