IT vs. OT security -- and how to get them to work together
While IT and OT security have historically been separate, the advent of IoT is forcing the two together. Cross-pollinating IT with OT is critical to ensuring IoT security.
IT has dramatically changed over the past decade with the advent of the cloud providing ubiquitous access, infinite compute and boundaryless storage. Operational technology, on the other hand -- the technology that runs nuclear reactors, oil rigs, power utilities and the like -- has evolved much more slowly.
As a result of this dichotomy, the maturation and evolution in IT vs. OT security have also evolved independently.
Within the IT side of an organization, incremental content is delivered continuously; for instance, frequent upgrades to the latest product, or software releases or patches being installed when critical vulnerabilities are disclosed. Then there are the more dynamic environments, for example, with DevOps teams delivering rapid releases on a continual basis.
Contrast this with the OT side of an organization, where software updates are few and far between. Even critical vulnerabilities may stay unpatched for months or even years, because shutting down a power utility or nuclear plant for upgrades needs to be meticulously coordinated and the confidence in the software update needs to be foolproof.
But these hitherto strict categorizations in IT vs. OT security are starting to break down as IT starts to extend into OT and vice-versa.
Bringing OT to IT teams
Imagine an enterprise that is installing facial recognition systems as the authentication mechanism to let employees into the office premises. Or sensors in conference rooms to detect usage patterns. Is this an IT or OT effort? If it is a traditional B2C enterprise and the business does not have an OT charter, this falls under the purview of traditional IT. However, this is anything but traditional IT -- it has an operational component that traditional IT departments have not had to deal with so far, clearly stretching the boundaries of IT. And with such a connected deployment comes a number of security and privacy implications. In the case of the facial recognition system these could include:
- Are employees aware their photos are being used for authentication?
- How long is data retained after the employee leaves the company?
- Is the data being shared with third parties?
The list doesn't end there. With this IoT deployment, the traditional IT organization is pushing into the realms of an OT provider.
Bringing IT to OT teams
Traditional OT sensors in a nuclear power plant have an average lifespan of 10 to 20 years. The security issue here is that it can take months or years to install any software patches for recently discovered vulnerabilities or important feature updates. Why? Because any downtime in such critical environments could have catastrophic consequences and requires careful planning.
That is fast changing, however. With the advent of IoT and 5G, and over-the-air updates becoming the norm, connected devices and the software running on them are suddenly more accessible -- not only to the OT team, but also to hackers. The traditional OT mindset of not worrying about cyberattacks because of physical isolation is immediately busted. Extending that argument, instrumentation of these sensors to drive efficiency suddenly becomes a real possibility. Dialing down the rpm of a cooling fan on a cold day, for example, could yield significant energy and cost savings. With IoT deployments, data collection, analysis, prediction and action are now added to the OT playbook -- and along with them, all the security, privacy and regulations surrounding them. It suddenly starts to look like an IT playbook.
Achieving IT and OT security
The hitherto separate worlds of IT vs. OT security are evolving quickly. Organizations should educate and train staff to embrace this change and prepare in advance for the security implications of IT into OT, as well as OT into IT.
Here are three practical tips to help with this cross-pollination and raising awareness:
- People -- Cross-hiring is a great way of bringing awareness into each other's organizations, or sides of an organization. For instance, a traditional IT organization would do well to go and seek technology talent from an OT enterprise. Likewise, any OT enterprise will have in-house IT talent that could be recruited to join the mainstream product development organization to raise cybersecurity awareness and impact of digital transformation into that community.
- Training -- There is never a shortage of things to learn. However, the sources to learn are varied -- ranging from online self-learning to instructor-led training to even vendor-sponsored training. The latter is something OT organizations going the digital transformation route could exploit to get training and learn from the vendor's point of view on the best practices of how their connectivity and data collection could be best implemented.
- Regulations -- While regulations are usually viewed cynically as a corporate compliance tax, it can be rich hunting ground for innovation and learning to not just be compliant but thrive within that framework. Both GDPR and California Consumer Privacy Act are great examples of practical and valuable frameworks to look at both IT and OT when it comes to data security, privacy and transparency.