Industrial security was arguably much simpler before the web. Firewalls and demilitarized zones (DMZs) separating the corporate and plant networks either didn’t exist or weren’t necessary. After all, organizations were primarily concerned with physically protecting their systems behind gates, fences and other barriers.
For that reason, vendors designed control systems chiefly with automation and reliability in mind; all communications technologies were proprietary and lacked compatibility with Ethernet and TCP/IP.
But then the Internet came. And with it, the threat of connectivity-enabled attacks that don’t require physical access to plants or the systems contained therein.
In response to these new risks, organizations are now dedicating resources to protecting their industrial control systems (ICS) against intentional or accidental security threats. Defending these systems, which include supervisory control and data acquisition (SCADA) programs, works much like any other industrial safety program.
People and technology must work together to develop policies and processes that they can implement, build upon, enforce, modify and improve.
Even so, ICS security has plenty of challenges. Chief among them is determining who is responsible for protecting these systems.
Who gets blamed if an organization suffers a breach? Is it the information technology (IT) team, which has experience and budget for digital security but lacks insight into how an industrial setting works? Or is it operational technology (OT) personnel who supervise industrial control systems but who aren’t as tested in their ability to defend against digital threats?
To explore this question, Tripwire and its parent company Belden published Industrial Cyber Security for Dummies. Their resource takes a deeper dive into why many organizations’ ICS products and software aren’t receptive to IT security strategies. It also explores the blurring line separating IT from OT as a convergence of different priorities and strategies.
To demonstrate, IT adheres to the CIA Triad: it values confidentiality first, then integrity, and lastly availability. As such, IT personnel can easily disable a system to implement a patch or remove malware if it’s in the interest of preserving the confidentiality or integrity of a system. But that’s not so easy for OT.
Paramount to OT professionals is availability (and safety), for disabling certain systems could cause others to malfunction in a way that endangers the lives of ordinary people. In OT environments, uptime and the lack thereof have real-world consequences. As a result, OT takes an interest in integrity and confidentiality only after availability is ensured.
For more information about the differences between IT and OT with respect to ICS security, see Tripwire’s guide.