Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

10:30 AM
Barak Perelman
Barak Perelman
Connect Directly
E-Mail vvv

IT-OT Convergence: Coming to an Industrial Plant Near You

There's been a big divide between IT and OT, but that must end. Here's how to make them come together.

There has been a lot of talk recently about the convergence of information technology (IT) and operational technology (OT). Much of the discussion has centered on the opportunities for improving efficiency and availability by integrating the two environments. IT-OT convergence enables better monitoring of operational processes and analysis of data from complex industrial control systems from anywhere in the world. However, it also introduces new cybersecurity risks.

For most organizations, dealing with these new risks is a big challenge because of the need to overcome the longstanding divide between IT and OT teams. This is because these two environments have very different requirements, budgets, objectives, people, and technology. Delivering successful IT projects is nothing like delivering projects in the OT world. The two disciplines have their own equipment, requirements, goals, regulations, standards, project management teams, and so on.

The primary reasons for the deep divide between IT and OT teams are contrasting cultures and mindsets, different technologies, and a long history of a lack of collaboration.

Disparate Technologies: A Barrier to Convergence
IT people work on Windows, Unix, and Linux-based systems, virtual machines, and storage systems. They implement firewalls, network intrusion detection solutions, access controls, and endpoint security solutions. As such, they're used to working in highly dynamic environments that change frequently with the introduction of newer solutions and technologies. Systems are constantly patched, upgraded, or replaced. And when doing so, it's OK to restart a server.

In contrast, industrial control devices don't run Windows, Unix, or Linux. Instead, they're based on proprietary technologies designed by specialized OT manufacturers such as GE, Honeywell, Siemens, and Schneider Electric. These devices were designed to last for decades. This explains why industrial environments mostly use older technologies that are still operational and won't be easily replaced. Many of these systems predate the Internet era.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

The general mindset of OT staff is to maintain the stability and safety of the environment at all costs. As a result, industrial networks are much more static and changes are infrequent. Restarting a system isn't always possible, and patching or upgrading is much more difficult and dangerous. Consequently, OT teams are often unwilling to download updates to firmware and software. If the plant is operating as intended, why threaten its stability with new software?

Clashing IT and OT Cultures
The cultures of IT and OT staff are vastly different. IT is responsible for maintaining and securing the data center. IT teams monitor and fix network issues, help users with their data availability and usability problems, and protect corporate assets and networks from cyberattacks. They are guided by the CIA triad: to protect data "Confidentiality, Integrity, and Availability." They're less familiar with the OT space, and often display little interest in knowing what their counterparts do to keep it safe and operational.

In contrast, OT engineers are trained to monitor and fix issues in highly complex and sensitive industrial plants such as oil refineries, chemical plants, and water utilities. Their top priorities are to maintain operational safety, reliability, and continuity. They don't deal with IT or work with the IT staff, and certainly don't want them to get involved in their operational issues.

Each group is concerned that the other side will wreak havoc in their environment. When there is a need to secure OT against cyberthreats, plant engineers worry that if IT team members get involved, they'll compromise system safety and stability. Unsanctioned changes to these systems might cripple the plant, cause an explosion, or worse. These concerns are justified. After all, when it comes to OT, IT staff members are in uncharted waters.

At the same time, there's also a concern that vulnerable OT networks will introduce new threats into IT networks, threatening corporate assets, data, and systems.

IT-OT Collaboration: The Key to Success
Neither OT team members nor IT team members are experts in defending OT systems against emerging cyberthreats. Because OT networks were previously disconnected from the external world, engineering staff never had to deal with such threats. Meanwhile, IT staff members who deal with cyberthreats on a daily basis don't fully understand how these new threats will affect OT systems.  

Nevertheless, both sides must cooperate, because neither group can protect industrial systems singlehandedly. Given the divergent cultures, technologies, and objectives of IT and OT, the two groups must overcome a significant divide, including mutual suspicion.

To ensure IT and OT collaboration, business-level oversight and leadership is required. More and more organizations are taking senior, experienced engineers from OT business units, usually from under the COO, and moving them under the CIO hierarchy. This interdisciplinary model combines expertise and roles that straddle and unify both sides of the IT-OT fence.

Some organizations have taken this one step further. Instead of aligning IT roles under the CIO, they're creating a new C-level role to facilitate this management strategy. For example, it's not uncommon for organizations to have a chief digital officer, who helps bridge the gap between the CTO and COO.

The higher up the organizational ladder that IT-OT convergence decisions are being made, the better the chances for success in bridging the gap.

Related Content:

Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-01
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previousl...
PUBLISHED: 2021-03-01
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request...
PUBLISHED: 2021-03-01
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.