Is the IT/OT Merge Holding Back Your Cybersecurity Strategy?

(SPONSORED ARTICLE)

It's been said that IT cybersecurity is not only a technology problem but also a people problem. IT/OT convergence, or the merging of IT and OT under a single cybersecurity umbrella, will be an even bigger people problem.

It’s not a matter of competency. The problem is with these two environments developing and maturing in completely different fashions. OT developed as a siloed, isolated environment focused on production -- whether that’s manufacturing goods or critical infrastructure delivering power, water, or oil and gas. Introducing cybersecurity into this environment is challenging not only from a technological standpoint, but also from the standpoint of convincing people that it’s necessary in the first place.

Taking the Time To Understand One Another

So, while IT focuses on the behavior of people, especially with regard to zero trust, the focus is on the users of the environment. In OT when you talk about zero trust, the emphasis is on the assets and the physical makeup of the environment, which is very different from IT. There are a substantial number of legacy systems still present as well as a number of systems that will not tolerate a software agent installation due to impact on the system, or restrictions set by the manufacturer design. While the environment may be more complex to protect based upon these differences, protection is a critical component to OT environments based upon the current threat environment.

For most organizations, administrators that run OT environments have not come together with their IT counterparts and created a proactive cybersecurity strategy for their OT environment. This is partially due to numerous pre-conceived ideas in OT that IT cybersecurity principles don't apply when in fact, a number of IT principles do still apply in the OT environment.

Additionally, there's a lot of pushbacks from OT administrators, people managing the shop floor, or the people running the OT environments. Since it was developed in a silo, there was previously very little need for cybersecurity infrastructure. But times change and as connectivity grows, so does the threat risk to the OT environment. You could even say that pre-COVID requirements were substantially different than post-COVID. In this new world that we live in, connectivity and access to OT environments are imperative to gathering data and controlling the environments remotely.

Recognizing the Need for Collaboration

IT/OT cybersecurity convergence is really a challenge of bringing the administration together to create a cohesive cybersecurity strategy that is relevant to IT and applicable to OT. It must be a comprehensive strategy developed in a holistic manner to deliver an enterprise-wide solution to prevent compromise and attacks in the environment.

The process of creating a comprehensive cybersecurity strategy that fits the entire enterprise is about bringing people together. IT and OT architects need to collaborate to develop their specific solutions in order to satisfy the business use case for cybersecurity across the complete area of attack. This process is very reminiscent of what happened back in the early 2000s with cloud.

Cloud was in the early adoption phase in 2006 when Amazon first brought about EC2, but how to protect those environments was just coming into focus while cloud remained the Wild West of cybersecurity. There wasn't a lot of know-how as workloads were moving from IT into the cloud without concern or regard for cybersecurity, and it took a while for cybersecurity architects to catch up and offer solutions that would protect the environment while satisfying the business’s use case. It also took a retooling of our human cybersecurity assets to gain knowledge and understanding of cloud architecture and how to apply cybersecurity principles to the cloud. What it also required was people coming together in a collaborative effort. The cloud engineers, cloud developers, and the cybersecurity folks of IT to create solutions that could protect cloud instances according to enterprise requirements.

I believe the same is true with OT. Collaborating to develop a zero trust approach in OT that secures the assets is a practical approach. If we start with the assumption that the environment is compromised, and our priority is to protect the agent-based workloads and restrict access based upon machine identity and protocol communication, we can proactively implement an OT-tailored approach to cybersecurity.

The challenges of securing OT environments are not insurmountable, but they do require collaboration between our internal teams to create effective and efficient cybersecurity protection strategies within our OT and critical infrastructure environments.

Author Bio:

Jim Montgomery is a 30-year veteran of IT security working in all aspects of solution design, deployment and implementation. During this time, he has helped several fortune 100 companies implement complex strategies for operational efficiency and secure processing. Jim is currently focused on OT/ICS architecture design and implementation, emphasizing targeted approaches to solve specific functional goals while keeping the environment operational.