Industrie 4.0 and the rapid expansion of the Internet of Things (IoT) require increased access to the Operational Technology (OT) that propels production. Twenty to thirty years ago, assets were proprietary, different for every vendor, and offered limited connectivity to third party systems. Over time, owner-operators demanded more openness and access to these proprietary systems. As a result, vendors are using more information technology (IT) to connect to those systems when developing OT assets, spurring the need for more IT experience to deploy OT assets. This connectivity is looking more like what we see in IT. While OT needs IT to ensure reliability of those systems, there are still key differences in the mission between IT and OT assets. Understanding those differences is key to keeping industrial control systems secure.
OT Mission: Reliability
On the OT side, reliability is the most mission-critical parameter. Assets require a high uptime and must be available for service to drive production and ensure safe operations. Each OT asset is designed and maintained to conduct a specific task - they should not be changed without careful consideration, and those changes must be carefully managed. In many cases availability and uptime trumps security – companies will often delay patching and other strategies to remediate vulnerabilities in order to keep the OT assets in service.
IT Mission: Data Privacy
On the IT side, the primary mission is to guarantee data privacy, ensuring information goes to the right people and does not fall into the wrong hands. Data privacy trumps reliability – security teams often choose to stop or delay availability to remediate or patch vulnerabilities. IT must also ensure flexibility of purpose. It is less critical to manage specific functions inside an IT asset. Instead, a specific tool should work for a variety of users and be flexible for a variety of tasks.
A successful ICS cybersecurity strategy includes a multi-functional team that combines people with long OT expertise that understand capability and mission with IT people that understand things like access management and vulnerability. OT and IT teams will continue to be different and focused on the goal of their respective missions. Building a cross-functional team helps to ensure these goals are met to improve security as well as continue the mission of OT.
For a deeper perspective, we asked industry experts to share their insights on best practices for building a comprehensive OT cybersecurity program. These experts shared their strategies to build teams that recognize the strengths and differences of IT vs. OT cybersecurity and how the two groups can best work together. These insights can be found in this freely available eBook: Leveraging IT/OT Convergence and Developing Effective OT Cybersecurity
I invite you to join me for a webinar on October 4, Reducing Industrial Risk in a Converging IT/OT World: Industry Experts Share Their Strategies. During this event, I will share insights from the experts, along with what I have seen in the field. You will also have an opportunity to ask questions and share your insights.