The dark side of the IT/OT integration equation
Are operations cyber-vulnerable due to lack of resources, lack of understanding or both?
IT/OT integration insights
- The risk of cyber threats to industrial networks is increasing faster than the ability of organizations to train adequate cybersecurity talent, especially in operations technology (OT).
- IT and OT have distinct and often conflicting security priorities, leading to vulnerabilities in industrial control systems (ICS) due to differences in focus and understanding.
- Addressing the cybersecurity challenge in OT requires a multi-pronged approach, including workforce education, adoption of cybersecurity frameworks, implementation of IT best practices and collaboration with industry experts.
The risk of adverse cyber events impacting industrial networks is rising faster than organizations can train talent to address the challenge. How does a company acquire qualified operations technology (OT) cybersecurity protection? The answer isn’t as straightforward as one might wish.
Let’s start with the basics. OT cybersecurity and industrial control systems (ICS) themselves may at first seem unfamiliar. Once the concept of OT cybersecurity is established, and before tackling talent or resource determination, agreement is needed around its ownership.
IT traditionally handled enterprise network security. A closed-loop network of industrial equipment, including programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems, wasn’t an IT consideration. OT teams focused on ensuring that production was up and running efficiently, continuously and at full capacity.
Remote monitoring and support of plant-floor operations altered the level of risk to industrial environments. Original equipment manufacturers (OEMs) and system integrators (SIs) rely on the internet for access to OT environments, exposing critical machine controls to threats first faced by IT.
Awareness, acknowledgment of risk, and subsequent action haven’t kept pace with the sophisticated hacking evidenced across enterprise and OT environments using Windows, Linux/Unix and other legacy technology. IT’s blind spot regarding OT environments leaves ICS assets exposed through unpatched or end-of-life technologies, such as Windows XP, that OT assets still use. The rapid shift to remote access and IIoT technologies has exacerbated the air-gap ‘myth’ between IT and OT. On average, 94% of IT security incidents affect OT environments, according to data published by TXOne Networks.
IT and OT security priorities are out of whack, partly because each has polarized objectives. OT assumes isolated, air-gapped ICS assets are in place, when in most cases they are not.
IT protects what it is comfortable with and what it knows: networks, infrastructure, enterprise business applications and databases. IT teams oversee security of enterprise environments with cybersecurity software, as well as firewalls, EDR and anti-virus technologies.
Expecting IT to understand OT cybersecurity needs can be likened to expecting a round peg to fit in a square hole.
To bolster the OT environment, organizations must educate themselves and identify gaps in understanding, expertise, ownership and accountability.
To improve security of manufacturing and infrastructure, companies should adopt a multi-pronged approach, including:
- A workforce with the skill sets to leverage the tools for OT/ICS cybersecurity
- A cybersecurity framework, e.g., NIST, IEC 62443, or other guidelines or regulations
- IT cybersecurity best practices, including policies, procedures, audits and security segmentation
- Traditional technologies such as firewalls/IPS, EDR, SIEM and SDN
- Industry partners and experts
The challenge in buttressing the cybersecurity posture of an organization is found in the ecosystem itself. Clearly, the automation vendors, such as Siemens, Rockwell, Honeywell, ABB, Emerson and GE, have achieved maturity regarding OT cybersecurity. Systems integrators bring automation’s benefits to bear, acting as a bridge between suppliers and users of automated control systems. A clear roadmap exists to get where you need to be with cybersecurity. The good news is that experienced and talented resources exist.
The question remains: is the source of the problem a talent shortage or a lack of OT cybersecurity knowledge and expert resources? We think both contribute to the challenge organizations face. The important thing is to take action, because it’s not “if” you’ll experience a cyber event but “when.”