Understanding the role of Security Triads in IT/OT convergence
Right now, the majority of industrial companies around the world are wrestling with the convergence of information technology and operational technology.
IT/OT convergence involves integrating two worlds. Their functions are often completely different from each other and their ways of mitigating risks and managing tasks are equally dissimilar.
In recent years, IT/OT convergence has become increasingly important, driven by the growing complexity of networking and computing in OT and by the need for significantly greater process maturity in areas that normally fall within the domain of IT, especially network security and identity management.
I recently talked with industry colleagues about the challenges facing companies currently dealing with IT/OT convergence. According to these experts, many industrial companies currently find themselves struggling to seamlessly blend IT and OT into a unified system that is both easy to monitor and understand. This also means merging disparate IT and OT staff who often have opposing views on how to solve problems.
The experts I talked with say that while IT/OT convergence presents companies with unique challenges, when done correctly, this integration can help bring disparate teams together and lead to accelerated innovation.
“The fact that both domains now share a common goal implies that there is an implicit agreement between these working groups to start working together, which means that now the discussion revolves around what is the best way of achieving this collaboration,” says IT / ICS Cybersecurity consultant Martín Cafferata. “Many companies are embracing agile methodologies to enhance their digital transformation goals, and I’ve recently seen an example of a company where IT/OT profiles were grouped together in an agile cell to build an MVP of a PLC monitoring dashboard in Microsoft Azure.”
Training programs and team building seem to be among the main themes surrounding IT/OT convergence and integration. While the process is primarily about integrating technologies, there is also a human element to the convergence.
“It is a matter of education. Helping them to understand that IT is all about the CIA Triad (Confidentiality, Integrity, Availability) while OT is all about the AIC Triad (Availability, Integrity, Confidentiality),” says Craig Reeds, cybersecurity compliance manager at Electric Power Systems. “Once the teams understand the difference in priorities we can move forward.”
In the OT arena, the safety part means that OT systems should be designed in such a way that the machinery will not inflict harm on employees, the population, or the environment. Additionally, intentional sabotage or mistaken action by authorized personnel must not damage their safe operation. This goal is achievable through safety-oriented design of the OT control architecture and supported by enhanced cybersecurity.
The reliability part of the triad is also extremely important. In the past, safe and reliable operation of machinery was the main design criterion for OT, and cybersecurity requirements were not listed in the specifications. This flaw should be corrected as quickly as possible in all future projects and should also be remedied in existing (legacy) installations.
The productivity part is very important as it provides the business justification for the entire system. Naturally, achieving quality production must be supported by reliable system operation. Furthermore, reliability should not be at risk due to vulnerable OT design, according to the paper.
Another way to safeguard security is to ensure organizations have written documentation related to cyber defense processes. Having such documents is a step in the right direction; however, enforcing their use across the organization is not an easy task. There are published cyber defense-related “best practices” and regulations, from which CIOs and CISOs can retrieve information applicable to their organization.
Enhanced technology is important to achieving a higher level of cyber defense. We no longer live in an era where a firewall and antivirus protection are all that is required to keep systems safe. A lack of awareness leads to limited security budgets, which prevents investment in cyber defense. By having larger security-technology budgets and using higher quality safeguards, companies can take a step in the right direction. What may seem like a huge investment now will be worth it when there are targeted attacks. Skimp on solutions now and you may be facing a much heavier price tag in the case of an attack.
Most cybersecurity experts I speak to agree on the importance of the human element in ensuring the security of systems. Almost every expert agrees that team building is the key to IT/OT collaboration and successful cybersecurity because the different teams need to come together as one to build successful systems.
In most industrial companies, “if it isn’t broke, don’t fix it” is the norm. Business continuity and “always up” are necessary, as Arthur Mailloux, a SCADA Project Manager at Brookfield Renewable Energy Group, points out.
The biggest challenges for industrial companies are two-fold, Mailloux says. The first is simply understanding that OT needs protecting. The second is that some IT processes and procedures really should be considered best practices and are necessary to protect your OT.
The main goal for most companies is to consolidate their efforts and not have two teams doing the same thing at double the cost. Both IT and OT teams need to learn each other’s nuances.
“I have found that they both have totally different opinions and strategies, and a convergence can be devastating without each type of Administrator, IT and OT, having a good understanding of the consequences of their actions. Education, patience, and experience are needed,” Mailloux adds.
A normal IT approach to fixing issues could be to push patches, updates, and hot fixes. However, in OT that could mean reboots, which could render control systems useless or cause downtime. These are not acceptable solutions in the OT environment.
However, outdated or unpatched software invites risk from today’s cyber attackers, who have many tools at their fingertips to exploit known vulnerabilities. Due to the “always up” and quick-response nature of most OT systems, vulnerabilities exist. IT-focused policies and procedures aren’t necessarily bad, or too restrictive, as long as the proper stopgaps are developed and testing is done.
“The road to convergence is very tricky. The answers can only come from asking the right questions of the right people. Each industry is unique in what they do and how they do it, even if there are similarities. Working with the vendors you currently use along with the employees who know how to use it in your environment is key,” Mailloux says.
Mailloux, like all cybersecurity experts, feels very strongly about training.
“Training is critical – both technical and interpersonal. IT staff and OT staff don’t usually mix well,” he says. “Network personnel and electricians have different perspectives as to how to move signals across wires or distance, while system administrators and operational technicians have different views as to their hardware. Both need to at least understand each other in order to bring the best of both worlds together to better protect the industry.”
Management doesn’t always understand the intricacies involved in integrating teams, but having well-blended teams can be the most important factor in creating a secure environment.
As Mailloux puts it, “Sometimes the top of the hierarchy doesn’t have a firm grasp of the issues convergence will entail, especially the different mindsets between the two. A good leader needs to have long talks and good understanding of BOTH IT and OT, and work with both to have a comprehensive approach to convergence.”
OT/IT folks need to appreciate each other’s roles and find a common understanding. While their fundamental worldviews can be starkly different, convergence, or at the very least alignment and mutual understanding, is critical to the organizations they serve. IT folks should get out into the field and down to the production floor.
In the end, I believe it comes down to how your organization views and manages risk. Successful end-to-end risk reduction and mitigation cannot be achieved by a “House Divided”. It is time to cross the chasm.
Directing Analyst, Takepoint Research