IT/OT convergence needs conflict resolution from both sides
Information technology (IT) and operations technology (OT) are both responsible for resolving potential cybersecurity risks. However, both groups have different approaches and mindsets on the topic that are incompatible when they are brought together, which can lead to conflict.
Pre-internet, the line between IT and OT was clear. The line has been blurred as technology has brought connectivity to nearly every device on the plant floor and in field locations. That enhanced connectivity is connecting IT and OT in new ways and, as a result, they are starting to converge.
Instead of conflicting with one another, which has been the standard mindset, they must start resolving their issues for their sake and the sake of the company as a whole.
IT and OT are resisting the convergence happening all around them, said Luigi De Bernardini, chief executive of Autoware, a manufacturing execution system (MES) and smart manufacturing automation firm in Italy. When working with clients on large manufacturing automation projects he found that "Many manufacturers still see strong resistance to bringing information and operational technologies together, with mistrust coming from both sides."
De Bernardini said that must change. "Continuing to operate separately not only slows the adoption of solutions based on technologies that fall outside of industrial control system (ICS) operations’ comfort zone, but also exposes companies to fault or security risks that could significantly impact production."
IT and OT are very different worlds with very different responsibilities. Fundamentally, IT secures data. An intentional or unintentional cyber threat could result in the loss of intellectual property, corporate financials, and employee or customer information, and the ripple effect can be costly, ranging from $200K to $4M per incident.
In contrast, OT uses ICS logic to execute control processes, which produces a physical impact. A cyber threat could have devastating physical consequences for critical infrastructure and services, employees, human life and safety, and the environment, as has been shown in numerous publicized incidents.
The different priorities of IT and OT are key to understanding why conflicts arise so easily between the two groups. IT’s top priority is to protect the data. OT’s priority is to protect the availability and integrity of the process, with security (confidentiality) coming last.
The security solutions each group might choose for the ICS operations environment may differ due to several variables, such as regulatory and compliance requirements, network architectures, performance/production requirements, employee and environmental safety considerations, risk tolerance, and management and security goals.
Each group has a bias and a specific perspective when considering ICS cyber risks and consequences.
IT’s top priority is protecting data such as intellectual property, corporate financials, and employee or customer private data. They figuratively look across the demilitarized zone (DMZ) thinking of the many changes that could bring a stronger security posture to OT environments. IT’s potential solutions include:
- Stronger network segmentation
- Access control lists to restrict and manage permissions and access to key resources
- Geographic or organizational groupings of data and assets
- Strong password hygiene
- Routine patching processes (automated and with much higher frequency)
- Security policies to apply everywhere.
OT’s top priorities revolve around availability. When considering suggestions from IT to secure ICS environments, OT will often invoke cybersecurity inertia to assure control processes and production yield are not placed at risk. Reasonable explanations for why ICS security cannot be implemented are:
- Fragile programmable logic controllers (PLCs) may not have enough memory or processing headroom to handle high traffic, such as a broadcast storm, or unexpected function codes, either of which can cause a reboot.
- Not all patches, even those released by ICS vendors, are required. It takes time to assess whether even the ICS-CERT advisories are appropriate for the devices in place.
- Anti-virus software or automatic patching is atypical; it requires considerable testing and scheduling, and may even require vendor participation to keep warranties intact.
- Flat network architectures are favored, with minimal or no subnets or secure zones to isolate unrelated systems and processes. In this way, OT can minimize performance latency that could disrupt time-sensitive processes, and all resources are easily available to operators should they need to quickly pivot to manage another set of systems and processes.
- Shared credentials are common on many types of systems, new and legacy. This allows users to gain access quickly, without the strong password hygiene and frequent password changes that are difficult to keep in sync across everyone.
- Remote access is ideal for staff to connect from home or even vendors to connect from the internet to conduct maintenance or diagnostics on equipment.
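The "unexpected function codes" concern above is one a joint task force can address without touching the PLC itself: a passive monitor on a SPAN port that parses Modbus/TCP frames and raises an alert when a critical asset receives a function code it is not expected to see. The Python below is an added example, not code from the article or from Autoware or Belden; the asset names and allowed-code sets are assumed values, and the sample frames are constructed.

```python
import struct

# Assumed per-asset policy drawn from the task force's critical-asset list:
# which Modbus function codes each PLC is expected to receive.
ALLOWED_FUNCTION_CODES = {
    "plc-line1": {3, 4},          # read holding / input registers only
    "plc-line2": {3, 4, 6, 16},   # also single / multiple register writes
}

def parse_modbus_tcp(frame: bytes):
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP frame.
    Returns a dict, or None if the frame is malformed."""
    if len(frame) < 8:
        return None
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:               # protocol identifier 0 means Modbus
        return None
    if length != len(frame) - 6:    # length counts unit id + PDU
        return None
    return {"transaction": trans_id, "unit": unit_id,
            "function": frame[7], "data": frame[8:]}

def check_frame(asset: str, frame: bytes):
    """Return (verdict, function_code) where verdict is
    'allow', 'alert' (unexpected code for this asset) or 'malformed'."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return "malformed", None
    fc = parsed["function"]
    if fc in ALLOWED_FUNCTION_CODES.get(asset, set()):
        return "allow", fc
    return "alert", fc

# Constructed sample traffic (destination asset, raw frame).
SAMPLE_TRAFFIC = [
    ("plc-line1", bytes.fromhex("000100000006" "01" "03" "00000002")),  # read 2 regs
    ("plc-line1", bytes.fromhex("000200000006" "01" "06" "00010005")),  # write reg
    ("plc-line2", bytes.fromhex("000300000006" "01" "06" "00010005")),  # write, allowed
    ("plc-line1", bytes.fromhex("000400000005" "01" "2b" "0e0100")),    # device id
    ("plc-line1", bytes.fromhex("0005")),                               # truncated
]

def audit(traffic):
    """Return a list of (asset, verdict, function_code) for each frame."""
    return [(asset, *check_frame(asset, frame)) for asset, frame in traffic]

if __name__ == "__main__":
    for asset, verdict, fc in audit(SAMPLE_TRAFFIC):
        print(f"{asset}: {verdict} (function code {fc})")
```

Because the monitor only observes a mirrored copy of the traffic, it adds no latency to the time-sensitive path OT is protecting, while giving IT the per-asset visibility it wants.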
Protecting information is important, but production losses translate into business losses. Cyber threats that can disrupt production, cause damage, affect visibility and control, or jeopardize safety also could affect business profitability. As OT sees it, changes made by IT are neither appropriate nor allowed. Further, OT is still skeptical of the real risk to their ICS operations and control processes, believing the risks and consequences to be hype and rarities.
Rather than endure a major security breach that affects confidentiality or operations, companies should consider these three actions to reduce conflict and mistrust with IT and OT convergence while increasing ICS security at the same time.
1. Get strategic alignment at the highest levels.
De Bernardini said most of his clients, "Still have two strongly separated departments for operations and IT. They have different people, goals, policies, and projects."
De Bernardini recommends starting by reorganizing the IT and OT departments so they are strategically aligned and unified. He suggests that at least the chief information officer (CIO)/chief information security officer (CISO) and the chief operations officer (COO) should have "Partly common and overlapping goals and targets, which would force them to work cooperatively."
The CIO/CISO must also accept complete responsibility for the cybersecurity of the ICS and for any safety incidents, reliability incidents, or equipment damage caused directly or indirectly by cyber incidents.
2. Coordinate a joint task force.
NIST SP 800-82r2 and De Bernardini recommend creating a joint task force, a cross-functional cybersecurity team that pools varied domain knowledge and experience to evaluate and mitigate risk to the ICS. NIST goes so far as to name the roles that should be part of this cybersecurity task force, which should include:
- A member of the IT staff
- A control engineer
- A control system operator
- A network and system security expert
- A member of the management staff
- A member of the physical security department.
The task force should also consult a site management/facility superintendent, a control system vendor and/or a system integrator, and the CIO/CISO.
3. Develop pilot projects and a governing structure.
One of the first things the joint cybersecurity task force can do is to identify pilot projects that both groups can work on together. The task force can compile a list of the most critical ICS assets that absolutely must be secured and begin to assess what needs to be done.
These pilot projects are designed to offer value with a low-risk benchmark to help the company train and progressively build a specific mix of shared IT/OT skills. This also will aid in determining how to jointly reduce conflict when deciding on steps toward improving ICS security.
De Bernardini said the joint cybersecurity team should have "Joint governance and responsibility to execute projects, harmonize duplicated or overlapping systems and processes, and promote the development of the interdisciplinary skills that are now missing in most companies."
Marathon, not a sprint
Mitigating the conflicts inherent in IT and OT convergence and improving ICS security doesn’t happen overnight.
Managers need to learn to share goals, jointly evaluate business risks and consequences, and train the broader group on shared skills, which will ultimately lead to appropriate ICS security products, processes, policies, and people.
The two collaborating and cooperating departments need to extend their skills to adapt IT security project models for use in operations, taking into account all the differences inherent in their security priorities and risk biases.
While there are many cultural and structural challenges that come from bringing IT and OT together, the long-term benefits far outweigh any difficulties that might arise in the beginning.
Katherine Brocklehurst is with Belden’s Industrial IT group. Her area of responsibility covers industrial networking equipment and cybersecurity products across four product lines and multiple market segments. She has 20 years of experience in network security, most recently with Tripwire. This article originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Hannah Cox, content specialist, CFE Media, firstname.lastname@example.org.
- Information technology (IT) and operations technology (OT) have different goals and agendas, but they need to work together in today’s modern environment.
- IT’s main priority is protecting data and company assets and OT’s main priority is making sure work processes are not hampered or slowed.
- Strategic alignment, a joint task force, and pilot projects are three ways to get the two sides to work together and resolve potential conflicts.
What other methods/strategies could be used to get the IT and OT to work together?