How to bridge the OT / IT knowledge gap

The first step in bridging the gap between IT and OT is recognizing and understanding it.  As we discussed in part 1 of this blog series, The OT infrastructure challenges, OT was for many years isolated from mainstream IT technology, which resulted in proprietary and non-standard systems, devices, networks, and protocols.

These were the domain of electrical, industrial, and process engineers whose goals were reliability, accuracy, and safety.  IT infrastructure, network, and systems administrators for the most part had no exposure to ICS and OT, and IT infosec in particular is an area with very little OT expertise.  Likewise, most OT personnel were relatively unfamiliar with IT technology.  Getting the two groups to a common understanding was, and still is, a significant challenge.

As discussed in part 2 of this blog series, The business drivers acting on OT, the needs of the business have forced these two groups together.  In some cases this happened rather unceremoniously: CISOs were suddenly told that they were now responsible for OT infrastructure and systems, an area of technology they had been kept apart from.  Similarly, OT engineers and experts were now forced to understand the ins and outs of the IT world.  In addition to the technological knowledge gap, there is a gap in philosophy, approach, and goals between IT and OT personnel.

IT personnel have endured, and learned a lot from, dealing with and building protections against forces outside their control: sudden spikes in traffic (whether circumstantial, driven by business or social events, or targeted, as in DoS and DDoS attacks) and the behavior of actors with access to their networks and systems (including incompetent or malicious employees, criminal hackers, and nation states).

IT networks have to be connected to the rest of the world in order to provide value to the business, and that accessibility means any exposed weakness or vulnerability is a potential vector for disruption and exploitation.  Coupled with the fact that IT is used to perform a vast array of tasks and must provide very flexible capabilities, this broadens the potential for impact even further.  Nowadays, the same technology that powers a high-end workstation and 3D modeling tool also needs to be able to run a highly available eCommerce platform and relational database.

OT personnel on the other hand have been focused inward on their ICS to maximize reliability, accuracy, and safety.  One of the ways they did this was by building simple, single function systems and devices with very controlled hardware and software.  They relied heavily on vendors and manufacturers to provide these fit-to-purpose devices that could handle the varied environmental conditions that could exist at a plant’s remote well-site or a water pump.

This difference shows in the types of security solutions typically implemented within OT infrastructure.  Very often, OT security solutions boil down to one of three types:

  1. Rigid, static, controlling solutions that require highly involved and brittle policy definitions (these would never work in the IT world due to the need to be flexible and adaptable)  
  2. False-positive prone solutions (which have been shown to have limited value in IT and are typically "squelched" to the point of diminishing returns because of their inherent noisiness) that have gotten a second life by virtue of still being relatively novel in the OT world.
  3. Detection-only systems that require non-trivial security tool and process integration to potentially be used in incident response. 

We discuss this in more detail in part 5 of this blog series: Why existing OT security tools fall short.

Whatever solution is ultimately decided on to help secure OT networks and devices, one absolute truth is that the operators and engineers that have built and run these infrastructures need to define the policies and rules that will secure them.  IT personnel can provide technical assistance by bringing their substantial network and system analysis experience and tools to bear, but the OT experts need to retain control of any new solutions implemented.

As a short aside, one of the primary means of building rapport between IT and OT personnel is context.  With a contextualized view of the networks, traffic, devices, and services, OT personnel don't have to build a mental model of what can seem like abstract and arcane security policies.  The view is far more familiar to them, which enables them to achieve the level of granularity and safety they require in a security control.  We will discuss this in much more detail in part 6 of this blog series: How a dynamic, contextual, preventative solution can deliver OT security.

CISOs who are suddenly tasked with securing the organization's OT infrastructure would be wise to listen with great care to the OT operators and engineers before hastily applying solutions that may have worked for them in the IT world.  Success may also require acknowledging that the finely calibrated risk quantification and mitigation strategies they developed over years of working with IT may not be appropriate for OT.

Conversely, OT operators and engineers need to understand that their IT colleagues have been living and breathing information security for the last 20 years.  They've been on the receiving end of extremely impactful breaches, and they have the scars to prove it.  OT experts need to realize that by properly articulating the unique attributes of their OT networks and devices, along with the impact those have on the physical processes they control, they can avoid years of losing strategies and blind alleys.

Ultimately, the gap between IT and OT can be bridged through recognition of the differences in perspective and mutual respect for the journeys both have traveled.  Once that happens, the "two sides" can begin to figure out how to satisfy the goals of the IT "side" and the OT "side" simultaneously, which means implementing tools and techniques that provide enhanced visibility and security on OT networks without compromising reliability, safety, and performance.

Continue on to part 4 of this blog series: Why "Catching up" to IT security is a bad strategy in OT. 

PacketViper OT360 is a dynamic, contextual, preventative solution that can deliver OT security. It can work on the OT/IT boundary of an organization's infrastructure, within plant facilities to provide protection internally and between the plant and distributed assets, and within remote OT locations to provide prevention and containment.