October 17, 2018 at 5:30 pm #25656
Over the past year we have read many posts and papers from a range of experts introducing a new concept called “IT-OT convergence”. It is not difficult to guess which experts or teams within the organization are pushing for this new trend. IT experts have been around since the early 80’s, when personal computers started their penetration into the organization, replacing the mechanical typewriters, initially operating as stand-alone PCs and later connected to the organization’s network and to external data networks. Industrial Control Systems (ICS) and Operational Technology (OT) systems managing critical infrastructure were traditionally disconnected from external networks, and the main concerns were directed at assuring operating safety and reliability. Data connections between the IT and OT networks started after the Stuxnet event, when management realized that the “air gap” does not protect their operations and that internally generated cyber-attacks are possible. Consequently, organizations started developing OT cybersecurity expertise. Although both IT and OT systems utilize similar computer hardware and operating systems, the cyber defense concepts are different. While IT experts focus on assuring CIA (Confidentiality, Integrity and Availability), OT experts must focus on SRP (Safety, Reliability and Productivity). This article outlines the main reasons why organizations must develop internal OT cybersecurity expertise and keep it as a separate team within the organization. While positive collaboration is appreciated, IT cyber security experts shall not impose their practices on OT cyber defense.
Why did the talk about IT-OT convergence start?
IT architecture experts and IT cyber security experts started their activity in organizations much earlier than OT experts. They earned a high reputation by frequently patching the operating system, deploying antivirus, performing quick fixes by remote access, upgrading memory, formatting disks, providing internet access, etc., activities that the ordinary employee needed for conducting his daily tasks. Consequently, the IT team in each organization grew, and every department had its own IT guy. Although OT systems use similar computers, operating systems and firewall defenses, the architecture is built differently. Based on my experience with OT architectures, I wonder what the true definition of “IT-OT convergence” is, considering that both worlds use the same hardware, software, firewalls and operating systems. I ask that question because control architectures were built with SRP in mind, versus IT systems which were built with CIA in mind. You should not be surprised to hear an OT operations manager saying to the IT guy: “I’m responsible and I’ll not allow any changes that might create safety risks”.
Being aware of cybersecurity risks, organizations started recognizing this situation and also accepted these differences as a reason for employing OT cyber security experts. But then the team of IT security experts took the CIA triad, rotated the letters into a new order (ICA, AIC, etc.) and said: “OT cybersecurity also uses the same 3 letters… so what is the difference?” Then came the IoT, which expanded the activity of the IT experts and justified adding more people to their department. They learned that each IoT device increases the cyber-attack surface and creates new risks that must be treated. Then came the Industrial IoT (IIoT), which is significantly different from the IoT but also increases the attack surface. So, shall we handle the cyber defense for IIoT devices in the same way we handle the cyber defense for IoT devices just for the sake of “IT-OT convergence”?
Can we live without “IT-OT Convergence”?
Of course, the answer is “Yes we can”. As already stated above, cybersecurity tools for IT are absolutely not suitable for industrial architectures, and as a result cyber defense for OT systems, and especially legacy-age OT systems, requires a different approach. While IT networks are defended by standard cyber defense components, to properly defend OT systems you must be an OT expert. You must understand the control architecture, understand the principles of the industrial process, understand the level of damage that might occur, and realize that you deal with legacy components which cannot be upgraded or replaced. Can you imagine an IT expert dealing with these challenges? When something goes wrong in the IT world, you might lose data, which can generally be recovered from backup systems. If something goes wrong with an OT system, the mechanical machinery might get damaged (as in the Stuxnet event) and people might lose their lives.