Why you need to get buy-in for an IT/OT SOC

Image courtesy: Brett Sayles
Courtesy: Brett Sayles

Information technology (IT) and operational technology (OT) are generally still kept separate, and that’s a good thing from a cybersecurity perspective. But you can utilize some standard IT practices to better protect your OT operations. To truly protect industrial systems, IT and OT need to work together. Organizations can forge a united front by creating a converged security operations center, or SOC. A converged IT/OT SOC can give you greater visibility across your operations and help you defend against outside threats, but you definitely need buy-in throughout the organization.

In this partial transcript from the Dec. 5, 2023, webcast, Five Essential Steps to Creating a United IT/OT SOC, sponsored by Fortinet and Tenable, two experts answered the following questions:

  • Why are industrial organizations under attack?
  • Why are IT and OT still divided when it comes to security?
  • What is a security operation center, and how is it used?
  • How can you get executive and organizational buy-in?
  • What are the benefits of a converged IT/OT SOC?

The speakers were Luis Narvaez, regional product manager for controllers and cybersecurity for Siemens Factory Automation, and Jim Cook, COO for Velta Technology. This is the fourth and final part of the transcript. To read part 1, click here. For Part 2, click here. For Part 3, click here. The following has been edited for clarity.

Why IT and OT are fundamentally different

Jim Cook: Things can get hairy, especially as you start looking at the Purdue model and how that can level and layer down. The reality is the OT networks are connected to the IT networks. It’s a reality. We’ve got to look at what we’re trying to do to manage against the threats and the risk. The threats could be internal; they could be external. It is about organizational resilience and keeping it moving.

Then, the solution is, “If this is the reality and OT networks are connected to the IT networks, and we say that they are, for better or for worse, they are, is it OK or is it not”? That’s a whole different story. But if the reality is they are connected, what is the solution? Why aren’t we exercising the same due diligence for IT networks? To Luis’ point at the beginning of this, what are you doing about OT security? Explain that to me. So that generates that discussion of, “We have an IT security budget. We have IT security people. Should we have OT security budgets? Should we have OT security people? And how do we deal with that in our organization?”

Because it’s an organizational right thing to do. So all that being said, and if the reality is that the worlds are connected, is it converging or is it colliding? I had to go to an expert, someone who has experience in two separate worlds coming together: the great Dr. Peter Venkman, who I believe has two Ph.D.s. I think he’s an expert, or at least I find this very insightful. Is it convergence or is it collision? What is it? It’s dogs and cats living together in mass hysteria. And are the dogs or cats IT and one is OT? I don’t know, but it’s always good to get puppies into a presentation. The internet is full of cats. So I thought this was a great place to start talking about that because convergence is talked about and it’s defined in different ways, but hopefully I’ll get to a little better definition on this here.

To this convergence or collision, the thing that I always say is IT deals with digital systems controlling digital outcomes. OT is dealing with digital systems controlling physical outcomes. Historically, we kept them separate, and we did that on purpose. There was a reason for it. But over time, suddenly everybody says, “Hey, let’s try and bring these things together.” However you wind up defining convergence in this situation, you must understand that’s a needed balance. There is a separation. You need to be careful with it because they are two worlds.

Let’s jump into the security operations center real quick. What is that for? Well, let’s level set at the highest level. It’s a common IT capability that, at some level, monitors to cut the time of response.

Some of these different capabilities would add asset and vulnerability and patch management. So that’s what a SOC does. These seem like good things, right? “If it’s good for IT, let’s just do that for OT.” But hold on a minute. I said IT and OT are different. The facility uniqueness at each site is unique. You can’t apply the IT global standard. Everything is different at each site, and whether you’re making the same thing and not, they’re never the same. There are different processes and physical outcomes. There are OT protocols and devices that IT doesn’t deal with. There’s the remediation response, which could be completely different.

An isolate could shut down the organization. As we talked about, vulnerabilities are rarely patched, and the ownership of those assets are different. Then, on top of that, the OT technology stacks are different, too. The protocols and the engines and detection engines, those are different. But there is an answer. To a point, keeping those separate — the IT on one side, the OT on the other — there’s a value to bringing those into an operations center and rolling it up to the top where that SOC exists already. They already have the infrastructure in place. That capability exists now. On top of that, the OT security tools can feed that capability. They’re similar technologies, but you address them differently. There’s also potential OT-specific value that’s not found in IT and this model, as you mature it further.

Ultimately, you’re taking those two Venn diagrams, and you’re trying to go, “Where’s the value, and what can cross over? What needs to stay in place on either side?” If it’s not a perfect fit, but there could be some value, my buddy Lloyd Christmas got it right. “So you’re telling me there’s a chance.” Just maybe we can get these cats and dogs together here, making it work. Really, it’s about what can the IT SOC bring OT, and it’s about that monitoring and using that capability. But OT is not off the hook. As those asset owners are out there, you have to tell the SOC what to monitor. What’s important that IT SOC can call me and tell me, and what can they do to respond and then keep it moving for that long journey of improvement.

Getting buy-in for an IT/OT SOC

And, of course, you’ve got to get the buy-in. We’ve got to get the buy-in; make sure it’s a business priority. Is it a business priority of resilience? If so, let’s extrapolate that down into what we’re trying to accomplish here. And then that common understanding. We have to get the IT and OT together, because if the execs are hearing two different stories, you’re not working together within your organization. You’re not going to move forward because you can’t responsibly define where those lines of demarcation will exist between the two worlds and how you can help the others. Ultimately, it is about bringing IT and the OT SOC together. There will be room for everyone on the nice list if we can get that together. Hey, we’re in December. I couldn’t help but fit a Buddy the Elf quote in here, but no one wants to be on that naughty list. So let’s get working together.

But just to go back to wrap it up, we have the five essential steps. Acknowledge that those risks exist. Awareness on all sides — IT, OT, exec. You’ve got to identify those risks so that you can manage them and move forward, and then take advantage of those. If you’ve got IT SOC capabilities and there are IT SOC services — there are a few that are coming out as OT moving forward, just a few out there — but they can be integrated and you can use what exists in place already without bringing it down into your OT organization and causing disruption.

Remember, cats are cats, and dogs are dogs. IT and OT are different, and there’s a reason for that. The fourth one being, really, you’ve got to take that continuous improvement. It’s a journey, I think Luis called it. It’s a journey. You’re not going to fix it in one day. You’re not going to fix it in one month. You’re not going to fix it one year, but you’ve got to start getting better. Then, at the end, if you’ve got the awareness, get that executive buy-in. IT and OT together make it a business priority.




Keep your finger on the pulse of top industry news