Much has been said about the need to protect the world's critical infrastructures from cyber threats. Risk factors, such as an increased threat landscape, geopolitical instability, and most importantly, the global shortage in OT cybersecurity skills, have turned today into the most dangerous period for industrial companies.
Bridging IT and OT networks lays the path for a more secure future. Unfortunately, very little has been written on how to do it. So let us begin . . .
Protecting IT and OT environments
Despite the similarities between IT and OT environments, (“It’s all T”) there are some critical differences in how both environments are protected. Most important is making sure that employees have the required knowledge and tools to implement the protection measures.
If you take away one thing from this blog, let that be it.
What’s the difference between IT, OT, and ICS?
Cyber defense workers may be familiar with and experienced in the processes and technologies for protecting the traditional computing environment (IT); however, their knowledge and ability to realize the same concept and level of protection for the operating environment (OT) is limited. This limitation is due, in part, to the following challenges:
- In IT data protection, information is guarded. Any damage inflicted to the information may lead to loss of trade secrets and/or sensitive data and impairment of data availability/data integrity. These events are classified into the following categories:
- In OT Systems, the protection of the confidentiality of the information and sensitive data is second to that of the operational process, namely, the "safety aspects and business operational implications related to the production line process," which can be impacted by a cyberattack.
It is therefore evident that in OT systems, the main priority is the organization’s ability to continue producing, and that comes down to the people, processes, and technology.
The differences between People, Processes, & Technology in OT systems
Knowledge – Those familiar with the protection of IT environments (protocols, products, tools and more) typically do not understand the knowledge shift required when assessing risks, choosing protection solutions, monitoring, and preparing a recovery plan for operating environments.
Collaboration – The ability to make reviews/changes and the hardening of the requirements should demand deep collaboration and trust between the organization’s two units.
While cyber defense professionals usually have the knowledge required to talk to IT professionals, building trust and conversing with operations/control professionals is different for the most part.
External parties' dependencies – Support and maintenance are often provided by dependent professional parties and are under warranty. The client’s ability to influence them is low (such as a system vendor or expert software from abroad).
Expensive cost of the production line and business operations - As part of risk reduction, a dedicated area for running files and simulations can be considered a preliminary process to the network online process. (Learn about Sophic Zone)
The limited supply of dedicated protection solutions – While solutions such as code analysis, vulnerability detection, staging systems simulations and others are available and embedded into many systems around the world, they may not always be compatible with dedicated ICS environments or approved for use by the manufacturer or by the equipment’s operators.
Use of old and unchangeable technologies - A network that has not been given proper security inputs in the characterization and construction process, the use of old controllers, protocols and traditional communication based on old and unsupported classical technologies; all leading to difficulties in running antivirus or security updates, etc.
Equipment Lifecycle - While IT equipment is replaced relatively frequently, the replacement of a controller or component of SCADA involves significant efforts, resources, and financial costs to the organization. These increased costs lead to keeping equipment that is 10-30 years old or more, which can be protected using limited tools that do not fit with the contents.
Now that you understand the differences between IT and OT, in a future blog, we will reveal steps to bridging IT and OT personnel to create a unified cyber team.