A friend of mine, who was helping a client achieve their goal of modernizing their factory a few years ago, narrated a moment that really stuck with him. The client was planning to integrate real-time analytics from the operation floor with a cloud-based dashboard, targeting optimum production efficiency using IoT sensors and predictive algorithms.
The problem, you ask? The OT teams had never connected their systems to any public cloud and were wary of doing so.
My friend could understand the hesitation (and now, so can I). The PLCs (programmable logic controllers) and industrial control systems were built to fulfil manufacturing objectives (stability, uptime and safety), not cyber resilience. However, their leadership had already made the decision and were continuing down the path of “digital transformation,” the onus of which was put on him. The key learning in this scenario was that the change would require a cultural shift; it is not just a technical problem.
Inspired by this story, I’ve explored this convergence and how it’s re-prioritizing cybersecurity in key “non-high-tech” industries (manufacturing, energy, logistics and even the FMCG sector) in my related ISACA Journal article. Here, I’d like to walk through some of the key practical learnings on how to bridge that divide in the real world.
Connectivity Comes at a Cost
With the line between IT and OT thinning as time progresses, the biggest challenge now is the attack surface, which is growing drastically. This is owing to the journey from once air-gapped systems to systems now exposed through remote access tools, cloud platforms and connected IoT devices. These systems, however, were designed for their own functionality and reliability, not for modern-day cybersecurity threats. This means weaknesses like unpatched firmware, hardcoded credentials and flat network topologies are still incredibly common, and they are well known to cybercriminals, leading to increased attacks such as ransomware and supply chain compromises.
IT and OT: Different ‘Security-verses’
Confidentiality, Integrity and Availability are the three tenets (the CIA triad) that traditional IT security prioritizes. The OT security world, however, revolves around Availability, Safety and Reliability. To put things a bit crudely, you can’t reboot a power plant to install updates or run active scans during business hours if it risks disrupting operations. Therefore, a more customized IT security approach is required to accommodate the unique constraints of the operations environment.
IT Meets OT: From Isolation to Integration
Below are some practical steps to begin bridging this gap:
- Inventory and Visibility: This is where OT can start tracking its assets (devices or sensors), especially the ones that are connected to networks and/or undocumented, and where network monitoring tools can help maintain a clear view of what is actually deployed. A basic audit of devices with internet exposure (and of the ones that control critical processes) produces a tiered strategy that goes a long way in prioritizing risks.
- Network Segmentation and Zero Trust Principles: Absolute security is a myth. When it comes to practical approaches, it’s always recommended to create smaller segments of your networks to minimize the blast radius of a potential security breach. A good start would be to isolate IT and OT systems by firewalls or ACLs (access control lists).
Beyond segments, adopt and embrace Zero Trust. In the context of OT, this means granting access based on real-time context, wherein every interaction should require explicit trust.
In this context, think of it like replacing a wide-open warehouse with a series of badge-controlled rooms.
- Culture and Communication: This is the most underrated point. Generally, IT and OT teams are like two diplomats who don’t speak each other’s language. Both may have good intentions; however, IT professionals are used to agile methodologies and software lifecycles that run for weeks, and OT folks are focused on safety and reliability standards that stay similar for years, and sometimes decades. The onus of this communication falls on the shoulders of the leadership (and sometimes an evangelist) who helps translate and filter the important parts to the other side of the table.
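The inventory-and-tiering step and the IT/OT segmentation step above can both be expressed as simple, repeatable checks. The following Python script is an added example, not code from the post or from any product it mentions: it tiers a constructed asset list by internet exposure, process control and documentation status, and then checks a constructed list of observed zone-to-zone flows against a default-deny segmentation policy (IT may reach only a DMZ historian; only the DMZ collector may reach PLCs). The zone names, ports, device names and the policy itself are assumptions chosen for illustration.

```python
"""Added example (not from the original post): tier OT assets for risk
prioritization and flag flows that violate an IT/OT segmentation policy.
All assets, zones, ports and flows below are constructed sample data."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str              # assumed zone names: "ot", "dmz", "it"
    controls_process: bool  # does it drive a physical process?
    internet_exposed: bool  # reachable from outside the plant network?
    documented: bool        # present in the official asset register?


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


def tier(asset: Asset) -> int:
    """Tier 1 = highest priority. Exposed process controllers come first,
    then anything exposed or controlling a process, then undocumented
    devices (unknown risk), then everything else."""
    if asset.internet_exposed and asset.controls_process:
        return 1
    if asset.internet_exposed or asset.controls_process:
        return 2
    if not asset.documented:
        return 3
    return 4


def prioritize(assets: Iterable[Asset]) -> List[Asset]:
    """Order the inventory by tier, then by name for stable output."""
    return sorted(assets, key=lambda a: (tier(a), a.name))


# Assumed default-deny policy: only these (src, dst, port) flows are permitted.
ALLOWED_FLOWS = frozenset({
    Flow("it", "dmz", 443),   # dashboard pulls data from the DMZ historian over HTTPS
    Flow("dmz", "ot", 502),   # only the DMZ collector polls PLCs over Modbus/TCP
    Flow("ot", "dmz", 443),   # PLC gateway pushes telemetry into the DMZ
})


def policy_violations(flows: Iterable[Flow]) -> List[Flow]:
    """Return observed flows the policy does not explicitly allow."""
    return [f for f in flows if f not in ALLOWED_FLOWS]


# Constructed sample inventory and observed flows.
SAMPLE_ASSETS = [
    Asset("plc-line1", "ot", True, False, True),
    Asset("plc-line2", "ot", True, True, True),    # vendor remote access left open
    Asset("hmi-packaging", "ot", False, False, False),  # never put in the register
    Asset("historian", "dmz", False, False, True),
    Asset("dashboard", "it", False, True, True),
]

SAMPLE_FLOWS = [
    Flow("it", "dmz", 443),
    Flow("dmz", "ot", 502),
    Flow("it", "ot", 502),          # IT host talking to PLCs directly
    Flow("internet", "ot", 3389),   # RDP from outside straight into OT
]


def run_audit(assets=SAMPLE_ASSETS, flows=SAMPLE_FLOWS) -> dict:
    """Combine both checks into one report a team can act on."""
    return {
        "tiers": {a.name: tier(a) for a in assets},
        "violations": policy_violations(flows),
    }


if __name__ == "__main__":
    report = run_audit()
    for a in prioritize(SAMPLE_ASSETS):
        print(f"tier {tier(a)}: {a.name} ({a.zone})")
    for f in report["violations"]:
        print(f"VIOLATION: {f.src_zone} -> {f.dst_zone}:{f.dst_port}")
```

The policy is deliberately a whitelist: any flow not listed is a finding, which mirrors the Zero Trust stance that access is granted explicitly rather than assumed from network position. In practice the asset list would come from passive network monitoring and the flow list from firewall or NetFlow logs; here both are hard-coded so the script runs offline.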
Tuning the Tempo: Getting the IT/OT Rhythm Right
In the project I mentioned at the top of this blog post, all-in connectivity was not achieved on day one (or even day 60). They started with non-critical systems first, created a digital twin of the factory, and slowly introduced segmentation. This helped bridge the trust gap before anything else.
Bridging this gap is a journey. It requires planning, technical knowhow and, above all, understanding and respect for the distinct values each side of the aisle brings.
However, it always helps to remember that cybersecurity is an ever-evolving and fast-paced field in which attackers keep finding newer ways to penetrate the system.