
Vulnerabilities / Threats // Advanced Threats

4/25/2017 10:30 AM
Barak Perelman
Commentary
IT-OT Convergence: Coming to an Industrial Plant Near You

There's been a big divide between IT and OT, but that must end. Here's how to make them come together.

There has been a lot of talk recently about the convergence of information technology (IT) and operational technology (OT). Much of the discussion has centered on the opportunities for improving efficiency and availability by integrating the two environments. IT-OT convergence enables better monitoring of operational processes and analysis of data from complex industrial control systems from anywhere in the world. However, it also introduces new cybersecurity risks.

For most organizations, dealing with these new risks is a big challenge because of the need to overcome the longstanding divide between IT and OT teams. The two environments have very different requirements, budgets, objectives, people, and technology. Delivering successful IT projects is nothing like delivering projects in the OT world: each discipline has its own equipment, requirements, goals, regulations, standards, project management teams, and so on.

The primary reasons for the deep divide between IT and OT teams are contrasting cultures and mindsets, different technologies, and a long history of a lack of collaboration.

Disparate Technologies: A Barrier to Convergence
IT people work on Windows, Unix, and Linux-based systems, virtual machines, and storage systems. They implement firewalls, network intrusion detection solutions, access controls, and endpoint security solutions. As such, they're used to working in highly dynamic environments that change frequently with the introduction of newer solutions and technologies. Systems are constantly patched, upgraded, or replaced. And when doing so, it's OK to restart a server.

In contrast, industrial control devices don't run Windows, Unix, or Linux. Instead, they're based on proprietary technologies designed by specialized OT manufacturers such as GE, Honeywell, Siemens, and Schneider Electric. These devices were designed to last for decades. This explains why industrial environments mostly use older technologies that are still operational and won't be easily replaced. Many of these systems predate the Internet era.


The general mindset of OT staff is to maintain the stability and safety of the environment at all costs. As a result, industrial networks are much more static and changes are infrequent. Restarting a system isn't always possible, and patching or upgrading is much more difficult and dangerous. Consequently, OT teams are often unwilling to download updates to firmware and software. If the plant is operating as intended, why threaten its stability with new software?

Clashing IT and OT Cultures
The cultures of IT and OT staff are vastly different. IT is responsible for maintaining and securing the data center. IT teams monitor and fix network issues, help users with their data availability and usability problems, and protect corporate assets and networks from cyberattacks. They are guided by the CIA triad: protecting the confidentiality, integrity, and availability of data. They're less familiar with the OT space, and often display little interest in knowing what their counterparts do to keep it safe and operational.

In contrast, OT engineers are trained to monitor and fix issues in highly complex and sensitive industrial plants such as oil refineries, chemical plants, and water utilities. Their top priorities are to maintain operational safety, reliability, and continuity. They don't deal with IT or work with the IT staff, and certainly don't want them to get involved in their operational issues.

Each group is concerned that the other side will wreak havoc in their environment. When there is a need to secure OT against cyberthreats, plant engineers worry that if IT team members get involved, they'll compromise system safety and stability. Unsanctioned changes to these systems might cripple the plant, cause an explosion, or worse. These concerns are justified. After all, when it comes to OT, IT staff members are in uncharted waters.

At the same time, there's also a concern that vulnerable OT networks will introduce new threats into IT networks, threatening corporate assets, data, and systems.

IT-OT Collaboration: The Key to Success
Neither OT team members nor IT team members are experts in defending OT systems against emerging cyberthreats. Because OT networks were previously disconnected from the external world, engineering staff never had to deal with such threats. Meanwhile, IT staff members who deal with cyberthreats on a daily basis don't fully understand how these new threats will affect OT systems.

Nevertheless, both sides must cooperate, because neither group can protect industrial systems singlehandedly. Given the divergent cultures, technologies, and objectives of IT and OT, the two groups must overcome a significant divide, including mutual suspicion.

To ensure IT and OT collaboration, business-level oversight and leadership are required. More and more organizations are taking senior, experienced engineers from OT business units, usually from under the COO, and moving them under the CIO hierarchy. This interdisciplinary model combines expertise and roles that straddle and unify both sides of the IT-OT fence.

Some organizations have taken this one step further. Instead of moving those roles under the CIO, they're creating a new C-level role to facilitate this management strategy. For example, it's not uncommon for organizations to have a chief digital officer, who helps bridge the gap between the CTO and COO.

The higher up the organizational ladder that IT-OT convergence decisions are being made, the better the chances for success in bridging the gap.

Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several ...