In the past, information technology (IT) and operational technology (OT) were seen as two distinct domains of a business. The former focused on all technologies that were necessary to manage the processing of information, whereas the latter supported the devices, sensors and software that were necessary for physical value creation and manufacturing processes.
While their foci have remained the same over the years, recent developments have begun to force the two areas closer together. One of the most significant forces behind this convergence has been the Internet of Things
(IoT), which has, among other things, contributed to the proliferation of devices that employ the Internet Protocol (IP) and a Windows-based operating system.
These changes have created some common ground between IT and OT, but there has been a lack of discussion with regards to how both sides can meet in the middle to address IoT and simultaneously preserve their unique responsibilities.
In an effort to better understand this challenge, Tripwire and Belden asked IT and OT personnel the following question:
How does IoT change the dynamics between IT and OT, and what practical tips can you provide to help individuals from both areas to work together more efficiently?
James Arlen is the Director of Risk and Advisory Services at Leviathan Security Group, where he is responsible for the development and delivery of Leviathan’s professional services.
"IoT's effect on IT and OT mirrors the leapfrog dynamic that has been evident between these two sides for decades. The real issue is the blurring of the lines between IT and OT. The former is implementing 'things that smell like OT,' while the latter is incorporating 'things that are traditional IT.'
When the line is blurred, where does the responsibility for resilience lie? To figure these and other issues out, I recommend both sides buy more coffee and lunches together. In all honesty, IT and OT need to begin communicating with one another in order to ensure that there is a clear line both for responsibility and for where knowledge can be exchanged between the two.
There’s no need for conflict. If necessary, we should sit people down from both sides and let Big Bird teach them about cooperation."
Chris Blask is the Executive Director of Webster University's Knowledge Sharing Directorate, where he oversees the operation of the ICS-ISAC
"The phenomenon referred to as 'IoT' is in large part about the physical merging of many traditional OT and IT components. Whereas a network managing an oil well could be conceived as separate from the front office of that oil company, a new office tower may well have a single network for 'computers,' as well as various building systems from light bulbs to air conditioning.
Don't get me wrong. IT and OT have two very different skill sets. However, these responsibilities can be organized to effectively complement one other. Industrial people tend to offer reliability, whereas security folks may focus more on innovation.
Both sides need to remember that is a two-way street; if they work together, they can support each other."
Doug Brock is a Manager at Kendall Electric with a background in factory automation and more than 17 years of experience recommending automation products to manufacturers.
"The choice of many manufacturers to begin connecting plant floor devices and sharing information often hinges on the initiative of a controls engineer who may or may not know how to either make information available or secure the network.
Those days are over, however; the risk is too high. In today's world, if you don’t know security, you risk bringing down or exposing your network. Some companies might overreact to this threat by not allowing their workers to access information, but this places these enterprises at a huge disadvantage vis-à-vis their competitors.
With this in mind, my best advice is that one does not wing it, for that strategy no longer works. Instead people need to be educated or seek out help in order to help bolster the availability of business-relevant information."
Robert M. Lee is the co-founder of Dragos Security
where he has a passion for control system traffic analysis, incident response, and threat intelligence research.
"IoT is not changing the dynamics between IT and OT. It sounds great, and it's the latest in good discussions and debates, but it misses the difference between IT and OT. The systems themselves have been converging for years in terms of technology.
As an example, Windows-based human machine interfaces are a norm in most organizations. The real difference between IT and OT lies is in what they do. OT specifically focuses on the control of systems and the physical processes, so IoT's inclusion as either Industrial IoT or IoT in the IT environment will not fundamentally change the difference between IT and OT.
"With this in mind, to help IT and OT work together, we must ensure that people are coming together to voice their concerns and identify what they consider critical assets and processes. Having OT personnel integrated into an IT security operations center or security team and having IT personnel learn more about the industrial control system will ensure a better overall approach towards security. This requires breaking down barriers and realizing that the problem is about people, not technology.
After all, the tools, technology, tactics, etc. available to defenders are robust even when resources are limited to execute them. It is the people and processes that are ultimately necessary to defend against advanced adversaries and complex problems."
Jeff is the senior director of product line management in Belden’s
industrial IT group. He is responsible for Belden’s vision and product initiatives related to the Industrial Internet of Things.
"IoT will deliver a wide range of benefits to industrial applications. As networking extends deeper into devices and systems, businesses will be able to collect finer grained and timelier information and use this information to optimize processes, minimize downtime, and reduce operating costs. Achieving this vision however requires closer cooperation between the OT and IT worlds than has historically been required. In particular, IT and OT must work together to enable:
- Secure remote access to remote plants and equipment. Putting the “I” in IoT requires internet connectivity that meets both the enterprise requirements of the IT world as well as rugged environment requirements of the OT world.
- Scalable storage. IoT promises to enable new insights and efficiencies through the analysis of data generated over time from single sites and aggregated over multiple sites. IT must work closely with OT to understand the volume of data to be generated as well as archiving and retentions needs.
- Processing power and apps. Once we have secure connections to remote devices and data and scalable storage, IT and OT will need to collaborate to make use of that data. While much of the expertise on the operations side will come from the OT world, IT has an important role to play in integrated operation data into the enterprise business processes."
David is Chief Research Officer at Tripwire
where he is responsible for working with customers, partners, and industry experts to imagine, innovate, and deliver on advancing the state of the art in protecting Tripwire’s customers from the most sophisticated attackers in the world.
"There has been rapid movement towards the adoption of standard Ethernet devices as part of the Industrial Internet of Things, moving away from proprietary fieldbus technologies. Although this move to standards has many benefits for interoperability and efficiency, it also brings with it the same set of security risks that we saw when IT networks made this migration.
IT Security could have ignored the OT network as it being disconnected, air-gapped, proprietary, and not subject to the same sort of threats and attacks in the past, but this mindset is no longer effective. Cooperation on a consistent security strategy across both IT and OT is essential for the future.
I've heard in the past that one of the main concerns from control engineers working in OT environments is that IT doesn't 'get it' when it comes to the availability requirements they have. Something as simple as rebooting a system to apply a patch update every month is generally accepted in IT as being a necessary best practice for security, but in some OT environments, this could be a very costly source of downtime.
For IT security pros that want to start to cooperate on security with OT, learning about how OT works is a great starting place. Whether that means buying a PLC training kit and learning what these devices actually look like in OT environments, or taking a Industrial Security Controls class, or just reading a book on the subject, it is beneficial for professionals to go in with an open mind and learn about that other side.
A few good places to start include the following:
- List of ICS Security books from Digital Bond
- 'Securing the Industrial Internet of Things' from ISSA Journal (PDF)
- ISACA: Industrial Control Systems: A Primer for the Rest of Us"
Patrick Miller is a trusted independent advisor dedicated to the protection and defense of critical infrastructures around the globe. He is currently a Managing Partner at Archer Energy Solutions.
"IT and OT are different, but this is really just a matter of time. In the legacy world, they will probably remain different for a while. However, looking forward, mainstream IT vendors are now beginning to play in the IoT space, such as by using common programming platforms, operating systems, user interfaces, hardware, etc. They are intentionally blurring the lines between IT and OT.
At some point in the not too distant future, we will only have technology. No more IT/OT distinction. Just 'T.' This brings us to a different problem insofar as the culture will still take 20 years to catch up. In the meantime, however, we can do three things to help facilitate this transition.
First, we need to drop the egos. Both sides are obviously very smart and very good at what they do, but there’s always room to grow and learn. This realization leads us to our second point: get a beer or a coffee. Both sides need to do something social that helps them realize that their IT/OT counterparts are human beings with the same strengths and weaknesses as anyone else. Lastly, we would all benefit from walking a mile in the other side's shoes. Whether it's a day, a week, or a month, job shadowing and embedded observation will do wonders for helping both sides to see each other’s perspective more clearly. This would go very far to help each side learn the other's 'language.'"
Gary Mintchell is an industry-leading writer on automation, control, software, manufacturing, marketing, and leadership.
"IoT simply means more 'things', aka devices, that are connected in such a way that facilitates the transmission and sharing of data. On the one hand, IT wants to receive data directly from production/manufacturing in order to make enterprise resource planning (ERP) more useful. On the other hand, OT usually implements IoT in production/manufacturing.
By acknowledging and adhering to these respective roles, teams from both sides can collaborate together without needing to worry about interfering in the affairs of the other side. That such collaboration is possible reveals the fact that getting IT and OT to work together is not a technology problem. It is a people problem.
As a result, organizations should consider implementing cross-functional training and teamwork, efforts which should be guided by a leader whose primary tasks need to include creating a collaborative environment and promoting metrics that emphasize teamwork."
Dale Peterson is an internationally renowned SCADA security technologist and is responsible for a large amount of the available technical SCADA security content.
"The fallacy that says OT is different than IT stems from ICS professionals comparing OT to desktop management. In actuality, OT is mission critical IT, and the areas where OT differs from highly secure and reliable mission critical IT systems are in its own unique deficiencies rather than in differences of requirements, such as insecure-by-design protocols, incorrectly deployed equipment, staff who are insufficiently trained for interacting with deployed technologies, inadequate test environments, and a 'run to fail' maintenance philosophy.
The looming insecurity of IoT is ultimately much more of a concern for end users than traditional ICS as long as one does not fall for the 'everything must talk to everything' myth."
John Walker | @SBLTD
CEO of HEXFORENSICS LTD, Academic Practitioner & Accredited Advisor to the Chartered Society of Forensic Sciences in the area of Digital/Cyber Forensics.
"The most important thing is to figure out what is owned and by whom, what is not, and where the border ends, not only at the corporate perimeter but also at the device level. Consider BYOD, BYOIOT, and the big bowl in which it is mixed. Consider those guest Wi-Fi hot spots on which those troves of useless yet must-have tools will now depend. And consider the nature of the world we now find ourselves in, where ultimate control is but an illusion and insecurity is our daily reality."