by Henry Elisher
Business Analysis (BAPL) Consultant
Many industrial organisations still view IT (Information Technology) and OT (Operational Technology) security as unique issues to be addressed in isolation. Even though IT & OT environments are foundationally and functionally different, the need for convergence between the two in the new world of increased and pervasive cyber risk can no longer be labelled as a consideration or option, convergence between the two spheres needs to be a mission critical objective.
A recent report by the World Economic Forum identified cyberattacks on critical infrastructure and strategic industrial assets as now being one of the top five global risks. Knowing that, it beckons reason that the typical view many industrial companies take when it comes to the security of their IT & OT spheres is that each still pose their own unique set of challenges which need to be handled in isolation. The reasoning being that the differing concerns and practices of each are justification enough to warrant a siloed approach to security.
Siloed approaches in themselves mean a disparate and non-cohesive structure. Gaps in the cyber defence of organisations as a result from the lack of cohesion are inevitable.
Attackers understand where the vulnerabilities lie and have the expertise to exploit the security gaps between IT & OT technologies. They understand full well that those responsible for organisational cyber defence can have different priorities and practices. Specifically, within the business there can be differing, functional requirements, different working cultures and risk appetites. It’s no surprise then that these environments also have the propensity to be dissimilar and divergent when it comes to their own security requirements.
In industrial organisations security has traditionally been divided across three silos, IT security, OT security and additionally, physical security (plant security and system integrity). This divide has made it difficult for operators to identify and respond to incidents when they’ve occurred. Coupled with the historical aspect of siloed priorities in terms of security requirements, with IT security focusing primarily on confidentiality and OT security on integrity and availability, modern day operations have been placed under immense pressure and scrutiny. New challenges have now arisen from the complexities formed out of elaborate IT and OT infrastructures, which typically include thousands of devices, all being connected via the IIoT (Industrial Internet of Things). These complexities have changed the game yet again, making it even more difficult to detect, investigate and remediate cyber security threats and incidents.
From the perspective of critical infrastructure providers, the potential societal consequences from a cyberattack requires that their operations take place in a certain manner. The priority of an operator, such as in the electricity market, is to ensure the safe and reliable delivery of that service, it’s their primary concern. Having this as their key responsibility in turn leads to other differences across areas, from component lifetimes and patching practices to audit timelines and additional functions. Reliability of service in the electricity sector is of utmost importance and becomes an overarching goal.
These security challenges are also often exacerbated by the communication barriers between the two groups & the fact that they quite likely have different reporting and governance structures.
This lack of coordination and communication becomes especially risky in times of emergency where the organisation has been the target of a cyber-attack and needs to formulate a cohesive, comprehensive response to, or in fact recover from, a cyber incident.
Protection of the various spheres in an organisation is obligatory. However, in order to protect a complex surface attack, the way many industrial organisations are acting recently has been to devise ways to converge their IT & OT working groups. A more than onerous task in itself as each group has a tendency to believe that security vulnerabilities are inheritedby them usually due the blatant ignorance of the other. This finger pointing tends to entrench an eternal battle that centres on each domain playing a defensive roll and devising mitigation strategies against risks posed by the other side. The issue is of course not internal. However, the area of conflict that exists between the two groups is just the space required for attackers to utilise and exploit it.
The difference in the IT & OT environments highlights one of two fundamental barriers that need to be overcome. IT environments are dynamic and IT systems are often patched, upgraded and replaced regularly. IT personnel have their concerns centred on the confidentiality of data, data integrity and availability. As knowledgeable as IT staff may be in their fields and as up to date they may be on trends & threats, their propensity to operate outside their sphere is limited. IT personnel are often lacklustre and typically unfamiliar with OT networks and control systems.
OT staff work in a world where stability, reliability and safety are the top priorities. Their remit is to maintain the stability of complex and sensitive environments, quiet often with legacy systems that have not been upgraded in decades.
This inherent environment difference due to business priorities and culture can be pervasive and quite often divisive without pointed remediation.
Also, the different technologies utilised within each domain has the propensity to cause unnecessary tension. Within the realm of IT, personnel are used to working with the latest hardware and software, including of course the very best security available to protect their network. Their time is spent patching, upgrading and replacing systems. Whilst IT has ownership of their ‘sphere’ the disparity between what they see as their world and the responsibility & accountability they should have is altogether different.
OT on the other hand has the propensity to function with legacy technologies, many of which pre-date the internet era. Common features of the IT environment are lost in the OT world, and the lack of basic security controls such as authentication and encryption are often disregarded in terms of importance to the ire of IT who in turn can be both incredulous and dismissive in their contempt.
C-level support is the primary step to being able to instigate IT/OT convergence, and ultimately, bring about the success of forming a harmonious unification of practices in IT & OT. In order to unify strategy, security thinking and practices, the objective of organisations is to create a culture of collaboration between the disciplines.
Despite the divide there are organisations that have successfully facilitated deep collaboration between IT & OT, the importance and driving factor of which rested within the remit of the C-suite and the support provided.
In order to facilitate convergence some organisations have created C-level roles to bridge the gap between the two. For example, it is not uncommon to known see a Chief Digital Officer whose role it is to be bridge the divide between IT & OT through the merging of culture, and by the establishment of incident management responsiveness that spans both groups.
To make this happen, more and more organisations are taking senior, experienced engineers from OT units, and assigning them to support incident response within the Security Operations Centre (SOC). This in itself helps to create an environment where people, knowledge, processes and technologies straddle and work to unify the IT/OT fence.
What consolidating IT & OT cybersecurity efforts achieves first and foremost is that it clarifies responsibilities, but more importantly, moves to eliminate security gaps. It also ensures that there is a consistency of security levels across the entire organisation and leads to reductions in the overall cyber risk. The key objectives set within this form of consolidation are therefore to entrench a shared responsibility for end-to-end cybersecurity, ensure global corporate governance of all cybersecurity policies, procedures, technologies and guidelines, and supports global visibility and management of all cyber assets, vulnerabilities and threats.
The elimination of the IT & OT silos is critical for the goal of reducing risk. The aim should be for the creation of a single digital security and risk management function/structure, with a direct report into IT but having a responsibility that spans all of the requirements for IT & OT security.
In order to be effective therefore, a converged IT-OT cybersecurity program needs to ensure a centralised oversight of the entire organisation’s cyber security efforts and additionally, have the authority invested in the group to be able to implement key objectives. Implementation of key objectives can be through formal organisational changes or via virtual teams that work in IT groups, OT groups, and security operation centres (SOC’s). The integration of third parties with specific capabilities should also be a consideration in order to address the ongoing shortages in cybersecurity professionals.
Any organisation going through changes will inevitably encounter varying degrees of resistance. Even though the benefits derived from the convergence of IT/OT cyber security strategies may seem to be obvious, the transition is likely to be arduous due to personnel implacability and the complexity of two stand-alone operating functions being subsumed into one cohesive structure.
Some of the initiatives that companies utilise to ease the transitions are:
- Establish cross-trained site teams in order to handle routine security hygiene
- Create a global support network within IT & OT experts in order to deal with more complex cyber issues such as malware intrusions and anomalous behaviour
- Update key IT/OT cybersecurity processes from vulnerability management to incident management
- Ensure compliance with corporate policies
- Integrate cybersecurity technology to enable coordinated cybersecurity management
Also, there needs to be the understanding that whilst the tools required by IT & OT might need to be different, they do in themselves need to be compatible and fully integrated within key areas such as asset inventory, endpoint and network protection, security monitoring & reporting, and secure remote access.
Beyond the technical challenges, posed inherent cultural issues also need to be addressed. Quite commonly distrust between the two groups may be the biggest hurdle to overcome on its own. Methods that might aid in the easing of transition in this regard might include workshops to reconcile perspectives, and the cross-pollination of groups in order to build bridges and re-establish trust between the groups.
The challenges posed in bridging the gap between IT & OT security exist, are real, but, are not insurmountable. As both IT & OT infrastructures increase in complexity and their dependencies increase accordingly, ownership of cyber security issues cannot take place in isolation. A siloed approach will not work in environments of interdependency because aside from the internal disruption and inefficiencies of this viewpoint, the gaps and ‘grey’ area of ownership create the opportunity for attackers to take advantage.
Convergence of the IT & OT security realms needs to have C-level support and a framework set by which security for both resides in a single location under a single remit. Once a cohesive plan is in place and once collaboration occurs between both domains then effective strategies for mitigation in a holistic sense can be made possible.
To find out more about what’s happening in the world of Business Analysis follow us on LinkedIn