Information Technology (IT) / Operations Technology (OT) Convergence Security industry leaders from around the world regularly submit applications to speak at the annual RSA Security Conference which takes place this coming February. RSA reviews the more than 2,400 responses they receive to not only select speakers for the conference, but also identify key trends that are influencing organizations and security approaches worldwide. One of the ten trends identified for the upcoming year is the convergence of Operations Technology (OT) and Information Technology (IT). The merging of these two worlds is introducing multiple challenges for CIOs, not only from the perspective of security and protection, but contending with a diversity of cultures between the two. It seems that OT and IT professionals see the world through different lenses and are accustomed to disparate practices and conventions in how they do their job.
Network connectivity introduces vulnerability
The challenges introduced by this convergence is but one example of the macro trend of digital industrialization, otherwise known as Industry 4.0. This fourth industrial revolution is forcing physical and cybersecurity worlds to congregate. In order to digitally transform their organizations and obtain essential advantages such as automation, machine learning, agility and transparency, business units that have been traditionally siloed are now becoming connected to the world. This of course includes manufacturing. While it may prove highly beneficial to tear down protective walls and open formerly sequestered networks to telemetry data, it also creates attack avenues for hackers, cybercriminals, and advanced malware strains. In the same way that unforeseen cultural and societal influences are introduced to an isolated country that suddenly opens itself to the world, the worlds of OT and IT are finding it difficult to work with another once the initial salutations and acknowledgements are over.
How IT and OT are different
While both acronyms may share a common letter, there is a lot of dissimilarity into how these two units are managed. IT deals with digital information, an invisible stream of binary 1s and 0s that flow between virtualized nodes encased within software-defined infrastructures. OT deals with machines, things you can see and actually touch that involve processes that have historically been manually operated. According to Gartner, OT consists of hardware and software that is involved in the direct monitoring and/or control of industrial equipment, assets, processes, and events. Traditionally this has included industrial control systems (ICS), supervisory control and data acquisition systems (SCADA), and other OT devices. Because OT worked in isolation, cybersecurity was an afterthought at most. By IP-enabling these systems and devices however, cybersecurity is now suddenly paramount in order to secure the increased attack surface that these devices create within your IT estate, as many are not created with security in mind. OT now must contend with dangers such as APT (Advanced Persistent Threats) that are not prepared for.
Cultural Differences between IT and OT
Because of all of this, OT must now not only enhance manufacturing industrial processes, but protect them as well. In order to do so, they must turn to IT who is all too familiar with combatting these menaces. IT however, works in a very different world, and thus brings different experiences and perceptions that do not always coincide with OT. Some of the notable diversities include the following:
- OT has historically focused on physical security while IT is focusses on digital threats.
- OT is accustomed to risks related to reliability and availability. OT customarily defines risks as operational consequences, environmental damage, or production shutdowns due to human error. IT on the other hand defines threats in the context of nefarious actions initiated by an attacker in order to attain malicious objectives.
- While OT is versed in technology, OT professionals often come from an industrial background and do not have the broad technology perspectives of dedicated IT professionals.
- Both groups use different protocols and tools. OT comes from a perspective of scaling workloads and manufacturing processes as much as possible while IT dedicates themselves to segmenting processes through firewall rules, access control lists, and VLANs.
- OT environments are far more static when compared to IT networks, as change has historically evolved far more slowly. This is evident in their purchasing patterns as OT groups often plan for 10+ year cycles while IT groups think in terms of three-plus year cycles.
Communication and collaborated understanding are the key
While these differences of culture and perspectives present real challenges, they are ones that can certainly be overcome. Time of course is the great equalizer that breaks down communicative barriers and entrenched viewpoints, but time is not something that companies have much of as they race to complete their digital transformations. One approach to help break down communicative differences and encourage greater collaboration between OT and IT is through the implementation of the Duty of Care Risk Analysis Standard (DoCRA). A duty of care risk analysis can identify and evaluate risks and safeguards to develop reasonable security controls. This risk assessment enables IT, legal, and executive teams to communicate in a common language that can be understood and accepted. DoCRA takes all perspectives and develops a security strategy based on their mission, objectives, and obligations. The purpose of a risk analysis is not to identify and align every possible outlying or internal threat with an involved solution. The goal is to define what is “reasonable” and what strategies can make sense to all of the involved stakeholders.
DoCRA at RSA Conference 2020
As authors of the Duty of Care Risk Analysis Standard (DoCRA), HALOCK Security Labs has a unique insight on finding that balance with compliance, security, and social responsibility. We look forward to sharing best practices and how to define acceptable risk at the RSA Conference in San Francisco in February 2020. We invite you to join our partner, Jim Mirochnik, as he presents how IT can translate their InfoSec requirements to executives and get the resources you need by simply speaking in a language all teams can understand and accept.
InfoSec speaks the language of risks and costs, while Business speaks the language of rewards and revenue. The lack of a common language leads to InfoSec struggling to secure the budgets they truly need. This session demonstrates, using case studies, how the invention of Duty of Care Risk Analysis (DoCRA) can create a common language with the Business and help secure appropriate budgets.
- DATE: Feb 28, 2020
- WHERE: Moscone Center – San Francisco
If you want to learn more about the collaborative approach of DoCRA, request one of our Duty of Care Risk Analysis (DoCRA) presentations from key conferences this year:
- Infosecurity ISACA North America
- (ISC)² Security Congress
- Cyber Security Summit Chicago
- Health Management Academy
- CyberNext Summit 2019 – KuppingerCole Analysts
- Compliance Week Webinar: The Questions A Judge Asks You After A Data Breach
- American Health Lawyers Association (AHLA) Webinar: Duty of Care Risk Analysis (DoCRA) “Adopting Duty of Care Risk Analysis to Drive GRC”
- Health Care Compliance Association (HCCA)