In industrial organizations, security is traditionally divided across three silos: physical security, IT security and operational security (plant security and system integrity). This divide makes it more difficult for facilities operators to identify and respond to incidents.
Also, modern-day operations often span complex IT (information technology) and OT (operational technology) infrastructures and typically include thousands of devices, which are increasingly being connected via the Industrial Internet of Things (IIoT). This creates new challenges for securing industrial environments, and makes cyber-physical security threats even more difficult to detect, investigate and remediate.
To protect this complex attack surface, many industrial organizations have devised ways to converge their IT and OT groups — or they are researching options for doing so. However, the ‘convergence challenge’ is truly a tough nut to crack as two main barriers exist.
IT and OT are Very Different
IT environments are very dynamic. For example, IT systems are patched, upgraded and replaced on a regular basis. IT staff are concerned about data confidentiality, integrity, and availability (aka CIA). They are very knowledgable about the latest IT trends and threats. However, IT personnel are typically not familiar with OT networks or industrial control systems, and few of them ever set foot on a plant floor.
In contrast, OT staff work in an operational environment where stability, safety and reliability are top priorities. Their jobs involve maintaining the stability of complex and sensitive environments such as oil refineries, chemical plants and water utilities that are populated with legacy systems that were implemented and haven’t changed for decades. The motto is: “if it works, don’t touch it”. OT engineers recoil at the thought of IT personnel being involved in the safety of their plants or tinkering with industrial control systems (ICS).
IT and OT use Different Technologies
In general, IT people are used to working with the latest and greatest hardware and software, including the best security available to protect their networks. They tend to spend most of their time patching, upgrading and replacing systems.
Meanwhile, OT staff are used to working with legacy technologies, many of which pre-date the internet era. These often use proprietary network protocols, and lack basic security controls like authentication or encryption. They also don’t have event logs or audit trails. As a result, incident detection and response in an OT environment is very different than in an IT environment.
C-Level Support is Key to Success
To bring IT and OT staff together, and unify security thinking and practices, organizations need to create a culture of collaboration between both camps for the common good of the business. Easier said than done, of course.
Despite the challenges of bridging this divide, a number of organizations have achieved deep collaboration between IT and OT. The key to success is getting C-level support.
Some organizations begin by creating a C-Level role to facilitate the convergence. For example, it’s quite common to find a Chief Digital Officer whose role is to bridge the gap between IT and OT, merge the culture divide, and establish incident response processes that span both groups.
The successful deployment of industrial cybersecurity projects must leverage resources from both IT and OT. Business-level oversight and leadership helps ensure that the two sides will collaborate effectively with each other.
To make this happen, more and more organizations are taking senior, experienced engineers from OT business units, and assigning them to support incident response within the Security Operations Center (SOC). This creates an environment where people, processes and technologies straddle and unify both sides of the IT/OT fence.