Five Ways to Overcome the Cultural Barriers to IT/OT Security Convergence

Working Together, IT and OT Must Mitigate Risk and Address the Inevitable Mandates that Follow Successful Attacks

In my previous column, I provided some insights into the disconnect that exists between IT and operational technology (OT) environments and some practical steps for getting started with convergence. Given that nearly two-thirds of utility executives recently surveyed by Accenture Consulting (PDF) identify overcoming cultural barriers and organizational silos as the top challenge to IT/OT integration, this aspect of convergence bears further discussion.

The need to bridge the disconnect between IT and OT environments is being driven by two main factors. The first catalyst is regulatory requirements. When assessments and audits reveal that an organization is not in compliance with certain standards or emerging requirements, boards of directors and executive teams will mandate that leaders in the IT and OT domains come together to comply. The second catalyst is the increasing focus by malicious actors on industrial targets – the power grid, manufacturing floors, and other critical infrastructure. Working together, IT and OT must mitigate risk and address the inevitable mandates that follow successful attacks.

Trying to deal with cultural barriers and silos while under pressure to respond to directives or an attack is rarely advisable. Instead, here are five recommendations that can help you, as an IT security professional, proactively work in partnership with your OT counterparts to protect the business better.

1. Involve the right people. From inception you need to ensure the right people are at the table. Typically, executive management establishes the desired outcomes that drive policy, procedures, and requirements. Senior IT personnel must ensure that the right security controls are in place to align with the needs and requirements of the business. They must also develop a plan for the operations domain that supports the broader security strategy and goals without negatively impacting operations. This should be created in collaboration with OT leaders and lead support personnel from the top performing or most critical facilities. Trusted advisors, whether internal or external, can also play an important role in facilitating discussions, helping to make connections, and providing innovative solutions and approaches to problem solving.

2. Look for alternative technology-based solutions. IT staff look for the most efficient ways to address threats and vulnerabilities, for example, by patching systems directly. But this approach can involve taking systems offline for hours at a time, which is often not viable for mission-critical systems in an OT environment. Instead, think about the desired outcome and look for alternative ways to reach it. Usually there’s another technology option that will respect the limitations of systems in the OT environment while accomplishing the security goal. For example, if you can’t touch the system directly, then isolate it and only allow authorized communication through.

3. Appreciate that technology isn’t always the answer. There are many ways to support security strategy and goals that don’t require technology-based controls. For example, there is a relatively simple security regulation that states every time a user accesses a company PC, a login banner must be displayed to warn possible intruders against illegal uses of the system, and to advise legitimate users of acceptable use policies and that systems may be monitored. But in an OT environment, where systems run continuously and authorized users change at each shift without logging in again, how do you address this requirement? A simple workaround that doesn’t involve any IT investment for costly software modifications is to print, laminate, and affix the banner physically to the monitor.

4. Dispense with the fear of duplication. The IT and OT environments both have their own technical staff, so there is some overlap of skill sets, which can cause each side to view the other as a threat. But this can be overcome by understanding that the two teams have very different responsibilities and typically neither is interested in assuming the responsibilities of the other. OT has relinquished critical business services to IT, including email, internet access, and backups, which are in the IT team’s comfort zone. On the other hand, IT isn’t prepared to assume responsibility for system failures in the OT environment that can have grave consequences. The reality is that IT and OT skill sets are complementary and honed for their respective domains.

5. Tool up to expand support for OT. Visibility across your infrastructure is critical to better protection. But getting comprehensive visibility into the operations domain is a challenge when everyone isn’t using the same technology. The latest Windows and Mac OS environments on the IT side don’t necessarily translate to the OT side. Not when OT has had systems in place for years. And not when many of these systems require Linux or Unix. Here’s where IT investments in tools and people should be prioritized, to expand visibility across the entire enterprise and support systems the operations domain relies on.

Change is never easy and across the OT environment the appetite for change is generally low. But as with all things, timing is everything. You must pick your moments, for example when research about an attack targeting the industrial sector becomes available or new regulations are in the works, and be prepared to seize those windows of opportunity for change. By working in partnership and showing real benefit to the OT environment and the business, you’ll start to find those windows of opportunity will remain open for longer.
