To try and find a word to describe the IT-OT co-existence is to illicit an indifferent look from information technology professionals.
Before we delve deeper, let’s set the scene by standardising on one of set of definitions. Below are Gartner definitions.
Information Technology (IT) refers to the spectrum of technologies for information processing, including software, hardware, communications technology and related services. It does not include embedded technologies that do not generate data for enterprise use.
Operation Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of industrial equipment, assets, processes and events.
Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.
Industrial Internet of Things (IIoT) is the market for industrial Internet of Things platforms s a set of integrated software capabilities. These capabilities span efforts to improve asset management decision making, as well as operational visibility and control for plants, depots, infrastructure and equipment within asset-intensive industries.
Rolf O’Grady, vice preside of customer success at Mocana, refers to OT as the commercial side of IoT, driven by consumers and end-users. He thinks of IIoT as extensions of IoT but deployed in siloed environments. The challenge with IIoT is the sheer volume of devices across operating environments, operating systems and hardware types.
In an OT environment, losses or disruptions go beyond the financial aspect or disruption to operations that is often associated with kinks when something happened to IT. OT disruptions can extend to include human experiences including the potential for loss of life.
This presents a different level altogether when consider the security aspects of OT.
In a YouTube presentation on IT vs OT approaches to IT security, O’Grady refers to IT security as a position where “you are always playing defence, always trying to get to a security posture that is either good enough or reasonable enough or manageable enough to at least ascertain what your current risk posture is.
In the dialogue that follows, FutureCIO spoke to Vincent Liu, regional director, APAC, Nozomi Networks on his take on securing IT and OT.
What are the key challenges that businesses in APAC are facing with IT and OT integration?
Vincent Liu: One of the biggest challenges with the integration of IT and OT is that they are traditionally seen internally as being segregated and independent. While they have shared values around confidentiality, integrity, and availability, how each group prioritizes and implements their policies is vastly different.
As Industry 4.0 drives the convergence of IT and OT, there are financial benefits for APAC executives to ensure both teams work in concert to optimize operations and to secure the entire organization from cyber threats.
The Security Conundrum
How can culture hinder the security of integrated IT and OT systems?
Vincent Liu: In APAC, we do see significant cultural differences between IT and OT. IT cybersecurity teams are apt to embrace new technology since the cyber threat landscape evolves so quickly.
On the other hand, it is understandable that OT security teams focus on physical security measures such as video surveillance systems, ID badging systems, and prevention of physical manipulation or destruction of assets. Historically, OT has operated under the guise of security through obscurity when it comes to cyberattacks.
In general, IT teams focus on securing information, while OT teams are mandated to ensure their physical systems are running 24x7. Therefore, perceived vulnerabilities dictate spend and resources in securing their environments.
What steps can businesses in APAC take to achieve a culture shift and overcome the barriers in implementing a strong security framework?
Vincent Liu: An easy way to understand this is to look back at the achievements we have made in securing organizations from zero-day attacks in the past decade. Governments and large enterprises received board level or executive support in highlighting the importance of building resilience to these emerging threats. IT cyberattacks often made headline news, and a shift toward more IT cybersecurity spend gained traction quickly.
In the past several years, cyberattacks against OT environments have been on the rise. Though OT cyber incidents have not be as numerous compared to attacks on IT, the stakes are high. Successful attacks have shut down production, caused extensive financial damage and threatened public safety.
A top-down approach to security along with education can effectively shift culture and motivate both departments to develop initiatives to jointly create a holistic cyber framework.
How can businesses implement a holistic approach in securing both cyber and physical systems?
Vincent Liu: Organizations need to anticipate and prepare for changes in their existing people, processes, and technology practices. Here are examples of initiatives companies use to ease the transition:
- Run tabletop exercises with IT and OT teams to evaluate the organization’s cyber crisis processes, tools, and ability in responding to cyberattacks from strategic and tactical perspectives.
- Adopt technology that can provide visibility into OT assets, while detecting threats to their network.
- Conduct an integrated IT/OT compliance mapping initiative to bolster corporate compliance.
Beyond the technical challenges, cultural issues such as overcoming distrust between the two groups can be a big hurdle all on its own. Methods that might ease the transition include conducting workshops designed to reconcile perspectives and to cross-pollinate experiences to build bridges and establish trust.