Menu

IT/OT convergence needs conflict resolution from both sides

Information technology (IT) and operations technology (OT) are very different organizations that have begun to converge and they must start resolving their issues. Three tips for reducing potential conflict are highlighted.

Katherine Brocklehurst
06/21/2017

Information technology (IT) and operations technology (OT) are both responsible for resolving potential cybersecurity risks. However, both groups have different approaches and mindsets on the topic that are incompatible when they are brought together, which can lead to conflict.

Pre-internet, the line between IT and OT was clear. The line has been blurred as technology has brought connectivity to nearly every device on the plant floor and in field locations. That enhanced connectivity is connecting IT and OT in new ways and, as a result, they are starting to converge.

Instead of conflicting with one another, which has been the standard mindset, they must start resolving their issues for their sake and the sake of the company as a whole.

Resisting convergence

IT and OT are resisting convergence happening all around them, said Luigi De Bernardini, chief executive of Autoware, a manufacturing execution system (MES) and smart manufacturing automation firm in Italy. When working with clients in large manufacturing automation projects he found that, "Many manufacturers still see strong resistance to bringing information and operational technologies together, with mistrust coming from both sides."

De Bernardini said that must change. "Continuing to operate separately not only slows the adoption of solutions based on technologies that fall outside of industrial control system (ICS) operations' comfort zone, but also exposes companies to fault or security risks that could significantly impact production." 

Different viewpoints

IT and OT are very different worlds with very different responsibilities. Fundamentally, IT secures data. An intentional or unintentional cyber threat could result in the loss of intellectual property, corporate financials, and employee or customer information-and the ripple effect can be costly, ranging from $200K to $4M per incident.

In contrast, OT uses ICS logic to execute control processes, which produces a physical impact. A cyber threat could have devastating physical consequences to critical infrastructure and services, employees, human life, and safety and the environment-as has been shown in numerous publicized incidents.

Different priorities

The different priorities of IT and OT are key to understanding why conflicts arise so easily between the two groups. IT's top priority is to protect the data. OT's priority is to protect the availability and integrity of the process, with security (confidentiality) coming last.

The security solutions each group might choose for the ICS operations environment may be different due to several variables such a regulatory and compliance requirements, network architectures, performance/production requirements, employee and environmental safety considerations, risk tolerance, and management and security goals.

Each group has a bias and a specific perspective when considering ICS cyber risks and consequences. 

IT's perspective

IT's top priority is protecting data such as intellectual property, corporate financials, employee, or customer private data. They figuratively look across the demilitarized zone (DMZ) thinking of the many changes that could bring a stronger security posture to OT environments. IT's potential solutions include:

Information technology (IT) and operations technology (OT) are very different organizations that have begun to converge and they must start resolving their issues. Three tips for reducing potential conflict are highlighted. Courtesy: Tirza van Dijk, UnsplOT's perspective

OT's top priorities revolve around availability. When considering suggestions from IT to secure ICS environments, OT will often invoke cybersecurity inertia to assure control processes and production yield are not placed at risk. Reasonable explanations for why ICS security cannot be implemented are:

Protecting information is important, but production losses translate into business losses. Cyber threats that can disrupt production, cause damage, affect visibility and control, or jeopardize safety also could affect business profitability. Changes by IT are not appropriate or allowed. Further, OT is still skeptical of the real risk to their ICS operations and control processes, believing the risks and consequences to be hype and rarities. 

Conflict resolution

Rather than endure a major security breach that affects confidentiality or operations, companies should consider these three actions to reduce conflict and mistrust with IT and OT convergence while increasing ICS security at the same time. 

1. Get strategic alignment at the highest levels.

De Bernardini said most of his clients, "Still have two strongly separated departments for operations and IT. They have different people, goals, policies, and projects."

De Bernardini recommends starting with reorganizing IT and OT departments to be strategically aligned and unified. He suggests at least the chief information officer (CIO)/chief information security officer (CISO), and chief operations officer (COO) should have, "Partly common and overlapping goals and targets, which would force them to work cooperatively."

The CIO/CISO must also accept complete responsibility for the cybersecurity of the ICS and for any safety incidents, reliability incidents, or equipment damage caused directly or indirectly by cyber incidents. 

2. Coordinate a joint task force.

NIST SP800-82r2 and De Bernardini recommend creating a joint task force as a cross-functional cybersecurity team to share varied domain knowledge and experience to evaluate and mitigate risk to the ICS. NIST goes so far as to specifically name titles that should be a part of this cybersecurity task force, which should include:

The task force should also consult: a site management/facility superintendent, a control system vendor and/or a system integrator and the CIO/CISO. 

3. Develop pilot projects and a governing structure.

One of the first things the joint cybersecurity task force can do is to identify pilot projects that both groups can work on together. The task force can compile a list of the most critical ICS assets that absolutely must be secured and begin to assess what needs to be done.

These pilot projects are designed to offer value with a low-risk benchmark to help the company train and progressively build a specific mix of shared IT/OT skills. This also will aid in determining how to jointly reduce conflict when deciding on steps toward improving ICS security.

De Bernardini said the joint cybersecurity team should have, "Joint governance and responsibility to execute projects, harmonize duplicated or overlapping systems and processes, and promote the development of the interdisciplinary skills that are now missing in most companies." 

Marathon, not a sprint

Mitigating the conflicts inherent in IT and OT convergence and improving ICS security doesn't happen overnight.

Managers need to learn to share goals, jointly evaluate business risks and consequences, and train the broader group on shared skills, which will ultimately lead to appropriate ICS security products, processes, policies, and people.

The two collaborating and cooperating departments need to extend their skills to adapting the IT security project models for use in operations with consideration of all the differences inherent in their security priorities and risk biases.

While there are many cultural and structural challenges that come from bringing IT and OT together, the long-term benefits far outweigh any difficulties that might arise in the beginning.

Katherine Brocklehurst is with Belden's Industrial IT group. Her area of responsibility covers industrial networking equipment and cybersecurity products across four product lines and multiple market segments. She has 20 years of experience in network security, most recently with Tripwire. This article originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Hannah Cox, content specialist, CFE Media, hcox(at)cfemedia.com.

MORE ADVICE

Key Concepts

Consider this

What other methods/strategies could be used to get the IT and OT to work together?

Channels

Products

Visit Our Sites

Contact Us

Settings

Close Home
click me