Information technology (IT) and operational technology (OT) teams have historically been separated over the years — and for good reason. Their priorities are different. Their approaches and processes are different. They inhabit different worlds of digital and physical results. However, the worlds are colliding from strategic initiatives related to Industry 4.0 or digital transformation. This gives even more impetus to discover what they can learn from one another.
What’s different between the disciplines of IT and OT? One key difference is OT deals with physical outcome-producing assets. OT is everything IT is, plus physics (IT + physics = OT).
Gartner predicts by 2025 cyber-attackers will have weaponized OT environments to successfully harm or kill humans.
A digital safety framework for OT
Given the differences between the disciplines, what can OT learn from IT? IT does not relinquish or delegate its roles and responsibilities to other business units. It takes responsibility for business systems, infrastructure, applications and data technologies. Taking full responsibility and ownership of the assets under their charge is one big step OT must take.
OT needs to develop a National Institute of Standards and Technology (NIST) framework (identify, protect, detect, respond and recover), MITRE ATT&CK or something similar. They need to assign team members who have the authority, responsibility and ownership for cybersecurity within the organization. They should be tasked with implementing and managing cybersecurity efforts and measures related to industrial control system (ICS) devices.
When it comes to IT, there is no question who owns IT technologies. Those in the OT organization must overcome the belief that they are not responsible for cybersecurity as it relates to their ICS. OT not taking responsibility is the equivalent of them stating they are not responsible for safety, which is everyone’s responsibility and the number one priority with ICS.
When working with OT practitioners, cybersecurity experts must frame the discussion around digital safety, a term that encompasses physical production and kinetic devices controlled by digital systems (IT + physics = OT). The plausible deniability position taken by OT and IT demonstrates confusion around ownership of associated risk. This opens them up to vulnerabilities in their environment where catastrophic events can happen. Both sides need to define and agree on an owner.
Common business rules of demarcation
The cybersecurity ownership mentality of IT needs to be embraced within OT. Clear lines of demarcation need to be established and understood between OT and IT. Many would say that by installing a firewall or implementing an industrial demilitarized zone (IDMZ), those boundaries exist. If that was true for every security measure put in place by IT, then OT would replicate.
For example, if IT installed a firewall to segment between IT and OT networks, what are the prescribed techniques, tactics and procedures (TTPs) for engagement between OT and IT networks? If IT deploys a firewall, then OT should also deploy a firewall under their charge. Why would OT assume IT is protecting them? How would IT even know what is considered valid traffic in an ICS environment?
Take IT and OT out of the mix. If a business wants to connect to the Internet or some other network, they deploy a firewall and DMZ on both sides. There is zero trust between the outside world and the internal network because of the unknowns. IT can control only what they have responsibility for, so they would deploy a firewall facing foreign networks.
Even within the same organization, IT and OT are third parties to each other with completely different roles, responsibilities, applications, systems and technologies. Why would OT trust IT? By installing the firewall, IT is saying they do not trust OT. Does IT put firewalls between accounting and sales? Probably not. Then why implement a firewall between IT and OT? OT is foolish to think IT is protecting them by installing a firewall for only IT’s benefit. OT should take the same position as IT with other third parties by installing and managing their own firewalls.
Ownership of digital safety and cybersecurity for ICS
Haphazardly or unwittingly, IT is led to believe they are the defenders of ICS until someone shows them the actual ICS in question (see Figure 1). Once the ICS devices are finally brought into the light, IT will respond those ICS technologies on the plant floor are not in their scope. If not IT, then who is responsible for ICS cybersecurity?
Without any hesitation, IT would say they are responsible for the system application and product in processing (SAP), email, data centers and business networks. If IT does not see ICS equipment as in their scope, and OT is not stepping up to take ownership of their environment from a cybersecurity perspective, where does that leave things?
Asset visibility and network monitoring
Visibility has been important for both groups to see what devices exist on their networks. Most IT groups today have tools that automatically discover those devices that live on their network. With these asset inventory and configuration management tools, they can get up-to-date information on what is connected to their environment, the software levels, installed programs, patch levels, etc.
More IT departments today have some level of network monitoring in place. This allows the IT side to manage those assets in larger groups for necessary updates and upgrades. OT needs to take the same steps with asset detection, monitoring and remediation.
A key differentiator between IT and OT is the total cost of ownership (TCO) model and how investment is viewed across both disciplines. IT is often viewed as overhead or expense versus OT, which is embedded in the revenue-generating side of the business. OT capital expenditures (CapEx) spending is viewed and treated differently in relation to ICS assets, compared to IT investments. The life cycles for technology are also much different. The OT asset life cycle replacement is measured in decades, while the IT technology asset life cycle is less than a decade, averaging between three and seven years.
IT leverages orchestration platforms to assist in managing a wide range of IT-centric technologies. This simplifies the management, administration and support functions into standardized toolsets to assist with outsourced strategies to third parties, which in turn helps reduce TCO. Whether a security information and event management (SIEM), security orchestration, automation and response (SOAR) or manage detection and response (MDR), these allow rollups of the massive amount of data the IT network produces so teams can sort through and identify incidents that require verifying and validation of events.
Leveraging third-party suppliers and vendors
OT and IT leverage their supply chain of technology partners and third-party professional services. The challenge is these supply chains have different go-to market strategies, initiatives, skills and expertise.
For example, you can find an IT technology company such as Cisco that sells enterprise and industrial technologies into IT and OT environments. However, how the technology gets there is via two different paths. IT buys for the enterprise, and OT buys for the industrial side of the business.
Cisco’s large value-added resellers (VAR) believe they can operate in OT environments as actual practitioners, yet OT organizations never engage IT VARs on any ICS-specific projects requiring IT technologies. IT will buy and hire from the IT VAR supply chain, but they can never get where they need to be to provide best-in-class cybersecurity or process integrity solutions for ICS. On the other hand, OT has supply chain automation technology suppliers such as Rockwell, Siemens or Schneider Electric, who can provide best-in-class solutions and operate in the OT environments from a cybersecurity perspective.
The first challenge for these firms is they cannot scale to handle the sheer volume of OT environments in the market. Second, industrial manufacturers have a variety of technologies deployed. No industrial manufacturer has 100% of one specific automation vendor’s technology deployed within one site, let alone across their entire fleet of plants.
The OT supply chain also is not trying to be something it is not, meaning it is not trying to sell into IT. Automation technology vendors and their supply chain (system integrators, OEMs) are not trying to sell enterprise class systems, infrastructure, applications or networks into IT organizations. They tend to stay in their own lanes but will be the first to admit they are pursuing cybersecurity initiatives with OT clients with little to no success without OT buy-in.
Adhering to the “when, not if” principle, cybersecurity has been on the minds of IT staff for years and many have an established — and likely growing — security processes. Whether following a specific framework such as NIST, MITRE or an internal process, they have established procedures and risk management that have been maturing over the years on identification, protection, detection, response and recovery.
Ownership and role definition
The final areas of learning OT can take from IT falls under ownership, roles and resources. The first area involves defining the ownership and roles involved. With the above-mentioned tools and processes, IT is clearer around who owns and is responsible for the actions to support digital safety and cybersecurity within their environment. It may be divided by organizations, teams or business units.
A final key learning that OT can take from their IT counterparts is the understanding that when it comes to resources, IT doesn’t go it alone. Most IT teams make use of expert resources and services through their ecosystem of partners and vendors. IT vendors come in all shapes and sizes — application, hardware, cloud, managed service providers and consultants. IT doesn’t have enough resources or bandwidth to address the demand, so leaning on outside vendor partners is a proven method to get things done.
OT faces the same internal resource constraints. By learning and replicating the relevant processes and approaches to resources, funding, role definition and oversight IT has successfully put in place over time, OT will be in a greater place of strength to monitor and manage their way through these turbulent times. This requires a great deal of diligence when it comes to digital safety and cybersecurity measures for industrial manufacturing and critical infrastructure environments.