Securing critical infrastructure is becoming a priority for the public and private sectors. Cyber professionals everywhere are rejoicing about the increasing investments in protecting the networks and systems that keep us safe at night. The Oval Office has even signaled its intentions to make security a priority. We welcome the new administration’s desire for a “cyber miracle.” Security programs require top-down leadership. Politics aside, this is a great example to set. I hope board rooms will demonstrate the same commitment and require executives that report to them to prioritize security, as well. Although this increased focus on cyber security will provide opportunities to make a positive impact, security professionals should take a measured approach to implementing new protections. This is not enterprise IT, and while some of the technologies are the same, the technological approaches and drivers on the OT side of the house are completely different. Here are four tips for a successful OT & IT security marriage:
1. Include OT in Project Planning Phases
How many times have you expressed disbelief at business units installing insecure apps or systems without your team’s input? Since you know how frustrating that can be, you should approach OT security with that same level of empathy. Involve key people in OT from the very beginning, including project scoping. How can you accurately scope the requirements without their expertise?
2. Form Allies & Establish Trust
Be transparent about your objectives because you will need allies to make your initiatives successful. The OT team has intimate knowledge of their processes and systems. They know the “who, what, when, where, why, and how” of their environment – you don’t. Establish relationships and rapport with the people who can provide the needed information to understand all the puzzle pieces.
3. Understand Interdependencies (What will break if I do X?)
In the OT space, they are far more concerned with reliability, availability, integrity and safety than security. Since there is a clear line of sight into the revenue they generate, you need their expertise to understand legacy systems, applications, chron jobs, or other processes that could be negatively impacted. I cannot stress enough the importance of engaging OT about any activity that can be disruptive to the site. Do you want to have to explain to your boss why water or electricity services have been disrupted for thousands of customers because you did not ask OT engineers what application used that port before blocking it?
4. Prepare a “What can get me fired” Inventory
You don’t know what you don’t know, right? There are templates available for conducting risk analysis, project planning and security architecture reviews. I’d like to propose a customized “what can get me fired” security project template. Some questions may include:
- Will this make my boss look bad if it goes south?
- Will my new tool or process impact availability?
- Did I consult with key players in OT?
- What type of services would need to be in the DMZ to support traffic between OT & IT?
- What vendor or other third-party services will be impacted?
- Have you reviewed/adopted a reference architecture and/or core template for each site where you intend to deliver a new solution?
Robert M. Lee, co-founder of Dragos Security, advises customers to have cross-functional approaches to security, too. When asked about ways IT and OT can work together, he stated as follows:
“... we must ensure that people are coming together to voice their concerns and identify what they consider critical assets and processes. Having OT personnel integrated into an IT security operations center or security team and having IT personnel learn more about the industrial control system will ensure a better overall approach towards security. This requires breaking down barriers and realizing that the problem is about people, not technology.”
The moral of the story: communication is key to forming allies in OT, gaining access to their expertise, and keeping your job. In fact, great communication is needed to advance your career, as well. While there are exciting (and scary) times ahead with increased security budgets, slow down and include OT in your initiatives from the outset. Reducing the attack surface for both the enterprise and the OT side is mutually beneficial and a worthwhile goal for everyone involved. Therefore, you should remember to use teamwork to make this new marriage work.