In today’s connected world everything, from power grids and public transport to manufacturing and logistics, has had an upgrade to become ‘smart’ (self-monitoring analysis and reporting technology). The race to fully embrace the benefits delivered by this functionality has led to the convergence of both the data side of the business, traditionally the realm of IT, and the operational technology (OT) side, used to manage industrial control systems (ICS). This convergence has created the perfect cyber security storm, with who is responsible to secure both environments a topic of much debate.
Traditionally, OT environments had very limited and/or restricted connectivity — both internally with local networks, and externally to the internet, third party contractors, etc. Given this segregation, typically when the subject of security was discussed it was either dismissed, due to the perceived ‘air-gap’, or synonymous with safety — with the key objective to ensure that no individual is put in physical harm’s way. Conversely, security within IT was focused on ensuring systems and data were protected to prevent data theft or downtime.
As IT and OT converge, the concepts of safety and security become inextricably interlinked. A cyber attack that impacts IT systems could equally affect OT infrastructure, halting processes or even damaging machinery that creates physical risks. Similarly, an incursion within OT environments could traverse across to infiltrate IT networks.
The main challenge in having a single person responsible for both IT and OT infrastructure is that, historically, each environment faces a disparate challenge as previously discussed. A further complication is that both sides of the divide typically speak a different language. This incites the fear that, if OT security is left to the IT team, they may ‘break’ it.
These arguments shouldn’t be dismissed, but can be overcome.
The best person for the job
Given the interreliance between the two environments, it is imperative that OT security falls under the jurisdiction of one individual who is held accountable for the organisation’s overall security. For most, this position is held by the Chief Information Security Officer (CISO) although, depending on the sector and organisational structure, it could be beneficial for the role to be held by someone with an OT or engineer background, rather than the traditional IT skill set.
Whatever their job title and background, it is imperative they possess the following attitude and skill set:
Security champion: facilitate the necessary dialogue between both the IT and OT teams, providing regular briefings to top management detailing the cyber risks present within the organisation. As part of this, it’s imperative to understand and be able to communicate the value of OT security — particularly in the case that a company’s survival relies on IT and OT infrastructure. This not only elevates the importance of OT security, but also ensures the allocation of essential budget and resources.
Chief negotiator: The role requires both a technical and business understanding which is particularly important when seeking further investment. For example, being able to convey the financial impact should a production line be taken offline by a cyber incident not only illustrates the severity of the threat, but also makes it easier for the board to calculate the risk, versus the cost of implementing mitigating measures. As previously mentioned, OT is profoundly intertwined with health and safety regulations. If a system were to suddenly stop working, there could be significant safety consequences in some industries. As such, there is merit in being able to highlight this to upper management to ensure the general health of the overall organisation.
Peer to senior business leaders: The seniority of the role is much debated, with many of the opinion that it should be board level. It could be necessary for vital safeguarding actions to be taken, without the risk of being overruled by senior management.
Open minded: While advocating that a single person should be accountable, the role should not act in a silo. The competent security professional will seek counsel from those with the relevant expertise — either from within the business or outsourced. Also, given the interreliance of IT and OT, it’s important to facilitate the necessary dialogue between both OT and IT teams to avoid blindspots and mis-comprehension.
The only way of achieving parity between IT and OT security is by having the conduits in place between the board and the CISO (or equivalent).
For any meaningful decisions to be made, and to ascertain its rightful resources, there needs to be a champion either liaising or sitting within the board. It is up to this individual to keep upper management updated on the risks they are accepting as well as justifying the value in investing in security.
Author: Marty Edwards, VP of Operational Technology Security, Tenable