
10:30 AM
Barak Perelman

IT-OT Convergence: Coming to an Industrial Plant Near You

There's been a big divide between IT and OT, but that must end. Here's how to make them come together.

There has been a lot of talk recently about the convergence of information technology (IT) and operational technology (OT). Much of the discussion has centered on the opportunities for improving efficiency and availability by integrating the two environments. IT-OT convergence enables better monitoring of operational processes and analysis of data from complex industrial control systems from anywhere in the world. However, it also introduces new cybersecurity risks.

For most organizations, dealing with these new risks is a big challenge because of the need to overcome the longstanding divide between IT and OT teams. This is because these two environments have very different requirements, budgets, objectives, people, and technology. Delivering successful IT projects is nothing like delivering projects in the OT world. The two disciplines have their own equipment, requirements, goals, regulations, standards, project management teams, and so on.

The primary reasons for the deep divide between IT and OT teams are contrasting cultures and mindsets, different technologies, and a long history of a lack of collaboration.

Disparate Technologies: A Barrier to Convergence
IT people work on Windows, Unix, and Linux-based systems, virtual machines, and storage systems. They implement firewalls, network intrusion detection solutions, access controls, and endpoint security solutions. As such, they're used to working in highly dynamic environments that change frequently with the introduction of newer solutions and technologies. Systems are constantly patched, upgraded, or replaced. And when doing so, it's OK to restart a server.

In contrast, industrial control devices don't run Windows, Unix, or Linux. Instead, they're based on proprietary technologies designed by specialized OT manufacturers such as GE, Honeywell, Siemens, and Schneider Electric. These devices were designed to last for decades. This explains why industrial environments mostly use older technologies that are still operational and won't be easily replaced. Many of these systems predate the Internet era.


The general mindset of OT staff is to maintain the stability and safety of the environment at all costs. As a result, industrial networks are much more static and changes are infrequent. Restarting a system isn't always possible, and patching or upgrading is much more difficult and dangerous. Consequently, OT teams are often unwilling to download updates to firmware and software. If the plant is operating as intended, why threaten its stability with new software?

Clashing IT and OT Cultures
The cultures of IT and OT staff are vastly different. IT is responsible for maintaining and securing the data center. IT teams monitor and fix network issues, help users with their data availability and usability problems, and protect corporate assets and networks from cyberattacks. They are guided by the CIA triad: protecting the confidentiality, integrity, and availability of data. They're less familiar with the OT space, and often display little interest in knowing what their counterparts do to keep it safe and operational.

In contrast, OT engineers are trained to monitor and fix issues in highly complex and sensitive industrial plants such as oil refineries, chemical plants, and water utilities. Their top priorities are to maintain operational safety, reliability, and continuity. They don't deal with IT or work with the IT staff, and certainly don't want them to get involved in their operational issues.

Each group is concerned that the other side will wreak havoc in their environment. When there is a need to secure OT against cyberthreats, plant engineers worry that if IT team members get involved, they'll compromise system safety and stability. Unsanctioned changes to these systems might cripple the plant, cause an explosion, or worse. These concerns are justified. After all, when it comes to OT, IT staff members are in uncharted waters.

At the same time, there's also a concern that vulnerable OT networks will introduce new threats into IT networks, threatening corporate assets, data, and systems.

IT-OT Collaboration: The Key to Success
Neither OT team members nor IT team members are experts in defending OT systems against emerging cyberthreats. Because OT networks were previously disconnected from the external world, engineering staff never had to deal with such threats. Meanwhile, IT staff members who deal with cyberthreats on a daily basis don't fully understand how these new threats will affect OT systems.

Nevertheless, both sides must cooperate, because neither group can protect industrial systems singlehandedly. Given the divergent cultures, technologies, and objectives of IT and OT, the two groups must overcome a significant divide, including mutual suspicion.

To ensure IT and OT collaboration, business-level oversight and leadership are required. More and more organizations are taking senior, experienced engineers from OT business units, usually from under the COO, and moving them under the CIO hierarchy. This interdisciplinary model combines expertise and roles that straddle and unify both sides of the IT-OT fence.

Some organizations have taken this one step further. Instead of aligning IT roles under the CIO, they're creating a new C-level role to facilitate this management strategy. For example, it's not uncommon for organizations to have a chief digital officer, who helps bridge the gap between the CTO and COO.

The higher up the organizational ladder that IT-OT convergence decisions are being made, the better the chances for success in bridging the gap.

Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several ...