This post originally appeared on LinkedIn.
CIOs and CISOs are used to calling the shots when it comes to IT security. But to secure Operational Technology (OT) for the new cloud- and mobile-first enterprise, they must put aside "I-know-best" biases to prioritize what supports the entire organization’s goals.
Manufacturing limitations, stoppages, or shutdowns can mean the loss of millions (if not hundreds of millions) of dollars to an enterprise. Risk minimization is paramount to operational continuity, making cybersecurity particularly crucial for OT systems. But, as any OT leader will diplomatically explain to a CIO or CISO, cybersecurity mandates must not compromise productivity, safety, or uptime.
Contrasting priorities between IT (“We must preserve cybersecurity at any cost”) and OT management (“We must preserve productivity, safety, and uptime at any cost”) can complicate communication. But this friction can be constructive rather than antagonistic. From the IT leaders’ perspective, it’s not that “OT doesn’t care about security.” It’s that IT’s priorities must align with OT’s objectives, as well as the broader business goals of the company. OT security must be a priority, even though IT’s past “incursions” into OT may have impacted production (and the bottom line). So how does a CIO or CISO prioritize OT security without alienating OT leaders?
Progressive IT organizations align cybersecurity mandates with OT priorities of productivity, safety, and uptime. To accomplish this, they assume, accept, and embrace five fundamental operating OT security principles:
- Technology must enable OT without compromise.
- Standard security practices won’t necessarily apply to OT.
- In OT, geography matters.
- OT is always running.
- OT is more complex than IT.
1. Technology must enable OT without compromise.
For manufacturing and supply chain companies, downtime is corporate death. Every minute of process downtime represents lost revenue. OT managers, well aware of their goals and metrics, will fight tooth and nail against anything that impacts uptime or productivity. IT technology—security or otherwise—must enable OT teams to achieve their objectives.
CIOs and CISOs evangelizing for IT changes must do so within the context of improving operational efficiency, uptime, and productivity. For example, implementing Zero Trust in an OT environment will likely be embraced more enthusiastically by OT if IT highlights key benefits: accelerated third-party maintenance access onboarding, limiting OT environment risk via compromised devices with policy-based access, elimination of east-west risk, and more.
OT managers will support IT-sponsored cybersecurity initiatives as long as they don’t hurt productivity, safety, or uptime. IT leaders seeking to move operations to a Zero Trust Architecture (ZTA) should communicate the extent to which such a cloud-based approach reduces downtime, and minimizes potential for malware damage.
“Had Hydro not already moved communications to a managed cloud service like O365, the situation would have been more grave.” Norsk Hydro after the ransomware attack in March 2019.
2. Standard security practices won’t necessarily apply to OT.
Due to OT system lifecycles, OT environments often use equipment, devices, and software that were developed years or even decades ago. Because of that practical reality, many common IT security practices won’t apply. For example, IT must apply Microsoft Windows patches to OT-network workstations cautiously: Patches can lead to production downtime if supervisory control and data acquisition (SCADA) software is incompatible with the patch.
OT equipment vendors (and not corporate OT leaders) often dictate what software can coexist with SCADA management software. For instance, an endpoint security solution approved for the rest of the enterprise might not work for the OT environment because of OT hardware incompatibility. IT must evaluate the risk, and work around such limitations. Blanket mandates for endpoint security solution consistency will be met with stiff resistance by OT managers if hardware-vendor-imposed restrictions limit compatibility.
In many enterprises, OT resides off the corporate network, usually for good reasons. Once breached, flat, legacy networks with outdated perimeter-based security allow for easy ransomware propagation. In such legacy environments, keeping OT systems on a separate network with a different domain may be required.
Global losses from the NotPetya ransomware exceeded $10B through unchecked propagation of the malware via escalated privileges and easily-exploited flat networks.
3. In OT, geography matters.
Large manufacturing enterprises are typically global concerns, with factories in different countries with different regulations and different infrastructure levels. IT planning must take geography into account and consider the operational needs of specific locations. There is rarely a “one-size-fits-all” OT cybersecurity solution that can be applied across all regions. IT must evaluate plant criticality, accessibility, and standards.
- Plant criticality: Not all manufacturing plants provide the same services—some services (and therefore, plants) are more critical than others. Some locations may have reliable hard-wired internet connectivity, and others might only have high-latency, low-bandwidth satellite access. IT must prioritize OT security plans for critical sites over security exceptions for less-important secondary locations.
- Manufacturing site accessibility: Some are easy to physically access. Others are “in the sticks.” Enhance remote access protocols for hard to reach sites.
- Regional standards: Industrial process standards may differ for different countries, and technology that is usable in one country may run into legal issues in another. Know what must be monitored at each plant, and prioritize easy reportability for essential metrics that could impact plant operations.
“Countries want localization for reasons that go beyond the immediate benefits of paying local workers. They want more complex aspects of production executed on their soil because it improves their population’s skills base.”
4. OT is always running.
To meet business goals, OT typically runs continuously, 24x7x365. For critical parts of the manufacturing infrastructure and production lines, operators measure downtime in minutes (if not seconds) per year. The OT managers—with the tacit support of company leaders and board—can’t and won’t shut down operations to install new technology. Nor will they greet new technology with open arms without a thorough assessment of consequences and impact.
CIOs and CISOs must secure OT in this zero-downtime world. Zero Trust implementation should start with a non-critical part of the OT infrastructure. IT leaders can thoroughly test, deploy, and measure results in that area, then use those results to demonstrate value and gain acceptance OT leaders. And then roll out Zero Trust security strategies to other, more critical areas. This phased rollout allows demonstrable benefits, such as third-party maintenance access to systems via remote connections rather than having to be on-premises—which can speed up mean time to resolution (MTTR).
5. OT is more complex than IT.
OT systems management differs from IT systems management in administrative complexity, life-cycle management, regulatory oversight, vendor influence.
- Administrative complexity: OT managers don’t have time to perform hands-on management of IT and security products. Configuring and managing onsite security appliances or hosted software is a challenge given the critical nature of OT systems, and the associated bandwidth limitations of those who manage those OT systems.
- Life-cycle management: IT systems typically have life spans of between four to six years, OT technology system life cycles can span decades.
- Regulatory oversight: OT systems controls are often highly regulated. For example, FDA regulations require the manufacturer’s support of diagnostic machines for twenty years from the date of deployment.
- Vendor influence: OT leaders often don’t have a great deal of choice regarding SCADA systems or engineering workstations systems. OT equipment manufacturers such as Siemens, Rockwell Automation, Schneider Electric, Emerson Automation often push (and ultimately decide) the technology.
All this added complexity means planning for change is a different process for OT systems than it is for IT systems. IT leaders must develop a cybersecurity playbook specific to their unique OT.
OT security requires IT collaboration, empathy
IT should focus OT attack prevention on preserving uptime. Ransomware and other security attacks targeting OT networks seldom aim for IP theft. Instead, attacks aim to disrupt, and impact a company’s bottom line with unplanned downtime.
OT security, while different, is crucial. As the recent SolarWinds hack illustrates, OT cybersecurity teams should expect sophisticated attacks on industrial control systems and supply chains as a new norm.
Operation technology managers face their own unique set of challenges, and IT must recognize that to ensure OT security. Any changes to OT systems or architectures require CIOs and CISOs to reassess how they bridge security concerns with OT teams.
Before IT leaders talk about cyberthreats with OT counterparts, IT must get their perspective and align with their goals of productivity, safety, and uptime to ensure a collaborative, fruitful partnership. Building that relationship with OT stakeholders who may subscribe to an “if-it-ain’t-broke-don’t-fix-it” philosophy is a prerequisite for improving the organization’s overall security posture. Once IT leaders have gained that trust, they can broach the topic of changing OT systems to a zero-trust architecture.