Key Challenges Facing IT/OT: Hear from the Experts
When you think of Information Technology (IT) and Operational Technology (OT), which side are you on? You may not feel that you fall on any side of that technological skirmish, but when you stop to carefully consider the differences in these two disciplines, it is nearly impossible to avoid a tendentious leaning.
However, the time may be upon us when the conflicts of IT and OT will be put to rest for the broader purpose of making businesses more agile, efficient, resilient and ultimately, more profitable. We spoke with experts in the field who offered their insights about the challenges facing IT and OT convergence. Here’s what they shared:
Greg Hale | Editor at ISSSource
While the industry has been talking about IT/OT convergence for years, if any good has come out of the pandemic, it is that IT/OT convergence is becoming more real, or actually taking place. Let’s face it, in the past, IT and OT were at odds. I remember sitting at an OT conference, and the speaker mentioned working with the IT department, and he was quickly booed.
Thankfully, those days are gone, but to me, the main challenge from back then, as well as today, and towards the future, is solid communication. Yes, there are technology differences between IT and OT that smart security professionals on either side of the firewall will iron out. But what really comes into play is the sense of IT and OT being able to sit down and openly discuss the issues they each face and make decisions on what is best for the organization. IT needs to fully understand that when OT says they need to stay up and running 24x7, they stay up and running. OT needs to understand that IT has been in the security business for quite a bit longer, and they know what they are talking about.
That level of communication does not just appear out of thin air. It needs to come from the top. You see it all the time in winning organizations when everyone knows the plan and understands the importance of their role. In those settings, teams will always thrive.
Kevin Holley | Director of the Customer Innovation Center at Belden
One of the biggest challenges facing IT and OT professionals is the implication of merging IT with OT networks. With Industry 4.0 growing larger, there is a drive towards greater amounts of data from automation equipment and sensors on the factory floor. With the massive amounts of data created from automation, this requires ever-increasing data streams between IT and OT networks that need to work together. A key challenge will be executing these streams efficiently and effectively while not negatively impacting the operational integrity of the OT network, and thus still prioritizing quality, safety and uptime.
Lane Thames | Principal Security Researcher at Tripwire
Asset discovery is a critical cybersecurity component because it provides visibility into our networks. Without visibility, it is impossible to secure our systems. Twenty years ago, asset discovery was straightforward—our networks were easy to manage (in terms of scale) and were not extremely varied. Today, the story is much different. Our networks are large and geographically distributed. We have very diverse environments such as on-premise systems along with systems in the cloud. We are also entering a new model in the industrial world, often referred to as “Industry 4.0.” Industry 4.0 is a paradigm shift that involves a few things such as digital transformation, the Industrial Internet of Things (IIoT), and the convergence of IT systems with OT systems. OT technologies are used inside of industrial facilities such as on the “shop floor” of a manufacturing organization.
Asset discovery within the OT domain is different and much more challenging than in the IT domain. Gaining complete and accurate visibility holistically across IT and OT is a current challenge faced by technology professionals. There are various reasons for this, due to both technology and human factors. For example, common security technologies used in IT can’t always be used in the OT domain due to engineering and performance constraints. On the other hand, IT and OT professionals have very different backgrounds and priorities that can make collaboration difficult from an asset discovery and cybersecurity perspective.
Unfortunately, the situation will become a bit more challenging as we look to the near future. The situation will become more complex as newer and more abundant IIoT resources start coming online within our IT-OT systems. Newer IIoT technologies are going to be communicating with resources in the cloud as well as with traditional IT-OT systems. This will increase complexity and cause challenges in holistic visibility across the IT-OT-cloud divides. Not long ago, I watched a project demo where several Programmable Logic Controllers (PLCs) were interfaced to the “traditional” manufacturing OT network. At the same time, the PLCs were interfaced with a cellular modem and sent data to an MQTT broker inside of a Cloud Service Provider. Future visibility technologies will have to work across a wide gamut of disparate systems that make use of the whole IT/OT Cloud system.
Michael Sanchez | CEO at ITEGRITI Corporation
Everywhere we look, technology surrounds us. Unlike traditional IT systems that focus primarily on transmitting, processing and storing data, OT controls physical devices. Primary security concerns with IT include protecting data confidentiality, integrity and privacy of sensitive data, such as personally identifiable information (PII), and electronic protected health information (ePHI). In contrast, safety, reliability and availability are paramount when it comes to OT systems.
However, during the last decade, a major paradigm shift has taken place. Modern OT systems, which were traditionally “air-gapped” and which used proprietary communication protocols, are increasingly manufactured and delivered with IT capabilities. The convergence of these two technologies has led to the creation of the IoT, using standard Internet protocols, and facilitating performance and speed at previously unachievable levels. Bring your own device (BYOD) has also become increasingly popular in work environments, and some reports suggest that “6G” technology will operate 100 times faster than 5G.
Most people and organizations leverage efficiency improvements gained through new tools and ideas, but cybercriminals are focusing on profit or advantage through hacking, ransomware, or weaponization. Attack surfaces are rapidly expanding through the deployment of IoT devices. Profit-motivated cybercriminals are growing in sophistication and may remotely engage in wrongdoing from anywhere in the world while supported by a barrage of new tools and tactics including artificial intelligence (AI). Nation states are expanding their knowledge of critical national infrastructure and targets while maturing their offensive capabilities.
All too often, new products are deployed without set standards, making them difficult to manage, service and secure. Broader adoption of BYOD and remote work environments requires enhanced security methodologies. This raises questions around how inventory, monitoring, baselines, patching and change and configuration management will be supported. Meeting these challenges requires organizations to look beyond minimal compliance and checking proverbial “boxes” to advanced security solutions. Legacy firewalls, routers and switches are insufficient when it comes to the modern world. Advanced security technologies such as the cloud, AI and global threat intelligence are now requisite to protect today’s OT/IoT devices.
Divij Agarwal | Senior Product Manager at Belden
One key challenge IT/OT faces and will continue to endure in the times to come is related to data management and governance. As more and more OT devices are getting networked and connected, the potential for data management in terms of data storage, transfer, and analytics is growing tremendously. Organizations need to have a strong data governance policy that outlines how data needs to be stored, managed, accessed, analyzed and by whom.
Data is the next gold. Industrial data has already found several applications, with machine learning and artificial intelligence helping to improve business performance and machine efficiency as well as reduce downtime. Correspondingly, it’s critical to protect this data from loss, theft, damage and misuse.
The data generated today is not transactional data that can be stored in simple relational databases and shared across networks or devices. Today’s applications, machines and equipment generate data in all kinds of varieties, velocities and volumes—in other words, big data. Handling big data requires tight collaboration between IT and OT organizations. No single entity can manage big data on their own. While OT must ensure data is clean, secure, structured and meaningful, IT needs to ensure availability, confidentiality, integrity and durability.
A typical data lifecycle involves creating, reading, updating and deleting it. Edge plays a crucial role in data lifecycle management. Sitting midway between OT and IT, the Edge network including Edge gateways and applications helps with data transformation, normalization, aggregation and convergence between IT and OT systems. OT systems are disparate, and so is the data generated by these systems. It is critical for this data to be normalized and aggregated in order for it to be stored and analyzed by the IT tools. As such, Edge will continue to play a pivotal role in the IT-OT convergence—especially in the areas of data management and governance—for several years to come.
Chris Furtick | Director of Incident Response and Planning at Fortalice Solutions
The biggest challenge I see currently and on the horizon for IT/OT professionals has little to do with technology; it’s the blurring of the line between “work” hours and personal/family hours. During the global pandemic, we have proven that many roles can function in a remote capacity, which has resulted in many professionals embracing the “Zoom from Home” work culture. But the fact that we can work from ANYWHERE has transitioned to a mindset that we now work from EVERYWHERE.
Technology professionals will need to be mindful to disconnect from the computers, tablets, and smart phones and reconnect with family and friends. It’s easy to allow the “tyranny of the urgent” to override the importance of having time to relax and recharge. I believe this will be a major cause of mental health issues in the very near future.
The companies that are in tune with their employees and proactively encourage them to take care of their mental health will attract and retain top talent, but employees can’t wait for their employers to spur them to consider their mental health.
Argiro Birba | Senior Manager of Cyber Security Assurance at ADACOM
Hardcore industrial automation is no longer relevant since we now live and operate in a fully inter-connected technological ecosystem. The inherited inadequacy of security in the industrial sector is unfortunately factual while this sector is merging with IT environments. Consequently, OT networks and systems, which were isolated and – theoretically – secure, are now open to new and unknown security challenges.
A decade ago, security testing in OT environments was focused and conducted against single products and systems. Nowadays, it has a more prominent role when assessing the same environments. There is the current need to be tested as part of one single infrastructure – the converged IT and OT infrastructure.
Several security and governance programs are being built for this reason, with dedicated cybersecurity teams working towards the improvement of the security posture of the IT/OT infrastructure. Nevertheless, the most important factor in successfully testing and securing our IT/OT environments is the justification of the need for assessing them. Is there a regulatory need, or is proactiveness required for the security of IT/OT environments?
Finally, we must be diligent with the sensitivity of OT systems regarding the demand for their continuous availability. For this reason, detailed, structured, and OT-oriented testing methodologies must be developed.
To sum up, there is the necessity to address key diversities for successfully testing the IT/OT environments, such as the differences between physical and logical tests. Moreover, specialists working in the industrial sector ought to be educated to further concentrate on the security of the OT services and systems, not merely of those in IT. If we manage to engage in these, we will be moving fast towards a highly secure IT/OT infrastructure, both physically and logically.
Markus Bloem | Industrial Sales Engineer at Tripwire (Europe, Middle East, Africa)
Traditionally, IT professionals are responsible for creating, storing, and of course securing an organization’s data or network. OT focuses primarily on processes that take place in the physical world: managing productivity, people and machinery. Information technology (IT) and operational technology (OT) have long existed in their separate spheres. Each had its own network, objectives and requirements. Until relatively recently, this separation was perfectly fine.
More and more organizations are embracing Industrial IoT technologies. The rise of these new technologies has created a need for organizations to optimize how machines, applications and infrastructure collect, transmit and process data. When done correctly, convergence gives businesses the ability to fix critical issues faster, make informed business decisions, and scale processes across both physical and virtual systems.
It is also important to understand that cybersecurity tools designed for modern IT environments may not suit a legacy Industrial Control System (ICS). Consider, for example, an ICS that is end-of-life with known vulnerabilities that can’t be patched and is too costly to replace. It still needs to be secured, and while investigating for vulnerabilities, if IT runs a port scan across the ICS network, it may lock up a PLC and shut down production for 24 hours. This situation can be avoided using passive scanning technologies that don’t introduce new traffic on the network but instead inspect every packet of data. Tools are available that can detect and audit network assets as well as monitor for configuration changes and anomalous behavior, all while mapping out the source and destination of traffic. If there is data flowing to or from an ICS, it can be identified and tracked.
Artificial intelligence (AI) and the Industrial Internet of Things (IIoT) are two of the hottest buzzwords dominating the “Industry 4.0” conversation. AI brings machine-learning and decision-making power to IoT systems, enhancing data management and analysis and enabling massive productivity gains. Some examples of AI-powered IoT applications being used today include Edge computing, autonomous delivery robots, digital twins and collaborative robots.
The future will include more emphasis on predictive maintenance, enhanced device communication, and more affordable access for companies of all sizes to tap into the business benefits of the connected facility. Among those benefits are productivity gains, cost savings, immediate control and quick detection of issues and opportunities. AI and a lot of other technologies will find their way into companies in increasingly interesting ways.
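As an added illustration of the passive scanning approach described in this section (not code from the original article or from any product it mentions), the Python below builds an asset inventory purely from captured Ethernet frames and sends nothing onto the network. The frames, addresses and function names are constructed for the example, and it assumes the frames would come from a SPAN port or network tap in a real deployment.

```python
import struct
from collections import defaultdict

# IANA-registered TCP ports for common industrial and IoT protocols.
ICS_PORTS = {102: "ISO-TSAP (S7comm)", 502: "Modbus/TCP", 1883: "MQTT",
             20000: "DNP3", 44818: "EtherNet/IP"}

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, sport, flags), or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = 14 + ihl                        # offset of the TCP header
    if ihl < 20 or len(frame) < tcp + 14:
        return None
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    sport = struct.unpack("!H", frame[tcp:tcp + 2])[0]
    return frame[6:12].hex(":"), src_ip, dst_ip, sport, frame[tcp + 13]

def build_inventory(frames):
    """Map each sender to its MACs, the ports it answers on, and its clients."""
    assets = defaultdict(lambda: {"macs": set(), "services": set(), "clients": set()})
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        mac, src, dst, sport, flags = pkt
        # For hosts behind a router this is the router's MAC, not the host's.
        assets[src]["macs"].add(mac)
        # A SYN+ACK shows the sender accepts connections on its source port.
        if flags & 0x12 == 0x12:
            assets[src]["services"].add(sport)
            assets[src]["clients"].add(dst)
    return assets

def describe(assets):
    return {ip: sorted(ICS_PORTS.get(p, f"tcp/{p}") for p in a["services"])
            for ip, a in assets.items() if a["services"]}

def make_frame(src_mac, src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed data, checksums zero)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)

# Constructed capture: an HMI polls a PLC (Modbus/TCP); the PLC publishes to a remote MQTT broker.
SAMPLE_FRAMES = [
    make_frame("02:00:00:00:00:05", "10.0.0.5", "10.0.0.10", 49152, 502, 0x02),
    make_frame("02:00:00:00:00:10", "10.0.0.10", "10.0.0.5", 502, 49152, 0x12),
    make_frame("02:00:00:00:00:10", "10.0.0.10", "203.0.113.7", 49153, 1883, 0x02),
    make_frame("02:00:00:00:00:01", "203.0.113.7", "10.0.0.10", 1883, 49153, 0x12),
]
```

Calling `describe(build_inventory(SAMPLE_FRAMES))` lists the PLC as a Modbus/TCP server and the remote broker as an MQTT server, while the `clients` sets record which hosts were seen talking to each.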
Ignacio Bravo | Lead Solution Designer at Belden (Latin America)
OT professionals have been traditionally challenged due to new technologies coming into the automation field. This is, from my point of view, the first trait of the so-called “IT/OT Convergence trend.”
A good example is the evolution of the initial control systems from wired logic (based on electrical relays interconnected in big and complex electrical cabinets) to Programmable Logic Controllers. PLCs were microprocessor-based devices and thus a direct application of the computing technology already used in the IT field. Even if this new technology was full of benefits in automation applications—for instance, much smaller cabinets could cope with more complex systems—its adaption to the OT professional was key for its success.
Ladder programming language allowed the ‘circuit & relay OT’ way of thinking at that time to program and maintain these new systems. But in time, high-level programming languages made their way into the industrial scene, and professionals took to them naturally. This trend has become much more intense now, with the time for new IT technologies to land on the factory floor having shrunk over the past few years.
Here are a few more developments to consider:
- The emergence of communication technologies like MPLS-TP that have received a warm welcome due to their benefits and maintainability.
- Time Sensitive Networking already has early adopters.
- Single pair Ethernet’s multi-drop capabilities.
- 5G Cellular and WLAN .11ax bringing interesting high bandwidth and real-time improvements to the wireless landscape.
Security and maintenance of such expanding architectures, with SOPs satisfying both teams, is a case in point. There will be a time when the borders of the operational ‘realm’ are not as clear as they were in the past. Having a properly defined interface in between is not enough anymore.
To read part two in this blog series with Tripwire, please visit State of Security.