In the last 20 years, information technology (IT) and operational technology (OT) have significantly converged. As technology has become more complex, more capable, and more critical to the business – and cyberthreats have gotten more frequent, sophisticated, and devastating – both teams have come together out of convenience and necessity.
This convergence, however, doesn’t translate to IT and OT merging into a singular mission. Each discipline has very important distinctions that determine how each environment can and should be run. For the business to tackle OT cybersecurity successfully, IT needs a clear understanding of how precisely OT differs and the implications of those differences to processes, technologies, and outcomes.
Our recent webinar, OT Cybersecurity for IT Professionals, covered this very topic. Let’s review what Mike Hoffman, Principal Industrial Consultant at Dragos, says that IT must understand about OT cybersecurity, then how IT and OT can work together to strengthen cybersecurity across the organization.
What Makes OT Unique: 5 Ways IT Differs
Let’s look at some distinct ways for IT and OT to collaborate towards a stronger security posture.
1. OT requires a different mentality.
As IT and OT converge, questions arise. Looking for economies of scale in technology and processes, organizations begin to explore whether they can apply IT security controls to OT. Similarities between the two environments exist – hey look, this machine is running Windows! – but OT requires a different mindset. For example:
- IT often places too much emphasis on vulnerability management. OT systems simply can’t be patched and updated in the same way without risking downtime and performance, nor do they often need to be.
- OT can’t keep pace with IT asset refresh rates. The interconnectivity of systems means that the latest software is not necessarily the best software.
- Moving to the cloud looks very different for OT. While there are some applications that make sense, OT teams must be very, very careful about how they deploy to the cloud and how far down those connections go.
2. The OT security triangle looks different.
The classic IT security triangle breaks down IT security drivers into three components: confidentiality, integrity, and availability (CIA). One misperception commonly repeated today is that in OT the priorities are similar but ordered differently—that availability, integrity, and confidentiality (AIC) drives security in industrial environments. Most longtime IT professionals refer to the triad as a three-legged stool: each leg bears equal load in maintaining an organization’s security posture. While availability stands as a core tenet of OT security, it doesn’t necessarily trump everything.
While three-letter acronyms are helpful to categorize and define problems, at the end of the day there’s a mission focus for industrial operations that can vary depending on the industry or organizational output. That mission focus is more important than trying to fit the needs and requirements into the semantics of three letters—or their order of importance. It’s crucial to understand in every plant what the mission focus is to help be service-oriented to operations.
Discover other misconceptions keeping organizations from reducing risk to their ICS environments, their daily operations, and their organizational missions.
3. OT has unique requirements.
While the requirements of both environments look similar on paper – high uptime, redundancy, low latency – OT must support specific circumstances.
High uptime, for instance, must be measured in years, not months, with systems that literally run for multiple years between rounds of maintenance. Redundancy is driven less by security than by availability; many critical OT components can’t be turned off and need workarounds before anyone can touch them. Low latency isn’t just the amount of time it takes data to move from one place to another; it’s the milliseconds and microseconds that determine whether a robot places the correct part at the correct time as a vehicle rolls down an assembly line. These use cases demand that OT teams think differently about how these requirements are met.
4. Cyber risk is calculated differently for OT.
The traditional IT security risk equation does not account for the functional, real-world physical outputs of industrial processes. For reference, we propose that a more OT-centric risk equation should be:
Cyber risk = Consequence x Threat x Vulnerability
By focusing on a more consequence-driven approach, cyber risk and its associated impacts can benefit from engineering and reliability inputs, such as PHA (process hazard analysis) and FMEA (failure mode and effects analysis). These evaluations, which may exist already in industrial organizations, provide detailed information on conditions that may result in unreliable, unsafe, and possibly destructive states for control systems—something that does not exist in IT-centric cyber risk models. Because of the link to physical impacts and reliability, industrial cyber risk should include additional concepts from disaster recovery and business continuity.
Download our free whitepaper to learn more about industrial risk management.
5. OT security relies on crown jewel analysis.
OT is all about understanding what really matters so you can prioritize and protect it. To do so, many organizations go through an OT-specific process called crown jewel analysis (CJA). Predicated on the idea that not all ICS devices and systems are the same and each has a different level of criticality based on process impact, CJA analyzes and identifies the key systems and components that need enhanced prevention, detection, and recovery capabilities. This process of categorizing OT assets in a crown-jewel matrix enables OT teams to prioritize their efforts and ensure that the “crown jewels” are protected.
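As an added illustration of the consequence-driven risk equation above and of the crown-jewel categorization (example code written for this page, not Dragos’s tooling or any product), the Python below scores a constructed set of plant assets two ways: by an IT-style CVSS ordering and by Consequence x Threat x Vulnerability, with an FMEA severity rating standing in for consequence. It then buckets the same assets into a simple three-tier crown-jewel matrix. The inventory, the 1..10 severity scale, the 0..1 threat and vulnerability scales and the tier thresholds are all assumptions made for the example.

```python
"""Consequence-driven risk scoring and a simple crown-jewel matrix.

Added illustration, not Dragos's tooling. The asset inventory, the FMEA
severity scale (1..10), the 0..1 threat and vulnerability scales, and the
tier thresholds are all constructed assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    fmea_severity: int    # 1..10: worst-case process outcome from the FMEA / PHA
    threat: float         # 0..1: likelihood an adversary targets and reaches it
    vulnerability: float  # 0..1: exploitability of its known weaknesses
    cvss: float           # IT-style severity of its worst finding, for contrast only


def cyber_risk(asset):
    """Cyber risk = Consequence x Threat x Vulnerability (the post's equation),
    with the FMEA severity standing in for consequence."""
    if not 1 <= asset.fmea_severity <= 10:
        raise ValueError(f"{asset.name}: severity must be 1..10")
    for value in (asset.threat, asset.vulnerability):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{asset.name}: threat/vulnerability must be 0..1")
    return asset.fmea_severity * asset.threat * asset.vulnerability


def rank_by_risk(assets):
    """Asset names, highest consequence-driven risk first."""
    return [a.name for a in sorted(assets, key=cyber_risk, reverse=True)]


def rank_by_cvss(assets):
    """The IT-centric ordering: highest CVSS first, ignoring process impact."""
    return [a.name for a in sorted(assets, key=lambda a: a.cvss, reverse=True)]


def crown_jewel_tier(asset):
    """Assumed three-tier scheme keyed on process impact alone."""
    if asset.fmea_severity >= 8:
        return "crown jewel"
    if asset.fmea_severity >= 5:
        return "important"
    return "standard"


def crown_jewel_matrix(assets):
    """Group assets by tier; the top tier is where enhanced prevention,
    detection and recovery capabilities are concentrated first."""
    matrix = {"crown jewel": [], "important": [], "standard": []}
    for a in assets:
        matrix[crown_jewel_tier(a)].append(a.name)
    return matrix


SAMPLE_ASSETS = [  # constructed inventory
    Asset("historian-01", 3, 0.8, 0.9, 9.8),    # exposed and highly rated, low process impact
    Asset("eng-workstation", 6, 0.6, 0.7, 7.5),
    Asset("safety-plc-07", 10, 0.4, 0.7, 5.3),  # modest CVSS, but a failure is a safety event
    Asset("hmi-panel-02", 5, 0.5, 0.6, 8.1),
]


if __name__ == "__main__":
    print("by CVSS:   ", rank_by_cvss(SAMPLE_ASSETS))
    print("by OT risk:", rank_by_risk(SAMPLE_ASSETS))
    print("matrix:    ", crown_jewel_matrix(SAMPLE_ASSETS))
```

Running it shows the reordering the post argues for: the historian tops the CVSS list, but once process consequence enters the product the safety PLC moves to the front and lands in the crown-jewel tier, while the historian drops to third. Real programs would draw the severity column from the plant’s existing PHA/FMEA records rather than typing it in.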
How Can IT and OT Work Together for Successful Cybersecurity?
With this context in mind, IT and OT can form a cross-functional team that supports and strengthens security across the organization. Watch the webinar for our expert’s full recommendations, but in brief, teams need five critical controls for effective OT security:
- Create an OT-specific incident response plan. This should cover the different device types, communication protocols, types of tactics, techniques, and procedures specific to industrial threat groups.
- Build a defensible architecture. Start at the edge and work your way inward, leveraging traditional IT tools as appropriate and identifying and securing OT/IT data flows to the enterprise and cloud environments.
- Implement network monitoring. Monitoring industrial assets validates your security controls, allows you to scale and automate threat detection, identifies vulnerabilities easily for action, and supports incident response processes.
- Establish remote access authentication. Enable multi-factor authentication where possible; it is the most effective control for remote access authentication. If that’s not possible, consider alternate controls like jump hosts with focused monitoring.
- Manage key vulnerabilities. Most OT vulnerabilities have limited impact within a defensible architecture. Prioritize those that bridge IT and OT over vulnerabilities that reside deep within the ICS/OT network.
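The three middle controls above (defensible architecture, network monitoring, and prioritizing the vulnerabilities that bridge IT and OT) can be tied together in code. The Python below is an added example written for this page, not Dragos’s tooling: it assumes a three-zone model (enterprise, DMZ, control) in which the enterprise may talk only to the DMZ and only the DMZ may talk to the control network, checks a set of constructed flow records against that policy, and then orders constructed vulnerability findings so that assets which bridge the boundary come before higher-scored findings buried deep in the ICS network. The hosts, flows, policy and finding identifiers are all constructed.

```python
"""Defensible-architecture checks over constructed flow records.

Added illustration, not Dragos's tooling. The three-zone model, the hosts,
the flow records and the vulnerability identifiers are all constructed for
this example; the allowed-flow policy is an assumption, not a standard.
"""

# Assumed zone model: enterprise (IT) may talk only to the dmz, and only the
# dmz may talk to control (OT). Any other cross-zone pair is a violation.
ALLOWED_CROSS_ZONE = {
    ("enterprise", "dmz"), ("dmz", "enterprise"),
    ("dmz", "control"), ("control", "dmz"),
}

ZONE_OF_HOST = {  # constructed asset inventory
    "10.10.1.25": "enterprise",
    "10.10.1.40": "enterprise",
    "172.16.5.10": "dmz",          # historian / jump host
    "192.168.100.11": "control",   # PLC
    "192.168.100.20": "control",   # HMI
}

SAMPLE_FLOWS = [  # constructed (src, dst, dst_port) records, as a network monitor would export
    ("10.10.1.25", "172.16.5.10", 443),         # enterprise -> dmz: allowed
    ("172.16.5.10", "192.168.100.11", 502),     # dmz -> PLC over Modbus/TCP: allowed
    ("192.168.100.20", "192.168.100.11", 502),  # HMI -> PLC inside control: allowed
    ("10.10.1.40", "192.168.100.20", 3389),     # enterprise -> HMI directly: bypasses the dmz
]

SAMPLE_VULNS = [  # constructed (host, placeholder finding id, cvss)
    ("172.16.5.10", "VULN-A", 7.2),
    ("192.168.100.11", "VULN-B", 9.8),  # highest CVSS, but deep in the control network
    ("192.168.100.20", "VULN-C", 6.5),
]


def zone_of(host):
    return ZONE_OF_HOST.get(host, "unknown")


def is_permitted(src_zone, dst_zone):
    """Intra-zone traffic is fine; cross-zone traffic must match the policy.
    Unknown hosts fail closed so that unmapped devices surface for review."""
    if "unknown" in (src_zone, dst_zone):
        return False
    return src_zone == dst_zone or (src_zone, dst_zone) in ALLOWED_CROSS_ZONE


def find_violations(flows):
    """Flows that cross the IT/OT boundary without passing through the dmz."""
    return [f for f in flows if not is_permitted(zone_of(f[0]), zone_of(f[1]))]


def bridging_hosts(flows):
    """Hosts that bridge IT and OT: everything in the dmz by design, plus any
    host that took part in a boundary-bypassing flow and is directly exposed."""
    hosts = {h for h, z in ZONE_OF_HOST.items() if z == "dmz"}
    for src, dst, _ in find_violations(flows):
        hosts.update((src, dst))
    return hosts


def prioritize_vulns(vulns, flows):
    """Bridging assets first, then by CVSS within each group, so a lower-scored
    finding on an exposed host outranks a critical one deep in the ICS network."""
    bridges = bridging_hosts(flows)
    ordered = sorted(vulns, key=lambda v: (v[0] in bridges, v[2]), reverse=True)
    return [v[1] for v in ordered]


if __name__ == "__main__":
    for src, dst, port in find_violations(SAMPLE_FLOWS):
        print(f"boundary bypass: {src} ({zone_of(src)}) -> {dst} ({zone_of(dst)}) tcp/{port}")
    print("patch order:", prioritize_vulns(SAMPLE_VULNS, SAMPLE_FLOWS))
```

On the sample data the only violation is the enterprise workstation reaching the HMI directly on 3389, exactly the kind of remote-access path the post says should run through MFA or a monitored jump host instead. The patch order puts the DMZ historian and the directly exposed HMI ahead of the PLC despite the PLC carrying the highest CVSS, because within a defensible architecture that PLC finding has limited reach.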
IT and OT play essential roles in ensuring the cybersecurity of the OT environment. With the appropriate understanding and context, plus the support and culture to form a cross-functional unit, both teams can contribute to a more secure, successful organization.
For more information, watch the full webinar: OT Cybersecurity for IT Professionals.