IT and OT Insights
- IT and OT should be assessed differently from one another. However, if there is a set list of tasks to do with them working together, it must get done, which allows a company to have better organization and communication.
- Technical skills are required to qualify as a CISO, but to be good at it, people have to stick around to gain experience from the wins and losses so they can learn what will actually work and what won’t.
A hot topic in the cybersecurity world for the past few years has been IT/OT convergence and how to bring these two sides together. Finding a way for these two different culture-based departments to have open communication and work in tandem can be difficult. There are different rules for information technology (IT) and operational technology (OT), so how do they fit together?
Joining Gary Cohen, senior editor of Industrial Cybersecurity Pulse, for this conversation are Jim Crowley, CEO of Industrial Defender; Ryan Heidorn, co-founder and managing director of Steel Root; Pranav Patel, founder and CEO of MediTechSafe and Resiliant; and Tyler Whitaker, CTO at Leading2Lean.
This discussion has been edited for clarity.
ICS Pulse: When it comes to compliance, should OT be assessed differently from IT?
Pranav Patel: The fundamental premises of compliance are the standard things that you want to go do, and you make sure you do it. It doesn’t matter whether it’s IT or OT, it’s a matter of process. How disciplined are you in meeting those things? And you must define what those things that you have to do on the compliance list are. So I don’t think it actually changes whether it’s IT or OT.
If you define what you’re going to do, if you get people disciplined enough to get those things done, and do it well and on time, then you’ve got the organization working as a well-oiled machine. I don’t know if that’s really a fight or friction between IT/OT when you get to both sides to agree on: Here’s the list of compliance that we’re going to do to secure the whole enterprise.
Jim Crowley: I think it’s prescriptive, for example, in the utility world. The data in the organization that can be shared is very limited based on that compliance regimen. It’s set up with silos inside of the organizations where you have an OT compliance and security team that’s managing those assets that are critical to above electrical system. Then, IT is sort of on its own, and the two don’t really collaborate because it’s regulated.
You have to sign into that room. You have to have special permission to view the data. There’s some of the regulation that’s actually working across purposes because there should be more collaboration between IT and OT in terms of why the processes are playing out in a certain way or why data can’t be shared, as an example. OT data that is critical inside of an operating entity should be able to be pushed to the SOC (security operations center), and it shouldn’t be just prescribed that an alert can’t go to a security analyst because it’s a NERC CIP asset.
Ryan Heidorn: Depending on the compliance framework and what audience it was written for, the techniques to implement certain requirements could be different from IT to OT. For example, multifactor authentication to a CNC machine, or an embedded system that is not capable of doing certain things, but there are other ways to mitigate those same threats in that type of environment. With the defense industrial base, there’s a lot of room for those particular frameworks to do a better job of contemplating OT use cases. I think the objectives are probably achievable but might require a little additional guidance around acceptable practices.
Tyler Whitaker: It’s interesting because OT and IT have definitely been categorized in these silos in the past with different security requirements and risk appetites. Bringing both sides of the house together makes a ton of sense for organizations that are trying to not only improve their cybersecurity stance and program, but also enable both sides to be more flexible from a compliance perspective.
The biggest challenge I see right now is that the two sides come from different worlds typically with different standards and different rule sets. The ability to merge, manage and do that in a way that enables the business to be flexible and agile would do a lot to help ease the budgets. It would also do a lot to help the C-suite relieve some frustration there. The C-suites are there to help the business grow, and it feels like sometimes cybersecurity is there to keep it status quo or to lock down what they can do. Opening the communication channels across the board and agreeing on a standardized framework that can apply and be adaptable for both sides makes a lot of sense.
ICSP: Both Jim and Pranav have touched on this idea of creating a culture of cybersecurity throughout an organization. What skills are needed from a cybersecurity team, whether that’s on the IT side or OT side, to effectively lead cybersecurity practice and start building this culture where everybody’s pulling in the same direction?
Patel: If you go back to the stats of 25% of projects fail outright, 20 to 25% to employ ROI and up to 50% require massive rework, and you ask what the reasons are, it boils down to a few things: immature processes, failure in change management, immature technology, scope creep and hidden costs mostly. Now, if you look at those, one out of those five is about technology and technology assessment. Four out of five, or 80%, are about leadership engagement and business acumen.
So these are the skills, but now look at flip side of it. The CISO (chief information security officer) turnover is at an all-time high. On average, they stay on a job for 18 to 24 months. Many are accelerated to those positions. All you need is CISSP and a few years of experience, and they’ll make you a CISO, which is great, but it creates two fundamental problems.
The first is these folks are technically very, very good, but they haven’t had scars and experiences to mature those other skills, which are 80% of the success factors. The second part, if you think about a cycle time, implementing something from need to requirements, to sourcing, implementing and stabilizing, you’re looking at more than 18 to 24 months. If people change within 18 to 24 months, you’ve got two problems.
No. 1, those guys didn’t have an experience of seeing the decisions they’ve made. No. 2, accountability disappears. The organization faced the problem, but they really haven’t seen whether it works or not. So, as I said, going back to the single biggest problem and failure point is engagement. The skills that are required are more about EQ, more so than IQ, and are about empathy, collaboration, trust, building likability and business acumen. That’s what brings the organization together. Quite honestly, CISSP really doesn’t grant you or certify you on those. That’s an experience part. That’s the skill that you need in addition to the critical technical skills to really lead across the board and make it stick.
Crowley: I think that the business skills are required to actually be the leader and be able to get an effective seat at the table to bring these issues forward. Even though the CISO has a C at the beginning of this title, they’re not adequately represented in the C-suite, and they’re not respected at the same level as let’s say, the CIO, the COO or the CFO. They don’t have the business skills or the experience of sticking through these projects to get the scars, not just pull the rip cord when the heat comes up or the next big pay increase comes your way.
ICSP: We were talking about OT. How valuable is it to use security orchestration, automation and response (SOAR) technology for OT?
Crowley: We have a couple of projects going on in that area right now, and we think it’s going to be tremendously valuable over time. To be able to do the security orchestration and be able to tie events from both IT and OT together, that type of tool set makes sense.
As an example, industrial companies often struggle with keeping their systems patched and the vulnerabilities up to date, because there’s a lag between when a Siemens or Honeywell or GE releases a patch and when Microsoft does. It’s a logistical problem to keep these systems up to date, so something like a SOAR can help with that. If you have the right asset inventory information tied to the right patching data, the SOAR system can help orchestrate that these are the most critical systems. These are the most critical vulnerabilities that need to be patched, and now it’s time to do it.
There are applications here that fit pretty well into that workflow. However, it’s really early days. People are just starting to think about how they can take advantage of this, but they’re going to have to because there are not enough people out there to do the work. There has to be some automation built to become effective around these programs that people want to put in place.
Whitaker: I think using a SOAR to help automate the response and mitigation steps is a really great idea.
ICSP: Somebody mentioned earlier that it’s more art than science and that it doesn’t seem like our cybersecurity problems can be entirely solved by technology. And they can’t be entirely solved on the human side. There has to be a blend of the two to make it really work.
Crowley: It’s certainly people that have security programs that are risk- or compliance-based. There’s still a tremendous amount of data collection that’s being done and published on spreadsheets. There’s a big opportunity to help solve that problem, having humans running around inputting data into spreadsheets, which is not an effective use of your human capital, through automation.