July 10, 2019
How To Achieve IT/OT Convergence

IT/OT convergence can be a challenge, but with some basic insights and effective relationship management, these crucial projects can succeed.

Operational Technology is Information Technology in non-carpeted areas, like plants and factory floors, and usually controls something physical. This could include industrial control systems (ICS), energy management systems, supervisory control and data acquisition (SCADA), distributed control systems, power grid, and HVAC systems.

Typically, OT is proprietary while IT is highly standardized. OT systems can last up to 25 years while IT has a short 3-5-year lifecycle. When these systems were installed 10 to 25 years ago, operations were the top concern and no one really cared about security. Now that these systems are being connected to corporate networks and beyond (i.e., the Internet), OT has become a target for terrorists and nation-states, who are going after our grid, our critical infrastructure and even devices in the supply chain. In light of this, security has become a crucial concern.

Another major driver for IT/OT convergence is the challenge of meeting complex compliance standards and using common cybersecurity frameworks that require IT and OT to work together. In addition, the push to the cloud means that OT vendors must adopt IT standards.

The IT and OT organizations typically exist separately and have vastly different structures and cultures. With the need to combine these, many challenges need to be overcome. As an individual who has had the great fortune of working in OT, IT and cybersecurity functions, I have seen the challenges from all sides. Here are some tips to ensure your IT/OT convergence project is a success.

Relationship management is key.

IT and OT have to work together, or it won’t work. Pure and simple.

Cross-training between the organizations and open communication with leadership are absolute necessities. The best-case scenario is to let your security or IT professionals live in the OT realm for a year or so first, but barring that, cross-training for a few months or weeks before actually making changes is necessary. In a 6-month project, for example, at least half of that time should be cross-training to understand how the goals of IT/Security differ from the goals of OT.

Once you understand the difference in business goals, then you can work together to get to security maturity.

Be sensitive to culture.

Culture is the biggest reason people have trouble with these projects.

Generally, OT personnel have been around for 20 years or more, working on proprietary technology they may have helped create. They are not always receptive to change, especially when it comes from some upstart who doesn’t fully understand the very real implications of the changes they are recommending – changes that could impact things they rightly care very much about, like safety and availability.

The CIA triad ingrained in every security person – confidentiality, integrity, availability – is flipped for OT experts, who often only care about availability. Many OT systems have no info to steal because no information is stored there. On the other hand, availability is paramount. The system needs to be running all the time to not endanger the safety of the workers and to ensure the business keeps running.

The fact is, OT is being asked to come around to IT’s thinking more than the reverse, and they are less used to change given their generally static experience. IT and cybersecurity professionals need to understand this to ensure success.

Understand what OT cares most about and why.

It helps to walk in each other’s shoes. OT personnel often don’t want you there. Spend time with them, learn their world, and get to know them before you try to change it.

As an IT professional with a degree in cyber defense, I had the opportunity to work at one company first on the OT team and then on the security team. The company took the practical, unique approach of taking Security people and teaching them OT instead of the opposite. This gave me the unique experience of living all three functions – IT, security and OT.

When you live and breathe OT, you learn quickly what security means in that world. I remember walking through the halls of the plant, looking at photos memorializing beloved co-workers who had been injured or even killed on the job, and the truth sank in quickly. OT has its reasons for resisting change without the full understanding of the implications. Your average IT person doesn’t have the same pressure.

With that said, focus on the common ground of what you all care about. Often, that is staying out of the headlines and knowing what’s on the network and when changes happen.

Making a mistake can literally be life or death.

Often you are making changes on production systems. You have to know what this means. Making a mistake on an OT network is a big deal. It is a tightly orchestrated environment, and the system needs to be running all the time. The physical consequences of going down don’t exist on an IT network. IT cares about revenue, and OT cares about safety. It matters to the business financially, and OT understands that. But most importantly, they know a mistake could hurt someone.

Learn how to communicate.

Communication is vital to success. Sometimes you have leadership buy-in, but no actual authority, so you have to be able to convince and persuade before you actually do anything.

Recognize you are a salesperson selling the benefits of security. You have to explain why this is a good thing for them and for the company. Put it in practical terms, not technical ones – for example, “We all want to stay out of the headlines.”

Listen, explain what you are doing, take their concerns into account. And build trust – do what you say you are going to do and nothing more.

You can’t treat each OT system the same.

Every OT system is different. As plants, devices, or manufacturing lines are typically built at different times, the same company could have OT systems that each have a different control system from different years, maybe with different vendors. They operate the same but with different underlying technologies.

The plants also may be very culturally different. You can’t assume anything; you should approach every experience as a unique one.

The example needs to come from the top.

Leadership buy-in is another non-negotiable for these projects to succeed. Visible, ongoing support from the top will go a long way to keep the momentum going. It is necessary, although not sufficient, for these projects to work.

Find someone influential who believes in what you are doing.

A shortcut to building trust with the larger OT group is to build trust with someone who is well-respected. Let them spread their belief in you to the rest of the organization.

Don’t engage in a culture battle.

Fighting back when they fight you won’t get you there. If you hit a culture roadblock, go to your leader and let them engage the OT leadership. Let them get everyone on the same page. Then, proceed professionally as before.

Work physically, not remotely, whenever possible.

When you work on OT systems, it is good policy to do it physically, not remotely. There are a lot of reasons for this.

  1. You can show them what you are doing and why. It is a good idea to teach the person it impacts, and whose job it will be in the future. This is a good opportunity for cross-training, as you are learning from them at the same time. This also builds the feeling of partnership.
  2. If something goes wrong, they won’t panic like they would if you are remote.
  3. You can react quickly if you are there and something goes wrong or an alert goes off.

About the Author

Benjamin Carroll
Senior Security Analyst

Benjamin, previously an Industrial Security Engineer, holds a number of certifications, including CISSP and GIAC, and has trained with Homeland Security in defending industrial control systems.