Due to the isolation of operational technology (OT) environments from IT environments, cyber threats have historically been of little concern to asset owners. However, as the business benefits of digital transformation to industrial environments represent too much of a competitive opportunity to ignore, the convergence of the distinct worlds of IT and OT introduces cyber risk to highly vulnerable industrial control systems.
To realize the benefits of digital transformation while mitigating the inherent cyber risks, IT security teams and asset owners must lay the groundwork for effective cooperation by adopting the following best practices:
To successfully engage with OT asset owners, IT security teams must understand how these teams’ objectives and priorities differ from their own, and also gain alignment on their common goals. While operations teams on the front lines of manufacturing floors are primarily interested in productivity and efficiency, it is equally important to them to manage operational risks that could negatively impact safety or business continuity.
Rather than getting caught up in the jargon of cybersecurity, leveraging the common language of risk management can enable IT security and asset owners to establish common desired outcomes and gain alignment. As an example, avoiding incidents that result in unplanned system downtime is particularly top-of-mind for asset owners, as such events can quickly cost millions in lost revenue. In contrast, the primary objective of IT security is to protect and uphold the integrity of data, as a data breach. As with OT personnel, avoiding financial loss is a major concern for IT security teams: a single data breach can easily cost an organization millions.
While the overarching objectives of IT and OT teams are aligned in this regard, the inherent differences in their priorities can cause friction without proper alignment. While an IT security team may be inclined to recommend patching and compensating controls to minimize the risk of an incident, OT teams are particularly concerned about downtime of their fragile environments, and will often resist the implementation of controls they perceive as risks to the business.
To overcome this tension, IT and OT teams must take a collaborative approach to addressing the cyber risks posed by IT-OT convergence with a strong sense of mutual understanding. On one hand, OT personnel must recognize cybersecurity as an organizational imperative, while on the other hand, IT security teams must recognize the importance of OT efficiency and the staggering opportunity cost of downtime. Strong organizational leadership can be instrumental in overcoming the cultural differences between IT and OT in order to achieve alignment.
Overcoming differences in culture and objectives is crucial for successful engagement between IT security teams and OT personnel, but that’s only the first step. To make any meaningful progress in fortifying their organization’s industrial environments, IT security must be able to accurately identify risk by leveraging comprehensive and timely visibility into OT assets, processes, and networks. Achieving this visibility involves overcoming numerous hurdles, such as a lack of standardized technologies and protocols, potential operational disruptions, remote access connections, and difficulty obtaining sufficiently granular data.
Overcoming these challenges is a worthwhile endeavor. Crystal-clear OT visibility is essential for empowering IT security teams with the situational awareness needed to quickly identify vulnerabilities and threats, accurately assess the level of risk, and set priorities accordingly. And since OT personnel are averse to unnecessary operational disruption, the ability to accurately prioritize OT security concerns is foundational to effective IT-OT engagement and the creation of win-win business outcomes.
The useful life of OT assets can span several decades, and most OT environments include extensive legacy architecture that far predates digital transformation and modern cybersecurity standards. So after gaining much-needed visibility into their organization’s OT environment, IT security teams are likely to find an outdated environment that was clearly not designed with security in mind. Upon such a discovery, the knee-jerk reaction of many IT security professionals may be to completely restructure the OT environment. But given the fundamental imperative to avoid costly operational disruptions, IT must instead work closely with OT personnel to gradually build out implementation of cybersecurity best practices in a non-intrusive manner. This frequently involves a conversation about the common goal of risk management, centered on prioritized mitigation of the risks that matter most, and an engaged dialogue about how to mitigate cyber risk without creating an unplanned outage through hasty action.