Summary
In a recent roundtable discussion hosted by ICS Village, various industry experts, including Garland Technology CEO Chris Bihary, sat on a panel to discuss the ins and outs of operational technology (OT). They gave insights into how it differs from information technology (IT), the most common threats to OT, and best practices for managing and securing OT networks.
Intro
Saying that the world of OT management is complex is a massive understatement. Engineers must handle the stress of maintaining consistent uptime and upholding safety while dealing with emerging threats targeting their vital equipment. Additionally, they're stuck working in plants built before the internet with pressure to modernize for the sake of a business bottom line with minimal resources.
As the stakes are high, here are the key takeaways you can apply to better understand and manage your OT network despite these adversities:
Understanding the Basics: OT vs. IT
Before diving into OT management best practices, it's essential first to understand how OT and IT differ in terms of purpose, scope, and risk implications.
OT vs. IT: Technology purpose
IT focuses on optimizing the business side of things. It's the software applications and data systems that enable a company to better develop, sell, and distribute their product or service, plus oversee administrative activities like human resources management, accounting, customer service, etc.
Alternatively, OT systems is the technology that is controlling operational and physical processes. For example, the machinery used to manufacture the product being sold. It could also be a power generator or other equipment producing resources for a city, such as electricity, gas, or clean water.
OT vs. IT: Primary objectives
IT is all about getting the information needed to optimize profits. That said, an IT manager's focus is ensuring their systems follow the CIA triad of information security. Information systems must only be accessible to those authorized (confidentiality), the information used needs to be complete, accurate, and untampered with (integrity), and users must have their systems ready at all times (availability).
For OT systems, uptime is the top priority. OT and their industrial control systems (ICS) are significant components of our critical infrastructure. So if there's any downtime or slowdown caused by an environmental disaster, malfunction, or security breach, it doesn't just impact the business but the entire population it supports.
OT vs. IT: Risk considerations
Cyber threats that can cause data loss or network shutdowns are the main risks to IT systems. Data centers must also consider temperature control to ensure the servers hosting the data and applications don't overheat.
The risks and consequences of OT are far more severe in a worst-case scenario. If an IT system goes down, people might get mad. If OT assets go down, people could die. There are much more safety considerations for OT because the equipment used can harm the individuals operating or maintaining it.
OT vs. IT: Typical titles responsible
Since the scope of work around IT and OT management are so distinct, each will require a unique set of skills and, by default, a different set of job titles. IT sees roles like director and IT, network, or data center engineer.
OT personnel are more blue-collar by nature. They are electrical, chemical, and industrial engineers, as well as frontline operators who must wear steel-toed boots and handle the on-site activity.
Managing Your OT Network: Acknowledging Common Challenges
What makes OT management tricky, at least compared to IT, is ownership. In IT management, it's much easier to track all the assets attached to a network and decipher who is responsible should anything go wrong. Aside from the network router, which the internet provider oversees, most of the system maintenance and security responsibility is on the organization, so they always have the right people and procedures ready to go.
OT management is far less convenient. A business could own certain machinery and outsource others despite the burden of maintaining security and uptime still falling on that company. It's also common for personnel to be unaware of who has responsibility for which OT equipment. Then, when something goes wrong, you're stuck in the routine of "that's not my responsibility" or "we aren't the vendors for that machine."
Similarly, there's the issue of visibility. Many engineers couldn't even tell you where some of their OT systems and devices are located. Even scarier, they couldn't tell you where the IT systems stop, and OT starts. For all they know, the two environments are intertwined, connected to the internet, and ready to be compromised by a threat actor.
OT Management Starts with Identification
A thorough assessment is the best place to start for OT asset owners looking to transform their environment. You must identify and document all critical processes, OT assets, and their dependencies within the operation. From there, you can assign ownership to the proper personnel. Robust OT management is a complete program of people, processes, and technology.
It doesn't do you any good just to buy a fancy new device and throw it in the production line. Train your engineers accordingly on the technology and ensure standardized procedures are set for maintaining, operating, and securing your OT assets. For security purposes and to preserve uptime, your ultimate goal is segmenting the OT assets from the IT systems and evolving it into a "turtle-like" state that can lock up when there's a threat and quickly open up when the danger has passed.
Securing Your OT Networks
As previously mentioned, a breach in an OT network has catastrophic, life-threatening potential. It's not like IT, where financially motivated hackers deploy a smash-and-grab operation, such as ransomware, to make a quick buck. OT threats, often adversarial nation-states, are trying to cause significant issues to our critical infrastructure. A successful attack affects large populations by shutting down the electric grid or poisoning the water supply.
Obtain visibility
Security is not something to take lightly in your OT network, and it starts at the physical layer. As our CEO Chris Bihary always says, "The truth is always in the packet." In other words, OT visibility is vital for monitoring purposes. You need sensors on your network, ideally starting with your most critical assets and processes, that can pull and transfer packet data to your security devices for analysis.
Develop a holistic program using industry-standard practices
Leverage security frameworks like the SANS Five ICS Cybersecurity Critical Controls, Zero Trust, and the NIST Security Framework to construct a blueprint for your OT security program. Always remember that one solution will not make you secure. Maintaining a strong posture takes many layered controls of people, standardized processes, and technology.
Coordinate with IT
While you should never mix the two types of assets in the same environment, you should make friends with your colleagues in IT to create harmony between the two sides. Make time to understand their unique objectives and pain points so you can prepare for the worst. Cross-functional activities like incident response planning will involve both the business and operational stakeholders.
Looking to take your first step toward enhanced network flexibility, visibility, and security but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.
Key Definitions
- Operational Technology (OT): Hardware and software controlling and monitoring physical processes in an industrial operation, such as manufacturing.
- Information Technology (IT): Hardware and software, such as applications, databases, and computing equipment used to control and communicate data for users; typically used for business purposes.
- Industrial Control Systems (ICS): The combination of software tools, equipment, and devices used to operate, monitor, and automate industrial processes.
- CIA Triad: The data-security model used in IT that prioritizes Confidentiality, Integrity, and Availability of IT systems to identify risks and implement solutions.
- Packet: Referred to as a network packet, it's a unit of data that is transmitted from one network to another that includes control information, like network source, destination, and error detection codes, as well as payload which provides user data.
