We recently had the privilege of hosting a series of roundtable webinars with IT and OT security leaders from around the world, in diverse industries including manufacturing, pharmaceuticals, energy utilities, oil & gas, and transportation & logistics.
The webinars addressed key strategic and tactical questions including:
- How do you bridge the gap between OT and IT people?
- How do you educate OT people about security?
- What are the most effective ways to communicate OT risk to the board?
- How is cloud affecting OT security?
- What strategies is your firm adopting to keep production running in the current situation?
- With OT equipment maintenance being handled remotely more now, how are you protecting against malicious remote access to your OT networks?
- How are you maintaining security defenses now that security teams are all working from home?
- How are you prioritizing OT security projects?
It’s All About Communication
In this blog post, we look only at the answers to the question about bridging the gap between OT and IT. In summary, the panelists’ recommendations are to:
- Encourage ongoing communication between IT and OT teams.
- Show teams they have a common goal — support the business.
- Send IT security people onsite so they can understand how OT processes work.
- Show OT personnel that, by providing deep and continuous visibility into their OT environments, cybersecurity also delivers operational efficiency benefits (as well as security and safety benefits).
- Find a way to help OT with IT-related issues.
[Responses below have been edited for clarity and brevity.]
Summary of Responses
Question: How do you bridge the gap between OT and IT? We’ve seen for many years that the two groups were quite separate, and with a convergence of OT and IT and the need for stronger security, we’re having more conversations between the two groups and how they need to work together more.
Arieh Shalem, First Quality Enterprises: Find a Common Goal — and Show Operational Benefits
- It can be IT and OT, it can be IT and information security, it can be whatever it is. There’s always a challenge when you want to do something, and there’s another department or another part of the organization that doesn’t want to do that.
- You need to find a common goal. The way we did it successfully with CyberX was to unite around the goal of protecting our company. And by using CyberX, you’re also going to get something that helps OT, which is visibility.
- You can’t just say, “We have to do it, because security is saying it.” When you say things like that, the project is going to fail. If you’re not able to provide OT with a seamless security solution that also provides them with operational benefits, the project will fail. It doesn’t matter how amazing the tool is.
- An example of an operational benefit is when we found out, during the CyberX POC, that our VLAN network was misconfigured and bandwidth consumption was sky high in one of our locations. And by just deploying the CyberX sensor in one location, they saw that and were able to fix it, and they were amazed. They said, “What? You’re able to do that?” It was running inefficiently for years, but they just thought “This is just the way these machines work.” So when you give them an operational benefit like that, it gets them started on even more discovery and they say, “Okay, we can see value in implementing this monitoring solution. Let’s do that.”
Headquartered in Great Neck, NY, First Quality Enterprises is a diversified CPG manufacturer with nearly 5,000 employees.
Paul Brager, Baker Hughes: It’s All About Enabling the Business — People Want to Do the Right Thing
- Traditionally, as you mentioned, there’s always been kind of this us vs. them mentality around IT and OT. And what we’re finding now, as we’re starting to leverage data and information coming out of those OT environments, and subsequently that data is being fed back into OT for performance enhancements – what we’re realizing is we’re really not all that different.
- Certainly our day-to-day operational responsibilities and accountabilities are very different. But at the end of the day, we’re all trying to enable the business to generate revenue and profits. And so oftentimes when you’re talking about bridging the two, what you’re really talking about is how do you work together in order to make this do what it intends to do and what it would like to do. Certainly in the security realm of the world, again, when you start looking at OT, obviously the OT threat landscape and threat surface are very, very different. So certainly, being able to have reasonable conversations between IT and OT security-related resources will certainly help to close that gap.
- And then as Arieh mentioned, certainly getting business advocates and business partners to champion what it is that you’re doing and seeing the real value – and not from the technical bits and bytes that we typically care about, but how the value is being pushed forward for them and making their environments more productive, more available, limiting the amount of impact to certain areas of the supply chain – things that you can enable by converging this gap and making sure that everyone is working from the same sheet of music.
- When we go out and talk to people at our sites, we’ve never encountered anyone that didn’t want to do the right thing. It was more of a question of, we’re not sure exactly what the right thing is to do. And so, from a standpoint of a security professional, you have to recognize that these people are not cybersecurity experts, in many cases they’re not IT experts either. And so what you have to do is you have to make this relevant to them.
Headquartered in Houston, TX, Baker Hughes is a $23B firm providing products and services to the oil & gas industry.
Niyo Little Thunder Pearson, ONE Gas: Use Red Teaming to Help OT Understand the Risk
- One of the fundamental issues that you have with OT and IT is that – and I’ll start from the perspective of the IT corporate side – there’s not a firm understanding of what they’re trying to protect on the OT side. Because if you don’t know what you need to protect, you don’t know how to build anything around it or create a culture of awareness for it.
- By doing that and sharing that with the IT folks, it helps separate out what they thought of as the traditional, “Well, these IT security solutions should work.” And I compare it to putting a square peg into a round hole. IT people constantly try to take IT-related things and push them into OT – without having an understanding of how the OT environment functions.
- And by taking the time to go and understand how it works and how it’s all laid out and how it works together, I think you build a greater partnership with the OT folks, in that you show them that you want to understand how their environment actually works vs. interpreting it in your own way.
- On the OT side, I would say one of the biggest things is that OT has been done the same way for the last 30-40 years. They have a lot of gaps in understanding the reality of the threat situation as it exists today. So one of the approaches we’ve taken is to show them just how real these kinds of things are. Taking red team approaches to show them, “Look, this is the after-effect of what could be caused, and it’s out there today. And here’s why it’s important.”
- And when you close that gap in understanding, they become invested in trying to help protect it. Because in the end we all want to protect, whether it’s critical infrastructure or a manufacturer, any kind of platform that is using any kind of SCADA, ICS – from that standpoint we’re invested in making sure that it’s protected.
Headquartered in Tulsa, OK, ONE Gas is one of the largest natural gas utilities in the United States.
Henrik Perrson, Essity AB: Use OT Security Audits to Create Shared Risk Assessments
- We say IT and expect everybody to know what IT means, and then we say OT and expect everybody to know what OT means. And one thing I’ve been very clear about is what operational technology stands for, so when we talk about it, people actually know the definition. Be very clear when communicating, both with IT about what OT is, and vice versa. Otherwise you can never determine the boundary between them, because they are more interlinked and intertwined than ever before.
- Essity is a large corporation. We have an IT organization and also a global manufacturing organization. That is a boundary from a corporate point of view. But then, we have other boundaries — from a network point of view, an integration point of view, function, safety, all that. Traditional IT security is all about governance and having standards. But if you take all those IT standards and apply them just straight off towards operational technology, there might be a slight mismatch between those areas.
- So it’s about understanding that we have our methodology, now how do we adapt it to OT? And also then add the statement – accept the similarities, but also respect the differences between IT and OT.
- We’re seeing a lot of benefit from our OT security audit program. When we do OT security audits, instead of only assessing availability, integrity, and confidentiality, as soon as you step into the OT world, you add safety, and talk about that and involve the local IT teams and the local OT teams over a table session to do that risk assessment together. It kind of goes with the entire data flow, from the sensors to the MES systems and to centralized IT systems, so you need both IT and OT to be involved.
- We have 18 manufacturing sites around the world and multiple business units. We have personal care, consumer tissue, professional hygiene, and hygiene and health. So it’s also important to understand and respect the differences between our various business units.
Headquartered in Stockholm, Essity AB is a $13B CPG manufacturer.
Ashtad Engineer, Adani Energy: Send IT People Onsite to Live and Breathe OT
- It’s a fantastic opportunity for IT to actually understand the business and our OT processes by sitting with the process engineers. That is where the appreciation comes from – what IT is, what technology is, and what OT is. It’s a fantastic opportunity for the IT guys to understand it’s a multilayered approach rather than the traditional enterprise approach. We’ve been able to have the security guys and IT guys go to the plants, sit with the operators, understand stuff and how it’s architected and that has become a very good enabler for us.
- [Phil] One of the things we talk about with our clients is about protecting the crown jewels. We recognize that you can’t patch everything, but you need to protect the most important assets. And the way to find out what are the most important assets is to talk to the business as you were just talking about, to understand what production lines generate the most revenue or which production lines, if they were to be compromised, might cause a major safety incident. So yeah, you can only do that by talking to the business.
- The OT guys are control engineers. If you really look at it, if you go to a site, it’s a control engineer who’s actually looking after your DCS, your PLC, or SCADA with a bit of IT background, and the IT guys coming down from, “Hey, I’ve got a firewall switch, blah, blah, blah.” But, at the end of the day, it’s the understanding of both these worlds, which needs to converge, from an understanding of the process. And I think that is where it’s very important for each one of them to understand each other’s background, where they come from. And the best thing is to just have them sit together and talk it out and understand.
- The best approach is to just go and live the daily life of a controls engineer down in the plant. That’s the best way to actually understand the process. Because again, making sense of events coming from OT and IT, and bringing that convergence – the people have to understand, is it actually an anomaly, or is it actually part of their process? I think that understanding can only come if you are in the plant and at the site. Go live, breathe, and eat there for at least two weeks, three weeks at the plant and just understand.
Headquartered in Ahmedabad, Adani Energy is India’s largest private power company.
Aaron McKeown, Vector Ltd: Create Shared Responsibilities — and a Unified SOC
- I’m coming from a heavily cloud-focused experience of late, and I see this as the same sort of gap between traditional IT infrastructure and cloud that I’ve experienced over the last six or so years. And really, when I thought about this question, I think about risk and the cloud adage about shared responsibility. And realistically, it’s a shared responsibility between OT and IT, and that’s how we tend to approach things. What that really means is that between the OT and IT teams, they share the responsibility of the risk, the management of the risk, and the implementation of the mitigation for those risks.
- And so those teams have to work together to address those shared responsibilities. At Vector, for example, we have cybersecurity architecture and data teams. Those teams work very, very closely with our business units. And those business units are the units that operate the OT platforms. And so every project we kick off, we see those data and cyber architecture teams working very, very closely with the part of the business that operates the OT systems. And that builds a shared investment and a shared responsibility. So that’s how we’ve been able to bridge that gap.
- But then there’s another point which is the technical gap. We’ve been able to bridge that technical gap by having a unified security operations center (SOC) where we take feeds from both our OT and IT security platforms, add threat intelligence, and then have that unified view for the entire business. So, that’s how we’ve sort of thought about it and how I’m thinking about it myself personally.
- [Phil] So that makes a lot of sense. What did you have to do in your security operations center to get your analysts to understand what a PLC is, or what a PLC stop command looks like and how that’s different than what they might be used to?
- Well, I guess that’s really down to that entire cooperation and handover process. But most importantly, it’s really about them not necessarily understanding what a PLC should do, but rather what a PLC shouldn’t be doing. Anomaly detection platforms are a very, very important part of our entire security operations center capability, so it’s really about developing runbooks and having the security operations analysts knowing what to do when certain things happen inside the environment. Without having runbooks and regular processes, we wouldn’t be able to operate the way we are. But those runbooks can’t just be created by IT security operations people, they need to be created in consultation with the business during the project lifecycle before things are handed over.
Headquartered in Auckland, Vector is the nation’s number one provider of electricity distribution.
Stephen Kraemer, Ports of Auckland: Understand the Differences
- At Ports of Auckland, we are on the cusp of adopting more automation and converging IT and OT [automated cranes, autonomous vehicles, etc.]. We know traditionally that the skillsets and mindsets and even the way technology is managed on the OT side is significantly different than on the IT side. On the IT side, things move fairly quickly. Things are pushed out. 80/20 rule, largely operational. We’ll fix the rest of it as we go, but we need to get it out there and start making it productive, gain those efficiencies, start making money off of that, and all of those types of business pressures.
- But on the OT side, the demands of the infrastructure are quite specific, and the tolerances are very low for information that’s not flowing properly to the right place at the right time. And so it creates a real divergence in mentalities. And so, when it comes to cybersecurity, the only thing the OT people are really concerned about on a day-to-day basis is availability. They need the ones and zeros and the information and the signals to be flowing to the equipment so that it can do its thing, and it has to happen in real time.
- On the IT side, it’s more about the confidentiality and the integrity of the information. We don’t want our information shared. We need our information to be accurate when we’re doing finances and that sort of thing. And so it’s not that these principles don’t apply to the other side, but they start from different ends of the spectrum and that does create that gap.
- So the approach from a cybersecurity side, which traditionally has its roots in IT, is to take a different perspective and learn from people on the OT side, and try to bring them along on a journey that, in many regards, CISOs themselves are just getting their heads around.
Ports of Auckland is a major container port.
Gareth Stewart, Mundipharma: Help Someone Solve a Problem
- The way I approach the integration of OT and IT, especially with people, is I was a bit lucky where I had done enterprise architecture in my company before, and the main thing I did was a couple of networking projects with the OT folks that really opened me up to knowing who they are, knowing what they have to deal with on a daily basis, and how can I help them. Then, when I moved over to a security role, I was already well-known to them, and they were also well-known to me. So there’s a bit more of an open door than other people might experience.
- But the main thing is being in a position to help somebody. That’s what will get you a good reputation – to help someone with a problem, whatever it is. If you’re an IT security person, you should leverage your other IT functions to help them with a problem if they’ve got one, or bring to bear some of the enterprise skills that the manufacturing team may not have just because they’re used to working in a very different way. That was my approach, anyway.
Headquartered in Cambridge, UK, Mundipharma is a leading pharmaceutical company with revenues in excess of €1 billion.