When providing cybersecurity in converged IT and operational technology environments, it’s critical for infosec pros to understand the differences between the two and utilize a toolset that delivers a comprehensive picture of both in a single view.
If your organization has IT and operational technology (OT) environments, it’s virtually guaranteed that they’re converged, even if you don’t realize it. Gone are the days when OT was air-gapped. Instead, connectivity is delivered through the IT infrastructure, thereby leaving the door wide open for adversaries to reach critical OT infrastructure. And, based on our experience working with organizations around the globe, we believe that IT devices account for approximately half of what’s found in an OT environment these days, making it nearly impossible to draw a hard line between the two.
As a result, an increasing number of IT security professionals suddenly find themselves managing the security program for both environments ― and many are at a complete loss as to where to even start. That’s because IT and OT environments were built differently from the ground up. Consider this comparison:
Comparing IT and OT environments
|Focus||Top-down ― operations and systems required to run the business||Bottom-up ― plant, processes and equipment required to operate and support the business|
|Reach||Global wide area network (WAN)||Local area network (LAN)|
|Network posture||CIA ― confidentiality, integrity, availability||AIC ― availability, integrity, confidentiality|
|Response to attacks||Quarantine/shut down to mitigate||Non-stop operations/mission critical (never stop, even if breached)|
|Biggest fear||Network intrusion||Reduced safety; loss of view/control|
|Level of cybersecurity maturity||High||Low|
|Weakness||Stringent security controls||Insecure behavior|
Source: Tenable, December 2021
So where do you even start? A great first step is to understand the differences highlighted in the table above and consider how those differences might affect attitudes, beliefs and, ultimately, security decisions.
What’s in a name?
The word “security” takes on a different meaning in an OT environment. I will be forever grateful to a friend and former colleague of mine who saved me from making a fool of myself in front of 100 OT practitioners when I was just getting started in IT/OT security. I was reviewing my presentation with her prior to a talk I was preparing to deliver to this audience. In it, my plan was to tell them that OT practitioners needed to start paying attention to, and really prioritizing, security. She explained to me that the OT audience would react negatively to this message. They already consider security to be at the heart of everything they do. So, what was the problem? I was defining “security” in the context of my IT experience, meaning cybersecurity. In the OT world, “security” means safety and physical security. So, one word with vastly different meanings.
Why do IT and OT professionals view “security” so differently?
In IT, data is king, so it stands to reason that the biggest security fear is that there could be a network breach. An adversary gaining access to the network can damage the integrity of the data, exfiltrate it, or even lock it up so that it can’t be accessed by the organization. In contrast, OT environments are inherently more physically dangerous, so the biggest fear is that there could be an accident that disrupts critical operations and possibly jeopardizes employee safety, or that of the community. As a result, OT professionals are highly driven to manage an “always-on” operation, as well as to maintain a high degree of safety ― and, by extension, the physical security controls of the environment.
Vastly different structures
With that background in mind, the rest of the table starts to make a lot more sense. IT security professionals opt for centralized control, providing an infrastructure that can conceivably be used to permit any asset or person to access any other asset, or any data, anywhere on the network. These are wide area networks (WAN) housing the systems and processes required to run the business.
Conversely, OT environments are designed with a great deal more privacy and limited control in mind. These highly segmented environments make it impossible for authorized people and assets to access other assets that are outside their purview. These are local area networks (LAN) that house systems and processes that support the business. Most of these devices are intended to only communicate with other devices within their zone and not with the outside world.
Given their disparate network topologies and definitions of what it means to be secure, it shouldn’t be surprising that the priorities of OT and IT security groups, and their reactions to attacks, are at polar opposites, even within the same organization. While IT security professionals prioritize their world in the form of C-I-A (confidentiality, integrity, accessibility), OT professionals take the diametric opposite perspective, prioritizing their world as A-I-C. As mentioned above, for IT security, data is absolutely the most important thing, so ensuring its confidentiality and integrity will trump availability every time. But for a safety-conscious OT professional, the operations must always be available to ensure that the environment runs smoothly and without failures that have the potential to lead to catastrophes.
What do these different priorities look like in action? In the event of an attack, IT security pros will quarantine and shut down the affected systems as quickly as possible in an attempt to contain the problem and minimize any data leakage. OT, however, will take the opposite approach by keeping the critical infrastructure running at all times. The only deviation from this strategy, of course, is if the attack causes OT devices to malfunction and possibly present a danger to the business, its employees, or the surrounding community.
Variety of tools
Arguably the biggest challenge faced by IT security professionals as they attempt to get their arms around OT security is the fact that many of their traditional IT security tools don’t work in an OT environment. In fact, the most basic IT security tool of all ― the scanner ― can actually crash an OT network. So, you need to be sure to choose a scanner that’s proven in an OT environment. But then you run the risk of having two sets of security tools, one for each environment. While this will certainly help ensure that you have the right tools for each job, it can become challenging, at best, when it comes to managing them all, and ensuring that your staff is trained to use them all properly.
Then comes the true complication ― figuring out how to merge all of the disparate data, from the two completely different environments, into one dashboard so that you can view all assets and prioritize all security issues across your entire attack surface. Without this ability to comprehensively view and assess all environments across the extended attack surface in a single, fully-integrated solution, your team will spend exponentially more time understanding the full security picture. Plus, you run the very real risk of missing major security issues.
The bottom line
If you’re responsible for managing the security program for a converged IT/OT network, it’s absolutely essential that you understand the differences and unique challenges of an OT environment. And just as importantly, take care to ensure that you’re utilizing the right security tools for the job ― those that will support an OT environment, and that fully integrate with complementary IT security tools, to deliver a comprehensive picture of the organization’s security landscape. Then, from a people and process perspective:
- Ensure that your IT security professionals meet with the OT leaders to truly understand the inherent differences that are unique to OT environments.
- Take the time to truly understand the needs and priorities of of OT ― and why they’re important ― rather than pushing IT security philosophies on them.
- Understand that OT environments have only experienced outside connectivity for a relatively short period of time, so OT leaders are still at the beginning phases of security maturity.
- Winning hearts and minds is essential, so be open to phasing in changes, rather than pushing for the “ideal” security solution overnight.