Cyber Playbook: Information Technology vs Operational Technology – How to Leverage IT to Secure Your OT Systems

January 31, 2022

Contributed by Chris Thomas, Senior Security Consultant, Advisory, Professional Services

Information Technology (IT) primarily refers to hardware, software, and communications technologies like networking equipment and modems that are used to store, recover, transmit, manipulate, and protect data. 

Operational Technology (OT), on the other hand, was born out of the need for Industrial Control Systems (ICS) to keep up with the innovations and progression we've seen in complex physical processes like factory operations. Gartner defines it as "hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events." Industrial Control Systems are a major component of OT, comprising the systems used to monitor and control industrial processes. They are typically mission-critical applications with a high-availability requirement.

In the past, IT and OT security have generally had very different priorities. IT security focused on securing system and data confidentiality, integrity, and availability. OT security focused on protecting physical operational safety, productivity, and reliability. 

Today, OT systems, Industrial Control Systems, and physical industrial processes are becoming increasingly complex and meticulous in their purposes and capabilities. This has resulted in the need to leverage IT systems and security tools to manage and secure OT networks. 

The Need for Greater OT System Security 

Securing your OT infrastructure has never been more important. While there has always been a risk associated with not protecting your Industrial Control Systems using established IT-style practices, today’s landscape shows that it is no longer a matter of "if" but "when" an organization's system will be targeted.

Operational technology has seen innovations that allowed it to become safer, more efficient, and more reliable. But technological advancement inherently results in greater cyber risk, and today's OT systems are more vulnerable than ever. 

As threat actors continue to target critical infrastructure and industrial assets, we have seen ICS cyber-attacks increase in frequency and sophistication. Not only are threat actors using IT attack techniques to access OT systems and disrupt operations and production, but they are also using poorly secured OT systems to gain access into enterprise IT networks. These attacks take advantage of the siloed dynamic between Operational Technology and Information Technology systems and security, and they are costing victims in lost production, revenue, ransomware payouts, and overall loss of faith in businesses once an incident has occurred.

Leveraging IT & OT for More Comprehensive System Security 

Traditionally, ICS systems have been considered to be "air-gapped", meaning that while they used some IT equipment and practices, they weren't externally connected. However, as physical devices and processes become more dependent on IT systems to operate and as the need for data collection and analytics has grown, it has become clear that we need to start adapting our approach to securing OT by integrating IT security tools and best practices. Simply put, OT devices and networks should be brought into the Information Technology security realm of control. 

While this task is simple, it isn't necessarily easy. Fully integrating Operational Technology with Information Technology hasn't come without its challenges. Many practices that are well developed in the IT world, such as regular and remote vulnerability patching, are not always well suited to Industrial Control Systems. If tools like a vulnerability patch have not been properly tested for use within the ICS environment, implementing them can result in system failures, loss of visibility or control of the process, and in some cases, entire plant shutdowns.

Furthermore, addressing Operational Technology system security with Information Technology security controls requires a keen understanding of both IT systems and your enterprise's specific ICS systems. In short, you can't just integrate the two and get results. A successful OT cybersecurity program requires a specialized mix of people, processes, and technology that can best secure OT specific equipment and software. 

Developing IT/OT Convergence  

Information Technology and Operational Technology convergence enables the two technologies to integrate and interoperate as a single cohesive system. Ultimately, it seeks to help physical devices and processes adapt and improve by leveraging digital technologies, systems, and security solutions. Here are some key considerations when developing IT/OT convergence for your enterprise: 

Take a Collaborative Approach from Start to Finish 

Historically, enterprise OT and IT teams haven't worked closely, and their different priorities tend to be at odds. Addressing disparate teams requires regular collaboration and consistent and transparent communication. When either group's priorities are overlooked, it can lead to:  

  • Discord within your team 
  • Security oversights that lead to gaps in your coverage 
  • An increase in costs due to duplicated efforts 

Engaging a third-party partner like a Managed Security Services Provider to act as an extension of your IT/OT cybersecurity team can be a great way to mediate and guide this process. Taking a collaborative approach to converging your OT and IT systems will not only result in a better cybersecurity program but will also ensure more efficiency, buy-in, and better cooperation from both OT and IT teams.

Develop and properly communicate your goals 

Work with both teams to develop clear, feasible, and measurable objectives for your IT/OT security strategy that include both teams' priorities and goals. Ensure everyone understands the goals and the ways in which Information Technology and Operational Technology systems management will overlap. 

Build your team the right way 

Define and assign roles and responsibilities for everyone who will be involved with the IT/OT cybersecurity program. Once you have defined and assigned roles, it is essential to train your team in both IT and OT systems so that everyone is familiar with both. At the end of the day, both Information Technology and Operational Technology expertise will be required for an effective cybersecurity strategy. Educate your OT and IT teams on your organization's specific IT/OT system needs along with general best practices.

Leverage the Right People, Processes, and Technologies 

Assign an IT/OT Security System team lead 

Along with your diverse team of IT and OT talent, the National Cybersecurity and Communications Integration Center recommends your team include a cybersecurity manager to oversee the development and implementation of: 

  • Policies 
  • Procedures 
  • Monitoring and protective/detection controls 
  • Employee training 
  • Regular assessments 
  • General best practices 

Include efficient processes specific to your enterprise's OT system needs 

While asset discovery is a common process in IT cybersecurity, OT systems rarely include it in their protocols. It's time for this to change - identifying all OT devices on a regular basis provides crucial visibility for your cybersecurity team. Remember - you can't secure what you can't see. 

Your processes should also consider mission-critical demands. OT production systems are often required to function 24/7/365. Turning off or pausing operations for upgrades or updates often leads to significant loss of revenue and sometimes even physical risk. This puts businesses in a difficult position and in many cases, results in potential security vulnerabilities being ignored. Develop processes that address this challenge by ensuring your cybersecurity protocols and policies accommodate your operational technology system's limitations. 

Choose your technologies wisely 

Before building your IT/OT cybersecurity program, assess your current Operational Technology system. Many organizations still have legacy OT systems that incorporate few, if any, security features. More often than not, these legacy systems can't be upgraded to include new security features due to proprietary designs. Evaluate your systems for security - OT devices that can't support the requirements and meet the objectives outlined by your team for your IT/OT converged security system may need to be replaced with a new or updated Operational Technology device.

Once you've assessed your current system, take a collaborative approach to identify and deploy tools that provide visibility and control over your Information Technology and Operational Technology assets. Together, your tools should form a program that provides solutions for: 

  • Discovery 
  • Configuration 
  • Management 
  • Security  

Operational Technology and Information Technology will only continue to intertwine as we move forward. As with any specialized and essential enterprise component, securing your OT system will require identifying and deploying proper structure, governance, staffing, tooling, and training. Understanding the difference between IT and OT systems and how you can converge them to accelerate your enterprise cybersecurity program will be key to ensuring the security function for your overall industrial environment.  

To learn how Herjavec Group can help you leverage IT security tools to better secure your OT systems, please connect with a security specialist here.

The team at Herjavec Group is made up of best-in-class, global talent and some of the most highly respected professionals in cybersecurity. With decades of experience and lessons learned, we want to share our insights with you. From the HG Playbook is a blog series where our diverse, specialized thought leaders will discuss all things cybersecurity. Every month one of HG’s experts will provide advice and insights based on their extensive experience in the infosec industry. Make sure to subscribe below and feel free to connect with us about topics and questions you would like to see covered.
