The main security issue with convergence of IT and OT, people

Most people will know what IT is, let’s face it: IT has changed our lives forever. We carry processing power around in our pockets that NASA would have paid for very dearly only a decade or so ago. Even if this may seem like an exaggeration, it’s probably not far from the truth. Just think about the little amount of time it takes to download a 30 MB app to your smartphone and install it. It’s become so normal that we have to remind ourselves how different things were.

Now try and imagine a train from A to B (fill in your from and to of choice). The train in question changes course by signalling on the rail. A mechanical process, you might say, and yes it is, but one that is managed by a piece of technology known as OT, or operational technology. Just like with trains, there are very many other processes, industrial or otherwise, which are managed by this kind of technology. SCADA and other industrial control systems are mostly focused on managing a single process. As you may imagine, up-time and safety are the two things that really matter in this kind of environment. You would not want your train to collide with another just because an old piece of kit failed to control a critical signal on your way home after a long day at work. If you live in or near London, you will often have heard the most commonly used excuse of “signalling failure between Waterloo East and London Bridge…”. Makes you wonder. With a signalling failure the remedy is to delay trains, which serves safety. Up-time clearly needs work.

Just like trains need to run, preferably in the right direction, power stations need to function, nuclear reactors need to react and oil refineries need to refine. There are countless industries where OT plays a major role in the running of the enterprise. This technology, even though it is often based on technology very similar to that found in IT, is managed by a different group within an organisation. Not IT, but operations engineers. They live by different rules and a completely different set of best practices. As an example, you will often find servers that have not been patched for years, with engineers boasting that their servers have not been rebooted in the past four years.

So why is this a problem? In the past, systems in the OT environment were air gapped. This means they were physically separated from other systems or networks, and not connected in any way to the corporate network. Direct physical access was required to work on them. That is often not the case anymore. With requirements for lowering the management cost of equipment, ease of use and maintenance, and the omnipresence of the internet, came inter-connectivity of IT and OT networks. In some cases on purpose, but sometimes simply as a result of poor network architecture design. Even if an organisation insists that the two environments are “firewalled off”, this will never be good enough. Not if you believe in the “assume breached” paradigm, which is today’s reality whether you like it or not.

There are many other technical and process-oriented challenges that I could highlight between IT and OT, but none of that will matter unless companies are able to deal with the organisational aspect. As stated above, OT is typically managed by a different part of the organisation, and quite rightly with different metrics and definitely a different approach to maintenance. Without being too sexist, IT and OT are kind of like men and women, with the one group hailing from Mars and the other from Venus. They don’t think alike, they act differently and they sure as hell do not want you meddling on their turf. Not sure that last bit is exactly true for men and women, but you get the point.

So, unless a company with a fair amount of critical infrastructure under its wings is able to adopt an organisational structure in which ownership of IT and OT is appropriately organised and results in real collaboration between the two, none of the potential technical solutions will matter.

I will be speaking about this at an ISC2 conference later this year, and welcome your comments and feedback on this topic.
