Mind the Gap: How to Align Your IT and Operational Technology Teams
With the rise of connected devices, industrial environments are no longer safe from cyberattacks. Here’s how to bridge your IT and OT efforts and enhance your organization’s security posture before the next threat emerges.
The industrial landscape is evolving rapidly. Modern-day operations span complex IT (information technology) and OT (operational technology) infrastructures. In many factories and plants, thousands of devices are increasingly connected via the industrial internet of things (IIoT). This convergence between IT and OT systems creates new challenges in securing industrial environments by making cybersecurity threats even more difficult to detect, investigate and remediate.
Adding to this challenging endeavor is the fact that IT and OT teams typically inhabit different parts of the organization, and with good reason. Until recently, IT infrastructure was the main battleground in terms of ensuring complete visibility, security and compliance, mostly because this was where organizations were being attacked. For the better part of two decades, IT was the thing that kept the chief information security officer (CISO) up at night. But that reality has changed. With our increasingly interconnected world, OT has quickly caught up as a lightning rod for new attacks and increased security concerns.
Ground zero for industrial security
The focal point for attacks on industrial operations and critical infrastructure has centered on industrial controllers. When these devices were first deployed, they were not connected and interconnected as they are today. Advances in technology have put these devices online and made them a prime target for hackers.
Controllers were not built to address the security threats or innocent human errors we now experience. Outsiders, insiders, and outsiders masquerading as insiders are all possible actors capable of launching sophisticated attacks to take over machines for nefarious purposes. Hackers are no longer rogue individuals but members of carefully curated and systematic programs funded by highly motivated organizations and countries. A carefully executed cyberattack can accomplish as much, if not more, than modern-day warfare.
Furthermore, because industrial and computer networks are now connected, an attack that starts on an IT environment can quickly move to an OT environment, and vice versa. Lateral movement is increasingly the preferred attack methodology amongst hackers because of the relative ease of finding a weak link in the system, leveraging it as the point of entry, and then quickly owning the entire network.
Managing the convergence of IT and OT systems
Few organizations currently manage IT and OT with the same staff or tools. After all, these networks evolved with different sets of priorities and they operate in inherently different environments. Nevertheless, in order to address these new complex threats and the expanding attack surface, industrial organizations are converging their IT and OT groups.
The “convergence initiative” is anything but simple. It requires not only the integration of IT tools with OT solutions, but also the alignment of strategic goals, collaboration and training, and bridging two departments that have different backgrounds, mindsets and concerns.
IT teams are used to working with the latest and greatest hardware and software, including the best security tools available to protect their networks. They spend time patching, upgrading and replacing systems. Meanwhile, OT staff are used to working with legacy technologies, many of which pre-date the internet. These inherited systems often use proprietary network protocols and lack basic security controls, such as authentication or encryption, event logs or audit trails.
As a result of these divergent workflows, incident detection and response in an OT environment is very different than in an IT environment. But while there are significant differences between the worlds of IT and OT, there are also key elements that both sides can agree on when it comes to establishing a robust industrial security posture:
- Enterprise visibility to ensure that all collected data is integrated into a single pane of glass.
- Threat detection & mitigation that combine behavioral anomalies with policy-based rules.
- Automated asset tracking that includes dormant devices and goes as deep as programmable logic controller (PLC) backplane configurations.
- Vulnerability management that tracks and scores patch and risk levels of ICS devices.
- Configuration control that tracks all changes to code, OS & firmware regardless of whether done through the network or locally.
Staying ahead of new regulations
With the increased frequency of security threats, regulatory compliance is also accelerating IT-OT convergence. For example, the North American Electricity Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC) both require IT and operations staff at critical infrastructure facilities to collaborate, manage risks cooperatively and share relevant documentation to ensure security and reliability.
In fact, regulations specifically call for an environment in which there is the ability to conduct forensics across both networks in order to identify, thwart and report on incidents that can disable significant industrial deployments and critical infrastructure.
Bringing together your IT and OT teams, systems and processes hastens compliance with regulatory statutes. The ability to proactively report issues and demonstrate compliance makes any potential audit significantly easier.
C-level support can make it happen
The successful deployment of industrial cybersecurity initiatives must leverage resources from both IT and OT. To bring these teams together and unify security thinking and practices, organizations need to create a culture of collaboration between both camps for the common good of the business.
The key to success is getting C-level support. Some organizations begin by creating a C-Level role to facilitate the convergence. For example, it’s quite common to find a “chief digital transformation officer” whose role is to bridge the gap between IT and OT, merge the culture divide, and establish incident response processes that span both groups.
Business-level oversight and C-suite leadership help ensure that the two sides will collaborate effectively with each other. To make this happen, more and more organizations are taking senior, experienced engineers from OT business units and assigning them to support incident response within the security operations center (SOC). This creates an environment where people, processes and technologies straddle and unify both sides of the IT/OT fence.
A successful collaboration between IT and OT can reap significant benefits, including:
- Improved security automation, sensing and visibility
- Increased control over distributed operations
- Better compliance with regulatory requirements and tracking
- Higher responsiveness when incidents occur
- Better decision making based on more detailed information
- Proactive maintenance and reduced response times to unforeseen disruptions
- Improved flow of information to stakeholders
Many pundits and experts in the field say it is not an issue of “IF” but rather a matter of “WHEN” a security incident will occur. Bringing the IT and OT worlds into the same orbit helps ensure that when an incident occurs, the organization can weather the storm and in fact thrive amid the chaos.
For more information and best practices on enhancing your industrial security posture, check out our whitepaper, “Mind the Gap: A Roadmap to IT/OT Alignment."
Related Articles
- SCADA