The stark reality is that security incidents and breaches in operational technology (OT) environments are on the rise and, as such, IT and OT security worlds are colliding. Enterprise cybersecurity programs have traditionally been responsible for the security of IT infrastructure and applications. The OT environment – hardware and software that monitors and controls how physical devices perform, also regularly referred to as industrial control systems – was rarely touched.
Until recently, OT environments were disconnected, existing separately from the IT systems linked to the internet and the rest of the networked world. That changed, however, as the connectivity benefits of IT gradually seeped into OT environments and – bang! – new IT-driven OT exploit scenarios became a reality.
For example, a laptop connected to an industrial control system could be compromised, granting access to the OT environment, and not only to one device, but also to any others that might be connected. These are not necessarily targeted attacks but opportunistic ones, relying on mass-distribution malware. Even if only one out of 100, or even 1,000, attempts is successful, an attacker can achieve their objectives, such as stealing secrets or causing disruption – and disruption is often an understatement.
The OT environment is full of "controllers," electronic devices that manage a wide range of mechanical systems. Knocking out one or more of these controllers can have a wide range of impacts – shutting down a production line, bringing down communications systems, contaminating water supplies, and so on – with the potential for disruption and even civil unrest. Now that adversaries widely recognize the potential ramifications of disrupting OT environments, organizations need to improve their security controls to prevent, detect, and respond to OT security incidents and breaches.
Organizations must adapt their security programs so that OT environments receive protection comparable to that of IT. However, bringing the two worlds together is complex. OT professionals know operational systems and networks, but do not generally have cybersecurity experience. Conversely, cybersecurity teams know digital environments, but typically do not understand operational systems and networks.
Technology, of course, is only one part of the solution. Yes, cybersecurity technology can provide some level of reassurance in prevention, detection, and response for security incidents and breaches. However, people and process are also necessary to complete the triumvirate of security controls. At least one member of the C-suite should drive the convergence – usually it is a risk-based decision that the chief risk officer (CRO) would lead, bringing in the chief information security officer (CISO) to implement.
Regardless of the specific approach, IT security needs OT and OT security needs IT. With C-suite sponsorship and commitment to collaborate and support the security needs of one another, the collision of these two worlds can ultimately improve the overall security posture of the organization.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.