IT/OT Integration success relies on alignment of people, process, and technology.
Industrial control systems typically weren’t designed to be connected to the internet, so they weren’t built with cybersecurity capabilities to ward off hackers.
–How to prevent hackers from taking down critical infrastructure, Business Insider
Until recently, Operational Technology (OT) and IT departments operated completely separately from one another. As we previously discussed, the introduction of networks into the industrial space has created a more efficient and capable production environment but has also introduced online and offline security vulnerabilities.
Successful integration of IT/OT environments can be measured through the lens of the cybersecurity triangle – people, process, and technology. In this post, we’ll discuss the second part of the triangle: process.
As stated in A Fresh Approach to Cybersecurity, Part 3, processes can be used to streamline reactions to events and give a solid foundation to all aspects of the organization when dealing with events that may cause undue stress. Specifically for an OT/IT integration, process is how people address issues and security vulnerabilities on an ongoing basis. This is an area that often creates tension – everyone has an opinion about the best process to use. Each organization needs to understand its requirements and then implement processes to fit those requirements. Organization-wide adoption of defined processes is imperative to prevent breaches due to human error.
Here are a few high-level processes that need to be addressed to successfully integrate OT and IT environments. Getting these processes right will make or break the integration.
One of the most important processes to define is how OT personnel will access their equipment. This may seem like a rather straightforward process, but it is more complicated than it appears on the surface. OT personnel are, for the most part, network users who value ease of use. They are usually overworked and overtasked, so any place where they can recoup some of their time is greatly appreciated. This is where the issue lies: security and ease of use are terms not normally associated with one another. The more controls an IT professional places to secure an environment, the greater the chance the OT personnel will figure out ways to circumvent those controls. This is not done out of malicious intent, but if work productivity is affected and customer support in the community suffers, matters are out of IT’s control.
This does not mean security must be ignored to appease OT’s desire to get work done. There needs to be a balance, which is why this process is so important. IT and OT must understand each other’s needs and requirements to effectively define a process for accessing substation devices. When an IT organization can work side-by-side with OT to reach mutual agreements, it is much more likely that the process will be adopted by all personnel.
Another process that needs to be considered is substation access. This is a very important aspect of the OT environment. Substations are where the bulk of the OT environment exists, once you strip out ICS/SCADA systems. Substations have historically only been locally accessible by an engineer who drives to the substation to perform necessary work. As substations have become more connected, OT is taking fewer trips to substations for routine activities. However, there are still reasons for an engineer to go to the substation to work.
Once OT personnel arrive at the substation and follow the substation access process, they must connect their computers to those installed at the local substation. This wasn’t as much of an issue when the computers at the substations were not connected to other external systems.
The introduction of networks to the substations requires organizations to have processes in place for how OT personnel locally access the substation equipment. These processes must address what devices can be connected, whether any access controls for those computers/users are required, and the level of security implemented at both the substation and on the computers themselves.
For OT/IT Integrations, the three key processes your organization must master are how OT personnel will access their equipment, how engineers will access a local substation, and how OT will access the substation equipment. Getting these processes right will make or break an OT/IT integration. What are a few other “must-have” processes in an OT/IT Integration?