In a successful marriage, each partner understands what the other needs—and what they can’t tolerate. Industrial cybersecurity requires the same sort of partnership, in this case between the operational technology (OT) and information technology (IT) teams. IT contributes the cybersecurity tools and skills. OT brings an understanding of each asset, its impact on the business, and when it can be taken down without affecting safety or production. Neither team can succeed alone.
In our work with manufacturers and critical infrastructure providers around the world, we’ve seen that OT and IT teams often have biases that can derail collaboration. In this blog I’ll explain these misunderstandings and how to overcome them to protect industrial networks.
OT bias: “Cybersecurity is just another engineering task”
Cybersecurity is a relatively new concern for OT teams, who might see it as “yet another constraint.” Industrial control systems (ICS) engineers have dealt with complex process controls for years. Understandably, they tend to assume that cybersecurity is just one more. In their view, OT cybersecurity can be added early when designing an industrial project and managed in the same way as safety or reliability.
They are not wrong, but they need to be aware of important differences. For example, while electrical system designs can be good for decades, new cyber threats pop up every day. Attackers have the motive (money) and the opportunity (a growing set of tactics and software) to find and exploit the weakest link in industrial networks. Cybersecurity requires continuous improvement to cope with the fast pace of change.
Our recommendations for OT teams:
- When designing new production infrastructures, loop in your IT colleagues very early in the design stage. Explain any constraints, such as uptime requirements, and ask for their cybersecurity recommendations. Work together to make your OT system “secure by design.”
- Ask IT to regularly assess workstation hardware and software for vulnerabilities. The WannaCry ransomware attack targeted workstations running Windows XP, introduced in 2001. While decades-old control system designs might still be relevant, old computer systems require modern security protections.
- As with safety and reliability engineering, invest in skills, people, and processes. Plan for cybersecurity upfront, not as an afterthought. Make it a priority to train every ICS engineer. Regularly assess and remediate risks.
- Stay current on new threats. Criminal organizations are never short of ideas. Keeping an eye on new attack tactics and techniques will help you engineer stronger OT processes and systems.
IT bias: “We’ll just copy-paste what we did for IT applications”
IT teams might think they can apply the same security practices to OT systems that they use for enterprise applications like email. They’re also biased toward making IT the sole administrator of OT systems, with the aim of reducing the risk of stolen credentials or configuration changes that could introduce vulnerabilities.
Both biases cause big problems. Take patching. While most IT systems can be briefly taken down for security patching, many OT systems can’t. OT is about producing goods and services 24 hours a day, seven days a week. A furnace operating at 1300°C can’t be stopped for a controller patch.
Restricting administration privileges to IT is another non-starter. ICS engineers are accountable for production and worker safety. If something goes wrong, they’re the ones who get the 2:00 a.m. phone call. An operator responsible for power distribution to hundreds of thousands of people can’t wait for an IT administrator to change a setting.
Unlike IT environments, which typically have few software and hardware vendors, industrial networks often connect solutions from hundreds of vendors—including niche products developed by local companies that might be key to running the industrial process. This variety complicates traditional IT security programs like patching and vulnerability management.
Our recommendations for IT teams:
- Give the OT team the tools to discover everything connected to the network. If you don’t know about it, you can’t protect it. Inventory can be complicated in OT environments because of the variety of assets—some in hard-to-reach locations. Inventory is much simpler with Cisco Cyber Vision, which automatically discovers every connected OT asset to provide an accurate view of your security posture.
- Keep in mind that OT teams can tolerate very little risk. Their systems have a direct impact on the bottom line and worker safety, and OT teams are ultimately accountable. When planning cybersecurity changes, get buy-in from everyone the change will affect.
- Adapt your practices for OT systems and culture. For example, in some cases the costs of stopping an infected process can exceed the costs of the breach. Managing security risks while protecting safety and business continuity requires a strong partnership between IT and OT.
Like a marriage, industrial cybersecurity requires understanding and teamwork from IT and OT. Treat OT security as a change management process, encouraging each department to embrace the other’s perspective. Start by recognizing your biases so you can become a good partner to reach your common goal—stronger protection for critical operations.