Successfully managing industrial cybersecurity in a converging world
There has been quite a lot of buzz the past few years around Information Technology and Operations Technology (IT/OT) convergence and its impact to the world of both IT and OT. Much of the discussion has centered around the opportunities for improvements in efficiency and availability – or the scary cybersecurity risks associated with the convergence. Some organizations struggle with balancing the mutually exclusive or overlapping projects, requirements, budgets, objectives, people, and technology.
Delivering successful IT projects is quite different than OT projects. Regulations, standards, project management, equipment, manufacturers, partners, technology, the goals, etc. are from two different sides of the knowledge spectrum. Even the work cultures are different. Usually, the engineers don’t want to be in IT, and don’t really want IT in their space. And vice versa – the IT guys don’t really want to be in the plant, their world is the datacenter. Neither wants to cede control to the other – and for good reason. We wouldn’t want the IT guy controlling the safety systems of the chemical plant. You obviously can’t ‘reboot’ a potentially highly explosive industrial chemical process. Nor would you want the plant engineer running your perimeter firewalls.
And yet, despite these clashes in culture, it’s more and more common that we see business objectives that require a holistic IT/OT approach, utilizing both Information and Operations technology. Trying to find common ground between the IT staff and the engineers from the plant floor is a tough endeavor, but it’s the only viable option when aligning IT/OT with enterprise level goals.
Take for example a real story of one of our customers –
A water utility has hundreds of pumping stations distributed across acres of land. The engineers need to monitor the vibrations of these pumps as a means to detect malfunctions. Yet the IT team refused to enable remote connectivity due to cyber-security concerns, unless a VPN connection is utilized. Concerned that it would take a long time to approve and implement, the engineers decided to purchase a cheap, disk-on-key cell modem from ebay, and connect the PLC directly to the internet. This enabled them to login from their home laptops to perform monitoring and maintenance. Voila! Problem solved, and no need to involve, or get approval from IT, or wait until IT implements a solution.
That’s how an engineer is trained to think, to solve problems and work through obstacles. However, such creative solutions introduce other problems, like cyber-security related issues, and implementation of solutions that can’t scale to meet business needs.
Meanwhile, the IT department hundreds of miles away, is unaware of the creative solution implemented by the engineers. They are debating how to enable remote connectivity – by installing Ethernet or wifi in the water plant. Each has advantages and drawbacks. But planning without feedback from the plant engineers would be foolish. The pump’s monitoring sensor requirements must be fully understood: Implementing wifi without including the engineers pump sensor requirements wouldn’t solve any issues for the engineer. Implementing Ethernet connectivity to the pumps might enable the engineer to monitor vibration, but requires Ethernet to be run to every single pump, and can’t accommodate changes to a pumps location if it were moved. Perhaps the business would prefer to re-organize the layout of the plant to increase efficiency and lower the costs, which would pose challenges to the network planning process.
Having experts that can speak both languages – IT and OT, is a key factor in the successful application of technology into the industrial world. Even more so, industrial cybersecurity projects almost always require specialists from both IT and OT. Organizations are more likely to succeed if they have a role built into the organization that can translate strategic objectives from business leaders to IT/OT subject matter experts.
Converging IT/OT Cyber Security
Successful deployment of industrial cybersecurity projects will leverage resources from both IT and OT. Business level oversight and leadership ensures that the different cultures don’t clash, but instead work together, and eventually complement each other to provide even greater value to the organization.
To make this happen, more and more organizations are taking senior, experienced engineers from the various OT Business Units, usually from under the Chief Operations Officer, and moving them under the CIO hierarchy, resulting in people and roles that can straddle across both sides of the IT/OT fence.
In our example, if the customer had an IT/OT leader in place, that person would be responsible for providing a solution that addresses the needs of the engineers as well as the business. This person would provide an IT/OT Integration Strategy, as well as strategies to address cyber-security, maintenance, safety, etc., – resulting in sustainable, industrial-grade, enterprise-wide solutions.
Some organizations have taken this even further, and instead of building IT roles under the CIO, they create a new, C-Level role to facilitate this strategy. For example, it’s not uncommon to find a Chief Digital Officer(CDO) that helps bridge the gap between the CTO and COO.
The higher up the organizational ladder that IT/OT convergence decisions are being made, the higher the chances for success.