Unifying IT and ICS/OT Security Ecosystems

Joanna Burkey

Senior Analyst, TAG Infosphere

A challenge that many Chief Information Security Officer (CISO)-led teams must address today is the difference in culture, training, and day-to-day business focus between traditional industrial control system (ICS)/operational technology (OT) practitioners and the teams responsible for IT-related cyber defense.

This is most prominent, of course, in industries such as energy, oil, gas, and utilities, where ICS/OT is central to the business.

As mentioned earlier in this blog series, one of the primary challenges in this space is the integration of IT and OT systems. These systems differ not only in their design and operation, but also in their physical environments, business processes, and the people that administer and use them.

One of the most important aspects to the convergence of IT and OT systems from a security standpoint is that there is not a single “right way.” While it might make sense for one organization to have a completely unified approach to the monitoring and operation of all systems regardless of type, another organization might have very good reason not to.

What is non-negotiable, however, is that every organization must intentionally develop an IT/OT integration strategy that addresses two key aspects of doing business: operations and culture.

IT/OT Operations

Not too many years ago, there was very little similarity in the daily tasks of an OT practitioner compared to an IT practitioner. As OT systems become increasingly connected and digitized, we now see both types of operators performing tasks that appear identical on the surface – applying software upgrades, managing patches and vulnerabilities, and conducting software failure checks.

But there is a key difference between these two types of systems that strongly influences their operations: in general, IT systems exist to move and store data, while OT systems exist to monitor and control physical processes.

In practice, this means that IT systems are usually highly interconnected and run on common, well-known operating systems such as Windows and Linux. By contrast, OT systems are often autonomous, contained, and run on proprietary or vendor-specific operating systems and firmware.

What does this mean in practice? Consider patch management: the goal is the same for both system types, but how it is done varies dramatically. An IT server can typically be patched and rebooted on a regular cycle, whereas an OT controller is usually patched only with a vendor-validated update, during a planned maintenance window, and after the safety implications of taking it offline have been assessed.

It is tempting for the security professional to design a security strategy with IT systems in mind, usually through an unconscious bias toward the environment they know best. An awareness of how these systems differ in operation and function, especially within a particular organization, is vital for the security engineer.

Culture of IT and OT 

It is easy to focus on the functional differences between IT and OT systems and thereby overlook the significant cultural and mindset differences that often exist among their respective operators. Take the standard CIA triad of Confidentiality, Integrity, and Availability: both IT and OT share a critical need for integrity and availability.

Historically, however, confidentiality has been less of a focus in OT than safety. It is not too much of a stretch to say that CIA rules the day in IT, while SIA (Safety, Integrity, and Availability) rules the day in OT.

Thinking safety-first rather than confidentiality-first has a subtle but important influence on the mindset and working approach of the operators and administrators of OT systems.

One positive side of this effect, as Cloud Range reinforces with its users, is that a strong cultural focus on safety already exists in the OT world, so augmenting safety with security is a logical evolution.

But this difference in thinking also means that certain operations that seem innocuous to the IT practitioner, such as rebooting a system to apply a patch, which has no measurable effect on confidentiality, are not trivial actions to the OT practitioner, because safety can be hugely affected.

There are often strong regulatory and practical components as well: restarting systems in certain power plants can take hours because of the safety and redundancy checks that must be performed first.

As with the differences in operations described above, these differences in culture and mindset can be critical blockers if they are not accounted for in a cybersecurity strategy that applies to both IT and OT environments.

Lessons for IT and OT Practitioners

While IT practitioners have learned many lessons over the years that apply readily to the OT world, we must be careful not to assume that the two environments are the same in all respects.

The recommended first step when unifying IT and OT/ICS environments is to bring the teams from each side together for joint planning. This should include both strategic and operational work that relies equally on the knowledge and context that the various team members bring to the table.

One of the best tools for accomplishing this operational unification is to run tabletop and simulated incident exercises as a joint team, giving both sides an opportunity to learn each other's language and ways of thinking, and to see what threat mitigation looks like in each environment.

These exercises are where a cyber range, such as Cloud Range's, can be extremely valuable, as it provides a virtual environment in which to run a variety of threat simulations that affect both IT and OT ecosystems.
