The Internet of Things means more and more devices are being connected to industrial networks. These “things” aren’t just the controllers and related computers “owned” by the OT department or the computers and network devices “owned” by the IT department. It might also include everything from physical security IP cameras and networked badge readers to HVAC systems and mobile devices.
One vulnerable system is a potential pathway to all systems. Given the massive nature of this change, we decided to work with our corporate sibling, Tripwire, to poll IT and Industrial Control System (ICS) security experts about it. We asked them:
- How does the IoT change the dynamics between IT and OT?
- What practical tips do they have for how IT and OT groups can work together effectively?
Today we present their responses and explain how they add up to news you might want to be sitting down to read: there are three ways OT and IT have to change.
Many industry experts say the IoT will greatly change how IT and OT work together. To adapt, OT will need to improve skills in the areas of security, teamwork and communication.
How Does IoT Change the Dynamics between IT and OT?
Most security experts say that the IoT is changing the size and shape of the industrial network. At one level, this is about the ongoing adoption of Ethernet infrastructure and Common Off-the-Shelf Technologies (COTS) for factory and critical infrastructure communications.
At another level, all kinds of other systems might be connected to the industrial Ethernet infrastructure. This includes connections to more and more enterprise systems, cloud-based applications, building systems, physical security systems, BYOD, BYOIOT and more.
- “The ‘IoT’ is in large part the ultimate physical merging of many traditional OT and IT components.” – Chris Blask
(For information about Chris Blask and the other experts quoted in this article, please see the table at the end.)
- “At some point in the not too distant future, we will only have technology. No more IT/OT distinction. Just T.” – Patrick Miller
- Many experts see the integrated network of the future as requiring a “holistic security strategy.” – Eric Byres
The above narrative is not consistent across all experts though, particularly when it comes to legacy ICS.
- “The factory floor is typically pretty static, with little change, since the objective is maximum profit at highest production availability and least risk impact.” – Pat Differ
- “IoT is not changing the dynamics between IT and OT… [While] the systems have been converging for years… OT specifically focuses on the control of systems and the physical processes… IoT’s inclusion… will not impact the difference between IT and OT.” – Robert M Lee
- “The ‘OT is different than IT’ fallacy stems from ICS professionals comparing OT to desktop management. OT is mission-critical IT.” – Dale Peterson
While not everyone agrees on the impact of the IoT, all of them see a future where IT and OT will be working together a lot more closely. It might take “the culture 20 years to catch up,” as Patrick Miller says, but it is going to happen.
- “In an IoT environment, it is abundantly clear the fractured IT/OT relationship will need to become stronger and more connected.” – Greg Hale
- “Achieving the vision of the IoT requires closer cooperation between the OT and IT worlds than has historically been the case.” – Jeff Lund
3 Practical Tips for IT and OT
1. Practical Tip: Get Ready for Cross-Functional Goal Setting and Metrics
Technology convergence and/or the IoT will erode typical departmental silos. You can be a constructive player in this changing game by accepting it and bringing forward ideas to foster cross-functional teamwork.
- Support the leader “who creates a collaborative environment and metrics that emphasize teamwork.” – Gary Mintchell
- Work towards establishing “one playing field with role-based training and awareness programs for IoT. [These programs should] outline corporate objectives, eliminate potential silos and insure daily cooperation with all stakeholders.” – Pat Differ
- “Senior management can first identify all the various IoT systems, be clear who is responsible for each one and then drive consistent behaviors for security throughout the company.” – Eric Byres
If you do not have strong security or ICS skills today, make a plan to either get them yourself, add them to your department or form a close partnership with a third party who can provide them.
- “The days when engineers could connect things to the network but not know how to make them secure are over… Get educated [on security] or get help but don’t wing it. That doesn’t work any longer.” – Doug Brock
- “For IT security pros that want to start to cooperate on security with OT, learning about how OT works is a great starting place. Whether that means buying a PLC training kit and learning what these devices actually look like in OT environments, or taking an Industrial Security Controls class, or just reading a book on the subject, go in with an open mind and learn about that other side.” – David Meltzer
- “Work with consultants who have IT and OT capabilities and live in both worlds on a daily basis. They will provide real balance and clarity as they understand the objectives of both disciplines.” – Pat Differ
- “When IT and OT understand they must work together, efficiently communicate and leave any and all egos and fears at the door for the greater good, that will be the start of a positive dynamic.” – Greg Hale
- “Walk a mile in their shoes. Spend some time (like more than a day – try a week or a month) working side by side with the other.” – Patrick Miller
- “Having OT personnel integrated into an IT security operations center or security team and having IT personnel learn more about ICS will ensure a better approach towards security.” – Robert M Lee
- “Buy more coffee and lunches. In all honesty, the most practical tip is to execute on having some people skills and cooperating to ensure that there is a bright-line for responsibility and that where knowledge transfer can be undertaken it is obvious that the transfer happens. There is no need for conflict – and if necessary, sit people down and let Big Bird teach them about cooperation.” – James Arlen
- “Both sides need to remember that it is a two-way street and if they work together, they can support each other.” – Chris Blask
Don’t miss the Tripwire blog for the detailed comments of many of the experts:
Belden and Tripwire thank everyone who contributed to this project. Here is a list of the Infosec and ICS Security experts, along with their credentials and contact information.
Do you think the IoT is changing how IT and OT need to work together? If so, what are your tips for adapting? I look forward to hearing from you.
Tripwire "The State of Security" Blog
- Blog: The IoT Convergence: How IT and OT Can Work Together to Secure the Internet of Things
- Blog: Report: More Than Half of Attacks Against ICS Vendors Involved APTs
- Blog: The Difference between ICS/DCS and SCADA
- White Paper Download Page: When Cyber Attacks Get Physical: ICS Attack Scenarios and CIP-007 R1