IT, OT Must Adapt for IoT: Experts Share How

Wednesday, July 15, 2015 @ 10:07 AM gHale

By Heather MacKenzie
The Internet of Things means more and more devices are connecting to industrial networks. And these “things” aren’t just the controllers and related computers “owned” by the OT department or the computers and network devices “owned” by the IT department.

The “things” might also include everything from physical security IP cameras and networked badge readers to HVAC systems and mobile devices.

One vulnerable system is a potential pathway to all systems. Given the mammoth nature of this change, we decided to work with our corporate sibling, Tripwire, to poll IT and ICS security experts about IoT.

We asked them:
1. How does the IoT change the dynamics between IT and OT?
2. What practical tips do you have for how the two groups can work together effectively?

We present their responses and explain how they add up to news you might want to be sitting down to read – there are three ways OT and IT have to change.

How Does the IoT Change the Dynamics between IT and OT?
Most security experts say the IoT is changing the size and shape of the industrial network. At one level, this is about the ongoing adoption of Ethernet infrastructure and Commercial Off-the-Shelf (COTS) technologies for factory and critical infrastructure communications.

At another level, all kinds of other systems might be connected to the industrial Ethernet infrastructure. This includes connections to more and more enterprise systems, cloud-based applications, building systems, physical security systems, BYOD, BYOIOT and more.

“The ‘IoT’ is in large part the ultimate physical merging of many traditional OT and IT components.” – Chris Blask

“At some point in the not too distant future, we will only have technology. Not more IT/OT distinction. Just T.” – Patrick Miller

Many experts see the integrated network of the future as requiring a “holistic security strategy.” – Eric Byres

The above narrative is not consistent across all experts though, particularly when it comes to legacy ICS.

“The factory floor is typically pretty static, with little change, since the objective is maximum profit at highest production availability and least risk impact.” – Pat Differ

“IoT is not changing the dynamics between IT and OT…. [While] the systems have been converging for years…. OT specifically focuses on the control of systems and the physical processes…. IoT’s inclusion…. will not impact the difference between IT and OT.” – Robert M Lee

“The ‘OT is different than IT’ fallacy stems from ICS professionals comparing OT to desktop management. OT is mission-critical IT.” – Dale Peterson

While not everyone agrees on the impact of the IoT, all of them see a future where IT and OT will be working together a lot more closely. It might take “the culture 20 years to catch up”, as Patrick Miller says, but it is going to happen.

“In an IoT environment, it is abundantly clear the fractured IT/OT relationship will need to become stronger and more connected.” – Greg Hale

“Achieving the vision of the IoT requires closer cooperation between the OT and IT worlds than has historically been the case.” – Jeff Lund

What, then, are the practical tips for adjusting to this new world order?

1. Practical Tip: Get Ready for Cross-Functional Goal Setting and Metrics

Technology convergence and/or the IoT will erode typical departmental silos. You can be a constructive player in this changing game by accepting it and bringing forward ideas to foster cross-functional teamwork.

Support the leader “who creates a collaborative environment and metrics that emphasize teamwork.” – Gary Mintchell

Work towards establishing “one playing field with role-based training and awareness programs for IoT. [These programs should] outline corporate objectives, eliminate potential silos and insure daily cooperation with all stakeholders.” – Pat Differ

“Senior management can first identify all the various IoT systems, be clear who is responsible for each one and then drive consistent behaviors for security throughout the company.” – Eric Byres

2. Practical Tip: Improve ICS Security Skills and Capabilities
If you do not have strong security or ICS skills today, make a plan to either get them yourself, add them to your department or form a close partnership with a third party who can provide them.

“The days when engineers could connect things to the network but not know how to make them secure are over… Get educated [on security] or get help but don’t wing it. That doesn’t work any longer.” – Doug Brock

“For IT security pros that want to start to cooperate on security with OT, learning about how OT works is a great starting place. Whether that means buying a PLC training kit and learning what these devices actually look like in OT environments, or taking an Industrial Security Controls class, or just reading a book on the subject, go in with an open mind and learn about that other side.” – David Meltzer

“Work with consultants who have IT and OT capabilities and live in both worlds on a daily basis. They will provide real balance and clarity as they understand the objectives of both disciplines.” – Pat Differ

3. Practical Tip: Improve Teamwork and Communication Skills
“When IT and OT understand they must work together, efficiently communicate and leave any and all egos and fears at the door for the greater good that will be the start of a positive dynamic.” – Greg Hale

“Walk a mile in their shoes. Spend some time (like more than a day – try a week or a month) working side by side with the other.” – Patrick Miller

“Having OT personnel integrated into an IT security operations center or security team and having IT personnel learn more about ICS will ensure a better approach towards security.” – Robert M Lee

“Buy more coffee and lunches. In all honesty, the most practical tip is to execute on having some people skills and cooperating to ensure that there is a bright-line for responsibility and that where knowledge transfer can be undertaken it is obvious that the transfer happens. There is no need for conflict – and if necessary, sit people down and let Big Bird teach them about cooperation.” – James Arlen

“Both sides need to remember that it is a two-way street and if they work together, they can support each other.” – Chris Blask

Heather MacKenzie is with Tofino Security, a Belden company.