According to a recent ARC Advisory Group survey, 70 percent of respondents said their companies are on the road to information technology/operational technology (IT/OT) convergence. That means a lot of organizations have become familiar with the challenges of securing and integrating industrial systems and devices — but not all challenges are technology-related. In fact, just as many are man-made, such as conflicting priorities between teams, limiting beliefs and improper investment in pilot programs.
How can organizations overcome these obstacles to ensure their IT/OT convergence journey is a success? The first step is awareness. Here are three common challenges that IT and OT teams face and how to overcome them.
Conflicting Priorities Require Compromise
One of the biggest challenges for IT/OT convergence projects is that IT and OT teams have different priorities. A director of IT security is concerned with implementing security controls and policies that reduce their attack surface, but an industrial control systems engineer is more concerned with automation and efficiency of processes. IT teams want new solutions for new problems, but OT teams want tried and true methods to ensure reliability.
OT professionals tend to be more concerned about the availability of their systems, rather than their security. As a result, an anti-virus solution deployed on an industrial control system might never get updated because it isn’t connected to the internet, or an outdated operating system required to run a decades-old industrial system might remain vulnerable to a decades-old attack.
For example, an organization with several manufacturing plants had a security risk assessment performed by an IT consulting firm. Their conclusion was that the workstations were not secure enough and should lock themselves after some period of inactivity. This new policy raised a red flag for the process automation team because they believed it was possible for the inactivity timeout to be activated during normal operations. After a lengthy discussion about the possibility of production downtime, they reached a compromise to enhance the physical security of accessing the control rooms instead of the workstations.
Break the Mold of Rigid Thinking
One of the biggest limiting beliefs for convergence projects is that OT systems need to converge into an IT framework or vice-versa, but the reality is that both perspectives are equally valuable (and each have their own priorities).
There is now an industry shift to promote internal OT leaders into security officer roles. Establishing an IT CISO and an OT CISO can help balance objectives and perspectives to enhance collaboration. For organizations that do not yet have two distinct CISOs, an IT-focused CISO should make it a priority to collaborate with the OT asset leads, such as factory owners, plant directors and so forth to ensure that multiple points of view are taken into consideration while problem-solving.
For example, an organization wanted to monitor their entire production network with 100s of sensors. The IT department suggested a wireless connection to avoid running more cables through the production floors. However, some of their factories were close to a shipping route that was already interfering with the wireless connectivity of some of their existing devices. Every time a ship drifted too close to a factory, many of the devices — including its wirelessly-connected autonomous robots — stopped working. Needless to say, the OT team was not thrilled with the idea of bringing in more wireless devices (not to mention they were concerned with the cost and complexity of certification efforts). Both teams agreed to investigate deploying the sensors on existing networking equipment to avoid the cabling and certifications.
Expand Your Scope
There is a short-sighted trend across the industry where organizations are restricting their OT security initiatives to smaller pilot implementations. This prevents effective scaling and evaluation since the small teams tasked to assess the value of an initiative may not realize the benefits beyond their own experience. It’s imperative that companies encourage scaling implementations in a coordinated manner by identifying a larger group of internal champions to evaluate solutions, lead teams and internally promote pilots.
Another issue with pilot programs is that they may take place at newer facilities that don’t experience the same challenges as older sites. Case in point, one organization made plans to implement new security policies at every remote site, only to realize that they lacked the bandwidth and infrastructure to do so.
When pilot programs don’t bring all stakeholders to the table, there is potential to overlook more holes in the attack surface. For example, a plant manager implemented security controls within the plants, but expected the firewall between the plant and the corporate network to be managed by IT. Later, an assessment showed that the firewall had very few restricting rules because the IT network engineers didn’t know what access was required in order to not impact the production environment.
A Convergence of Opinion
Threat actors are constantly working to create new attacks capable of shutting down critical networks, so it is imperative for IT and OT teams to unite against this common foe. Understanding how IT and OT networks interoperate can help holistically manage risks to the entire enterprise. Taking their different needs into consideration can minimize the potential for disruption. Channel your inner Abe Lincoln to become a great compromiser, consider things from a different point of view and don’t be afraid to broaden your horizons. After all, the process of IT/OT convergence is an opportunity for IT and OT teams to converge together, as well.