Information technology (IT) and operational technology (OT) have needed to converge for quite some time to ensure that sound cybersecurity practices are in place. However, these two groups of engineers have often struggled to work together and to view the threat landscape through each other’s eyes. So how can companies maximize IT/OT convergence?
CFE Media and Technology has brought several industry experts together to discuss IT/OT convergence and why it is such an important part of cybersecurity. Joining Gary Cohen are David Masson, Sam May and Bryan Bennett. Bennett is the vice president and practice leader of cybersecurity at ESD, Masson is the director of enterprise security at Darktrace and May is the senior compliance advisor at Steel Root.
This discussion has been edited for clarity.
ICS Pulse: When you talk about IT/OT convergence, you have to look at recent attacks on critical national infrastructure like Colonial Pipeline. Whether they’ve hit the IT side or the OT side, they’re still forcing companies to take their OT systems offline. This means the cash registers get turned off, which means the business isn’t making money, which obviously isn’t acceptable. As these two technology systems become more interdependent, how do we protect both?
Bryan Bennett: I would call them separate and segmented. A lot of my OT environments are on our private network. Do you get alerts on your other network when there’s an issue? Yeah. Guess what? If they can reach out, I can reach in. A lot of folks don’t understand that, but there is a convergence. There hasn’t been a convergence up until recently with all the scares and everything else that’s going on with this convergence of ownership of security between IT and OT.
There’s been a lot of situations where the IT directors always take care of IT and never regarded anything from an ICS (industrial control systems)/OT perspective because it’s up. It’s running. Nobody really cares. There’s no information on it to where if it did get compromised, it’s going to affect me. That’s not the case, but it’s been that way for a while. Now it’s getting all the notoriety if it’s not the case. There must be an individual or individuals responsible for the security of both.
Bringing security up for OT environments is going to be painful in a lot of cases because they were never considered to be a security threat when they were made. Some of these systems are still running on a server with big scary tape around it that says, “Don’t touch me or I’ll go down,” with no updates. We all know those environments, and we’ve seen them. If somebody were to get into that, that is the mother lode of places to start from, and then you can infect the environment because if there’s no updates to it, there’s no security watching it either in most cases.
That’s the convergence of ownership, as well as the understanding that you must bring your OT environment up securely, or to the same security level that you’re bringing your IT environment to, and have the same concern for it to be maintained at that level. It’s not a one-and-done. This is an every-day, all-day scenario.
Sam May: Yeah, it’s super easy to say things like, “Just take it offline and don’t attach your OT to the WAN and everything will be happy and secure.” Theoretically, that’s true, but in reality, the world we live in is more and more and more interconnected. That’s not going to change. OT is just inevitably going to be web managed, and because there aren’t the people to do it, the infrastructure is so dispersed.
They’re all going to be connected to the internet so that they can be managed, and that’s what we want. We want them, but we also want them to be done securely. OT is designed by principle to be up. It’s constantly available, and it is available 24 hours a day, seven days a week, especially SIS GATA. SIS is going to be up and running regardless of security. SIS has to work, and safety integrated systems have to provide their safety function always.
They don’t provide their safety function if someone has locked them up with ransomware, so there is security, but security must come secondary to uptime. Our challenge as security professionals is to walk this fine line and say, “How do we make these systems secure without annihilating free cash flow and driving these businesses out of business, removing some amount of that availability of the data to flow through the OT environment to begin with and providing whatever it is, from a pipeline to safety relief valves in an oil production facility?”
These have to be systems that are up, and that challenge is on us. There isn’t a good marketplace for people who can solve these problems because this really hasn’t been an engineering requirement. The CI (critical infrastructure) have been out of it, and so there aren’t security architects and engineers who are taught to think this way. So now we must create them from scratch, which is also difficult because now you have to go into an environment where there is a Win 95 server or a server 95 running, and you have to try to convince a bunch of engineers that this is going to have to change.
For their entire career, they’ve been looking at that orange tape that says, “Don’t touch me,” and they’re like, “It’s worked for 20 years. I’ve never had a job where this machine hasn’t been blinking, so I’m not going to touch it.” And, oh, by the way, the 67-year-old IT guy in the corner who’s only ever worked at this company, who’s never not seen this box there either, he’s going to be the same way. We’re not changing that. I wouldn’t even know how to change it if I did, and I don’t even know what the protocols that run on it are.
If you talk to the software company that runs the software that this machine is supporting, they say, “I wouldn’t touch it because then you’re going to have to replace everything.” You’re going to have to be talking about millions of dollars in capital investment simply to replace this one box. That’s the environment, and that’s not going to change. It’s incumbent upon us to figure out ways around that. This is where communication with the federal customer really becomes important.
It’s nice to have someone say, “OK, we’re paying attention to this now. Everyone’s going to have to change the way that we can be more secure. You are going to have to report your breaches,” and things like that. There’s a very real fear in reporting.
If you’re not taking cybersecurity seriously, you’re going to start facing legal challenges and create this culture of fear where now people don’t know what they’re supposed to be doing. They just know they must be doing something and start making massive sprints down the wrong directions just trying to achieve something. This is where there must be a coordinated effort. Nobody should be sprinting or running or dashing anywhere.
We should be talking about this like adults and figure out what the actual progressive next steps are. There should be a federal customer saying that your next steps are to sit down with your stakeholders and figure out how to write all these programs and policies, because that’s what’s going to save you at the end of the day. It’s not going to be some blinking box sold to you by some tech company that just wants to sell a blinking box right now.
David Masson: With IT/OT convergence, we always think of technologies converging, but Sam was just pointing out that you’re talking about two completely different groups of people. Cyber analysts, IT security people, engineers and cyber systems crime engineers don’t talk to each other. They don’t understand each other, and they speak different languages. That doesn’t bode well for the IT/OT convergence, which we’ve all realized is happening and is going to happen.
IT of the early 21st century is going to be MS DOS, and we always go on about PLCs and HMIs being these fragile little creatures. If you shake them, then they fall over. You might wonder whether the IT will fall over when it suddenly realizes what it’s trying to coordinate with when it gets on the other side. Sam and I just want to point out when we talk about the IT/OT convergence pieces, we all seem to think about it as the one business, and the IT and the big headquarters and plant meet in the middle.
What we do need to realize is that it’s probably going to meet in the cloud. That’s pretty much where this is all going to happen. You’re going to have OC SaaS, and at that point, that is true convergence. In fact, we’ll almost get to the point where we’re probably not talking about IT/OT, and it’s just going to be one thing because that’s where it’ll happen.