LONDON, UK – Information technology and operational technology are like two sides of the same coin. Their objectives are the same, but too often they don’t see eye-to-eye when it comes to priorities, according to cybersecurity experts.
Information technology (IT) teams are tasked with securing and managing hardware and software along with storing, retrieving and transmitting data. Operational technology (OT) teams oversee industrial control systems, managing and monitoring the physical processes tied to devices such as valves and pumps.
Both have long butted heads when it comes to security implementation and system updates. One bad security patch could mean production downtime for OT. Meanwhile, IT worries a malware-infected meter will bring production to a grinding halt.
Thanks to advances in cyberdefenses, things are about to get interesting for both OT and IT, a panel of experts at Infosecurity Europe said this week.
While OT functions have historically been monitored manually, more factories and other industrial companies look to implement big data and smart analytics functions – meaning that the teams behind IT and OT must soon converge – and learn how to work together, experts said.
“The world is changing, and operational technology has to keep up,” said Gavin Ellis, CISO of the Nuclear Decommissioning Authority. Despite that, he said that the objectives of IT and OT are strikingly the same. “The objectives aren’t different but they are prioritized differently. It’s the same as working with any team that has conflicting priorities.”
Two Worlds
The panel remained optimistic that a common ground can be found. The key to that, they said, is engagement around similarities in what the two want. The current issue is that IT and OT teams have historically been separate, in terms of communications, priorities and even the way that they operate systems.
While IT teams have historically protected information security for enterprise systems, operational technology teams have focused on industrial automation networks. But even beyond roles, IT and OT teams have historically been different to the core. Operational technology is built for specific environments and must take system downtime into account, while IT has more of a layered or global approach. The lifecycles of the two teams are separate as well – OT systems may be 10 or 20 years old, with some devices still running Windows XP.
On top of that, the two have different goals: Confidentiality is the end goal for IT, whereas operational technology teams strive to make sure that machines don’t go down – which could have catastrophic results.
“[The two have] quite a legacy set of priorities… but with the interconnection of networks and environments, those objectives are converging,” said Matt Gordon-Smith, CISO at Anglo American, a mining company. “That common ground is the merging of confidentiality and availability and integrity.”
Convergence
But everything is changing as IoT is increasingly implemented on the factory floor to better monitor events, processes and devices. Historically isolated industrial networks will now be exposed to a greater attack surface. And, with legacy OT equipment, safety regulations (that might bar modifications being made to that equipment), and compliance regulations, the industrial world is difficult to secure.
But now, high-profile malware attacks such as Shamoon, which infected the Saudi oil production company Aramco and damaged upwards of 30,000 computers in 2012, and Triton, which has targeted industrial control systems, have highlighted the cyber risks facing operational technology.
Getting industrial firms’ C-Suite involved helps to prioritize security for systems, experts agree – especially if top management understands the risk and how it impacts the business as a whole.
“In a typical industrial environment, the appreciation of cybersecurity isn’t as high,” said Gordon-Smith. “You need someone at the top level pushing information to the right people.”
The main strategy that needs to be adopted for IT-OT convergence, first and foremost, is communication between the two teams maintaining systems on both sides, professionals agree. But with these differing priorities and cultural clashes, that might be more difficult than it looks.
Exercise-based simulated attacks could help IT and OT teams better understand their differences – and talk them out, the panel said.
“Get the team to work together: It’s important to understand that as security professionals, we have a definitive role to play in this space,” said Shawn Scott, head of information security at Thames Water. “Joint red and blue team exercises could help these two different brains communicate better in simulated environments.”