Personnel responsible for protecting organizational assets within Operations Technology (OT) groups would seem to have the same mission as those responsible for protecting organizational assets within Information Technology (IT) groups, and be tightly aligned. Spending any amount of time with Industrial Control System (ICS) clients, however, shows that is certainly not the case. Let’s look at some reasons why this is and what can be done about it.
Profit-producing entities seek to organize themselves to generate revenues, minimize costs, and maximize profits. They do themselves an injustice when they create business units that are not aligned in strategic intent or in operational execution.
It is logical to have an IT services organization support the entire enterprise and list OT as one of the business areas where they provide traditional IT services. The OT mission, however, requires a set of IT services that are unlike the rest of the business enterprise.
OT's focus on availability, and the resulting inability to take systems offline for patching outside planned outages, produces operational goals and support needs that differ from those of servers and end-user devices, which can typically be patched outside normal business hours on a predictable schedule.
Having OT cybersecurity personnel report to a local plant manager while IT personnel report to a corporate Chief Information Officer (CIO) or Chief Information Security Officer (CISO) is bound to lead to organizational turf and budget wars, as well as a lack of technical respect for the unique cybersecurity mission of each group.
Instead, organizations should consider having a group at each plant that is responsible for plant cybersecurity, but seed that team with one or more individuals who have a dotted-line reporting relationship to the C-level executive responsible for cyber protection. This aligns organizational intent with organizational structure and facilitates day-to-day peer interaction across IT and OT networks. A CIO or CISO responsible for the entire organization's cybersecurity helps to bridge the OT / IT gap.
The Purdue Model is often used as a reference model for industrial enterprises, and it underpins the zone and conduit approach of IEC 62443. It divides an organization into levels, with Business Planning and Logistics (IT) at Level 4, site operations at Level 3, and supervisory and process control at Levels 2 and below. As such, why would it be expected that the same set of security controls be appropriate to protect assets at every level?
Businesses require internet access for a wide and diverse user population, which presents an assortment of challenges, including malware, phishing, and social engineering attacks. IT must stay aware of a continually changing threat environment that looks to exploit any open vulnerabilities across the IT infrastructure.
The OT challenge is quite different. OT teams seek network segmentation that isolates control networks and control devices from any path to the open internet. Direct engineering station connectivity or control device updates should happen only under tightly controlled conditions: every authorized user is identified ahead of time, remote sessions enter through a controlled path such as a Virtual Private Network (VPN) that terminates in a demilitarized zone and a hardened jump host rather than on the control network itself, and the user is held to strict, multi-factor authentication. The VPN supplies the protected transport; it is not by itself an authentication control, so identity and MFA have to be enforced and logged separately at the gateway or jump host.
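The following added example (not code from the page or from the IEC 62443 book it cites) turns the two preceding points into a check that can be run over firewall flow records: zones are mapped onto Purdue-style levels, only explicitly approved conduits between adjacent zones are allowed, no IT or internet source may ever reach Level 3 or below directly regardless of port, and sessions touching the engineering jump host must carry a pre-authorized user who passed MFA, with the VPN treated purely as transport. The zone names, subnets, ports, the engineer allowlist and the log lines are all constructed assumptions for illustration.

```python
"""Zone-and-conduit policy check over firewall flow records.

Added illustration; not code from the page or from the IEC 62443 book it
cites. Zone names, subnets, ports, the engineer allowlist and the log lines
are all constructed assumptions.
"""
import ipaddress
import re

# Depth roughly tracks Purdue levels: enterprise ~ L4, idmz ~ L3.5,
# site_ops and the engineering jump host ~ L3, supervisory ~ L2, control ~ L1.
ZONE_DEPTH = {"internet": 0, "enterprise": 1, "idmz": 2, "site_ops": 3,
              "eng_jump": 3, "supervisory": 4, "control": 5}
ZONE_SUBNETS = {  # hypothetical addressing; anything unmatched is "internet"
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "idmz": ipaddress.ip_network("10.1.0.0/24"),
    "site_ops": ipaddress.ip_network("10.2.0.0/24"),
    "eng_jump": ipaddress.ip_network("10.2.1.0/28"),
    "supervisory": ipaddress.ip_network("10.3.0.0/24"),
    "control": ipaddress.ip_network("10.4.0.0/24"),
}
# Approved conduits as (src_zone, dst_zone, dst_port); everything else is denied.
CONDUITS = {
    ("enterprise", "idmz", 443),        # business users read the mirrored historian
    ("idmz", "site_ops", 443),          # mirror historian pulls from the site historian
    ("idmz", "eng_jump", 3389),         # VPN concentrator in the IDMZ to the jump host
    ("eng_jump", "supervisory", 502),   # engineering session to HMI/SCADA (Modbus/TCP)
    ("eng_jump", "control", 502),       # engineering session to PLCs
    ("supervisory", "control", 502),    # HMI polling PLCs
    ("supervisory", "control", 44818),  # EtherNet/IP
}
# Engineering access must map to a pre-authorised user who passed MFA at the VPN/jump host.
AUTHORIZED_ENGINEERS = {"jdoe", "asmith"}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) user=(\S+) mfa=(\S+)")


def zone_of(ip_text):
    """Map an address to its zone; unknown address space is treated as the internet."""
    ip = ipaddress.ip_address(ip_text)
    for zone, net in ZONE_SUBNETS.items():
        if ip in net:
            return zone
    return "internet"


def evaluate(src, dst, dport, user, mfa):
    """Return (verdict, reason) for one flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow", "intra-zone traffic, outside conduit policy"
    # Structural rule first: IT or internet sources never reach Level 3 or below
    # directly, whatever the port, so no port-level exception can open that path.
    if ZONE_DEPTH[sz] <= ZONE_DEPTH["enterprise"] and ZONE_DEPTH[dz] >= ZONE_DEPTH["site_ops"]:
        return "deny", f"direct IT/internet path into OT ({sz}->{dz})"
    if (sz, dz, dport) not in CONDUITS:
        return "deny", f"no approved conduit {sz}->{dz}:{dport}"
    # The VPN is only the transport: identity and MFA are checked separately.
    if "eng_jump" in (sz, dz):
        if user not in AUTHORIZED_ENGINEERS:
            return "deny", f"user {user} not pre-authorised for engineering access"
        if mfa != "yes":
            return "deny", "engineering access without MFA"
    return "allow", "approved conduit"


def audit(lines):
    """Evaluate each flow record; returns a list of (line, verdict, reason)."""
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            results.append((line, "error", "unparseable record"))
            continue
        src, dst, dport, user, mfa = m.groups()
        verdict, reason = evaluate(src, dst, int(dport), user, mfa)
        results.append((line, verdict, reason))
    return results


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    "src=10.0.5.20 dst=10.1.0.10 dport=443 user=- mfa=-",            # allow
    "src=10.0.5.20 dst=10.4.0.12 dport=502 user=- mfa=-",            # deny: desktop straight to PLC
    "src=203.0.113.7 dst=10.3.0.5 dport=3389 user=- mfa=-",          # deny: internet to HMI
    "src=10.1.0.2 dst=10.2.1.4 dport=3389 user=jdoe mfa=yes",        # allow: VPN -> jump host
    "src=10.2.1.4 dst=10.4.0.12 dport=502 user=jdoe mfa=yes",        # allow
    "src=10.2.1.4 dst=10.4.0.12 dport=502 user=contractor mfa=yes",  # deny: not pre-authorised
    "src=10.2.1.4 dst=10.4.0.12 dport=502 user=asmith mfa=no",       # deny: no MFA
    "src=10.3.0.5 dst=10.4.0.12 dport=44818 user=- mfa=-",           # allow
    "src=10.4.0.12 dst=10.0.5.20 dport=443 user=- mfa=-",            # deny: PLC calling out to IT
]


def deny_count(lines=SAMPLE_FLOWS):
    """Number of records the policy rejects; 5 of the 9 constructed samples."""
    return sum(1 for _, verdict, _ in audit(lines) if verdict == "deny")


if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {reason:50} {line}")
```

The ordering of the checks is the design point: the structural IT-to-OT rule runs before the conduit lookup so that nobody can "fix" a failing flow by adding a port to the allowlist, and the identity check runs after it so that a valid VPN tunnel from an unknown or non-MFA user still fails. In a real deployment the `user` and `mfa` fields would come from the VPN gateway or jump-host authentication logs joined to the firewall records, not from the firewall alone.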
OT personnel are mostly engineers of various disciplines whose interest is in the output and safe operation of the plant rather than in the IT tools and networks needed to make that output happen. IT personnel may have a computer science background or come from any number of creative disciplines, drawn by the allure of working with shiny new IT toys as they hit commercial markets.
The point is—painting with broad strokes—these two groups have inherently different backgrounds and motivations, and do not always share the same technology fascination or appreciation for the difficulties the other has in their cybersecurity mission. An organization needs them both, however, and would benefit from taking active and continued steps to promote cross-functional interactions and opportunities to meet and share technical perspectives where there is a common interest.
A large part of the OT / IT gap comes from both terms sharing the word "technology" and the resulting assumption that the cyber personnel in both groups have the same objectives, backgrounds, and motivations. Enterprises that want to be market leaders in their industry should embrace the OT / IT cultural differences and promote organizational structures, events, and training that build empathy for the technical concerns and objectives of each group.
Learn more about bridging the OT/IT gap and other ICS cybersecurity strategies in Implementing IEC 62443 - A Pragmatic Approach to Cybersecurity.