In 2019, the SANS Institute released a report looking at the state of cybersecurity risks, threats and potential impacts to industrial and automation control systems within operational technology environments. Among the topic areas covered in the report was the OT/IT gap.
The report included the results of a survey of 348 respondents in OT and IT. The survey indicated that while collaboration between these departments is growing, the goals and objectives of OT and IT teams are not well aligned.
While the majority of respondents rated the current level of collaboration between the two departments as “moderate or better,” discrepancies between the roles and responsibilities of each of these departments demonstrate the potential for conflict.
Approximately half of respondents said their ICS security budget is controlled by OT while 32 percent of respondents said it was controlled by IT. Thirty percent of respondents said control is shared.
Bringing IT and OT teams together is vitally important to the safety and security of OT environments. In a webinar hosted by IoT/ICS security company CyberX on May 8, industry experts discussed this issue and offered best practices for aligning IT and OT teams, while securing operational networks during periods of higher risk.
Among the panelists was Niyo Little Thunder Pearson, cybersecurity team lead with energy utility company ONE Gas. During his time spent working in the field, Pearson says he saw the conflict between IT and OT teams firsthand.
“One of the biggest fundamental issues you have is on the IT side, there’s not a firm understanding of what they’re trying to protect,” Pearson says. “If you don’t know what you need to protect, you don’t know how to build anything around it or create a culture where it is important.”
That’s why increased education and training for IT and OT teams is so important. However, according to the SANS survey, most training budgets are less than $100,000.
“On the OT side, one of the biggest things you deal with is these things have been done the same way for the majority of the past 30 or 40 years,” Pearson continued. “They have a lot of gaps between reality and the situations that exist today. One of the approaches we’ve taken is to try to show them just how real these things are.”
In an effort to bridge the OT/IT gap, many organizations are creating combined IT/OT security operation centers. This enables organizations to better identify security threats and mitigate them in real time.
“It’s crucial for running a successful SOC, that is based in IT but moving towards OT, to be able to provide value both to OT and IT,” says Arieh Shalem, director of information security operations at First Quality Enterprises, a manufacturing company.
Additionally, getting these teams on the same page starts at the top. It’s important to establish a culture where each department sees the value of security. In order to convince those in leadership of the importance, teams must communicate the potential impacts of a cyber attack, from production downtime, to financial loss.
“In manufacturing, there are impacts to production and impacts to logistics, which impact the bottom line. Those are the types of things your board is going to care about and your leadership as well,” says Paul Brager, global OT security program functional leader with Baker-Hughes, an oil and gas services company. “Safety is also a paramount concern…The potential loss of life, potential loss of property, buildings, structures, products, has a ripple effect down the whole supply chain.”
Overall, Brager says making cybersecurity relevant to OT teams is the best way to bridge the OT/IT gap.
“There’s always been an us versus them mentality,” Brager says. “Certainly our day to day operational responsibilities and accountabilities are very different. But what we’re realizing is we’re really not all that different.”
For more information on the recent expert roundtable visit CyberX.