Carric Dooley has extensive experience leading comprehensive security assessments as well as network and application penetration tests in a wide range of industries across North America, Europe and Asia. As the Worldwide VP of Foundstone Services at Intel Security, he works with companies around the world in various industries, including financial services, insurance, healthcare, software, manufacturing, retail, pharmaceuticals, government, food services and entertainment.
The first step to really understanding OT is to forget everything you know about IT.
It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the time of information technology (IT), it was the time of operational technology (OT), it was the time of clouds and revolution, which would cause their paths to cross in a way that neither anticipated.
Industrial control, SCADA, DCS, process automation, OT: there are many names and flavors across the relevant verticals, and there are a lot of verticals. Many of these environments were designed to last for 20 or 30 years or more, with vastly different lifecycles than IT. Surprisingly, OT environments generally seem to have a better understanding of their assets and their associated criticality. They see the potential damage to those assets from physical-world incidents (a vat that gets too hot can explode, for example) but may fail to recognize that the same condition or scenario could be precipitated by a cyber threat.
IT has a stronger sense of cyber threats like malware and Indicators of Compromise (IoCs), but lacks the same insight into how IT assets support critical business processes and the associated level of criticality. Sometimes companies conduct a Business Impact Analysis or a full IT Risk Assessment and get a better sense of this, but we find this to be somewhat rare, even in what would be considered fairly mature environments.
IT and OT are often worlds apart. Usually this is by design, banning IT from the shop floor because these are business-critical processes, and a single patch or pushing AV could halt the process – and the money. In fact, another quote from Dickens’ novel may be relevant: “Keep where you are because, if you should make a mistake, it could never be set right in your lifetime.”
The revolution is upon us with the Internet of Things (IoT) and clouds, and it is causing upheaval on both sides. OT has been adding functionality and connecting to the cloud as a way to improve, often with little or no experience of, or consideration for, IT security issues. OT is lurching toward IoT, connecting previously isolated machines and control systems to each other and to the internet, for the sake of convenience or analytics or a vendor’s monitoring service, which leaves many IT-savvy people with the willies!
Comments such as “we had to make it work, so we put a rule at the end of the policy allowing any traffic to any host in any direction” are common. Devices are inappropriately segmented; anti-virus is turned off, or running it violates the vendor SLA because it affects performance; and additional controls are blocked or never considered because the production line cannot be impacted. The desire for convenience and efficiency is eroding the traditional air gap between OT and IT, sometimes to the point where there is no gap at all. Attackers can get at OT devices from IT, or IT systems from OT, disrupting processes or stealing data.
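The catch-all “allow any to any” rule and the missing IT/OT segmentation described above are the kind of thing a policy review should catch before an assessor does. The following is an added example (not from the original post or Intel Security); it audits a constructed, hypothetical firewall ruleset with assumed zone names and flags the catch-all rule, everything it shadows, and any rule that lets non-OT zones reach OT without restriction.

```python
"""Audit a simple zone-based firewall policy for the weak patterns an IT/OT
assessment typically finds. Ruleset and zone names are constructed for this
example; real policies need an export from the firewall in question."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str      # zone name, "internet", or "any"
    dst: str
    service: str  # e.g. "tcp/502" (Modbus), or "any"
    action: str   # "allow" or "deny"


# Hypothetical OT zones; adjust to the site's own segmentation model.
OT_ZONES = {"ot-plc", "ot-historian", "ot-hmi"}

# Constructed sample policy, evaluated top to bottom, first match wins.
SAMPLE_POLICY = [
    Rule("historian-pull", "it-dmz", "ot-historian", "tcp/1433", "allow"),
    Rule("vendor-remote", "internet", "ot-plc", "tcp/502", "allow"),
    Rule("make-it-work", "any", "any", "any", "allow"),   # the quoted rule
    Rule("default-deny", "any", "any", "any", "deny"),
]


def audit(policy):
    """Return (rule_name, reason) findings for the policy, in rule order."""
    findings = []
    for idx, r in enumerate(policy):
        if r.action != "allow":
            continue
        if (r.src, r.dst, r.service) == ("any", "any", "any"):
            findings.append((r.name, "catch-all allow: any host, any direction, any service"))
            # First-match semantics: nothing after the catch-all is ever evaluated.
            for later in policy[idx + 1:]:
                findings.append((later.name, f"shadowed by catch-all rule '{r.name}'"))
            break
        src_ot, dst_ot = r.src in OT_ZONES, r.dst in OT_ZONES
        if src_ot != dst_ot:  # this rule crosses the IT/OT boundary
            if "internet" in (r.src, r.dst):
                reason = "OT zone reachable directly from the internet"
            elif "any" in (r.src, r.dst, r.service):
                reason = "IT/OT crossing with unrestricted source, destination or service"
            else:
                continue  # a specific, narrowly scoped crossing: document and review it
            findings.append((r.name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_POLICY):
        print(f"{name}: {reason}")
```

The narrowly scoped historian rule produces no finding; it is the kind of explicit, documented crossing that should replace a catch-all.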
Cyber incidents like the attack on the Ukrainian power grid are changing attitudes and bringing awareness to fundamental issues. OT is becoming acutely aware that physical incidents can now be precipitated by IT incidents, such as attackers and malware.
When all seems darkest, we are given a vision: “I see a beautiful city and a brilliant people rising from this abyss.” Unfortunately, getting there requires some significant sacrifice for the greater good. There really is a problem, a cultural gap between the two groups, and it requires a big behavioral and cultural change to overcome.
Start by setting assumptions aside, listen and actively try to understand each other, and realize that none of this is black and white. OT is often business critical, so you cannot break the process, but at the same time, the risk of leaving it unprotected could mean the end of the business. IT has learned a lot of lessons over the past 20+ years, and starting from scratch means relearning those lessons in a very painful way.
Do not wait until one of you has to head to the guillotine. Sit down and talk to each other before you are forced to because of a catastrophic crisis. Make sure that IT/OT integration is on the CEO’s agenda. Then maybe we can all rest easier, knowing that OT and IT have protected each other, without one of them having their head on the chopping block.
Intel Security is a Strategic Partner of the Collaborative Automation Partner Program. Leveraging Intel’s field-proven security expertise, Schneider Electric is able to offer a complete solution for customers.
Great post about security assessments applied in IT and OT, a more important field in networking than most people think.