5 Things the Hoodie & the Hard Hat Need to Know About Each Other
By Eddie Habibi, Founder & CEO of PAS and Jason Howard-Grau, Managing Director at KPMG US
April 21, 2020
Traditionally, the worlds of IT (the hoodie) and OT (the hard hat) have been separate. That must change.
For nearly 30 years, operational technology (OT) in industrial facilities was considered relatively safe from outside hacking risk. The so-called air gap between IT and OT, paired with the heavy use of proprietary industrial control systems, created a mindset of "security via obscurity."
In recent years, there have been multiple, well-publicized cyberattacks on industrial facilities, which are now occurring with greater frequency and sophistication. As a result, industrial operations leaders, IT executives, and the CEOs they report to are taking significant interest in improving OT cybersecurity. One challenge to that effort is the different worlds IT (the hoodie) and OT (the hard hat) practitioners come from. Historically, these two groups have stayed out of each other's areas because of the deep and different complexity of the two domains and the rightful separation of responsibilities. To improve awareness, we've outlined the top five things IT and OT should learn from one another.
1. Operational facilities no longer are — and frankly never were — an island. The air gap between IT and OT systems and networks is no longer valid, if it ever was. IT professionals have understood that a persistent, smart hacker can eventually find a way into your network. It's not a question of if but when you will be breached, and IT leaders design their security strategy based on this premise. It's time for OT to do the same.
The assumptions OT has made regarding security via obscurity are also no longer valid. With the large revenue generated by industrial facilities and hazardous processes/chemicals used, hackers have been taking more interest in distributed control systems (DCSs), programmable logic controllers, safety instrumented systems, and process control networks. These systems appear as complex black boxes to most IT people.
2. IT people don't fully appreciate the meaning of OT reliability. When discussing reliability, IT people use terms like MTTR (mean time to repair) and MTBF (mean time between failure) and, in a cloud-based world, it's common to remove a bad or compromised server and just spin up a new one. That approach doesn't fly in an industrial plant. You can't just shoot a DCS that is managing hundreds of different control valves and monitoring thousands of measurements. That can have a catastrophic impact on the personnel, the environment, and the surrounding community, not just a disruption to production and lost revenue.
Today, most IT people think of servers like cattle, not pets. This has been one of the huge benefits of shared or cloud infrastructure. But this approach cannot apply when you are talking about machines that move molecules and where things can go boom — literally.
3. The concept of defense-in-depth applies to both IT and OT. Enterprise CISOs know reliance on a single solution or silver bullet puts them at risk. This is why we implement multiple firewalls, intrusion-detection tools, antivirus software as well as identity, data, and endpoint security technologies. They create multiple layers of defense, often using multiple vendors within each layer. It's like a moat around your moat backed up by a castle wall with another wall beyond that, and so on. Embracing defense-in-depth from web apps to Level 0 components (e.g., valves, sensors, actuators, robots) that move molecules in a plant is key.
The concept of defense in depth isn't foreign to the OT world, which uses a similar approach called independent protection layers (IPLs). These safety layers protect, monitor, and respond when critical measurements (such as pressure and temperature) exceed predefined boundary limits. These IPLs are also a high-consequence hacking risk. One of the most prominent industrial hacking attacks recently was the inadvertent tripping of a safety instrumented system in a major refinery. This caused the entire industrial sector to take notice.
4. There's no such thing as Patch Tuesday in OT. In an industrial plant, changes must be well planned and coordinated with operations and maintenance groups. In the OT world, you might not be able to introduce changes more often than once a year or longer. Furthermore, many of the control systems have been in place for more than 15 years. We don't replace OT every three to five years like IT does. When managing security vulnerabilities, it's critical to take this into account. You also can't just put a network packet sniffer on a plant control network and build a comprehensive inventory and identify all vulnerabilities. You need much more granularity to see if a vulnerability exists on a specific I/O card or a controller within a DCS, and that requires capturing data from configuration backups.
5. OT needs to understand digital transformation will have a profound effect and it's going to be driven primarily from people who come from outside of OT. Chief digital officers and chief data officers are being appointed every day. The hiring profile rarely includes an understanding of OT. This poses a challenge because these new leaders don't know what they don't know. However, it also presents an opportunity to help them understand how a "digital plant" can drive revenue growth through improved efficiency, expanded operations, and production visibility. It also means ensuring the integrity of industrial operations from both a cybersecurity and a process safety perspective is paramount, and that requires IT and OT to work together.
This article originally appeared in Dark Reading. Reprinted here with the authors’ permission.