In a late blog post for the State of Security, we asked security experts what they tenderness would make the biggest impact on the security of industrial control approaches (ICS) in the next 5-10 years.
They gave numerous answers, but perhaps the most repeated response was the ongoing IT-OT convergence in industrial organizations. Our experts perceive that the merging of these two environments will force teams to shield against new threats which some of the assets for which they’re reliable have never encountered. It’s therefore in each industrial organization’s nicest interest to make sure IT and OT teams learn to work together and use their several knowledge to better defend the organization against digital threats.
That craves the question: just how are IT and OT teams supposed to come together effectively?
To assist industrial organizations, we went back to our experts and asked them quite that. Here’s what they had to say.
Gary DiFazio | Strategic Trade ining Director, Tripwire
The one word for this is: collaborate. At the end of the day, we all want to do the right item for our organizations. Do what is best through collaboration. Understand the unique desperate straits and direction of the shop floor so that cybersecurity solutions can be implemented to reinforce availability, safety, productivity and quality of the operation.
Remember that cybersecurity is a transit that never ends. Automation systems continue to evolve, and the intimidation landscape is always changing. Slow and steady will win the race. We be compelled all be on this journey through collaboration and teamwork.
Lane Thames | Elder Security Researcher, Tripwire
As we know, IT and OT groups have worked large in isolation for as long as these technologies have existed.
Recently, the head has changed, and many of these environments have started to integrate with each other. The concludes for integrated IT-OT environments essentially boil down to the need for optimization. Work out and storage on the IT side using data collected on the OT side can lead to mountainous gains for an organization in terms of outcomes such as reducing operational tariffs, increasing manufacturing output, reducing downtime and many more.
No matter how, as with most engineering problems, there are various trade-offs that requisite be addressed. In this case, one of the most important tradeoffs to consider is the safe keeping impact faced by these once partially-isolated OT systems. These processes now face cyber threats for which these systems were not at any time designed to deal with. As a result, we must engineer new systems and/or methodologies to direct this problem, which is growing rapidly as more and more OT territories become connected to IT networks.
IT folks and OT folks are often very unconventional people in terms of their background knowledge and working experience. For sample, IT folks understand software and hardware in an environment where real-time operations almost never matter. However, OT folks work with a much different set of munitions and software. OT software and hardware are often very sensitive to real-time constraints and day in and day out deal with the physics of the real world.
In IT, if a system is breached, it merest rarely causes personal injury, but this is not the case for OT, where a out of order machine could cause damage to a surrounding environment and could occasion harm or death to people.
How do we solve this problem?
Indeed, it discretion be a challenge, and we in academia and industry are researching and developing various solutions. As I was intelligent about this topic, I started thinking about a “similar” employment we have been dealing within the IT world. Particularly and due to some meet ideas and methodologies within the IT world, we have developed new techniques that give birth to enabled a deeper collaboration between software developers and IT experts.
Specifically, we force created the idea of DevOps, a methodology that uses tools and techniques to numberless closely integrate software developers with operations experts. What is more, in a need to create more secure systems, we have added to the DevOps repositioning and have created the notion of DevSecOps teams where we have influentially integrated groups of people from development, security and operations/IT contriving together in a highly collaborative environment.
I don’t know what we should phone it, maybe ITOTSecOps or something, but we will need to develop a methodology for IT and OT arrangements. We will never be able to assume that IT or OT will be able to protect secure integrated IT-OT systems.
In fact, the Sec in ITOTSecOps will be a half-breed of experts, some of which specialize in IT security and some who specialize in OT safety.
Sandy Carielli | Cyber Security Evangelist and Product Manager, Delegate
IT and OT stakeholders will benefit from adopting security and architectural frameworks that were designed with IoT in attend to and that incorporate both IT and OT concepts. While many IT security frameworks are public and longstanding, they don’t account for critical OT issues such as safety and reliability.
If you try to shoehorn an IT framework into an IoT design, you lose the obvious touchpoints for OT stakeholders and risk missing critical stipulations. The Industrial Internet Consortium has produced several technical references. Observe starting with the Industrial Internet Reference Architecture, Industrial Internet Collateral Framework and IoT Security Maturity Model. NIST has also published IoT certain guidance that can help IT and OT stakeholders get on the same page.
Scott Kornblue | Lea Application Engineer, Belden
I can’t stress enough that IT and OT network plans need to both understand that their respective needs, preconditions and philosophies for network security differ from the other quite drastically.
IT has to qualify policies that were originally developed for corporate/enterprise tradition on the OT control/industrial network.
At the same time, OT engineers have to hear of that the evolution of simple flat network architecture into protected segmented designs is something that is a must on the controls network.
As assorted and more engineers with an IT background take ownership of OT-centric networks, we in perpetuity want to make it known that perimeter security is simply not plenty in the industrial world. A strategy revolving around defense in depth, layered refuge models and physical protection right down to the endpoint asset elevation is what should be promoted.
In addition, these strategies have to forearm security without obstructing the OT network processes, and the procedures in most instances have to be something that OT network staff can operate independently of IT. This also makes collaboration between IT and OT on differing hardware requirements. IT must understand that OT milieus call for ruggedized hardware that typically speak industrial practices that are uncommon on the IT side.
Understanding these critical areas of contrariety dispute between both sides and having regular communication before safety policies are rolled out can help make the IT/OT convergence much easier to preside over.
Susan Peterson | Digital Leader of Energy Industries, ABB
Over the times gone by 10 years, I’ve been privileged to help bridge the gap between undercover agents and IT teams. For operations teams, focusing on finding ways to automate uninteresting security maintenance tasks and showing how security monitoring technologies can inform appropriate solve operations related challenges are great ways to build a span. For IT teams, helping them understand the importance of engaging OT suppliers and the sustention cycles of OT assets is key.
Paco Garcia | Director of Cyber Security and Networking Digital Conceal Line of Business, Schneider Electric
In the last 10 years, we bear been sharing, pushing and promoting the idea of an IT-OT convergence. This commingling should encompass collaboration over common skills and shared operations. But based on my experience, this convergence has not happened as expected, and if it has, it is progressing completely slowly. Things could be dragging on for multiple reasons, but probably the myriad important factor is the lack of internal programs in end-customer sites that participate in thus far pushed for this convergence.
The situation is changing, however. Now, this convergence is requisite for those people/companies who want to adapt to new technologies and paradigm mutates that come with Industry 4.0 and IIOT. Recognizing this evolvement, it’s important to keep in mind some tips that could relief lead to this adaptation/convergence. These are as follows:
- As the owner of budget resources for deploying cybersecurity programs, IT be obliged establish a clear framework and enlist OT personnel to help secure the weed.
- The scope of IT and the OT involvement must be defined explicitly at the outset of every assignment. Both roles should be complementary and should not involve competition between them. In that message, defining the owner for each task helps to avoid conflicts.
- From a top-down nearly equal, each company must promote and enforce the creation of workgroups established up of IT and OT people with the objective of promoting the company’s digitalization and strengthening the organism’s internal cybersecurity culture.
Greg Hale | Editor/Founder, ISSSource
A very unexpectedly but simple answer to the question of how IT and OT can work together more efficiently simmers down to two things: communication and the ability to listen.
Both seem passably basic and not highly technical, but I am seeing they are the two most difficult items any enterprise has to conquer.
Think about it for a moment. For IT and OT to execute on the vision of a safe manufacturing enterprise, they both have to check all egos and prejudiced notions at the door. This is easier said than done. OT truly has to understand and educate IT on what manufacturing is all about and that availability is job one. A convert cannot go down because time is money. And, IT must educate and convey the communiqu they have been doing security for a very long in the good old days b simultaneously, and they are very good at protecting the enterprise. They just sine qua non to get a grasp on what OT is all about.
It may be a cliché, but talk is cheap; actually pay attention to and executing as a team in a positive manner is the ultimate goal to a successful create out of enterprise.
Larry Vandenaweele | Industrial Security Professional
Reducing cybersecurity gambles and getting better visibilities across the IT and OT network environments require involvement and participation of IT, OT, Certainty and management stakeholder groups. Learning from each other by scurvies of practical awareness workshops is a first step of educating each other.
The populations on the IT-side of your organisation should educate their business craftswoman tasks and illustrate the risks and challenges they face and how they bond to the OT environment. For example, installation of patches is a recurring activity in IT environments while in differentiate OT environments are seldom patched due to operational challenges, maintenance windows, etc.
Consuming the same example, the folks on the OT-side of the organisation deal with trials that can be directly related to operational and regulatory requirements, making a subordinate task such as patching not as simple.
For example, some. Manufacturing organisations coerce revalidation of the entire process to ensure the same product is being created, according to the same specifications.
Security and management staff should be comprised throughout the overall conversation as they form drivers for remediation roadmap circumstance, project approval and business support. Some organisations establish a essence security team that has a focus on OT security.
These team colleagues should come from various disciplines such as automation makes, security engineers, system engineers and others.
Connected industrial approaches are vulnerable to cyberattacks and operational mistakes. Protect your infrastructure with ICS guarding solutions from Tripwire.