The IT-OT Connection: How the Two Work Together

April 14, 2021
| |
4 min read

Where hardware meets software, attackers can sneak in. More and more, threat actors are targeting Industrial Control Systems (ICS) and Operational Technology (OT). IBM X-Force found that the number of attacks against those types of assets increased by over 2,000% between 2018 and 2019, with the number of ICS and OT attacks in 2019 having eclipsed the total volume of attacks for the preceding three years combined. Many of those IT-OT attacks involved password spraying. Others cover the exploitation of known openings affecting Supervisory Control and Data Acquisition (SCADA) and ICS OT assets.

How the IT-OT Convergence Contributes

This is partially due to the ongoing convergence between OT and information technology (IT).

For years, most entities kept these two teams separate. IT and OT teams worked in their own respective silos. IT workers came to understand the need for access controls, encryption and other security basics in order to defend the enterprise against an emerging array of web-based threats. Meanwhile, OT workers sought to keep their SCADA systems, ICS and other industrial assets running in the name of public safety and national security. There was no need to expose those OT systems to the web. They just needed to make sure those devices continued to function properly.

Side Effects of Digital Growth

Things changed for many entities when they launched into their respective digital transformations. Along the way, they realized that they could improve their industrial processes by bringing their IT and OT devices together. By introducing web-connected sensors, monitors and other Industrial Internet of things (IIoT) devices into their OT landscapes, for instance, they reasoned that they could gain real-time insight into their industrial assets. They could then use that insight to perform preventative maintenance and minimize downtime, thus improving their OT assets’ up-time through IoT cybersecurity.

The issue is that OT systems today lack the right features to withstand modern digital threats. Many of these assets are decades-old systems that can’t receive updates remotely. (That’s because they might not support the protocols that are needed to connect over the web in the first place.) Some might support an on-site update process; in that scenario, you still need to schedule a time for a team to arrive on-site, disable the asset for a short time, implement the fix and bring it back up — a process that costs time and money. Others are so-called ‘legacy’ systems that don’t have a viable means of receiving updates anymore due to their advanced age.

And, the IT-OT convergence risks exposing at-risk OT systems to the web. These connections give malicious actors all they need to conduct a brute-force login attempt or exploit an opening in the software. In some cases, those threat actors could undermine a victim’s industrial processes. In turn, that could threaten public safety and/or national security if that organization works in a Critical National Infrastructure (CNI) sector such as oil and gas, electric, transportation or medical.

A Critical Security Juncture

Entities that have embraced the IT-OT convergence find themselves at a critical juncture. They realize that digital attackers have them within their sights. Over half (51%) of U.S. industrial enterprises told Claroty they were more of a target in 2020 than in previous years, as an example. Two-thirds of survey respondents said they had witnessed digital criminals using new techniques to target them.

But they can only do so much when they have a cultural divide between their IT and OT teams. Professionals on both sides are used to working in their own silo. Therefore, they might not have a frame of reference for where the other side is coming from. They may not know what their security priorities are or what they might need to secure their assets. Without this, you can’t use the IT-OT convergence to align their defenses across all of their systems.

Teamwork as a People Problem

To foster teamwork between IT and OT, first focus on the people aspect of your security program. They need to help their two teams understand one another. They can look to another example of team-building in the tech space: that of bringing developers and operations personnel together into DevOps (or of bringing DevOps together with defense teams into DevSecOps).

Using those examples, the first step is to generate transparency between IT and OT. This will help them learn about each other’s priorities and concerns. A good step toward doing this is holding a meeting or a series of meetings with members of both teams. During those meetings, encourage members to share their roles, priorities and work with one another. They can also lead talks that use common security goals — that is, avoiding a security incident — to emphasize the duties shared by IT and OT.

You can then leverage more meetings as a foundation on which to build ongoing IT-OT teamwork. This is a process, so heed the advice of DEVOPSdigest and start small. For instance, you could begin with a pilot program with a few people in a limited setting. Perhaps they can use a single sensor deployment for their industrial processes as a chance to get things started. They can then have meetings with those members to find out what’s working and what’s not. From there, they can enshrine what they’ve learned into formal policies and processes. With time, those can apply to all of their security employees and environments.

A Collaborative Approach to IT-OT Security

Once your teams are working together, you can focus on how to use that connection to advance their security posture overall. This could involve putting in network segmentation in a way that reflects the organization’s data transaction flows while cutting down on the potential for OT security risks. Or, it could involve using the power of IT to harden OT assets more broadly against digital threats. Whatever the use case, it all starts from the same place: a shared mindset by IT and OT that securing their assets is the core of their work.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more