
Bridging the Gap: The Imperative for IT Expertise in OT Manufacturing Cyber Security

As industrial facilities embark on their digital transformation journey, the integration of smart technologies and the Industrial Internet of Things (IIoT) into existing manufacturing environments has unlocked unprecedented efficiency and connectivity. But with more connectivity comes an increased risk of cyber threats that can have severe implications for operational integrity and safety. Rather than continue with an ingrained approach of maintaining independent management of IT and OT systems within an organization, we believe it is necessary to recognize the invaluable contributions of IT professionals in safeguarding the future of OT manufacturing. This blog explores the importance of developing more comprehensive and resilient OT cyber security policies by fostering a more collaborative and interdisciplinary approach to cyber security.

How We Got Here: A Brief History of IT/OT Convergence

Around the same time new technologies enabled businesses to implement local area networks (LANs) in their offices, networking on the plant floor through proprietary protocols and serial communication also became a reality. As these networks emerged, there was no cross-over since industrial networks were based on custom, proprietary hardware and software with minimal gateway translation from network to network.

Fast-forward to the late 90s and early 2000s when standard Ethernet-based solutions were introduced in OT environments. While this allowed manufacturers to interconnect islands of automation on their plant floor, it also exposed industrial equipment to outside environments for the first time. Now, full utilization of Ethernet-based solutions in current installations is common as this allows for greater visibility and increased ROI, but at the cost of introducing security concerns to the plant floor. (You can check out more details on the evolution of plant floor network infrastructure here.)

During this same period of time, Windows-based PCs and servers became the de facto standard for operator interfaces in SCADA and DCS-based systems. As with Ethernet, using commodity computers allowed OT to leverage large and continuous improvements in costs and capability to increase the utility of modern digital control systems.

The Risks of IT and OT Team Misalignment

As this evolution happened, it seemed natural for most organizations to maintain OT and enterprise network independence. However, as more plant floor devices were connected, a lack of alignment between IT and OT created a variety of misunderstandings and increased risk. In many organizations, IT may not know that certain OT systems exist or what critical functions they perform. IT also may not be aware of the limitations of OT systems that use old components and designs. Therefore, when IT develops blanket policies designed to cover all computers in the organization, it may inadvertently impact critical functions of an OT computer it was unaware of. Similarly, OT may not know about IT expectations regarding policy adherence, or about the advanced tools and techniques available to support resilience and security in Ethernet-based and Windows-based systems.

A common example of IT/OT misalignment is a misperception around the criticality of the computer form factor in an OT environment. In IT, there is a base level of understanding that a workstation is a tool that provides end users with access to the critical part of the system – the server. Computers usually have relatively low importance to the system, making a desktop repair a much lower priority than if the server is broken. OT environments are drastically different though since it is common practice to run critical functions directly on workstation PCs. When a desktop is broken in OT, the consequences can easily extend to physical processes on the plant floor.

Another area where there may be misalignment is around the existing state of security practices in many OT systems. Because of the history of keeping OT systems separate from IT, for much of their existence, security was not a primary concern in the development of OT technologies. This is reflected in the inability to authenticate communications in common industrial protocols and in common practices such as permissions management in the base operating system.

It was previously a common practice to run workstations perpetually signed in with the HMI application running for operator view, and to do so using an account with Administrator privileges. Recently, many automation technology vendors have improved their products so that running without Administrator privileges is possible. However, even today, it often requires substantial expertise with a given application to successfully reconfigure it to use a modern least-privilege user permissions model. IT departments are right to push for changes away from insecure practices, such as eliminating the use of Administrator accounts for simple user functionality; however, the level of effort must be understood, and it may even require bringing in external subject-matter experts to help an OT team make this configuration change.
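As an added example (not code from the original post), the following PowerShell audit checks a Windows HMI workstation for the perpetual sign-in practice described above: whether automatic logon is configured, whether the auto-logon account is a member of the local Administrators group, and whether the logon password is stored in the registry. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, run in an elevated session on the workstation itself.

```powershell
# Added example: audit Winlogon auto-logon against local Administrators membership.
# Winlogon stores auto-logon settings under these well-known registry values.
function Test-HmiAutoLogon {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cfg = Get-ItemProperty -Path $winlogon

    $result = [ordered]@{
        AutoLogonEnabled    = ($cfg.AutoAdminLogon -eq '1')
        AutoLogonAccount    = $null
        PasswordInRegistry  = ($null -ne $cfg.DefaultPassword)   # clear-text DefaultPassword value present
        AccountIsLocalAdmin = $false
    }

    if (-not $result.AutoLogonEnabled) {
        return [pscustomobject]$result
    }

    # DefaultDomainName is empty for local accounts; fall back to the computer name.
    $domain = if ($cfg.DefaultDomainName) { $cfg.DefaultDomainName } else { $env:COMPUTERNAME }
    $account = "$domain\$($cfg.DefaultUserName)"
    $result.AutoLogonAccount = $account

    # Get-LocalGroupMember returns names in DOMAIN\user or COMPUTER\user form.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              ForEach-Object { $_.Name.ToLowerInvariant() }
    $result.AccountIsLocalAdmin = ($admins -contains $account.ToLowerInvariant())

    return [pscustomobject]$result
}

$audit = Test-HmiAutoLogon
$audit | Format-List

if ($audit.AutoLogonEnabled -and $audit.AccountIsLocalAdmin) {
    Write-Warning "Finding: HMI auto-logon account $($audit.AutoLogonAccount) holds local Administrator rights."
}
if ($audit.PasswordInRegistry) {
    Write-Warning 'Finding: Winlogon DefaultPassword is set (logon password stored in clear text).'
}
```

A workstation with AutoLogonEnabled true and AccountIsLocalAdmin false is the least-privilege configuration the vendors' newer releases make possible; the two warnings identify the cases that still need the reconfiguration effort discussed above.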

Understanding Common OT Concerns and Relevant IT Expertise

From priorities and goals to key security concerns to system architecture, there are a lot of differences between OT and IT environments. A key first step to creating alignment is for both teams to understand these differences. OT systems must be built with a focus on minimizing downtime and limiting shutdown windows. OT systems are also often purchased as part of turnkey systems from a specialized vendor where the technology components are not separable from the overall equipment package. There also must be a thorough understanding of how the computing environment is coupled to physical processes. In an OT network, an interruption to the computing environment may cause disruption to physical processes that can extend beyond when the computing environment is restored.

While IT teams are usually oriented around supporting information- and data-based processes, they are experts in best practices around most network design and computing infrastructure management that can translate to the plant floor. IT teams have spent years defining and refining policies, controls, methods, and best practices to support business computing environments that OT professionals can use. For example, there is likely a lot to gain from leveraging IT expertise in tools and workflows for effectively administering Windows-based computers, proactively monitoring network health, tracking and deploying patches, identifying indicators of malicious activity, and effectively automating backup and recovery.

Fostering IT/OT Alignment in Your Organization

It’s clear that there are differences between IT and OT systems, but it’s important to realize that the experience, methods, and technologies used in the IT space can help with the development and implementation of effective OT cybersecurity policies. Aligning your teams allows for the deployment of all skills required to implement a robust computing infrastructure and a living cybersecurity program that will provide for secure, resilient OT systems.

So how can this be done? Start by encouraging your teams to use a mutual set of language/terms. You can also host an internal workshop designed to foster the development of expectations in an environment of trust and respect. You could run this workshop independently or bring in outside business advisors to lead the workshop and provide guidance on alignment as well as your cybersecurity initiatives. Some other tactics include performing OT cybersecurity projects together, creating temporary task forces, or performing one-time assessments or ongoing programmatic audits.

Learn how ACE can partner with your organization to foster alignment between your OT and IT teams and help better protect your plant floor from ever-evolving cyber threats.