Cyberspatial News

OT Management Fundamentals from Top Industry Experts

October 28, 2023

Saying that the world of OT management is complex is a massive understatement. Engineers must handle the stress of maintaining consistent uptime and upholding safety while dealing with emerging threats targeting their vital equipment. Additionally, they're stuck working in plants built before the internet with pressure to modernize for the sake of a business bottom line with minimal resources.

As the stakes are high, here are the key takeaways you can apply to better understand and manage your OT network despite these adversities:

Understanding the Basics: OT vs. IT

Before diving into OT management best practices, it's essential first to understand how OT and IT differ in terms of purpose, scope, and risk implications.

OT vs. IT: Technology purpose

IT focuses on optimizing the business side of things. IT is the software applications and data systems that enable a company to develop, sell, and distribute its product or service. It also oversees administrative activities like human resources management, accounting, customer service, etc.

Alternatively, OT systems are the technology that controls operational and physical processes. For example, the machinery used to manufacture the product being sold. It could also be a power generator or other equipment producing resources for a city, such as electricity, gas, or clean water.

OT vs. IT: Primary objectives

IT is all about getting the information needed to optimize profits. Accordingly, an IT manager's focus is ensuring their systems follow the CIA triad of information security. Information systems must only be accessible to those authorized (confidentiality), the information used needs to be complete, accurate, and untampered with (integrity), and users must have their systems ready at all times (availability).

CIA Triad of Information Security

For OT systems, uptime is the top priority. OT and their industrial control systems (ICS) are significant critical infrastructure components. So if there's any downtime or slowdown caused by an environmental disaster, malfunction, or security breach, it doesn't just impact the business but the entire population it supports.

OT vs. IT: Risk considerations

Cyber threats that can cause data loss or network shutdowns are the main risks to IT systems. Data centers must also consider temperature control to ensure the servers hosting the data and applications don't overheat.

The risks and consequences of OT are far more severe in a worst-case scenario. If an IT system goes down, people might get mad. If OT assets go down, people could die. There are many more safety considerations for OT because the equipment used can harm the individuals operating or maintaining it.

OT vs. IT: Typical titles responsible

Since the scope of work around IT and OT management is so distinct, each requires a unique set of skills and, by default, a different set of job titles. IT sees roles such as IT director and IT, network, or data center engineer.

OT personnel are more blue-collar by nature. They are electrical, chemical, and industrial engineers and frontline operators who must wear steel-toed boots and handle the on-site environmental rigors.

Managing Your OT Network: Acknowledging Common Challenges

What makes OT management tricky, at least compared to IT, is ownership. In IT management, it's much easier to track all the assets attached to a network and determine who is responsible should anything go wrong. Aside from the network router, which the internet provider oversees, most of the system maintenance and security responsibility sits with the organization, so it always has the right people and procedures ready to go.

OT management is far less convenient. A business may own some machinery and outsource the rest, yet the burden of maintaining security and uptime still falls on that company. It's also common for personnel to be unaware of who is responsible for which OT equipment. Then, when something goes wrong, you're stuck in the routine of "that's not my responsibility" or "we aren't the vendors for that machine."

Similarly, there's the issue of visibility. Many engineers couldn't tell you where some of their OT systems and devices are located. Even scarier, they couldn't define where the IT systems stop and OT starts. For all they know, the two environments are intertwined, connected to the internet, and ready to be compromised by a threat actor.

OT Management Starts with Identification

A thorough assessment is the best place to start for OT asset owners looking to transform their environment. You must identify and document all critical processes, OT assets, and their dependencies within the operation. From there, you can assign ownership to the proper personnel. Robust OT management is a complete program of people, processes, and technology.

Buying a fancy new device and throwing it onto the production line doesn't do you any good. Train your engineers accordingly on the technology and ensure standardized procedures are set for maintaining, operating, and securing your OT assets. For security purposes and to preserve uptime, your ultimate goal is segmenting the OT assets from the IT systems and evolving the OT network into a "turtle-like" state that can lock up when there's a threat and quickly open up when the danger has passed.

Securing Your OT Networks

As previously mentioned, a breach in an OT network has catastrophic, life-threatening potential. OT is unlike IT, where financially motivated hackers run a smash-and-grab operation, such as ransomware, to make a quick buck. OT threat actors, often adversarial nation-states, are trying to cause significant damage to our critical infrastructure. A successful attack affects large populations by shutting down the electric grid or poisoning the water supply.

"The truth is always in the packet." - Lawrence Nunn, CEO and Co-Founder of Cyberspatial

Obtain visibility

Security is not something to take lightly in your OT network, and it starts at the physical layer. As our CEO Lawrence Nunn always says, "The truth is always in the packet." In other words, OT visibility is vital for monitoring purposes. You need sensors on your network, ideally starting with your most critical assets and processes, that can pull and transfer packet data to your security devices for analysis.
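The identification step above (document assets, dependencies, and owners; segment OT from IT) and the visibility step (sensors reporting who talks to whom) can be checked together against a simple inventory. The following is an added example, not Cyberspatial's code; the asset names, zones, owners and flow records are constructed, and the "OT"/"IT" zone labels and the dependency links are assumptions about how a site would document its environment.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Asset:
    name: str
    zone: str                    # "OT" or "IT" (assumed labelling)
    owner: Optional[str]         # None means nobody has accepted responsibility
    critical: bool = False
    depends_on: List[str] = field(default_factory=list)

# Constructed sample inventory (hypothetical names, not from any real plant).
INVENTORY = {
    "plc-line1": Asset("plc-line1", "OT", "controls-team", critical=True,
                       depends_on=["hmi-line1", "historian"]),
    "hmi-line1": Asset("hmi-line1", "OT", None),
    "historian": Asset("historian", "OT", "controls-team", depends_on=["erp-db"]),
    "erp-db":    Asset("erp-db", "IT", "it-dba"),
    "hr-portal": Asset("hr-portal", "IT", "it-apps"),
}

def unowned_assets(inventory):
    """Assets nobody has claimed: the 'that's not my responsibility' gap."""
    return sorted(n for n, a in inventory.items() if a.owner is None)

def it_dependencies(inventory, name, seen=None):
    """Walk one asset's dependency chain and return every IT-zone asset it reaches."""
    seen = set() if seen is None else seen
    found = set()
    for dep in inventory[name].depends_on:
        if dep in seen:          # guards against dependency cycles
            continue
        seen.add(dep)
        if inventory[dep].zone == "IT":
            found.add(dep)
        found |= set(it_dependencies(inventory, dep, seen))
    return sorted(found)

def segmentation_gaps(inventory):
    """Critical OT assets whose uptime transitively depends on something in the IT zone."""
    return {n: it_dependencies(inventory, n) for n, a in inventory.items()
            if a.critical and a.zone == "OT" and it_dependencies(inventory, n)}

# Constructed flow records as a passive sensor would summarise them: (source, destination).
FLOWS = [("hmi-line1", "plc-line1"), ("hr-portal", "plc-line1"), ("historian", "erp-db")]

def cross_zone_flows(inventory, flows):
    """Observed conversations crossing the IT/OT boundary; each one is a segmentation question."""
    return [(s, d) for s, d in flows if inventory[s].zone != inventory[d].zone]
```

In the constructed data, the HMI has no owner, the line-1 PLC depends on the IT-side ERP database through the historian, and the sensor shows an HR portal talking to that PLC; each finding maps to an ownership, dependency, or segmentation conversation rather than a product purchase.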

Develop a holistic program using industry-standard practices

Leverage security frameworks like the SANS Five ICS Cybersecurity Critical Controls, Zero Trust, and the NIST Security Framework to construct a blueprint for your OT security program. Always remember that one solution will not make you secure. Maintaining a strong posture takes many layered controls of people, standardized processes, and technology.

Coordinate with IT

While you should never mix the two types of assets in the same environment, you should make friends with your colleagues in IT to create harmony between the two sides. Make time to understand their unique objectives and pain points so you can prepare for the worst. Cross-functional activities like incident response planning will involve both the business and operational stakeholders.

Visibility starts at the protocol level.

Key Definitions

  • Operational Technology (OT): Hardware and software controlling and monitoring physical processes in an industrial operation, such as manufacturing.
  • Information Technology (IT): Hardware and software, such as applications, databases, and computing equipment used to control and communicate data for users; typically used for business purposes.
  • Industrial Control Systems (ICS): The combination of software tools, equipment, and devices used to operate, monitor, and automate industrial processes.
  • CIA Triad: The data-security model used in IT that prioritizes Confidentiality, Integrity, and Availability of IT systems to identify risks and implement solutions.
  • Packet: Referred to as a network packet, it's a unit of data transmitted across a network that includes control information, such as network source, destination, and error detection codes, as well as a payload carrying the user data.