Industrial and, in particular, discrete manufacturing, is lagging behind other industries when it comes to converging its OT and IT technology, according to Industry Week. For example, financial institutions and healthcare facilities have converged their operational technology, like HVAC systems and building automation gear, onto the same IP network they use for communications. Manufacturers, on the other hand, have waited to jump into convergence, fearing it could lead to costly downtime or open up unwanted vulnerabilities.
But not all is lost. In fact, this slow convergence can actually work to industries’ advantage. By examining key learnings and adopting best practices to fit their unique methodology, the industry can catch up and begin to enjoy the production, economic and security benefits now enjoyed in the financial, consumer and healthcare markets.
To be fair, industrial has faced far more difficult issues than other industries in realizing this convergence. Manufacturing has a complex shop floor with thousands of moving parts. A simple chink in the production line can cost millions of dollars, cause bodily harm to workers or even put customers at risk. As a result, OT organizations have created a risk-averse environment.
The functional division between OT and IT organizations has long sheltered the shop floor from cybersecurity risk. However, with the rise of lloT and other Ethernet-enabled devices, operation managers are now facing new challenges and responsibilities at a time when demand is high, their resources are stretched and unrelenting security threats are aplenty.
Regardless of how painful a convergence may be, turning back the clock is no longer a viable option. The benefits to lloT are numerous and undeniable, and bridging the worlds of OT and IT could provide manufacturers with the competitive advantage needed to gain both marketspace and market share.
This can be seen in a recent Deloitte report, a publication which stated the following:
“Deere & Company (built) smart, connected product with features such as satellite guidance and live data monitoring. The data is collected through sensors and pulled into a cloud of analysis, thereby helping customers make informed decisions. Through a web platform, the company is also able to remotely diagnose machines in the field and help its customers make informed decisions via predictive maintenance. Through the web platform, the company is also able to remotely diagnose machines in the field and help its customers with predictive maintenance, thereby reducing downtime. Through digital innovation at the core, Deere & Company has been able to provide sustained value to its customers.”
There is no simple solution, yet future-focused manufacturers can take a page from the playbooks of businesses like Deere and Company, which have been successful in converging their OT and IT teams to sidestep some of the earlier pitfalls and build a more secure and profitable environment.
1. Bride Building
Convergence of OT and IT is a familiar mantra among savvy manufacturers, but convergence has many different faces and technical implications. Getting these groups onboard with an integrated security strategy will require an understanding of each organization and their unique functionalities.
A successful convergence requires a bridge builder, a CISO who can bring two organizations together. This will not happen overnight. OT and IT do not only operate very differently, but they also resist change and have traditionally mistrusted each other.
A good place to start is by conducting weekly OT-IT weekly conversancy meetings – before the convergence process begins. This lays the foundation for each organization to work together to solve problems, with each side bringing unique experiences to the table.
2. Meeting of the Minds
As you will see from the chart below, each organization will need to understand each other’s functional methodology. For example, it may be perfectly acceptable to take an email server offline for 10 hours, as it may only impact mail, but having the plant down for one hour could cost the company productivity.
The difference in OT and IT
Studies conducted by LNS consistently show that a lack of stakeholder alignment is quite often a roadblock to project success. On the flip side, “engaging stakeholders doesn’t just eliminate silos; it elevates the effort to a strategic level and promotes cross-functional ownership.”
Many successful OT and IT organizations have developed “exchange” programs through inter-departmental sabbatical coverage, job share and cross-functional vacation coverage to stay connected, build trust and forge stronger partnerships.
3. Defined Responsibilities
Just by its very nature, convergence opens the door for security assumptions. Departments may simply assume the other is managing a specific security functionality. But “security through obscurity” is no longer an acceptable practice, especially with “now-connected” commercial generic infrastructures which require OT managers to take on a security role.
Creating a collective task force with joint governance and responsibilities will help develop cohesiveness and support business objectives, especially when implementing an integrated security strategy.
4. Build Trust
Although trust between the two organizations will not develop overnight, it can be accelerated.
Start with a small pilot project that can offer tangible value and low-risk benchmarks. Make sure to document key learnings. Not only will this help build trust; it will also create an opportunity to develop cross-functional skills among team members.
There are no successes without agility, so it’s important to remove silos that can delay security implementations across the entire network. Security is both a risk and an opportunity as it can help mitigate threats. And according to Gartner, the rewards for OT and IT convergence are numerous.
Most companies who successfully implement an OT-IT convergence initiative, supported by a resilient security strategy, are rewarded by a strong ROSI through optimized business processes, enhanced information for better decisions, reduced costs, lower risks and shortened project timelines, all of which support an agile organization.
If your organization completed an OT-IT convergence project, we would like to hear about any key ideas you may have collected. What went well? Were there any pitfalls that others may wish to avoid? Please let us know in the comments.
Also, Tripwire is hosting an industrial cybersecurity webcast titled, “What’s Hiding On Your ICS Network?“. Join Tripwire industrial cybersecurity experts Zane Blomgren and Robert Landavazo on February 26th for a virtual tour of the first cohesive solution providing visibility, monitoring, and threat mitigation across the complete OT landscape.
By attending this webcast you’ll learn how to:
- Accurately map your ICS network
- Find and fix vulnerabilities without interrupting operations
- Anticipate attack vectors with proactive threat modeling
We look forward to seeing you there! Register today!