IT-OT Convergence: Who Owns OT Security?
Who’s responsible for industrial cyber security in your organization? Whether it’s Information Technology (IT) or a cross-functional ICS operations and process control group – often labeled Operations Technology (OT) – they likely have incompatible approaches to resolving cybersecurity risk.
To both secure ICS and reap the productivity benefits of IT-OT convergence, the industrial cyber security program must be recognized as a cross-functional lifecycle and journey. IT and OT must work together for either team to be successful.
Pre-internet, the line between IT and OT was quite clear. Today, that line has been blurred. Technology can potentially allow connectivity to nearly any device on the plant floor and out to field locations. And it’s also connecting IT and OT in new ways too.
IT and OT are very different organizations that have begun to converge. This blog addresses one of the many causes of their conflict and how to start resolving the growing pains.
Why IT and OT Resist Convergence
IT and OT are resisting convergence happening all around them says Luigi De Bernardini, CEO of Autoware, an MES and smart manufacturing automation firm in Italy. When working with clients in large manufacturing automation projects he finds that “many manufacturers still see strong resistance to bringing information and operational technologies together, with mistrust coming from both sides.”
Bernardini says that must change. “Continuing to operate separately not only slows the adoption of solutions based on technologies that fall outside of ICS operations’ comfort zone, but also exposes companies to fault or security risks that could significantly impact production.” We couldn’t agree more.
(Source: Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82 Revision 2 (NIST SP800-82r2), Executive Summary, pg. 1, May 2015)
It and OT Are Different Worlds
IT and OT are very different worlds with very different responsibilities. Fundamentally, IT secures data. An intentional or unintentional cyber threat could result in the loss of intellectual property, corporate financials and employee or customer information – and the ripple effect can be costly, ranging from $200K to $4M per incident.
In contrast, ICS logic executes control processes with physical impact. A cyber threat could have devastating physical consequences to critical infrastructure and services, employees, human life and safety and the environment – as has been shown in numerous publicized incidents.
As seen below, the Purdue Manufacturing Model gives context to each group’s realms.
Purdue Model for Control Hierarchy Logical Framework
|Level 5: Enterprise
|Enterprise Domains - Levels 4 and 5
|Level 4: Site Business Planning and Logistics
|Concerned with Securing data
|Typically managing servers, workstations, email systems, databases and applications
|Level 3: Site Manufacturing Operations and Control
|Plant Domains - Level 3 through 0
|Concerned with safety and availability of their physical and cyber assets because disruption could cause human harm or disruption to production processes
|Level 2: Area Supervisory Control
|Level 1: Basic Control
|Level 0: Process
|Typically maintaining production, process automation, and equipment spread throughout wide geographies such as transmission substations or water pump stations
The model uses the concept of zones to subdivide an Enterprise (IT) and ICS (OT) network into logical segments comprised of systems that perform similar functions or have similar requirements. (Source: SANS Institute)
If you’re in OT, how many times have you heard that “IT thinks” they can solve “the security issue” in the plant? If you’re in IT, how many times have you worried about cyber threats and risks coming into relatively flat ICS networks, and yet offers to assist are not welcome?
How Priorities Differ When It Comes to Security
The different priorities IT and OT each have are a key point as to why conflicts arise so easily between the two groups. The figure below is the classic CIA Triad, which helps to show how the two functions’ security priorities are inverse. Also, let’s not overlook that IT doesn’t even factor plant or employee physical safety in, except where physical access systems are under their domain.
IT’s top priority is to protect the data. OT’s priority, however, is to protect the availability and integrity of the process with security (confidentiality) coming last.
The security solutions each might choose for the ICS operations environment would also be very different due to many variables. This could include regulatory and compliance requirements, network architectures, performance/production requirements, employee and environmental safety considerations, risk tolerance and management goals, asset types (hardware, software and operating systems), availability requirements or security goals – the list goes on and on.
Each group has a biased lens when considering ICS cyber risks and consequences.
The “CIA Triad” of Classic Security Priorities (Source: TechTarget)
IT Cybersecurity Perspective
IT’s top priority is protecting data (confidentiality), such as intellectual property, corporate financials, employee or customer private data. They figuratively look across the demilitarized zone (DMZ) thinking of the many changes that could bring a stronger security posture to OT environments.
What is important to IT?
- Stronger network segmentation
- Access control lists to restrict and manage permissions and access to key resources
- Geographic or organizational groupings of data and assets
- Strong password hygiene
- Routine patching processes (automated and with much higher frequency)
- Security policies to apply everywhere
OT Cybersecurity Perspective
OT’s top priorities would certainly add the safety dimension to the typically top priority of availability. When considering suggestions from IT to secure ICS environments, OT will often invoke cyber security inertia to assure control processes and production yield are not placed at risk due to changes.
Issues implementing ICS Security:
- Fragile PLCs may not have enough memory to handle high traffic, such as a broadcast storm or unexpected function codes that cause a reboot.
- Not all patches, even those released by ICS vendors are required. It takes time to assess whether even the ICS-CERT Advisories are appropriate for the devices in place.
- Anti-virus or automatic patching is completely atypical and requires considerable testing, scheduling and may even require vendor participation to assure warranties stay intact.
- Flat network architectures are favored with minimal or no subnets or secure zones to isolate unrelated systems and processes. In this way, OT can minimize performance latency that could disrupt time-sensitive processes, and all resources are easily available to operators should they need to quickly pivot to manage another set of systems and processes.
- Shared credentials are common on many types of systems, both new and legacy. This allows users to quickly gain access without strong password hygiene and frequent password changes that are difficult to keep everyone in sync.
- Remote access is ideal for staff to connect from home or even vendors to connect from the Internet to conduct maintenance or diagnostics on equipment.
Protection of information is important, but production losses translate immediately into business losses. Cyber threats which can disrupt production, cause damage, affect visibility and control or jeopardize safety would also affect business profitability. Any changes by IT are not appropriate or allowed. Further, OT is still skeptical of the real risk to their ICS operations and control processes, believing the risks and consequences to be hype and rarities.
3 Ways to Help Reduce IT and OT Conflict
Unfortunately, consultants that perform risk assessments in ICS operations environments say that many organizations must experience a cyber incident before they’re willing to take serious action.
So, what are potential actions your organization can take to ease the IT and OT convergence and reduce conflicts and mistrust and at the same time increase ICS security?
1. Get Strategic Alignment at the Highest Levels
Luigi De Bernardini says that most of his clients “still have two strongly separated departments for operations and IT. They have different people, goals, policies and projects.”
Instead, Bernardini recommends starting with reorganizing IT and OT departments to be strategically aligned and unified. He suggests that at least the Chief Information Officer (CIO)/ Chief Information Security Officer (CISO) and Chief Operations Officer (COO) should have “partly common and overlapping goals and targets, which would force them to work cooperatively.”
The CIO/CISO must also accept complete responsibility for the cyber security of the ICS and for any safety incidents, reliability incidents, or equipment damage caused directly or indirectly by cyber incidents.
2. Coordinate a Joint Task Force
Next, both NIST SP800-82r2 and Bernardini recommend creating a joint task force as a cross-functional cyber security team to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS. NIST goes so far as to specifically name titles that should be a part of this cyber security task force, which at minimum should include:
- A member of the IT staff
- A control engineer
- A control system operator
- A network and system security expert
- A member of the management staff
- A member of the physical security department
The task force should also consult: site management/facility superintendent, a control system vendor and/or system integrator and the CIO/CISO.
3. Pilot Projects and Governance
One of the first things the joint cyber security task force can do is to identify simple pilot projects to work on together. A suggestion might be to jointly create a list of the most critical ICS assets that absolutely MUST be secured. Rank them in priority order, and begin to assess what to do.
These pilot projects will offer value with a low-risk benchmark to help the company train and progressively build a specific mix of shared IT/OT skills. This will also aid in determining how to jointly reduce conflict when deciding on steps toward improving ICS security.
Ultimately, the joint cyber security team should have “joint governance and responsibility to execute projects, harmonize duplicated or overlapping systems and processes, and promote the development of the interdisciplinary skills that are now missing in most companies,” per Bernardini.
Mitigating the conflicts inherent in IT and OT convergence, and improving ICS security doesn’t happen overnight. This is a serious challenge for any organization and difficult for many to undertake. Managers need to learn to share goals, jointly evaluate business risks and consequences together, and train the broader group on shared skills, which will ultimately lead to appropriate ICS security products, processes, policies and people.
Also, joint governance for IT and OT projects shouldn’t be underestimated. IT commonly has stronger project management models, but they cannot just be taken “as-is” into ICS operations. The two collaborating and cooperating departments need to extend their skills to adapting the IT security project models for use in operations with consideration of all the differences inherent in their security priorities and risk biases. An effective industrial cyber security program is a lifecycle and a journey – the first step is getting the journey started.