There has been a lot of talk recently about the convergence of information technology (IT) and operational technology (OT). Much of the discussion has centered on the opportunities for improving efficiency and availability by integrating the two environments. IT-OT convergence enables better monitoring of operational processes and analysis of data from complex industrial control systems from anywhere in the world. However, it also introduces new cybersecurity risks.
For most organizations, dealing with these new risks is a big challenge because of the need to overcome the longstanding divide between IT and OT teams. This is because these two environments have very different requirements, budgets, objectives, people, and technology. Delivering successful IT projects is nothing like delivering projects in the OT world. The two disciplines have their own equipment, requirements, goals, regulations, standards, project management teams, and so on.
The primary reasons for the deep divide between IT and OT teams are contrasting cultures and mindsets, different technologies, and a long history of a lack of collaboration.
Disparate Technologies: A Barrier to Convergence
IT people work on Windows, Unix, and Linux-based systems, virtual machines, and storage systems. They implement firewalls, network intrusion detection solutions, access controls, and endpoint security solutions. As such, they're used to working in highly dynamic environments that change frequently with the introduction of newer solutions and technologies. Systems are constantly patched, upgraded, or replaced. And when doing so, it's OK to restart a server.
In contrast, industrial control devices don't run Windows, Unix, or Linux. Instead, they're based on proprietary technologies designed by specialized OT manufacturers such as GE, Honeywell, Siemens, and Schneider Electric. These devices were designed to last for decades. This explains why industrial environments mostly use older technologies that are still operational and won't be easily replaced. Many of these systems predate the Internet era.
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]
The general mindset of OT staff is to maintain the stability and safety of the environment at all costs. As a result, industrial networks are much more static and changes are infrequent. Restarting a system isn't always possible, and patching or upgrading is much more difficult and dangerous. Consequently, OT teams are often unwilling to download updates to firmware and software. If the plant is operating as intended, why threaten its stability with new software?
Clashing IT and OT Cultures
The cultures of IT and OT staff are vastly different. IT is responsible for maintaining and securing the data center. IT teams monitor and fix network issues, help users with their data availability and usability problems, and protect corporate assets and networks from cyberattacks. They are guided by the CIA triad: to protect data "Confidentiality, Integrity, and Availability." They're less familiar with the OT space, and often display little interest in knowing what their counterparts do to keep it safe and operational.
In contrast, OT engineers are trained to monitor and fix issues in highly complex and sensitive industrial plants such as oil refineries, chemical plants, and water utilities. Their top priorities are to maintain operational safety, reliability, and continuity. They don't deal with IT or work with the IT staff, and certainly don't want them to get involved in their operational issues.
Each group is concerned that the other side will wreak havoc in their environment. When there is a need to secure OT against cyberthreats, plant engineers worry that if IT team members get involved, they'll compromise system safety and stability. Unsanctioned changes to these systems might cripple the plant, cause an explosion, or worse. These concerns are justified. After all, when it comes to OT, IT staff members are in uncharted waters.
At the same time, there's also a concern that vulnerable OT networks will introduce new threats into IT networks, threatening corporate assets, data, and systems.
IT-OT Collaboration: The Key to Success
Neither OT team members nor IT team members are experts in defending OT systems against emerging cyberthreats. Because OT networks were previously disconnected from the external world, engineering staff never had to deal with such threats. Meanwhile, IT staff members who deal with cyberthreats on a daily basis don't fully understand how these new threats will affect OT systems.
Nevertheless, both sides must cooperate, because neither group can protect industrial systems singlehandedly. Given the divergent cultures, technologies, and objectives of IT and OT, the two groups must overcome a significant divide, including mutual suspicion.
To ensure IT and OT collaboration, business-level oversight and leadership is required. More and more organizations are taking senior, experienced engineers from OT business units, usually from under the COO, and moving them under the CIO hierarchy. This interdisciplinary model combines expertise and roles that straddle and unify both sides of the IT-OT fence.
Some organizations have taken this one step further. Instead of aligning IT roles under the CIO, they're creating a new C-level role to facilitate this management strategy. For example, it's not uncommon for organizations to have a chief digital officer, who helps bridge the gap between the CTO and COO.
The higher up the organizational ladder that IT-OT convergence decisions are being made, the better the chances for success in bridging the gap.