By John Maddison, Senior Vice President-Products & Solutions, Fortinet
For decades, computer and data networks – known as Information Technology (IT), and industrial control system (ICS) operations and process control groups – often labeled as Operations Technology (OT), have run as isolated and independent networks, with entirely different objectives and requirements. That is beginning to change.
At its most basic level, IT is responsible for the creation, transmission, storage, and securing of data. Network compromises can have an immediate financial impact on an organization, often resulting in such things as the loss of customer confidence, fines and penalties, and even lawsuits.
OT, on the other hand, is focused on establishing and maintaining control processes with physical impact, such as manufacturing floors and production environments, whether local or in the field. Recent developments, including the need to more effectively compete in the digital marketplace, are now causing these traditionally separate environments to converge. A growing number of industries have already begun integrating networking and digital communications into the OT space by deploying new Industrial IoT (IIoT) devices such as smart meters, automated asset distribution systems, and self-monitoring transformers.
OT Security Challenges
These changes aren’t without risks. A cyber attack that successfully targets an OT ICS, supervisory control and data acquisition (SCADA) control system, or even connected devices such as valves, gauges, or switches, could result in devastating physical consequences to such things as critical infrastructure and services, the environment, and even human life.
Other concerns include the inability to properly identify, measure, and track risk, IT outages that impact customer-facing systems, and the interruption of business operations due to a catastrophic event. These challenges are being compounded by the lack of security expertise inside organizations, not only within their own in-house staff (reported by 40% of organizations), but also with the third party vendors they outsource their security services to (41%). This is not just due to the growing cybersecurity skills gap facing the entire computing industry, but also the fact that even available security professionals have little experience with OT environments.
As a result, nearly 90% of organizations with connected OT infrastructures have experienced a security breach within their Supervisory Control and Data Acquisition and Industrial Control Systems (SCADA/ICS) architectures, with more than half of those breaches occurring in just the last 12 months. Security concerns include viruses (77%), internal (73%) or external (70%) hackers, the leakage of sensitive or confidential information (72%), and the lack of device authentication (67%). And over a third are now concerned with the exploitation of backdoors built into connected IoT devices.
These and other challenges have resulted in strong internal resistance against bringing these two teams and infrastructures together, with mistrust coming from both sides. This is primarily due to these teams having fundamentally incompatible approaches to addressing cyber risk.
IT’s top security priority is protecting data, including intellectual property, corporate financials, and employee or customer private data. To address these challenges, they tend to follow the traditional CIA hierarchy for security: confidentiality, integrity, and availability.
OT, on the other hand, uses an inverted CIA model, where availability comes first, and safety is typically the top priority of availability. OT teams need to ensure that such things as control processes and production yields are not put at risk due to network changes. As a result, infrastructure components in OT networks tend to have extended life cycles, and traditional IT best practices like patching and updating can potentially take a currently functional system offline, with significant and unintended consequences.
How to Get Started
These differences are not intractable. Careful planning and coordination, combined with open communications and effective listening are critical to converging these different environments and reaping the potential benefits. These include:
Strategic executive alignment: Team leaders need to all understand and agree to the business objectives and benefits of converging these resources. Common goals and clearly defined outcomes help all teams drive towards an effective solution.
Establishing a joint task force: Once goals and outcomes are defined, few approaches are more effective than bringing representatives from all impacted teams together to voice concerns, debate strategies, scope out the project, and develop a common set of processes. The first objective should be to educate each other on the challenges such a project entails. This will help drive a solution that all parties can embrace. However, be prepared for this process to take some time.
Running pilot programs: This generally goes without saying, but every step of the process outlined by the joint task force needs to be run, sometimes repeatedly, in a controlled environment before turning it on in a production network. There is a lot at stake, so fine tuning operational controls, security measures, and contingency plans before applying them to a live environment is essential.
Convergence covers more than technology
Integrating IT and OT requires more than converging networking resources. It is critical that organizations avoid the pitfalls created by developing a parallel security team for the OT portion of their network. The duplication of staff, training, and resources is not only an expense that few organizations can sustain, but resulting organizational gaps can also raise governance, risk management, and compliance issues.
The Answer to Complexity is Simplicity
Success in the new digital economy requires developing integrated networks that are able to seamlessly leverage all available resources, even those ICS/SCADA systems deep inside your OT network. While malicious cyber actors demonstrate their ability to exploit the expanding digital attack surface, organizations need to respond not by adding new isolated devices to their security wiring closet, but by deploying an integrated security framework which prioritizes critical functions such as speed, collaboration, advanced analytics, and risk-based decision making. Such an approach, built around a flexible fabric strategy, enables comprehensive protection at machine speed and scale, while integrating appropriate solutions across both IT and OT environments into a single, centralized, and automated security system.