Ask most people from the C-suite to the plant floor who is responsible for the security of technology and networks, and they’ll point you directly to the information technology (IT) department. But attacks like those on the Colonial Pipeline and JBS have proven that when it comes to cybersecurity, the separation between IT and operational technology (OT) is exceedingly thin. While both attacks targeted IT departments, they ended up shutting down OT systems for various reasons. That’s why OT should own their cybersecurity, said Dino Busalachi, chief technology officer of Velta Technology.
This is a problem on multiple fronts. Damage to OT systems can be a huge safety issue, as the attack on the Oldsmar water treatment facility in Florida showed, but it’s also a business problem.
“If this stuff goes down, you quit making stuff,” he said. “It’s not about data theft and intellectual property. This is about not being able to make goods. This is your cash register over here. You’ve got to be able to keep it running. And they’re not going to separate them. They’re not going to go back to the days of being air-gapped and isolated because it just doesn’t work.”
Given the proliferation of technology in industrial control systems over the last several decades, it’s high time for OT teams to own their cybersecurity practice, Busalachi said. There has been tremendous growth in the number of assets that are connected in the modern, internet of things (IoT) environment, making it much harder for IT teams to really understand the problems.
“There hasn’t been a real clear separation as this explosive growth has moved into that environment,” Busalachi said. “I think for a lot of organizations, it has shifted on who actually owns the security for these types of assets. If you talk to the OT teams, they don’t believe cybersecurity is their responsibility. They just don’t. They would shift that responsibility over to IT. They will defer and deflect.
“If you talk to an IT professional, they would say that OT cybersecurity is their responsibility, but I don’t think they really understand the assets that are involved. They haven’t gone through and really seen and had a tool that’s given them that asset inventory for those systems that are out there. They just don’t know. They walk by those panels. They don’t realize that there’s hundreds of devices inside those panels, sitting on a network, running software, and that have the same CVEs, common vulnerabilities and exposures, as do their IT assets.”
The modern plant floor is a dramatically different place than it was several decades ago. IT and OT have commingled. These days, new OT machines use technology similar to what you would find in IT. It might be hardened, Busalachi said, but it’s still networking technology that has the same vulnerabilities and exposures as IT assets.
Another thing that makes it difficult for IT leaders to own OT cybersecurity is that the two sides’ core goals are fundamentally different. They’re both trying to curtail external and internal threats and stop malicious behavior, but for OT leaders, safety comes first.
“We like to call it digital safety,” Busalachi said. “Those terms are typically foreign to an IT organization, who doesn’t have the same responsibility. Their job is confidentiality, integrity and availability. … On the other side of the coin, safety is first, then availability, then integrity and then confidentiality. They’re flipped. Their priorities are upside down between the two groups.”
While it is essential for OT to own cybersecurity, there are several hurdles that must be overcome to facilitate that process. One is simply manpower. OT systems have exponentially more endpoints than IT systems and are often staffed with fewer people, even in large manufacturers.
“On the OT side, they’re responsible for a lot of stuff, and they also have very few people,” Busalachi said. “Everybody is running on razor-thin resources. We don’t have the human capital. That’s a struggle.”
Another issue is that OT machines typically have a much longer lifespan than IT systems. The lifecycle replacement strategy for control systems can be several decades. On the IT side, those technologies can change every three to five years. Many of these older OT systems don’t offer much visibility in the event of a cyberattack.
“If IT calls up and says, ‘We’re under attack,’ and they ask the OT guys, ‘How are you doing over there?’ what are the OT guys going to tell them?” Busalachi said. “They don’t have any tools down there telling them whether there’s malware in their environment. Are they going to wait for their human-machine interfaces (HMIs) to lock up because they got encrypted? That’s how they know. It’s like, ‘OK, now I can’t shut down a machine safely, or I have to go to manual mode.’”
The COVID-19 pandemic has also had a huge impact on industrial cybersecurity, as both IT and OT teams have transitioned to work-from-home environments.
“When COVID came along, they opened up Pandora’s box and cobbled together all these remote systems capabilities to get original equipment manufacturers (OEMs) and system integrators (SIs) and third parties into the environment because they couldn’t travel to the plant. They had to give them access, so they blew holes in the firewalls; they broke down all the rules, and what they thought was secure, they had to tear apart and move it to the perimeter for people to gain access to the environment.”
Though the process may not be simple, Busalachi said it’s still essential for OT to take a leadership role when it comes to cybersecurity on their own systems.
“The OT leadership, they own the assets. They need to own their place,” Busalachi said. “This is their stuff. All these vulnerabilities and all these exposures are theirs to solve. IT can help them. IT can help them organize it. They can help them explain what these things are, but at the end of the day, those assets and the responsibility of production and safety falls to OT, so they have to own it. That’s their supply chain.”
In Part 2 of our interview with Dino Busalachi, he will discuss some specifics on how OT teams can start to own cybersecurity.