443 Consulting LLC
Published: 02 Sep 2014
There's a discussion going on in offices, plants and factories that may result in crossed arms and staredowns between information and operations technology teams because one team just "doesn't get it" when it comes to understanding the other's security issues.
Aren't all computer and processing systems the same?
The answer is: absolutely not! As Tim Conway, technical director of industrial control systems security for the SANS Institute, noted in an August 2013 interview with Computer Engineering magazine:
"When you take people with an IT background and bring them into an industrial control system environment there's a lack of understanding from operations [as to] why they're there, and there is a lack of understanding of the specific controls environment needs from IT."
As systems based on TCP/IP, Ethernet, Linux and Windows have moved into industrial control systems and supervisory control and data acquisition (SCADA) networks, operations technology faces IT security challenges.
Alignment of IT and OT
The majority of security executives have a pretty good sense of what information technology includes; essentially, IT is key to the underpinnings of the business -- it keeps the information flowing, email running and databases populated. Operations technology (OT) is a recently coined term. It refers to the industrial control systems that keep power plants running, manage factory process lines, and essentially work together to achieve an industrial objective, such as manufacturing, transportation or energy generation. According to technology consulting firm Gartner, OT is hardware and software that detect or cause a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
To better understand the nuances, take a look at the differences between the staffers who manage IT and OT systems. The IT department works on the "enterprise side" of the business, typically reporting up the chain of command to the chief information officer. These technicians and engineers normally work on Windows workstations and servers, email systems and enterprise resource planning systems. The OT technicians work under the operations or manufacturing management teams. They are focused on the smooth operation of industrial systems-based equipment, such as programmable logic controllers; pressure, temperature and level sensors; valve and motor controllers; and so forth.
Historically, OT systems and components were non-networked, standalone devices that never touched the enterprise or IT side of the business. Alternatively, if the devices did have any "computerization," they usually ran a proprietary control protocol using specialized software and hardware. Over time, however, IT capabilities were inserted into existing physical and OT systems; for example, the original mechanical governors used on motors and steam engines have been replaced by embedded digital controls.
Legacy industrial controls used in manufacturing are beginning to be replaced by OT that resembles IT systems, but fundamental differences remain. One of the better -- and readily available -- comparison tables is in the National Institute of Standards and Technology Special Publication 800-82, Revision 1, Guide to Industrial Control Systems Security. A summary of these fundamental differences between IT and OT systems, with some added perspective, is shown in the table.
As the NIST comparison table illustrates, a profound difference between IT and OT still exists, and these gaps raise issues regarding operating practices, software patching, system upgrades and other security and networking functions. Patching IT systems is fairly straightforward and essentially has become a regular task for the IT staff that deals with Microsoft's monthly Patch Tuesday and constant bug fixes. Because industrial systems are systemic and small changes can have large impacts, OT engineers store patches until the next plant or factory outage when these fixes can be installed on the affected systems: A simple patch and reboot is out of the question. Industrial systems may also run older versions of embedded Windows systems -- a security risk to many IT departments -- because manufacturing does not adhere to the shorter upgrade cycles common in IT environments.
Networking the factory floor
Changes relative to both the IT environments and industrial control systems are afoot. More industrial control systems are becoming TCP/IP-centric as legacy plant systems -- after 15 years of solid service -- are finally retired. The newer components and operating schemes more closely resemble those of their IT cousins.
The labor force and skillsets are also evolving: Many industrial control system technicians who managed legacy HMI devices with proprietary software and touch screens are retiring or leaving the workforce. It's difficult to locate experienced operations staff as younger, TCP/IP-trained technicians enter the OT ranks. This changing of the guard may help smooth any resistance between the siloed IT security and OT teams as the lexicon of the two groups becomes more in tune.
Security executives and associated management need to realize what the differences are between IT and OT and manage expectations to create secure networking environments. As Gartner analysts wrote in their 2012 report "Hype Cycle for Operational Technology": There are significant opportunities to be derived from aligning IT and OT, but they will not be easily gained in the short term.
Patience will be required as the IT and OT cultures merge. And executives who have knowledge of the differences need to take action to help with these conversations to avoid IT security and OT organizational boundary disputes.
Senior executives need to recognize that security policies, practices and procedures are different for IT versus OT. While IT is focused on protecting complex data environments, OT is tasked with high system availability in real time. Many information security professionals have strengths in IT, but industrial control system security is not their forte. The SANS Institute is spearheading an industrial control systems and cybersecurity certification initiative that includes training and Global Industrial Cyber Security Professional (GICSP) certification.
The chief information security officer of one major consumer products manufacturer recognized this difference. He established an industrial controls security manager on his staff to not only focus on OT security issues but also to aid in the dialogue between both groups. The industrial controls security manager is especially helpful when both teams are working on legacy systems and making changes to more "IT-centric" controls.
Security and risk professionals must look hard at the processes and procedures already in place for such areas as IT governance, procurement and configuration management. The operations organization must be woven into the governance processes and conversations in order to avoid an IT versus OT debate later on. Also, executives from both groups need to recognize that there are architecture variations between IT and OT systems and strive for an integrated planning and implementation scheme to help all teams focus on business outcomes and not on technology wars.
Finally, Eric Byres -- chief technology officer for Belden and the founder of Tofino Security -- has recommended the following actions to bridge the divide between IT security and OT:
- Annual staff surveys to measure cooperation between IT security and OT and look at utilization of resources, trust issues, conflicts, clarity of goals and objectives;
- Cross-department training, both for technical training and to support the values and behaviors expected to foster cooperation and communications;
- Cross-functional teams to develop policies, standards and projects with both IT and OT perspectives;
- Reach over the wall to encourage the IT security and OT teams to interact and be willing to walk in the other team's shoes. This "bridge" is supported by the security and operations executive teams taking the same actions.
Think big -- start small
Take time to look at "quick hits" and greenfield opportunities, such as building a new factory, to bring IT security and OT teams together for projects. Lastly, recognize that this alignment between siloed technology teams will take time, but when the IT and OT staff see that senior security management is involved in these efforts, morale will improve and cooperation should move quickly ahead.
About the author:
Ernie Hayden holds certifications as a Global Industrial Cyber Security Professional (GICSP), Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). He is an executive consultant at Securicon, LLC, and was previously global managing principal for critical infrastructure and industrial controls security at Verizon. He has also served in information security officer and management positions at the Port of Seattle, Group Health Cooperative (Seattle), ALSTOM ESCA and Seattle City Light.