The events of 2020 accelerated many organizations’ efforts to converge their information technology (IT) and operational technology (OT) environments. Now that they’re immersed in this journey, some organizations are finding that it’s not quite as smooth as they were expecting. They’re learning that they need to overcome several challenges if they hope to leverage the IT-OT convergence as part of their ongoing digital transformations.
That raises some important questions. What challenges are organizations meeting along the way? Are there some that tend to pop up across different organizations?
To find out, the State of Security worked with Belden and decided to ask a group of security experts about some of the key obstacles facing IT and OT. Their responses are provided below.
Alex Bagwell | Vice President of Industrial Sales at Tripwire
The biggest challenges that we are seeing with IT-OT convergence is how to consolidate overlapping solutions across multiple business units within seemingly separate IT and OT networks. CISOs have historically focused on their IT networks, investing heavily into security solutions that give them full visibility of what is going on inside their domain. Now that operational technology is being inherited by the CISO or being forced to the forefront by the Board and United States Government, that CISO is looking for ways to reduce the number of tools but also to maintain the same IT familiarity with their OT environments.
Additionally, there is a very careful dance that must be done to get buy-in from the OT teams to allow for IT integrations or solution deployment. Plant shutdowns are a real concern for OT manufacturing owners, as they can quickly become costly or impact their overall production metrics. This is typically driven around the notion that if a solution is put in place, it could cause a machine to fail, potentially impacting the key metrics of industrial facilities of safety, quality, delivery, cost, and/or inventory.
Susan Peterson | Serves on the advisory boards of Bayshore Networks, Cognite, Innosphere Ventures and One Warm Coat.
In the energy industry and in energy-intensive industries, the post-COVID world will catalyze substantive change in how we operate in the future. One of the biggest challenges that OT and IT security professionals face in these industries is how to support this operational evolution with security being addressed at its foundation. In the OT space, cybersecurity was often treated like a final step or “afterthought.” In this phase, security teams need a seat at the table not only around topics related to new technology itself but also to be engaged on the people and process aspects involved in this evolution.
As an example, the remote operations paradigm has hit mainstream in the energy industry. With factors like an aging workforce and limited access to sites, companies like Saudi Aramco and Baker Hughes have embraced remote operations around entire fleets. Among the bigger challenges for security professionals is ensuring that these new operating modalities are secure by design. That includes including people and process. As security professionals, we are critical stakeholders in the mission to enable different operating models. Given this evolution towards new ways of working, there is a lot of investment in new enabling technology.
A second challenge/opportunity to security teams is to leverage enterprise investments, enabling real time OT data to be contextualized and consumed at the enterprise level by new stakeholders. There is a lot of talk about “digital twins” in the OT space; in practice, these models will enable disparate stakeholders like Security Operations Center teams (and other functional teams that rely on operations data like ESG and HSE teams) to have unparalleled real-time access not only to plant level data flows but also to the actual context of the production and underlying asset health. It will greatly benefit security teams to engage proactively on OT data topics related to asset taxonomy, data governance, and data integration as digital twins grow more commonplace. This engagement will provide greater visibility into environments, enable greater returns on security budgets, and significantly minimize unsecured, ad hoc connections into OT environments.
These are challenging times of accelerated change in energy and energy-intensive industries, but I believe as security professionals, we have a great opportunity to contribute and deliver significant gains for security throughout the operational lifecycle.
Scott Kornblue | Lead Solution Designer at Belden
One area I see as a long-term challenge in the IT-OT convergence is the growing need for secure remote access into sensitive/critical networks. Specifically, as the typical work environment is shifting to more remote/work from home processes, the need to allow trusted engineers and operators to reach networks remotely will grow. Secure remote access strategies will have to traverse both IT and OT networks. IT network administrators will need to work closely with OT/SCADA network operators to properly design these remote access policies and procedures. Over the next five years, this challenge will most certainly evolve as secure remote access moves from a position of convenience to one of necessity.
Biggest challenges to OT and IT professionals now and in the next five years will be ransomware, supply chain, and digital transformation.
Ransomware will shift attention to incident response and recovery first, then eventually it will find its way into better network designs such as intelligence slanting and shear-away networks. If you can island off the critical OT and let the other stuff burn then rebuild/recover, we get closer to resilience.
Supply chain is stealing much of the oxygen in the room despite the lower probability of it happening. Nonetheless, SBOM/HBOM and the like will take off to assist. Mix in some politics and security theater with the depth and breadth of truly managing supply chain risk, and the scope of the mess becomes apparent.
Digital transformation will drive more digital devices with more connectivity coming from the OT side. This data will be used for efficiency of the process and more importantly as a new revenue stream. Once the revenue potential is realized (that you can make as much or more off of the data products from your operations as you do from the actual operations), this will shift the network architecture models and risk profiles to protection of both the OT assets as well as the OT data wherever it goes outside of the OT networks.
German Fernandez | Sales Director of South & East Europe at Belden
The first thing we need to notice is that the wide adoption of IP-based protocols in OT networks—and, therefore, the convergence with IT—has created a serious problem of network ownership and functional accountability. In the past, for instance, network requirements for services latency or even cybersecurity were well marked off. Nowadays, the boundaries of both networks have completely disappeared, and we need to take into consideration that what you do in one network has implications on the other side. So, different departments will have to work together to allow the network to meet the challenges of digitalization, to allow the company to compete in a real digital world. So, I think the biggest challenge is to set clear ownership and define responsibilities based on a mixed team that’s functionally orientated across IT and OT networks. It is becoming less relevant where the devices are physically located compared to the function they perform or the treatment we are giving to the data we are acquiring.
Also, we need to remark that Belden has vast experience helping companies to secure and integrate OT networks into the corporate systems. Through our newly created enhanced solutions delivery practice, we can help companies to justify the investments needed through quantifying the outcomes of their digital transformation. We can also support OT/IT departments in the implementation phase of the project. Our legacy experience, not to mention networks, allow us to define tailor-made, application-focused solutions to cover the requirements for mission-critical application networks. For any company in the digitalization journey, it is worth talking to our experts. They will gain insights and best practices. They will get support on future-proof solutions. And they gain experienced professionals as companions in their journey.
Dean Ferrando | Systems Engineering Manager (EMEA) at Tripwire
Rather than trying to compare which security methodology is better and how we need to bring one up to the other, why not combine the best of both worlds into one global security policy that could work for both the IT and OT estates? Physical security is as important as cybersecurity, and cybersecurity is as important as physical security. The two should not been seen as mutually exclusive but rather as complementary to one another. One of the only challenges we are seeing in the marketplace today to make this dream a reality is for both environments to find a common language that is understood by all.
Newton Fernandez | Technical Director (LATAM) at Baumier Automation
One thing is certain: with the increasing use of IIoT in the companies, the amount of data available will reach values never seen before. In this way, both IT and OT professionals will increasingly deal with threats from attacks on their data (both internal and external). The integration between IT and OT will be crucial for the success of the company. I mean, the knowledge of the characteristics and needs of each area must be well known by the other area.
I believe that one of the main challenges for IT professionals is to understand how different the characteristics of OT (availability, safety...) are from IT and thus be ready to help them protect their networks while realizing the criticality of the process and the problems of an interruption can cause. At the same time, OT professionals will need to become familiar with new threats (many of them already common to IT teams) and thus, with the help of the IT team, study ways to mitigate risks and threats while maintaining the availability and safety of the application. Indeed, one of the biggest challenges lies in adapting common IT tools to the OT environment without disrupting the process (for updates, patches, or active monitoring).
Jeremy Friedmar | Senior Product Manager, Edge Solutions
With the rapid growth of Ethernet on the industrial side and the organization converging into a single data network spanning both IT and OT, the conflict seems inevitable. Which department gets oversight and control of the Ethernet network? A lot of organizations are finding out—perhaps not without a bit of pain—that the “either/or” question can be problematic. The chasm between IT and OT in everything from processes to knowledge and culture can be quite large.
Right from the start, the department that is traditionally responsible for data flow and the department that is responsible for industrial controls are managed according to fundamentally different incentives. For OT, availability is king, representing millions of dollars in manufacturing productivity, whereas IT tends to position data security as a comparatively higher priority. When IT and OT are separate, organizations have different priorities, which leads to the creation of different procedures and mindsets. No point of intersection between IT and OT is a contributing factor in conflict and an overall lack of understanding between the two.
The key point is that there needs to be a way to bridge the gap between IT and OT. One pathway to achieve this is by finding an individual capable of communicating with and relating to both departments. This person could ensure that the departments work synergistically rather than as adversaries, and they could use a sub-organization around him or her to ensure that the proper backing and resources are provided. We call this individual the “Automation & Data Exchange (ADX) Engineer” and the support system for this person the IT/OT “Joint Task Force” or “Steering Committee.” Both entities are critical in ensuring the success of IT/OT convergence.
Viral Trivedi | CBO at Ampcus Cyber
The convergence of IT & OT technology is happening at a quicker pace. It is motivated by market forces that mandate ever-increasing connectivity of all assets across enterprises. Conjunction of these worlds exhibits directly in the shifting responsibility for ICS security into the IT security and risk C-Suite.
Today, IT security and risk leaders are progressively forced to take over the security of OT devices at a fast pace. This newborn accountability has left IT security and risk leaders fighting to adopt the OT security labor gaps, contrasting technology solutions and costs. Although OT and IIoT security concerns are benefiting from increased budget prioritization, security and risk leaders remain keen for simplification of their existing tech stack.
Added to above, the lack of skilled OT security personnel has been one of the biggest challenges due to the silos created between IT and OT. Each group has their unique way of handling security, and most of the time, it does not align, as IT and OT environments operate on different technology stacks.
To view part one of the series, hosted on the Belden site, click here.