As industrial organizations strive to reduce cyber risks in their operational technology (OT) environments, cybersecurity leaders who look after the enterprise/IT environments are requested to assist in leading the charge.
Many IT cybersecurity veterans have been through their paces over many years, building security controls and experience for IT environments. They have already made some common mistakes and have learned from them. This experience allows them to bring a proper perspective on what it takes to mature a set of security processes to fend off modern threats.
If you are one of the IT leaders who are helping to transfer their knowledge to the OT side of the house, the trick is not to let all that IT security experience go to your head. As a guiding principle, my encouragement is not to make the mistake of assuming that the expertise gained in the enterprise/IT security domain will automatically establish your credibility to know the right path for reducing risk in OT environments.
Innovative enterprise/IT security has enjoyed the opportunity to develop and adapt over the past 20-plus years through trial and error, and has leveraged the data from the ever-evolving threat landscape that arose against it. Unfortunately, charting the course for OT cybersecurity will not be as simple as merging the same strategies and expectations from IT environments over to the industrial control system (ICS) environment.
First impressions can be deceiving. At a glance, it is easy to believe that, because an OT environment shares similar operating systems vendors, network connections, digital architectures, and cybersecurity risks as IT, there is a 1:1 relationship between the two worlds. That is not the case.
As an IT person, it is essential to remember that the OT environment has a unique mission that leverages diverse systems, and these different systems face distinct threats. It is also important to remember that the people responsible for these environments come from a unique background of knowledge and experience.
To put it directly, the software and hardware supporting the IT environment rarely mandate real-time operations. If that environment is compromised or degraded, it is unlikely to cause personal injury or environmental harm.
The people supporting the OT environment, however, interact with software and hardware that is unique to their mission and can be sensitive to real-time constraints and often deal with the physics of the real world. If a system within the OT environment is compromised or degraded, it could damage the surrounding environment and lead to physical harm or death to people in the vicinity.
Along those same lines, disruption or degradation of these OT environments will affect the organization entirely differently than the IT systems would. Some basics of IT security do not always apply to OT environments—or their importance may be reduced in comparison with other risks around factors like physical safety, environmental impact, and process availability.
I will give you a classic example of what it looks like when an unaware IT professional comes onto the scene with OT operators/engineers, and is not ready first to listen and learn. IT professionals have been known to walk confidently into the OT environment and demand swift patching of specific systems or applications with little input, not asking the operators questions about the situation. In doing so, they will more than likely hit a brick wall with the OT operators and engineers.
These IT people may fail to realize that, while it is a relatively simple matter to patch a similar IT system, the OT staff may not even have the contractual standing to do so. After all, vendors provide guarantees and warranties for systems and equipment at a preset level of configuration. Something as simple and routine as patching could void these contracts if the vendor has not given their appropriate blessing. We can apply the same types of considerations to many other security controls, such as network segmentation and access controls, endpoint protection, role-based access controls, disaster recovery, and even passive monitoring solutions.
Often in these vulnerability management situations, IT professionals do not fully understand the complexities of the OT environment well enough to see that sometimes the known flaw may not threaten the ultimate safety or mission of that system. One study by Dragos found that 64% of all industrial related vulnerabilities do not introduce any risk, and that a further 34% were inaccurately classified. This study highlights how a "patch-at-all-costs" mentality does not always make sense for an IT environment, let alone an OT environment.
The point of this example is to highlight that, as domain experts in IT cybersecurity, you must still learn a lot about OT systems before making demands or prescriptive advice.
Before we can even start on collaboration with OT operators, IT experts need to ensure we drop our egos at the figurative door and instead bring inquisitiveness and empathy to the table. That will take humility. It will mean asking questions, staying quiet, and listening to the answers before jumping to conclusions and recommendations.
In my humble opinion, this is the first step on the journey to establishing effective collaboration between IT and OT for better cybersecurity across both environments. In future blog installments, we will talk more about what the next steps may look like in the OT environments that you are supporting.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.