Five Ways to Overcome the Cultural Barriers to IT/OT Security Convergence

Working Together, IT and OT Must Mitigate Risk and Address the Inevitable Mandates that Follow Successful Attacks

In my previous column, I provided some insights into the disconnect that exists between IT and operational technology (OT) environments and some practical steps for getting started with convergence. Given that nearly two-thirds of the utility executives Accenture Consulting recently surveyed identify overcoming cultural barriers and organizational silos as the top challenge to IT/OT integration, this aspect of convergence bears further discussion.

The need to bridge the disconnect between IT and OT environments is being driven by two main factors. The first catalyst is regulatory requirements. When assessments and audits reveal that an organization is not in compliance with certain standards or emerging requirements, boards of directors and executive teams will mandate that leaders in the IT and OT domains come together to comply. The second catalyst is the increasing focus by malicious actors on industrial targets – the power grid, manufacturing floors, and other critical infrastructure. Working together, IT and OT must mitigate risk and address the inevitable mandates that follow successful attacks.

Trying to deal with cultural barriers and silos while under pressure to respond to directives or an attack is rarely advisable. Instead, here are five recommendations that can help you, as an IT security professional, proactively work in partnership with your OT counterparts to protect the business better.

1. Involve the right people. From inception, you need to ensure the right people are at the table. Typically, executive management establishes the desired outcomes that drive policy, procedures, and requirements. Senior IT personnel must ensure that the right security controls are in place to align with the needs and requirements of the business. They must also develop a plan for the operations domain that supports the broader security strategy and goals without negatively impacting operations. This plan should be created in collaboration with OT leaders and lead support personnel from the top-performing or most critical facilities. Trusted advisors, whether internal or external, can also play an important role in facilitating discussions, helping to make connections, and providing innovative solutions and approaches to problem solving.

2. Look for alternative technology-based solutions. IT staff look for the most efficient ways to address threats and vulnerabilities, for example patching systems directly. But this approach can involve taking systems offline for hours at a time, which is often not viable for mission-critical systems in an OT environment. Instead, think about the desired outcome and look for alternative ways to reach it. Usually there’s another technology option that will respect the limitations of systems in the OT environment while accomplishing the security goal. For example, if you can’t touch the system directly, then isolate it and only allow authorized communication through.

3. Appreciate that technology isn’t always the answer. There are many ways to support security strategy and goals that don’t require technology-based controls. For example, there is a relatively simple security regulation that states that every time a user accesses a company PC, a login banner must be displayed to warn possible intruders against illegal uses of the system, and to advise legitimate users of acceptable use policies and that systems may be monitored. But in an OT environment, where systems run continuously and authorized users change at each shift without logging in again, how do you address this requirement? A simple workaround that doesn’t involve any IT investment for costly software modifications is to print, laminate, and affix the banner physically to the monitor.

4. Dispense with the fear of duplication. The IT and OT environments both have their own technical staff, so there is some overlap of skill sets which can cause each side to view the other as a threat. But this can be overcome by understanding that the two teams have very different responsibilities and typically neither is interested in assuming the responsibilities of the other. OT has relinquished critical business services to IT including email, internet access, and backups, which is in the IT team’s comfort zone. On the other hand, IT isn’t prepared to assume responsibility for system failures in the OT environment that can have grave consequences. The reality is that IT and OT skill sets are complementary and honed for their respective domains.

5. Tool up to expand support for OT. Visibility across your infrastructure is critical to better protection. But getting comprehensive visibility into the operations domain is a challenge when everyone isn’t using the same technology. The latest Windows and Mac OS environments on the IT side don’t necessarily translate to the OT side. Not when OT has had systems in place for years. And not when many of these systems require Linux or Unix. Here’s where IT investments in tools and people should be prioritized, to expand visibility across the entire enterprise and support systems the operations domain relies on.

Change is never easy and across the OT environment the appetite for change is generally low. But as with all things, timing is everything. You must pick your moments, for example when research about an attack targeting the industrial sector becomes available or new regulations are in the works, and be prepared to seize those windows of opportunity for change. By working in partnership and showing real benefit to the OT environment and the business, you’ll start to find those windows of opportunity will remain open for longer.

Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.