Three Tips to Help CISOs Close the IT-OT Security Gap, Part 2
Thinking of Your OT Network as an Extension of Your IT Network Will Give You a Consolidated Picture of Your Technology Infrastructure
In Part 1 of this two-part series, I discussed the flaws in trying to apply trusted IT cybersecurity best practices to the Operational Technology (OT) environment, and provided the first of three recommendations for how to bridge the IT-OT security gap: eliminate complexity. Now let’s discuss the next two recommendations: align IT and OT teams, and simplify governance.
2.) Align IT and OT teams. As discussed before, most Fortune 500 companies have the support of their board of directors and the budget to strengthen the security of their OT networks. However, when they start to build a security program, they soon realize that their IT and OT teams are not fully aligned. The disconnect shows up in two main ways:
• The first source of misalignment stems from the confidentiality, integrity, and availability (CIA) triad, because IT and OT teams prioritize these three principles differently. The teams that manage information security typically prioritize confidentiality of data over integrity and availability, whereas the teams that run OT networks prioritize availability (or uptime) over integrity and confidentiality. To make headway in bridging the IT-OT security gap, we must respect those priorities. The risk of disruption and downtime to implement a new security control, patch or system upgrade is a non-starter for OT teams. Not to mention that making changes to the multimillion-dollar systems that run production environments can void vendor warranties and support agreements.
• The other disconnect is a result of siloed teams and efforts. As large organizations begin to focus on securing their OT networks, we often see many different teams working on the project, each from a different perspective. For example, one team from engineering might be tasked with obtaining asset information from OT networks, a network security team with monitoring those networks, and a third team with vulnerability management. Because of the urgency, everyone moves fast but without orchestration. Each team looks for tools for its own use case and, because the teams are not coordinating, none of them realizes that the same technology often serves several use cases. When there is no central coordination, decision making, or budget, no one is thinking about the security platform holistically, which dilutes the benefit and value of any investment made to strengthen OT security.
The good news is that most organizations are starting with a blank slate and can design the OT security program without worrying about existing security technology. This means you can prioritize the most important use cases and implement those.
Another piece of good news is that OT protocols are designed to communicate and share much more information about the devices on the network than is typically available from IT components – the software version they are running, firmware, serial numbers, network card slots, and more. Because passively observed OT network traffic carries much of the information needed to inventory assets and monitor for threats and vulnerabilities, you can achieve your top use cases with the same technology rather than separate tools. A single, agentless solution for asset visibility and continuous threat monitoring meets the objectives of the various teams and can be implemented without disrupting production or causing downtime.
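To make that point concrete, here is an added example (not code from the original article or from any vendor product) showing how one parsed data set serves two of the use cases above. It passively decodes Modbus/TCP "Read Device Identification" responses (function code 0x2B, MEI type 0x0E) of the kind a SPAN-port monitor would see, builds an asset inventory from them, and then diffs two captures to flag new devices and changed firmware revisions. Every frame, IP address, vendor name and version string is constructed sample data; no real capture is used.

```python
"""Passive OT asset inventory and change detection from Modbus/TCP traffic."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Object ids defined by the Modbus spec for Read Device Identification.
OBJECT_NAMES = {0x00: "vendor", 0x01: "product_code", 0x02: "revision", 0x03: "vendor_url",
                0x04: "product_name", 0x05: "model", 0x06: "application"}
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id


@dataclass
class Asset:
    ip: str
    unit_id: int
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_device_id_response(frame: bytes) -> Optional[Dict[str, str]]:
    """Return {object_name: value} for a Read Device Identification response, or None
    for any other frame (other function codes, exception responses, truncated data)."""
    if len(frame) < MBAP.size + 7:
        return None
    _txn, proto, length, _unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        return None
    pdu = frame[MBAP.size:]
    if pdu[0] != 0x2B or pdu[1] != 0x0E:
        return None
    # pdu[2..5]: read device id code, conformity level, more follows, next object id
    n_objects, offset, attrs = pdu[6], 7, {}
    for _ in range(n_objects):
        if offset + 2 > len(pdu):
            return None
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        value = pdu[offset + 2:offset + 2 + obj_len]
        if len(value) != obj_len:
            return None  # object claims more bytes than the frame carries
        offset += 2 + obj_len
        attrs[OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")] = value.decode("ascii", "replace")
    return attrs


def build_inventory(packets: List[Tuple[str, bytes]]) -> Dict[Tuple[str, int], Asset]:
    """Fold (server_ip, response_frame) pairs into an inventory keyed by (ip, unit id)."""
    inventory: Dict[Tuple[str, int], Asset] = {}
    for src_ip, frame in packets:
        attrs = parse_device_id_response(frame)
        if attrs is None:
            continue  # ordinary process traffic, not identity data
        asset = inventory.setdefault((src_ip, frame[6]), Asset(src_ip, frame[6]))
        asset.attributes.update(attrs)
    return inventory


def diff_inventories(baseline, current) -> List[str]:
    """Monitoring on the same data: new devices and identity attributes that changed."""
    alerts = []
    for (ip, unit), asset in current.items():
        if (ip, unit) not in baseline:
            alerts.append(f"new device {ip} unit {unit}: {asset.attributes}")
            continue
        for name, value in asset.attributes.items():
            old = baseline[(ip, unit)].attributes.get(name)
            if old is not None and old != value:
                alerts.append(f"{ip} unit {unit}: {name} changed {old!r} -> {value!r}")
    return alerts


def build_device_id_response(txn: int, unit: int, objects) -> bytes:
    """Encode a constructed Read Device Identification (basic) response frame."""
    body = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)])
    for obj_id, value in objects:
        raw = value.encode("ascii")
        body += bytes([obj_id, len(raw)]) + raw
    return MBAP.pack(txn, 0, len(body) + 1, unit) + body


# Constructed captures from one network segment: a baseline and a later one.
BASELINE_CAPTURE = [
    ("10.20.1.5", build_device_id_response(1, 1, [(0, "Acme PLC Co"), (1, "PLC-200"), (2, "2.3.1")])),
    ("10.20.1.7", build_device_id_response(2, 1, [(0, "Acme PLC Co"), (1, "RTU-9"), (2, "1.0.4")])),
    # Read Holding Registers response (fc 0x03): process traffic the parser skips.
    ("10.20.1.5", MBAP.pack(3, 0, 5, 1) + bytes([0x03, 0x02, 0x00, 0x2A])),
]
CURRENT_CAPTURE = [
    ("10.20.1.5", build_device_id_response(7, 1, [(0, "Acme PLC Co"), (1, "PLC-200"), (2, "2.4.0")])),
    ("10.20.1.7", build_device_id_response(8, 1, [(0, "Acme PLC Co"), (1, "RTU-9"), (2, "1.0.4")])),
    ("10.20.1.9", build_device_id_response(9, 1, [(0, "Other Vendor"), (1, "GW-1"), (2, "0.9")])),
]


def detect_changes() -> List[str]:
    """Inventory plus monitoring from one passively parsed data set."""
    return diff_inventories(build_inventory(BASELINE_CAPTURE), build_inventory(CURRENT_CAPTURE))


if __name__ == "__main__":
    for key, asset in sorted(build_inventory(BASELINE_CAPTURE).items()):
        print(key, asset.attributes)
    for alert in detect_changes():
        print("ALERT:", alert)
```

The parser only ever reads frames; it never sends a request to a controller, which is what keeps this kind of visibility acceptable to the OT team. Each truncation or length mismatch returns None rather than raising, so a malformed or hostile frame on the wire cannot take the monitor down. The same records feed the engineering team's inventory and the SOC's change alerts, without a second tool.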
3.) Simplify governance. Many organizations struggle with how to incorporate new OT governance and processes into their existing IT framework. Some begin down the path of building a governance process and Security Operations Center (SOC) separate from IT because they assume they will need different skill sets and tools. This approach isn't advisable for several reasons, including:
• It is difficult and costly to find and retain OT security specialists.
• Adversaries don’t see IT and OT as separate. Attacks cross the boundary, typically gaining a foothold in IT and then moving into the OT network, so you don’t want to miss that connection because you have two separate SOCs or two separate teams.
• Recreating existing governance processes and doubling coordination efforts wastes time and effort.
The most common best practice is to centralize responsibility and accountability for securing the OT environment with the CISO. By thinking of your OT network as an extension of your IT network and looking at governance and processes holistically, you get a consolidated picture of your technology infrastructure.
The OT security solution you select should take a holistic approach too, meaning it should integrate equally well with your ecosystem of OT and IT systems and workflows. It should also translate OT protocols, assets and alerts into terms an IT SOC analyst already understands, so existing skill sets transfer and you don’t have to hire dedicated OT SOC analysts.
With the CISO as the focal point, a single SOC, and a solution that both IT and OT teams can use, you optimize your resources – talent, budget, and time. You also gain continuity across your attack surface so you can govern with the same processes and reporting metrics.
Eliminating complexity, aligning IT and OT teams, and simplifying governance are my top three recommendations for how to bridge the IT-OT security gap. Each recommendation is focused on removing barriers so organizations can move fast, which matters because adversaries are evolving their approaches and escalating attacks against OT networks. In that spirit, I urge you to get started soon.