by Michael Litherland, Cyber Security, Thales Australia
Many industrial organisations still view IT (Information Technology) and OT (Operational Technology) security as separate issues to be addressed in isolation. While IT and OT environments are foundationally and functionally different, in a world of increased and pervasive cyber risk convergence between the two can no longer be treated as optional – it needs to be a mission-critical objective.
A recent report by the World Economic Forum identified cyberattacks on critical infrastructure and strategic industrial assets as now being one of the top five global risks. With this in mind, it is worth noting that the typical view many industrial companies take of the security of their IT and OT spheres is that each still poses its own unique set of challenges, which need to be handled in isolation, the reasoning being that the differing concerns and practices of each are justification enough to warrant a siloed approach to security.
Siloed approaches in themselves mean a disparate and non-cohesive structure. Gaps in the cyber defence of organisations as a result of the lack of cohesion are inevitable.
Attackers understand where the vulnerabilities lie and have the expertise to exploit the security gaps between IT and OT technologies. They understand full well that those responsible for organisational cyber defence can have different priorities and practices. Specifically, within the business, there can be differing functional requirements, different working cultures, and different risk appetites. It’s no surprise then that these environments also have the propensity to be dissimilar and divergent when it comes to their own security requirements.
In industrial organisations, security has traditionally been divided across three silos: IT security, OT security and, additionally, physical security (plant security and system integrity). This divide has made it difficult for operators to identify and respond to incidents when they have occurred. Coupled with the historical aspect of siloed priorities in terms of security requirements, with IT security focusing primarily on confidentiality and OT security on integrity and availability, modern-day operations have been placed under immense pressure and scrutiny. New challenges have now arisen from the complexities formed out of elaborate IT and OT infrastructures, which typically include thousands of devices, all being connected via the IIoT (Industrial Internet of Things). These complexities have changed the game yet again, making it even more difficult to detect, investigate and remediate cyber security threats and incidents.
From the perspective of the electricity grid, the potential societal consequences of a cyberattack require operations to take place in a certain manner. The priority of an operator is to ensure the safe and reliable delivery of electricity. Having this as the key responsibility in turn leads to other differences across areas, from component lifetimes and patching practices to audit timelines and additional functions. Reliability of service in the electricity sector is of utmost importance and becomes an overarching goal.
These security challenges are also often exacerbated by the communication barriers between the two groups and the fact that they quite probably have different reporting and governance structures.
This lack of coordination and communication becomes especially risky in times of emergency where the organisation has been the target of a cyber-attack and needs to formulate a cohesive, comprehensive response to, or in fact recover from, a cyber incident.
Protection of the various spheres in an organisation is obligatory. However, in order to protect a complex attack surface, many industrial organisations are devising ways to converge their IT and OT working groups. This is an onerous task in itself, as each group has a tendency to believe that it inherits its security vulnerabilities from the other. This finger pointing tends to entrench an eternal battle in which each domain plays a defensive role and devises mitigation strategies against risks posed by the other side. The issue is not purely internal, however: the area of conflict that exists between the groups is precisely the space that attackers need in order to exploit an organisation.
The difference between the IT and OT environments highlights the first of two fundamental barriers that need to be overcome. IT environments are dynamic, and IT systems are often patched, upgraded and regularly replaced. IT personnel have their concerns centred on the confidentiality of data, followed by integrity and availability. As knowledgeable as IT staff may be in their fields and as up to date as they may be on trends and threats, their ability to operate outside their sphere is limited. IT personnel often lack exposure to, and are typically unfamiliar with, OT networks and control systems.
OT staff work in a world where stability, reliability and safety are top priorities. Their remit is to maintain the stability of complex and sensitive environments, quite often with legacy systems that have not been upgraded in decades.
This inherent environmental difference due to business priorities and culture can be pervasive and quite often divisive without pointed remediation.
Furthermore, the different technologies utilised within each domain, the second fundamental barrier, have the propensity to cause unnecessary tension. Within the realm of IT, personnel are accustomed to working with the latest hardware and software, including the very best security available to protect their network. Their time is spent patching, upgrading and replacing systems. Whilst IT has ownership of its sphere, what it sees as its world and the responsibility and accountability it should have are altogether different things.
OT, on the other hand, has the propensity to function with legacy technologies, many of which pre-date the internet era. Common features of the IT environment are lost in the OT world, and the lack of basic security controls such as authentication and encryption is often disregarded.
C-level support is the first step towards instigating IT/OT convergence and, ultimately, towards bringing about a harmonious unification of practices in IT and OT. In order to unify strategy, security thinking and practices, the objective of organisations is to create a culture of collaboration between the disciplines.
Despite the divide, there are organisations that have successfully facilitated deep collaboration between IT and OT, and in each case the driving factor was the remit given to the C-suite and the support it provided.
In order to facilitate convergence, some organisations have created C-level roles to bridge the gap between the two. For example, it is not uncommon to see a Chief Digital Officer whose role is to bridge the divide between IT and OT through the merging of culture and by the establishment of incident management responsiveness that spans both groups.
To make this happen, more and more organisations are taking senior, experienced engineers from OT units and assigning them to support incident response within the Security Operations Centre (SOC). This in itself helps to create an environment where people, knowledge, processes and technologies straddle and work to unify the IT/OT fence.
What consolidating IT and OT cybersecurity efforts achieves first and foremost is to clarify responsibilities and, more importantly, to eliminate security gaps. It also ensures consistency of security levels across the entire organisation and leads to reductions in the overall cyber risk. The key objectives of this form of consolidation are therefore to entrench a shared responsibility for end-to-end cybersecurity, to ensure global corporate governance of all cybersecurity policies, procedures, technologies and guidelines, and to support global visibility and management of all cyber assets, vulnerabilities and threats.
The elimination of the IT and OT silos is critical to the goal of reducing risk. The aim should be to create a single digital security and risk management function/structure with a direct report into IT, but with a responsibility that spans all of the requirements of IT and OT security.
Therefore, in order to be effective, a converged IT-OT cybersecurity program needs to ensure centralised oversight of the entire organisation's cyber security efforts and, additionally, have the authority vested in the group to be able to implement key objectives. Implementation of key objectives can be through formal organisational changes or via virtual teams that work in IT groups, OT groups and security operations centres (SOCs). The integration of third parties with specific capabilities should also be a consideration in order to address the ongoing shortage of cybersecurity professionals.
Any organisation going through change will inevitably encounter varying degrees of resistance. While the benefits derived from converging IT/OT cyber security strategies may seem obvious, the transition is likely to be arduous due to personnel implacability and the complexity of two stand-alone operating functions being subsumed into one cohesive structure.
Some of the initiatives that companies utilise to ease the transitions are:
- Establish cross-trained site teams in order to handle routine security hygiene
- Create a global support network of IT and OT experts in order to deal with more complex cyber issues such as malware intrusions and anomalous behaviour
- Update key IT/OT cybersecurity processes from vulnerability management to incident management
- Ensure compliance with corporate policies
- Integrate cybersecurity technology to enable coordinated cybersecurity management
There also needs to be an understanding that, whilst the tools required by IT and OT might need to be different, they do need to be compatible and fully integrated in key areas such as asset inventory, endpoint and network protection, security monitoring and reporting, and secure remote access.
Beyond the technical challenges posed, inherent cultural issues also need to be addressed. Distrust between the two groups may on its own be the biggest hurdle to overcome. Methods that might aid in easing the transition in this regard include workshops to reconcile perspectives and the cross-pollination of groups in order to build bridges and re-establish trust.
The challenges posed in bridging the gap between IT and OT security are real but not insurmountable. As both IT and OT infrastructures increase in complexity and their dependencies increase accordingly, ownership of cyber security issues cannot take place in isolation. A siloed approach will not work in environments of interdependency because, aside from the internal disruption and inefficiencies of this viewpoint, the gaps and grey areas of ownership create the opportunity for attackers to take advantage.
Convergence of the IT and OT security realms needs C-level support and a framework under which security for both resides in a single location under a single remit. Once a cohesive plan is in place and collaboration occurs between both domains, effective strategies for mitigation in a holistic sense become possible.