In a recent blog post for the State of Security, we asked security experts what they thought would make the biggest impact on the security of industrial control systems (ICS) in the next 5-10 years. They gave numerous answers, but perhaps the most frequent response was the ongoing IT-OT convergence in industrial organizations. Our experts felt that the merging of these two environments will force teams to defend against new threats that some of the assets they’re responsible for have never encountered. It’s therefore in each industrial organization’s best interest to make sure IT and OT teams learn to work together and use their respective knowledge to better defend the organization against digital threats. That raises the question: just how are IT and OT teams supposed to come together effectively? To help industrial organizations, we went back to our experts and asked them exactly that. Here’s what they had to say.
Gary DiFazio | Strategic Marketing Director, Tripwire
The one word for this is: collaborate. At the end of the day, we all want to do the right thing for our organizations. Do what is best through collaboration. Understand the unique needs and direction of the shop floor so that cybersecurity solutions can be implemented to support availability, safety, productivity and quality of the operation. Remember that cybersecurity is a journey that never ends. Automation systems continue to evolve, and the threat landscape is always changing. Slow and steady will win the race. We must all be on this journey through collaboration and teamwork.
Lane Thames | Senior Security Researcher, Tripwire
As we know, IT and OT groups have worked largely in isolation for as long as these technologies have existed. Recently, the trend has changed, and many of these environments have started to integrate with each other. The reasons for integrated IT-OT environments essentially boil down to the need for optimization. Computing and storage on the IT side using data collected on the OT side can lead to huge gains for an organization in terms of outcomes such as reducing operational costs, increasing manufacturing output, reducing downtime and many more. However, as with most engineering problems, there are various trade-offs that must be addressed. In this case, one of the most important trade-offs to consider is the security impact faced by these once partially-isolated OT systems. These systems now face cyber threats that they were never designed to deal with. As a result, we must engineer new systems and/or methodologies to address this problem, which is growing rapidly as more and more OT environments become connected to IT networks. IT folks and OT folks are often very different people in terms of their background knowledge and working experience. For example, IT folks understand software and hardware in an environment where real-time operations rarely matter. However, OT folks work with a much different set of hardware and software. OT software and hardware are often very sensitive to real-time constraints and often deal with the physics of the real world. In IT, if a system is breached, it very rarely causes personal injury, but this is not the case for OT, where a faulty machine could cause damage to a surrounding environment and could cause harm or death to people. How do we solve this problem? Indeed, it will be a challenge, and we in academia and industry are researching and developing various solutions. As I was thinking about this topic, I started thinking about a “similar” situation we have been dealing with in the IT world.
In particular, due to some converging ideas and methodologies within the IT world, we have developed new techniques that have enabled a deeper collaboration between software developers and IT experts. Specifically, we have created the idea of DevOps, a methodology that uses tools and techniques to more closely integrate software developers with operations experts. Moreover, in a need to create more secure systems, we have added to the DevOps movement and have created the notion of DevSecOps teams where we have highly integrated groups of people from development, security and operations/IT working together in a highly collaborative environment. I don’t know what we should call it, maybe ITOTSecOps or something, but we will need to develop a methodology for IT and OT systems. We will never be able to assume that IT or OT will be able to ensure secure integrated IT-OT systems. In fact, the Sec in ITOTSecOps will be a hybrid of experts, some of whom specialize in IT security and some of whom specialize in OT security.
Sandy Carielli | Cyber Security Evangelist and Product Manager, Entrust
IT and OT stakeholders will benefit from adopting security and architectural frameworks that were designed with IoT in mind and that incorporate both IT and OT concepts. While many IT security frameworks are popular and longstanding, they don’t account for critical OT issues such as safety and reliability. If you try to shoehorn an IT framework into an IoT project, you lose the obvious touchpoints for OT stakeholders and risk missing critical requirements. The Industrial Internet Consortium has produced several technical references. Consider starting with the Industrial Internet Reference Architecture, Industrial Internet Security Framework and IoT Security Maturity Model. NIST has also published IoT specific guidance that can help IT and OT stakeholders get on the same page.
Scott Kornblue | Field Application Engineer, Belden
I can’t stress enough that IT and OT network engineers both need to understand that their respective needs, requirements and philosophies for network security differ from each other quite drastically. IT has to adapt policies that were originally developed for corporate/enterprise usage on the OT control/industrial network. At the same time, OT engineers have to understand that the evolution of simple flat network architecture into secure segmented designs is something that is a must on the controls network. As more and more engineers with an IT background take ownership of OT-centric networks, we always want to make it known that perimeter security is simply not enough in the industrial world. A strategy revolving around defense in depth, layered security models and physical protection right down to the endpoint asset level is what should be promoted. In addition, these strategies have to provide security without obstructing the OT network processes, and the procedures in most cases have to be something that OT network staff can operate independently of IT. This also requires collaboration between IT and OT on differing hardware requirements. IT must understand that OT environments call for ruggedized hardware that typically speaks industrial protocols that are uncommon on the IT side. Understanding these critical areas of difference between both sides and having regular communication before security policies are rolled out can help make the IT/OT convergence much easier to manage.
Susan Peterson | Digital Leader of Energy Industries, ABB
Over the past 10 years, I’ve been privileged to help bridge the gap between operations and IT teams. For operations teams, focusing on finding ways to automate routine security maintenance tasks and showing how security monitoring technologies can help solve operations related challenges are great ways to build a bridge. For IT teams, helping them understand the importance of engaging OT suppliers and the maintenance cycles of OT assets is key.
Paco Garcia | Director of Cyber Security and Networking Digital Plant Line of Business, Schneider Electric
In the last 10 years, we have been sharing, pushing and promoting the idea of an IT-OT convergence. This merging should encompass collaboration over common skills and shared processes. But based on my experience, this convergence has not happened as expected, and if it has, it is progressing very slowly. Things could be dragging on for multiple reasons, but probably the most important factor is the lack of internal programs in end-customer sites that have thus far pushed for this convergence. The situation is changing, however. Now, this convergence is mandatory for those people/companies who want to adapt to new technologies and paradigm changes that come with Industry 4.0 and IIoT. Recognizing this development, it’s important to keep in mind some tips that could help lead to this adaptation/convergence. These are as follows:
- As the owner of budget resources for deploying cybersecurity programs, IT must establish a clear framework and enlist OT personnel to help secure the plant.
- The scope of IT and OT involvement must be defined explicitly at the outset of every project. Both roles should be complementary and should not involve competition between them. In that sense, defining the owner for each task helps to avoid conflicts.
- From a top-down approach, each company must promote and enforce the creation of workgroups made up of IT and OT people with the objective of promoting the company’s digitalization and strengthening the organization’s internal cybersecurity culture.
Greg Hale | Editor/Founder, ISSSource
A very short but simple answer to the question of how IT and OT can work together more efficiently boils down to two things: communication and the ability to listen. Both seem fairly basic and not highly technical, but I am seeing they are the two most difficult things any enterprise has to conquer. Think about it for a moment. For IT and OT to execute on the vision of a secure manufacturing enterprise, they both have to check all egos and preconceived notions at the door. This is easier said than done. OT truly has to understand and educate IT on what manufacturing is all about and that availability is job one. A process cannot go down because time is money. And, IT must educate and convey the message they have been doing security for a very long time, and they are very good at protecting the enterprise. They just need to get a grasp on what OT is all about. It may be a cliché, but talk is cheap; actually listening and executing as a team in a positive manner is the ultimate goal to a successful manufacturing enterprise.
Larry Vandenaweele | Industrial Security Professional
Reducing cybersecurity risks and getting better visibility across the IT and OT network environments require involvement and participation of IT, OT, Security and management stakeholder groups. Learning from each other by means of practical awareness workshops is a first step in educating each other. The folks on the IT-side of your organisation should educate others about their business operation tasks and illustrate the risks and challenges they face and how they link to the OT environment. For example, installation of patches is a recurring activity in IT environments while in contrast OT environments are seldom patched due to operational challenges, maintenance windows, etc. Using the same example, the folks on the OT-side of the organisation deal with challenges that can be directly related to operational and regulatory requirements, making a simple task such as patching not as simple. For example, some manufacturing organisations require revalidation of the entire process to ensure the same product is being produced, according to the same specifications. Security and management staff should be included throughout the overall conversation as they form drivers for remediation roadmap development, project approval and business support. Some organisations establish a core security team that has a focus on OT security. These team members should come from various disciplines such as automation engineers, security engineers, system engineers and others.