A few years ago, I was on business travel in the Middle East. One of our company’s local security executives asked if I’d be willing to take a rather unusual meeting. Always game for a challenge, I asked what made the meeting unusual. As it turned out, one of our customers in the Energy sector had two CISOs: one overseeing security on the IT (information technology) side, the other overseeing security for the OT (operational technology) part of the organization. The problem? They weren’t talking to each other, which made it very hard for the local security executive to have a successful conversation.
Although a complete lack of communication is an outlier, disagreements over technical oversight between IT and OT teams are not uncommon. This is due in part to the fact that the critical goals and legacy approaches of the two technical estates are different.
What is OT (Operational Technology)?
OT is sometimes referred to as the “uncarpeted” part of a company’s operation. OT environments usually house industrial control systems (ICSs) like programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems. These systems control a wide variety of functions, like:
- robotic automation units on manufacturing shop floors
- temperature controls on the nuclear core at a power plant
- valve management for a city’s wastewater control system.
What’s driving the need for cybersecurity in OT?
1. The emergence of IIoT
Increasingly, many of the above functions are being tied together using the industrial internet of things (IIoT) for monitoring and control. These kinds of systems were built and designed to run in protected environments. Safe and reliable function was an important requirement; connection to the Internet was not, at least initially. Legacy OT was almost universally deployed as a closed system that kept attackers out by isolation.
2. The need for “Availability”
Another critical driver for OT is the emphasis on the “A” in the CIA (confidentiality, integrity, availability) triad. In a closed system, confidentiality and integrity are easier to maintain, leaving availability as the top priority. If your company depends on the assembly line or drilling rig staying operational, availability moves to the top of the priority list. This brings with it some trade-offs that may seem odd to those born and raised on the IT side of the house.
For example, in classic IT, patch management is a constant process. We set most end user devices to automatically update operating systems and applications as soon as the manufacturer issues a patch. For servers and other production systems, there’s usually an SLA (service level agreement) in place for testing and deploying patches within roughly 30 days; where that isn’t possible for every patch, it almost certainly applies to high and critical severity patches. However, if you’ve ever managed a patch program, you know that not all patch cycles go smoothly, especially when it comes to production servers running critical workflows.
In OT, historically closed off and prioritizing availability, patching is almost never automatic. Instead, patches are tested and re-tested to ensure that, when they are applied, there will be absolutely no disruption in service. Sometimes patches are not applied at all if they are deemed disruptive to operations. Moreover, some ICS manufacturers warn that applying patches or upgrading the OS will void the warranty for the device. For devices in highly regulated industries, like healthcare, upgrading or patching an outdated OS can mean the device is no longer certified as an approved healthcare device.
IT vs OT: the source of conflict
Even from just the few examples listed above, you’re probably already getting a better understanding of why IT and OT leaders may view governance over their domains differently. IT, the “front office” network, took hold in business around the same time as the growth in use of the Internet, which means that, in IT, we’ve spent decades architecting and designing for a hyper-connected world. This mindset sits directly at odds with traditional OT’s universally closed system.
How IT/OT convergence can benefit both
The OT networks of today are no longer islands protected from the outside by isolation. Even very sensitive OT systems are now open to remote administration and access. There’s even a search engine, Shodan, that indexes Internet-connected devices, many of them ICS and IIoT. IT teams can provide a wealth of support and tooling for OT managers to help them protect connected control systems.
Patching is another area where we can help each other. Although modern IT tries to patch as quickly as possible, we’ve all had a legacy system somewhere that couldn’t be patched or updated. Classic IT controls like segmentation, strict access control, and increased monitoring wrap legacy systems with protection when they can’t be patched. Similar approaches can be deployed in OT to reduce the attack surface of unpatched applications and EOL (end of life) operating systems.
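As an added example (not code from this post or from any vendor), here is a small Python check that applies the constraints described above to an asset inventory: an asset is patched where nothing blocks it (EOL OS, a warranty that patching voids, a certification that patching breaks), and otherwise must be wrapped by all three of the compensating controls named above. The asset fields and the inventory are constructed sample data.

```python
# Added example: compensating-control gap check for mixed IT/OT inventories.
# Asset fields and the sample inventory below are constructed, not from the post.
from dataclasses import dataclass, field

# The classic IT "wraps" the post names for systems that cannot be patched.
REQUIRED_WRAPS = {"segmentation", "access_control", "monitoring"}

@dataclass
class Asset:
    name: str
    domain: str                            # "IT" or "OT"
    eol_os: bool = False                   # vendor no longer ships patches
    patch_voids_warranty: bool = False     # ICS vendor warranty constraint
    patch_breaks_certification: bool = False  # e.g. regulated medical device
    controls: set = field(default_factory=set)  # wraps already deployed

def can_patch(a: Asset) -> bool:
    """Patching is viable only when none of the post's constraints blocks it."""
    return not (a.eol_os or a.patch_voids_warranty or a.patch_breaks_certification)

def assess(a: Asset) -> dict:
    """Plan for one asset: 'patch', 'wrap' (all compensating controls present),
    or 'gap' (cannot patch and at least one wrap is missing)."""
    if can_patch(a):
        return {"asset": a.name, "plan": "patch", "missing": []}
    missing = sorted(REQUIRED_WRAPS - a.controls)
    return {"asset": a.name, "plan": "gap" if missing else "wrap", "missing": missing}

def gaps(inventory) -> list:
    """Names of assets that are neither patchable nor fully wrapped."""
    return [r["asset"] for r in map(assess, inventory) if r["plan"] == "gap"]

# Constructed sample inventory covering the cases discussed in the post.
INVENTORY = [
    Asset("hr-web-01", "IT", controls={"monitoring"}),
    Asset("plc-line3", "OT", patch_voids_warranty=True,
          controls={"segmentation", "access_control", "monitoring"}),
    Asset("infusion-pump-7", "OT", patch_breaks_certification=True,
          controls={"segmentation"}),
    Asset("historian-srv", "OT", eol_os=True),
]

if __name__ == "__main__":
    for result in map(assess, INVENTORY):
        print(result)
```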
The impact of IT/OT convergence: a better together approach
Although IT and OT evolved in different ways, the convergence of the two can benefit both sides. OT teams excel at maintaining availability and understanding how to apply rigorous safety checks and balances in systems where failure can lead to existential impacts. In IT, we’ve spent years defending connected systems from attackers and can help our OT counterparts integrate modern IT security approaches without sacrificing availability or reliability of critical systems.
Which takes me back to that meeting with the IT and OT CISOs. They agreed to the meeting, and when I walked into the room, it was clear from their body language that they weren’t looking forward to speaking with each other. I started with a simple question for both of them: “As CISO, what’s the biggest, most high-level risk to your company?” They both answered with a version of “a breach or incident that puts the company out of business or greatly impacts earnings.” Common ground. What that incident looks like and how it might manifest in OT vs IT is different, but all CISOs want the same thing: to keep our companies and our customers safe. And in the world of converged IT/OT, the best way to do that is together.
Diana Kelley, CSO2 (Chief Strategy Officer/Chief Security Officer) and co-founder of Cybrize, Executive Mentor, Research Analyst, Security Keynote Speaker
Diana Kelley is the CSO2 (Chief Strategy Officer/Chief Security Officer) and co-founder of Cybrize. She also serves on the boards of Cyber Future Foundation, WiCyS, and The Executive Women’s Forum (EWF). Diana was Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), a Manager at KPMG, CTO and co-founder of SecurityCurve, and Chief vCISO at SaltCybersecurity.
Her extensive volunteer work has included serving on the ACM Ethics & Plagiarism Committee, Cybersecurity Committee Advisor at CompTIA, CTO and Board Member at Sightline Security, Advisory Board Chair at WOPLLI Technologies, Advisory Council member Bartlett College of Science and Mathematics, Bridgewater State University, and RSAC US Program Committee.
She is a sought-after keynote speaker, the host of BrightTALK’s The (Security) Balancing Act, co-author of the books Practical Cybersecurity Architecture and Cryptographic Libraries for Developers, has been a lecturer at Boston College's Masters program in cybersecurity, the EWF 2020 Executive of the Year and EWF Conference Chair 2021 and 2022, an SCMedia Power Player, and one of Cybersecurity Ventures 100 Fascinating Females Fighting Cybercrime.