In the world of critical infrastructure, there are typically two categories of computing technologies: Information Technology (IT) and Operational Technology (OT). You could think of IT as the servers, user workstations, networks, cloud services, and software that support a multitude of business and engineering tasks. OT consists of the embedded devices that are typically built to support specific tasks, such as field diagnostics, equipment monitoring, and interacting with physical devices.
The importance of OT cybersecurity seems obvious, but in reality, cybersecurity efforts are often skewed in favor of IT. The distinction between these two technologies has been obscured by the integration of IT network protocols in traditionally isolated OT technology. This blurring of OT and IT introduces additional cybersecurity risks into safety-critical plant operations that can often go unnoticed.
While there are overlaps between IT and OT cybersecurity, there are many differentiators that require special consideration. An enterprise cannot simply “bolt on” an existing IT cybersecurity framework and expect good results. Failure to accommodate those differences can result in cybersecurity solutions that do not adequately address threats. In the worst case, an ill-fitting control can take the OT system itself out of operation.
Because nearly every industry in the world relies on IT, there are a multitude of IT-minded cybersecurity professionals and IT-oriented cybersecurity service providers. Cybersecurity specialists typically start their careers in IT disciplines such as network operations, systems administration, systems programming, and desktop support. OT specialists are more associated with traditional engineering disciplines (electrical, structural, civil, mechanical, chemical) or field technician roles that are supported by IT.
While these disciplines are similar, they are often practiced in separate organizational departments, and each department is subject to its own unique challenges such as conflicting priorities, institutional politics, and dysfunctional baggage.
These respective differences can lead to a culture gap that results in ineffective communication between cybersecurity personnel and other operations teams within the larger organization. Ineffective communication and culture gaps can ultimately result in cybersecurity “blind spots” which, in turn, lead to vulnerabilities. To bridge this cybersecurity culture gap, it is necessary to establish common ground and foster a working relationship between cybersecurity roles.
One way to reach common ground is through education, such as industrial control system (ICS) cybersecurity training. These courses are tailored to be useful for IT cybersecurity personnel and OT practitioners. Enterprises can get the most value from these ICS cybersecurity courses if IT and OT professionals attend the same course simultaneously.
Beyond training, enterprises will benefit from fostering strong working relationships between IT and OT. A recurring cybersecurity/OT meeting with clearly established goals, such as reviewing known vulnerabilities, scheduling maintenance activities, or discussing troubling or abnormal events, can be helpful for keeping these groups engaged.
Without diving too deep into the specific technical differences between IT and OT tools, let’s briefly consider network security and host-based security.
IT security plans typically include robust host-based protections, such as secure operating system configurations, centralized patch management, anti-virus software, host-based intrusion detection, vulnerability scanning, and web security agents. OT computer configurations are often tightly controlled by the vendor, and the options for additional host-based defenses may be limited. Adding unapproved security software to an OT system could cause abnormal performance and void critical vendor support agreements. Also, traditional IT vulnerability scanning tools, which actively probe ports and services, can cripple OT systems and, in extreme cases, potentially cause permanent equipment damage; passive monitoring of existing traffic is the safer way to inventory OT assets.
General network security solutions are often more “aware” of the common communication protocols of the IT world than of the OT world. For example, a general-purpose network intrusion detection system may automatically detect abnormalities in a web browsing session. However, that same network intrusion detection system is unlikely to detect abnormalities in Modbus/TCP communications between a programmable logic controller and a control system workstation, such as a write command arriving from a host that should only ever read.
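The following is an added example, not code from the original article, of what protocol awareness means in practice: it parses the Modbus/TCP MBAP header and function code, then applies three simple rules that a generic IT intrusion detection system would not know to apply. The host addresses, the allow-list of engineering workstations, and the sample frames are all constructed for illustration; the function codes (1-4 reads, 5/6/15/16 writes, 8 diagnostics with sub-function 0x0004 "Force Listen Only Mode") are standard Modbus.

```python
"""Protocol-aware detection for Modbus/TCP requests (illustrative, not from the article)."""
import struct
from dataclasses import dataclass

# Standard Modbus function codes that read process data (expected from an HMI or historian).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
# Function codes that change controller state; only engineering hosts should send these.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DIAGNOSTICS = 8            # FC 8; sub-function 0x0004 forces the device into listen-only mode
FORCE_LISTEN_ONLY = 0x0004

# Assumed allow-list: the one engineering workstation permitted to write to the PLC.
ALLOWED_WRITERS = {"10.0.0.20"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU payload after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) and the function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def inspect_request(src_ip: str, frame: bytes, allowed_writers: set) -> list:
    """Return alert strings for one request from src_ip; an empty list means nothing suspicious."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"{src_ip}: malformed Modbus/TCP frame ({exc})"]
    fc = req.function_code
    if fc in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        return [f"{src_ip}: {WRITE_FUNCTIONS[fc]} (FC {fc}) to unit {req.unit_id} "
                f"from a host that is not an engineering workstation"]
    if fc == DIAGNOSTICS:
        sub = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
        what = "Force Listen Only Mode" if sub == FORCE_LISTEN_ONLY else f"sub-function {sub}"
        return [f"{src_ip}: Diagnostics (FC 8) {what} sent to unit {req.unit_id}"]
    if fc not in READ_FUNCTIONS and fc not in WRITE_FUNCTIONS:
        return [f"{src_ip}: unexpected function code {fc} to unit {req.unit_id}"]
    return []


def analyze(packets, allowed_writers):
    """Run inspect_request over (source IP, frame) pairs and collect all alerts."""
    alerts = []
    for src_ip, frame in packets:
        alerts.extend(inspect_request(src_ip, frame, allowed_writers))
    return alerts


# Constructed sample traffic (not a real capture): (source IP, raw Modbus/TCP frame).
SAMPLE_PACKETS = [
    # HMI reads 10 holding registers starting at address 0 -> benign
    ("10.0.0.10", bytes.fromhex("00010000000601030000000a")),
    # Unknown laptop writes 0x00ff to register 16 -> write from non-engineering host
    ("10.0.0.99", bytes.fromhex("0002000000060106001000ff")),
    # Same laptop sends Diagnostics sub-function 4 (Force Listen Only Mode) -> device silenced
    ("10.0.0.99", bytes.fromhex("000300000006010800040000")),
    # HMI reads 8 coils -> benign
    ("10.0.0.10", bytes.fromhex("000400000006010100000008")),
    # Engineering workstation writes one register (FC 16) -> allowed
    ("10.0.0.20", bytes.fromhex("000500000009011000000001021234")),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)
```

Run against the constructed traffic, only the two requests from the unknown laptop produce alerts; the HMI reads and the engineering workstation's write pass silently. A generic signature engine sees the same five packets as unremarkable TCP/502 traffic, which is exactly the gap the paragraph describes.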
Luckily, there are numerous OT-oriented cybersecurity tools, such as ICS network intrusion detection systems, data diodes, OT vendor-approved antivirus software, removable media scanners, and so forth. Any ICS cybersecurity tool should be carefully selected based on product evaluations and an understanding of the specific risks, threats, and existing mitigations. While tools are helpful, one must also ensure that properly trained personnel are dedicated to the operation, maintenance, and monitoring of those tools.
The National Cybersecurity and Communications Integration Center released a list of “six questions every C-level executive (in infrastructure industries) should be asking.” Unsurprisingly, the top question was “what’s at risk?”
The damage caused by IT and OT risks is different. IT security breaches can negatively impact productivity and result in financial loss, while OT security breaches can cause injury, loss of critical public services, and even loss of life. Even though the consequences of these threats are recognized, OT practitioners and IT-focused cybersecurity personnel may not easily recognize the cybersecurity risks that may contribute to plant service disruptions or catastrophes. While personnel at a small regional plant may consider themselves too obscure to attract global cybersecurity threats, the reality may be that they will face attacks from amateur hackers or even well-funded, nation-state adversaries that are pivoting to larger targets, or simply testing attacks.
An organization with an already mature IT cybersecurity risk management framework often can easily adapt to manage OT cybersecurity risks. However, the more significant work lies in integrating OT cybersecurity risk management into the larger process of system engineering and design. Sometimes it’s as simple as knowing when to even consider cybersecurity risks on an OT project.
If OT technicians are unsure whether an OT device poses a cybersecurity risk, they can ask the following questions. If the answer to any of these questions is “yes,” it is recommended that they evaluate the cybersecurity risks posed by the device:
- Can the device connect to a personal computer?
- Can the device wirelessly transmit/receive data?
- Is data loaded to or unloaded from the device using removable media?
- Is the device in an unprotected area with easy physical access?
- Is the device configurable through an on-board interface?
- Can the device be expanded to include network interfaces?
- Does the device connect to the internet?
Good cybersecurity requires a defense-in-depth approach that encompasses IT and OT. Bridging the gap between IT and OT cybersecurity is a significant challenge that can be overcome through problem recognition, careful planning, commitment to finding effective solutions to the issue, and dedication of required resources.