IT-OT Convergence and Conflict: Who Owns ICS Security?

  • May 26, 2017
  • Belden
  • Feature

By Katherine Brocklehurst, Director - Industrial Cyber Security Marketing, Belden

Who’s responsible for industrial cyber security in your organization? Whether it’s Information Technology (IT) or a cross-functional ICS operations and process control group – often labeled Operations Technology (OT) – they are likely to have incompatible approaches to resolving cyber security risk.

To both secure ICS and reap the productivity benefits of IT-OT convergence, the industrial cyber security program must be recognized as a cross-functional lifecycle and journey. IT and OT must work together for either team to be successful. Obviously, this is easier said than done.

Pre-internet, the line between IT and OT was quite clear. Today, that line has been blurred by new technologies capable of connecting nearly any device on the plant floor and out to field locations, and those same technologies are connecting IT and OT in new ways.

IT and OT are very different organizations that have begun to converge very rapidly. This convergence has led to conflict, which you may well have felt in your own organization. This article addresses a major cause of that conflict and how to start resolving the growing pains.

IT and OT Resisting Convergence

IT and OT are resisting convergence happening all around them. At least, that’s the opinion of Luigi De Bernardini, CEO of Autoware, an MES and smart manufacturing automation firm in Italy. When working with clients in large manufacturing automation projects he finds that “many manufacturers still see strong resistance to bringing information and operational technologies together, with mistrust coming from both sides.”

Bernardini says this resistance must end. “Continuing to operate separately not only slows the adoption of solutions based on technologies that fall outside of ICS operations’ comfort zone, but also exposes companies to fault or security risks that could significantly impact production.” I couldn’t agree more.

[Figure not reproduced here] (Source: Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82 Revision 2 (NIST SP800-82r2), Executive Summary, pg. 1, May 2015)

Different Worlds

IT and OT are very different worlds with very different responsibilities. Fundamentally, IT secures data. An intentional or unintentional cyber threat could result in the loss of intellectual property, corporate financials and employee or customer information – and the ripple effect can be costly, ranging from $200K to $4M per incident.

In contrast, ICS logic executes control processes with physical impact. A cyber threat could have devastating physical consequences to critical infrastructure and services, employees, human life and safety and the environment – as has been shown in numerous publicized incidents.

The Purdue Manufacturing Model (figure not reproduced here) gives context to each group’s realm.

The Purdue model uses the concept of zones to subdivide an Enterprise (IT) and ICS (OT) network into logical segments composed of systems that perform similar functions or have similar requirements. (Source: SANS Institute)

If you’re in OT, how many times have you heard that “IT thinks” they can solve “the security issue” in the plant? If you’re in IT, how many times have you worried about cyber threats and risks entering relatively flat ICS networks, only to find that your offers to assist are not welcome?

Differing Security Priorities

The different priorities of IT and OT are a key reason conflicts arise so easily between the two groups. The figure below is the classic CIA Triad, which helps to show how the two functions’ security priorities are inverted. And let’s not overlook that IT doesn’t factor plant or employee physical safety in at all, except where physical access systems are under their domain.

IT’s top priority is to protect the data. OT’s priority, however, is to protect the availability and integrity of the process with security (confidentiality) coming last.

The security solutions each might choose for the ICS operations environment would also be very different, due to many variables. This could include regulatory and compliance requirements, network architectures, performance/production requirements, employee and environmental safety considerations, risk tolerance and management goals, asset types (hardware, software and operating systems), availability requirements or security goals – the list goes on and on.

Each group has a biased lens when considering ICS cyber risks and consequences.

The “CIA Triad” of Classic Security Priorities (Source: TechTarget)

IT’s View

IT’s top priority is protecting data (confidentiality), such as intellectual property, corporate financials, employee or customer private data. They figuratively look across the demilitarized zone (DMZ) thinking of the many changes that could bring a stronger security posture to OT environments.

A few of the things IT pulls out of their kit bag include:

  • Stronger network segmentation
  • Access control lists to restrict and manage permissions and access to key resources
  • Geographic or organizational groupings of data and assets
  • Strong password hygiene
  • Routine patching processes (automated and with much higher frequency)
  • Universally-applied security policies

OT’s View

OT’s top priorities add the safety dimension to the usual top priority of availability. When considering suggestions from IT to secure ICS environments, OT will often invoke cyber security inertia to ensure control processes and production yield are not placed at risk by changes.

Reasonable explanations OT gives for why IT-style security cannot simply be implemented include:

  • Fragile PLCs may not have enough memory to handle high traffic, such as a broadcast storm or unexpected function codes that cause a reboot.
  • Not all patches, even those released by ICS vendors, are required. It takes time to assess whether even the ICS-CERT Advisories are appropriate for the devices in place.
  • Anti-virus or automatic patching is completely atypical; it requires considerable testing and scheduling, and may even require vendor participation to ensure warranties stay intact.
  • Flat network architectures are favored with minimal or no subnets or secure zones to isolate unrelated systems and processes. In this way, OT can minimize performance latency that could disrupt time-sensitive processes, and ensure that all resources are easily available to operators should they need to quickly pivot to manage another set of systems and processes.
  • Shared credentials are common on many types of systems, both new and legacy. They allow users to gain access quickly, without the strong password hygiene and frequent password changes that are difficult to keep everyone in sync with.
  • Remote access is ideal for staff to connect from home, or even vendors to connect online to conduct maintenance or diagnostics on equipment.

The Conflict

Protection of information is important, but production losses translate immediately into business losses. Typically, OT teams are hesitant to accept IT changes in the operating environment for fear of disrupting production. Preventing downtime is the main concern, whether that’s the time needed to implement the changes or, worse, an unplanned or extended outage caused by a problem with the implementation. On the other hand, cyber threats can also disrupt production, cause damage, affect visibility and control or jeopardize safety – which would also affect business profitability. Still, OT can be skeptical of the real risk cyber threats pose to their ICS operations and control processes, believing the threats to be overhyped and rare.

Solving the Conflict: How to Get Started

Unfortunately, consultants that perform risk assessments in ICS operations environments say that many organizations must experience a cyber incident before they’re willing to take serious action.

So, what actions can your organization take to ease IT and OT convergence, reduce conflict and mistrust, and at the same time increase ICS security?

1. Get Strategic Alignment at the Highest Levels

Luigi De Bernardini says that most of his clients “still have two strongly separated departments for operations and IT. They have different people, goals, policies and projects.”

To remedy this, Bernardini recommends starting by reorganizing IT and OT departments to be strategically aligned and unified. He suggests that, at a minimum, the Chief Information Officer (CIO)/ Chief Information Security Officer (CISO) and Chief Operations Officer (COO) should have “partly common and overlapping goals and targets, which would force them to work cooperatively.”

The CIO/CISO must also accept complete responsibility for the cyber security of the ICS and for any safety incidents, reliability incidents, or equipment damage caused directly or indirectly by cyber incidents.

2. Coordinate a Joint Task Force

Next, both NIST SP800-82r2 and Bernardini recommend creating a joint task force, a cross-functional cyber security team that pools its varied domain knowledge and experience to evaluate and mitigate risk to the ICS. NIST goes so far as to name the roles that should be part of this cyber security task force, which it suggests should include:

  • A member of the IT staff
  • A control engineer
  • A control system operator
  • A network and system security expert
  • A member of the management staff
  • A member of the physical security department

The task force should also consult: site management/facility superintendent, a control system vendor and/or system integrator and the CIO/CISO.

3. Pilot Projects and Governance

One of the first things the joint cyber security task force can do is to identify simple pilot projects to work on together. A suggestion might be to jointly create a list of the most critical ICS assets that absolutely MUST be secured. Rank them in priority order, and begin to assess what needs to be done.

These pilot projects will offer value with a low-risk benchmark, helping the company train and progressively build a specific mix of shared IT/OT skills. This will also aid in determining how to jointly reduce conflict when deciding on steps toward ICS security improvement.

Ultimately, the joint cyber security team should have “joint governance and responsibility to execute projects, harmonize duplicated or overlapping systems and processes, and promote the development of the interdisciplinary skills that are now missing in most companies,” per Bernardini.
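The asset-ranking pilot described above can be made concrete by scoring each asset against the CIA triad plus a safety dimension and weighting those scores the way each group does: IT ranks confidentiality first and does not score safety at all; OT ranks safety, availability and integrity above confidentiality. The following is an added example written for this article, not Belden’s or NIST’s tooling; the asset inventory, its impact scores and the two weight tables are constructed assumptions. It ranks the same five assets through the IT lens, through the OT lens, and then through a combined task-force lens in which either group’s “critical” verdict is enough to lift an asset, and it reports how far each asset moves between the two single-lens lists, which is where the disagreement will be loudest.

```python
"""Rank ICS assets under IT-weighted and OT-weighted CIA(+safety) priorities.

Added illustration for the joint task-force pilot; not Belden's or NIST's
tooling. The asset list, impact scores and weight tables are constructed.
"""
from dataclasses import dataclass

DIMENSIONS = ("confidentiality", "integrity", "availability", "safety")


@dataclass(frozen=True)
class Asset:
    name: str
    purdue_level: str     # Purdue zone the asset lives in (label only)
    confidentiality: int  # 0 (no impact) .. 5 (severe impact) if compromised
    integrity: int
    availability: int
    safety: int


# Assumed weight tables mirroring the article: IT scores C > I > A and ignores
# safety; OT scores safety, availability and integrity above confidentiality.
IT_WEIGHTS = {"confidentiality": 3, "integrity": 2, "availability": 1, "safety": 0}
OT_WEIGHTS = {"confidentiality": 1, "integrity": 3, "availability": 3, "safety": 4}

# Constructed sample inventory spanning Purdue levels 4 down to 1.
SAMPLE_ASSETS = [
    Asset("ERP server", "Level 4", 5, 3, 2, 0),
    Asset("Plant historian", "Level 3", 4, 3, 3, 1),
    Asset("Engineering workstation", "Level 2", 3, 5, 2, 3),
    Asset("Operator HMI", "Level 2", 1, 4, 5, 4),
    Asset("Safety PLC", "Level 1", 0, 5, 5, 5),
]


def score(asset, weights):
    """Weighted sum of the asset's impact scores under one group's weights."""
    return sum(weights[d] * getattr(asset, d) for d in DIMENSIONS)


def rank(assets, weights):
    """Return [(name, score)] ordered from highest priority to lowest."""
    return sorted(((a.name, score(a, weights)) for a in assets), key=lambda t: -t[1])


def joint_rank(assets, it_weights=IT_WEIGHTS, ot_weights=OT_WEIGHTS):
    """Task-force ranking: each asset keeps the higher of its two scores after
    normalizing each to the best score its weight table can produce, so an
    asset that either group deems critical is lifted toward the top."""
    it_max = 5 * sum(it_weights.values())
    ot_max = 5 * sum(ot_weights.values())
    rows = []
    for a in assets:
        joint = max(score(a, it_weights) / it_max, score(a, ot_weights) / ot_max)
        rows.append((a.name, round(joint, 3)))
    return sorted(rows, key=lambda t: -t[1])


def rank_gap(assets, it_weights=IT_WEIGHTS, ot_weights=OT_WEIGHTS):
    """Positions each asset moves between the IT list and the OT list; the
    largest gaps mark the assets the two groups will argue about most."""
    it_pos = {n: i for i, (n, _) in enumerate(rank(assets, it_weights))}
    ot_pos = {n: i for i, (n, _) in enumerate(rank(assets, ot_weights))}
    return {n: abs(it_pos[n] - ot_pos[n]) for n in it_pos}


if __name__ == "__main__":
    for label, weights in (("IT lens", IT_WEIGHTS), ("OT lens", OT_WEIGHTS)):
        print(label, rank(SAMPLE_ASSETS, weights))
    print("Joint lens", joint_rank(SAMPLE_ASSETS))
    print("Rank gap", rank_gap(SAMPLE_ASSETS))
```

With the constructed inventory, the IT lens puts the ERP server first and the safety PLC last, the OT lens does the exact opposite, and the joint lens puts the safety PLC and HMI first while still keeping the ERP server in the top three; the rank gap of four positions for both the ERP server and the safety PLC is the conflict the article describes, expressed as a number the task force can put on a whiteboard.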

Summary

Successful mitigation of the conflicts inherent in IT and OT convergence, and the subsequent improvement of ICS security, doesn’t happen overnight. This is a serious challenge for any organization and one that is difficult for many to undertake. Managers need to learn to share goals, jointly evaluate business risks and consequences, and train the broader group on shared skills, which will ultimately lead to appropriate ICS security products, processes, policies and people.

Also, joint governance for IT and OT projects shouldn’t be underestimated. IT commonly has stronger project management models, but they cannot just be taken “as-is” into ICS operations. The two collaborating and cooperating departments need to extend their skills, learning to adapt IT security project models for use in operations, with careful consideration of all the differences inherent in their security priorities and risk biases. An effective industrial cyber security program is a lifecycle and a journey – the first step is getting the journey started.

About the Author

Katherine Brocklehurst is responsible for industrial cyber security marketing within Belden’s Industrial IT group. Her area of responsibility covers industrial networking equipment and cyber security products across four product lines and multiple market segments. Katherine has 20 years of experience in product management and marketing in network security, most recently with Tripwire. Katherine’s experience spans technologies that touched every layer in the ISO model and she is a subject matter expert on cyber security. With a passion for helping organizations thrive in today’s challenging security environment, Katherine is guiding Belden’s delivery of industrial cyber security solutions. 
