IT vs OT Security: Challenges and Solutions

More and more organizations are embracing cybersecurity programs and requirements for their operational technology (OT) environments. This is a positive step forward for those who have been advocating for more robust cybersecurity measures and the cultivation of a security-conscious culture within OT.

Many of these organizations initiate new cybersecurity initiatives as a result of direct orders from their board of directors or top-level executives. These directives then filter down through the Chief Information Security Officer (CISO) and the corporate IT teams. However, this can lead to a bias toward an IT perspective, where IT teams, equipped with IT tools and backgrounds, are entrusted with driving OT security programs. This situation can pose significant challenges if these IT teams are not fully aware of their inherent IT bias when implementing OT programs.

The three common bias conditions that consistently contribute to a disconnect between IT and OT can be categorized into three groups: philosophy, project, and technology biases.

• Philosophy biases revolve around the overall perspectives on the operational technology function.
• Project biases delve into the physical and mental obstacles that hinder progress.
• Technology biases center on the selection of appropriate tools for OT-defined projects, with the support, budget, and perspective of the OT department.

The Philosophy Bias

Below are three important points to consider about ‘The Philosophy Bias,’ highlighting the fundamental differences in how IT and OT see things, and explaining why some vital aspects of OT might get overlooked or misunderstood.

1. Operational Technology often goes unnoticed in analyst research.

When IT organizations seek guidance and insights, they typically rely on traditional IT research sources. These research firms invest significant time, resources, and effort into studying a wide range of IT tools. However, it’s important to note that these analyses are carried out by IT professionals, primarily for IT purposes within IT environments. As a result, when it comes to selecting technology and aligning it with components for an OT environment, there can be a significant disconnect between IT and OT programs.

To put it differently, IT tools don’t always seamlessly integrate into an OT environment, at least not in the way they are originally intended for use in traditional IT settings.

2. OT network systems aren’t uniform.

In many cases, IT teams rely on outsourced expertise and centralized tools to manage a fleet of similar and nearly identical systems. This approach allows them to efficiently handle hundreds or even thousands of assets using a single toolset or a small, centralized, or offshore team.

However, in the realm of OT, things are different. Although there may be numerous IT-looking assets, they come in various configurations, run different software, have unique modifications, and may have special requirements. This diversity often leads to a situation where a tool selected for a particular generation or profile of operating system may not be suitable for all types of assets in the OT domain. Consequently, any tool choice that only caters to a subset of assets falls short of providing comprehensive coverage.

For instance, a corporate standard like SCCM (System Center Configuration Manager) is not equipped to handle the needs of over 1,000 Linux or Unix operational assets frequently encountered in operational environments.

3. In OT security, it’s essential to prioritize the fundamentals over complexity.

How often have you come across reports indicating that the operational side of a business lacks crucial elements like perimeter monitoring, SIEM (Security Information and Event Management), or SOC (Security Operations Center) oversight? While these aspects are undeniably crucial for a robust security program, the challenge lies in the fact that alerting or monitoring often occurs as an after-the-fact response. What’s been overlooked or neglected for years in many OT environments are the fundamental building blocks of security, such as patching, backups, system hardening, and implementing the principle of least privilege.

If you aim to bring about a significant improvement in OT security, it’s imperative to start with these foundational measures

The Project Bias

Below we walk through the unique challenges of ‘The Project Bias’, arising from the tightly integrated nature of OT with its immovable components. These 3 insights shed light on why managing OT projects differs significantly from traditional IT endeavors and the complex factors that may lead to overlooked or misunderstood aspects of OT.

1. Operational Technology is tied to immovable objects.

We understand that OT systems often involve outdated hardware and operating systems that are no longer supported, which makes a straightforward upgrade to Windows 10 impossible. These older systems typically run specialized software and communication protocols that are essential for the safe functioning of facilities. If the vendor doesn’t offer an upgrade solution or if the facility lacks the budget and downtime required for software upgrades, testing, documentation, and getting back to regular operations, then upgrading the asset becomes impractical. In some cases, these assets oversee significant portions of an operation. Upgrading a Distributed Control System (DCS) or Supervisory Control and Data Acquisition (SCADA) system demands a substantial amount of time and financial resources, resulting in extended production downtime. When contemplating an OT upgrade or requesting a system upgrade, it’s important to understand that it’s not as straightforward or isolated as simply upgrading a single operating system; there are broader implications involved.

2. Operational technology systems require OT services and support.

Firstly, OT teams need to be comfortable with the idea that anyone in their environment could access or make changes to their assets. This concern becomes especially important when corporate IT pushes for software updates or the introduction of new machinery or technology. IT and OT often have different perspectives, so it’s crucial to build trust between the two groups. Building this trust takes time but is essential for the successful deployment and maintenance of security tools in OT.

Another key source of support and cooperation in OT comes from Original Equipment Manufacturer (OEM) vendors. Frequently, these vendors hesitate when OT teams want to implement security solutions because they worry about how these changes might affect their support for critical systems. The relationship between OT and OEM vendors can be one of complete reliance, where the plant depends entirely on the vendor for operational support and adheres to the vendor’s objections regarding security changes. Alternatively, there can be contractual pushback from the OEM vendor if the OT team tries to use tools that the vendor hasn’t tested or endorsed. In both cases, understanding the role of OEM vendors in plant operations poses a significant challenge within OT, an area where IT may lack experience.

3. The IT budget should be separate from the OT budget.

Often, CISOs or IT executives hesitate to approve security proposals for OT because they underestimate the sheer number of assets in an OT environment. In larger facilities or global companies, there can be tens of thousands of assets, sometimes even surpassing the number of IT assets. When an OT project requests substantial budgets to enhance plant security, it faces resistance. They may be told to reduce the project scope or phase the deliverables, and the already stretched operational staff may be assigned the deployment and maintenance tasks to cut costs. Unfortunately, this often leads to projects that are never fully implemented or properly maintained. Many OT environments lag for months or even years in basic security practices, and the initial investment required to deploy technology and secure these assets represents a significant upfront cost.

Technology Bias

The below three insights provide a better understanding of the unique difficulties involved in OT security management, explaining why OT projects differ significantly from traditional IT projects and the complex factors that can sometimes cloud or hinder critical aspects of OT security.

1. IT management solutions assume relatively robust endpoints.

The reality is quite different in IT and OT.

In truth, most scan-based IT tools can be invasive and have a history of causing disruptions in the more delicate and proprietary OT systems. To make use of scan-based technology in OT environments, you have to carefully scale down the scan, allocate extra time for OT staff supervision, and limit scanning to offline systems or during planned outages. When you factor in all these conditions, you end up with minimal security coverage from scan-based security tools.

To truly succeed, you need reliable, OT-tested profiling and data collection tools that can maximize asset coverage and automate asset insights while keeping operations safe. In other words, it’s crucial to adapt security measures to the specific challenges and nuances of OT rather than relying on standard IT approaches that may not be suitable in this context.

2. IT best practices break OT systems

One common IT practice for system hardening involves having endpoints display a logon banner when the system starts up. The idea behind this is to remind users that they are working on a corporate-owned or critical system. However, there’s a challenge in OT because these systems must maintain 100% uptime. Consequently, these assets are often configured for auto-reboot and auto-login to ensure redundancy and continuous monitoring of safety systems. When logon banners are introduced, they disrupt the auto-login process for these vital OT systems.

This is why most OT environments only implement around 40 to 50 of the top 100 security controls outlined in the CSC 20. Many of these controls are either not applied or can interfere with critical operations. In essence, adapting standard IT security practices to OT can pose significant challenges and may not always be suitable for the unique requirements of OT environments.

3. Service Level Agreements (SLAs) in OT are more demanding than those in IT.

In typical IT environments, users expect internet and mail or file servers to be readily available when they connect. If there’s an issue, they can usually carry on with their tasks while IT resolves the problem and restores connectivity. These outages or scheduled maintenance windows in IT typically take three to four hours, during which end users may not have access to the system or service. However, in OT, a reboot or misconfiguration of a switch or communication point can immediately disrupt safe operations.

For many industries, this disruption can result in a loss of product specifications and quality. In more critical cases, it can pose a safety hazard, as there’s no visibility into vital parameters like pressure, flow, temperature, or speed, leading to instant product degradation or even a complete shutdown. Such production interruptions can significantly impact revenue. This problem becomes even more complex in industries where restarting production is not as simple as turning a conveyor belt on or off. For instance, coal-fired generation units may take 25 to 30 hours to reach full capacity after a shutdown, and in fields like refining and petrochemicals, it can take hours or even days to return to the proper product specifications.

I remember a particular OT security presentation to an operating company. They had recently suffered a severe cyber incident in their corporate network, resulting in substantial damage. During my presentation, the IT team raised numerous concerns about potential security vulnerabilities, which was not surprising, as no security system is foolproof. They assured me they had it under control, but I later found out that this meant they had disconnected internet access for all operational facilities.

I expressed my concern that plant managers might resort to using “sneaker nets” and USB drives to transfer data, updates, and files in and out of the facility. They didn’t believe their plant managers would defy the USB usage policy. However, when we visited the facility later that day, the plant manager’s desk was littered with USB drives. I asked him why he was ignoring the corporate USB policy, and he simply smiled and said, “How much trouble do you think I would be in if the plant stopped producing? I’m pretty sure I’ll get a pass on USB use.”

Balancing Production and Protection

Your primary focus when working for an operating company is safeguarding production. Do you need to help OT make it more secure? It’s a resounding yes. But can you simply impose security measures onto OT solely for the sake of security? Probably not.

Instead, the path to success lies in educating yourself about the distinctions between IT and OT needs, questioning the prevailing IT bias, exercising patience, fostering creativity, and understanding that the journey toward enhanced security is a process. It’s crucial to set realistic expectations that security improvements won’t happen swiftly or without encountering challenges along the way. In this dynamic landscape, the key is perseverance and a commitment to making OT security stronger over time.