April 30, 2020
Beyond IT / OT to Shared Risk-Based Decision-Making

Bridging the gap between IT (Information Technology) and OT (Operational Technology) is a difficult yet crucial challenge to fully protect organizations who have both.

Although IT and OT both have their roots in electrical engineering, they diverged years ago in terms of what is important for them. IT and OT professionals behave in fundamentally different ways, with different focuses and priorities, and few people are well-versed in both. This can create challenges for the two groups to work together smoothly, so it is important for them to make an effort to understand each other better.

Most OT environments are run by engineers and technicians. OT systems are synchronous and complete repeatable process-related tasks such as running electric generators or machines making “widgets” on a factory assembly line. They are deterministic and repeatable with little to no change from one cycle to another.

On the other hand, a majority of IT professionals have a background in computer science. IT systems typically do not focus on repetitive processes; the work is computation-related and changes rapidly depending on different input. In fact, computers are designed to calculate answers to questions and statuses based on ever-changing input that is non-synchronous in nature.

OT equipment was designed with physical security, not cybersecurity, in mind. In the past, work on OT systems was done in physical plants. Safety meant locking the doors, and the main concerns were keeping workers from getting hurt, protecting the process and keeping the process reliable. By contrast, IT views security as stopping attackers from getting data. The process is less important than completing tasks quickly and efficiently, while protecting the data. The concern for IT is getting consistent repeatable answers, not ensuring consistent, repeatable processes.

Today, OT has moved into the digital age and is connected to IT systems and the internet.  Unfortunately, that means OT environments are also open to all the risks found online – in many cases, without changing an approach to security that was mainly physically focused.  Attackers no longer need to access plants to harm OT systems; they can now attack the equipment through the internet, which drastically increases the attack surface.

OT systems are designed to have a 15-30 year life expectancy, compared to the 5-10 year lifespan of equipment in IT networks. While IT has grown up addressing cybersecurity issues like ransomware for 10-15 years, many OT systems still in use were designed 15 or more years ago. To put this in perspective, the first Wii game council was introduced in 2006 (1) and HyperText Markup Language (HTML) was created by CERN researcher Tim Berners-Lee in 1990, giving rise to the World Wide Web.(2) In short, OT people work on technology developed before the internet and the security threats it harbors came into existence.

In a typical IT environment, if your computer breaks, you may lose a word document or an excel spreadsheet (as long as you have backups). You simply get a new computer, reload the data, and you are reconnected and running relatively quickly for a relatively low cost.

If your OT system breaks, you could lose a critical system or process that can take weeks or even months to repair or replace. OT systems typically comprise many sub systems combined together to complete a specific task. Unlike a computer, OT sub-systems are expensive – $100k or more – and are designed to do a specific subset of tasks within the entire system. You can’t replace it with a new powerful part without doing an engineering analysis of how it would affect the overall OT processes, and replacing individual parts can causes complex issues. You can’t easily update, patch or replace OT systems when a new threat is found.

Both IT and OT perspectives are necessary to protect the organization. Here are some ways to effectively bring IT and OT together to make important cybersecurity decisions.

  1. Get executive buy-in.

Keep in mind that people with OT experience typically don’t fill the senior management ranks, so there may be a knowledge gap of how OT works at the executive levels. Ensure that your leadership takes into consideration all points of view from ALL stakeholders including OT.

It is crucial that management understands that OT needs support. If you don’t have buy-in from management, don’t waste your time. Having management support helps force individual stakeholders to work together because they all report up to a central authority. They have stakes in the game.

Keep the communication with all levels in the organization open. It is not a project; it is a life process. Security needs to be in beginning, middle and end, and then repeat because the threats change day by day. Technology evolves, and you have to always questions your decision based on new information from threats, the environment, emerging technologies, and more.

  1. Look at everything as a business decision.

There is always more than one way to solve a problem. A solution that works for one business might not work for another because they make decisions based on their unique goals, risk tolerances and definitions of success.

Identify the stakeholders.

Be sure to include all of the stakeholders involved. These stakeholders could include: IT, which understands the network; executives, who understand the business; controls engineers and technicians who understand OT environment; and Production, which understands costs per minute for the production line. If you leave out any stakeholder, you risk missing a major factor that could affect the entire process and the company

Make sure all stakeholders understand how to take a risk-based approach to cybersecurity.

Stakeholders need to understand real risks and the risk appetite of the organization as they think through what aspects of the business are most important. Is it the widget-making machine? The network? What is needed, and what is not? Safety is paramount in engineering processes, for example, but after that you can start making decisions. Maybe you make fewer widgets an hour to reduce the risk of having the machine shut down for a month to do an upgrade. Can we run at 50% and still be safe, or do we have to stop the process completely?

Share the hard facts and ask the hard questions.

The best way to help people to start thinking in a risk-based approach is to get them together in a room to do a workshop. Challenge them to walk through the answers to questions like: do we shut down now for an hour, or let the machine break and be down for a week? What is the cost?

Using the FUD factor is not ideal, but the issues facing organizations ARE scary, and that fear is motivating. Use real examples of attacks on IT and OT to get your people thinking though how the organization should be ready to respond in the case of similar attacks. Ask them: are they at risk? How should they prepare? Help them understand the risk and think differently. If an attack impacted the IT side of an OT-type business, ask them to consider the impact if the attack had targeted OT computers? (STUXNET was an OT systems attack that was started as early as 2005.)

Ask your team to think about the risks by going through problems on a case by case basis. This is a continuous, evolving process, which organizations will have to work through on an ongoing basis.

  1. Continually question your decisions.

Of the many different frameworks that exist, pick one that makes sense for your organization, and follow through with it. Follow the “PLAN WORK, DO WORK, CHECK WORK, REPEAT” cycle. Take a systematic approach that enables you to continuously assess plans and execute amid the changing threat landscapes and technologies.

  1. Engage people by keeping them informed of new threats.

Keep the people in your organization informed of new threats as well as new approaches to address them across all stakeholders. Review attacks and determine if they could happen to your company or what kind of impact they could have and what your response should be.

Don’t get narrow-minded and think that hacks happen within an industry; look across industries at attacks that are occurring.

  1. Make sure your BC/DR plan takes OT into account.

Test the plan. Make sure it can be executed. Also realize that how each department responds will be different. IT’s approach can and often should be different than that of OT or other stakeholders. Make sure your plan accounts for the differences of each group.

  1. Keep monitoring your environment.

Look at how it’s changed. Determine the key points within your organization where, if someone attacked, you can triage, sectioning off part of network, but keeping the other parts going.

Remember this is ongoing. Rinse and repeat. Forever. And keep changing the plan.

  1. Don’t underestimate what can and cannot be done.

Don’t assume something can’t be done. Problems have been solved by those who did not know that it was considered unsolvable – and with IT and OT bringing their different perspectives together, anything is possible!


1,2  History of Computers: A Brief Timeline, Kim Ann Zimmermann – Live Science Contributor September 07, 2017 found at: https://www.livescience.com/20718-computer-history.html

About the Author
CBI, A Converge Company
CBI Cybersecurity
CBI, A Converge Company, is a leading cybersecurity advisor to many of the world’s top tier organizations. Founded in 1991, CBI provides innovate, flexible and customizable solutions that help ensure data is secure, compliant and available. We engage in an advisory-led approach to safeguard our clients against the ever-changing threat landscape—giving them comprehensive visibility into their entire security program and helping them avoid cyber challenges before they can impact their data, business and brand. We are dedicated to the relentless pursuit of mitigating risks and elevating corporate security for a multitude of industries and companies of all sizes.
I Need To...