In a successful marriage, each partner understands what the other needs—and what they can’t tolerate. Industrial cybersecurity requires the same sort of partnership, in this case between the operational technology (OT) and information technology (IT) teams. IT contributes the cybersecurity tools and skills. OT brings an understanding of each asset, its impact on the business, and when it can be taken down without affecting safety or production. Neither team can succeed alone.
In our work with manufacturers and critical infrastructure providers around the world, we’ve seen that OT and IT teams often have biases that can derail collaboration. In this blog I’ll explain these misunderstandings and how to overcome them to protect industrial networks.
Cybersecurity is a relatively new concern for OT teams, who might see it as “yet another constraint.” Industrial control systems (ICS) engineers have dealt with complex process controls for years. Understandably, they tend to assume that cybersecurity is just one more. In their view, OT cybersecurity can be added early when designing an industrial project and managed in the same way as safety or reliability.
They are not wrong—but they need to be aware of important differences. For example, where electrical systems designs can be good for decades, new cyber threats pop up every day. Attackers have the motive (money) and the opportunity (a growing set of tactics and software) to find and exploit the weakest link in industrial networks. Cybersecurity requires continuous improvement to cope with the fast pace of change.
Our recommendations for OT teams:
IT teams might think they can apply the same security practices to OT systems that they use for enterprise applications like email. They’re also biased toward making IT the sole administrator of OT systems, reducing the risk of stolen credentials or configuration changes that could introduce vulnerabilities.
Both biases cause big problems. Take patching. While most IT systems can be briefly taken down for security patching, many OT systems can’t. OT is about producing goods and services 24 hours a day, seven days a week. A furnace operating at 1300°C can’t be stopped for a controller patch.
Restricting administration privileges to IT is another non-starter. ICS engineers are accountable for production and worker safety. If something goes wrong, they’re the ones who get the 2:00 a.m. phone call. An operator responsible for power distribution to hundreds of thousands of people can’t wait for an IT administrator to change a setting.
Unlike IT environments, which typically have few software and hardware vendors, industrial networks often connect solutions from hundreds of vendors—including niche products developed by local companies that might be key to running the industrial process. This variety complicates traditional IT security programs like patching and vulnerability management.
Our recommendations for IT teams:
Like a marriage, industrial cybersecurity requires understanding and teamwork from IT and OT. Treat OT security as a change management process, encouraging each department to embrace the other’s perspective. Start by recognizing your biases so you can become a good partner to reach your common goal—stronger protection for critical operations.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels