The first step to really understanding OT is to forget everything you know about IT.
It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the time of information technology (IT), it was the time of operational technology (OT), it was the time of clouds and revolution, which would cause their paths to cross in a way that neither anticipated.
Industrial control, SCADA, DCS, process automation, OT; there are many names and flavors in the various relevant verticals, and there are a lot of verticals. Many of these environments were designed to last for 20 or 30 years or more, with vastly different lifecycles than IT. Surprisingly, OT environments seem to generally have a better understanding of their assets and associated criticality. They see the potential damage to those assets from physical-world incidents – like a vat that gets too hot can explode – but may fail to recognize how the condition or scenario could be precipitated by a cyber threat.
IT has a stronger sense of cyber threats like malware and SOC, but lacks the same insight into how IT assets support critical business processes, and the associated level of criticality. Sometimes companies conduct a Business Impact Analysis (BIA) or full IT Risk Assessment (IRA/ERA) and get a better sense of this, but we find this to be somewhat rare, even in what would be considered fairly mature environments.
IT and OT are often worlds apart. Usually this is by design, banning IT from the shop floor because these are business-critical processes, and a single patch or pushing AV could halt the process – and the money. In fact, another quote from Dickens’ novel may be relevant: “Keep where you are because, if you should make a mistake, it could never be set right in your lifetime.”
The revolution is upon us with an Internet of Things (IoT) and clouds, and it is causing upheaval on both sides. OT has been adding functionality and connecting to the cloud in an attempt at improved operational efficiency, often with little or no experience or consideration of IT security issues. OT is lurching toward IoT, connecting previously isolated machines and control systems to each other and to the internet, for the sake of convenience or analytics or a vendor’s monitoring service, which leaves many IT-savvy people with the willies!
Comments such as “we had to make it work so we used the any>any rule,” are common. Devices are inappropriately segmented, anti-virus is turned off, or violates the vendor SLA because it affects performance, and additional controls are blocked or never considered because the production line cannot be impacted. The desire for convenience and efficiency is eroding the traditional air gap between OT and IT, sometimes to the point where there is no gap at all. Attackers can get at OT devices from IT (Target), or IT systems from OT (Ukrainian power grid), disrupting processes or stealing data.
Cyber incidents like Aramco or Ukraine are changing attitudes and bringing awareness to the fundamental issues. OT is becoming acutely aware that physical incidents can now be precipitated by IT incidents, such as attackers and malware. Insurance claims for OT incidents can be declined if the root cause is cyber.
When all seems darkest, we are given a vision: “I see a beautiful city and a brilliant people rising from this abyss.” Unfortunately, getting there requires some significant sacrifice for the greater good. There really is a problem, a cultural gap between the two groups, and it requires a big behavioral and cultural change to overcome.
Start by setting assumptions aside, listen and actively try to understand each other, and realize that none of this is black and white. OT is often business critical, so you cannot break the process, but at the same time, the risk of leaving it unprotected could mean the end of the business. IT has learned a lot of lessons over the past 20+ years, and starting from scratch means relearning those lessons in a very painful way.
Do not wait until one of you has to head to the guillotine. Sit down and talk to each other before you are forced to because of a catastrophic crisis. Make sure that IT/OT integration is on the CEO’s agenda. Then maybe we can all rest easier, knowing that OT and IT have protected each other, without one of them having their head on the chopping block.