Adapting for the Internet of Things
Experts share how to embrace the coming merger of IT and OT.
How Does the IoT Change the Dynamics Between IT and OT?
“The coming phenomenon referred to as the ‘IoT’ is in large part about the ultimate physical merging of many traditional OT and IT components.” Chris Blask @chrisblask Chair of ICS-ISAC
“The ‘OT is different than IT’ fallacy stems from ICS professionals comparing OT to desktop management. OT is mission critical IT.” Dale Peterson @digitalbond Founder of Digital Bond & S4 Conference Leading SCADA security blogger
“Although this [merger] has many benefits for interoperability and efficiency, it also brings security risks.” “Cooperation on a consistent security strategy across both IT and OT is essential for the future.” David Meltzer @davidjmeltzer Chief Research Officer, Tripwire
“The choice to connect plant floor devices and share information for many manufacturers in the past depended on a controls engineer taking initiative. That engineer may or may not know how to connect in a way that made information available and made the network secure.” “Those days are over. The risk is too high.” Doug Brock @doug_brock Factory Automation Expert
“Until recently, there were only two classes of smart devices in the typical industrial facility; the devices ‘owned’ by IT, and the controllers ‘owned’ by OT.” “All of these assets have unique operational and access requirements—all are at different levels of security, and all now need to be considered in any holistic security strategy.” Eric Byres @tofinosecurity ICS and SCADA security expert
“IT desires data directly from production/manufacturing and OT usually implements IoT in production/manufacturing.” “This is a way that both organizations can collaborate without politics interfering.” Gary Mintchell @garymintchell Founder/CEO, The Manufacturing Connection
“It is abundantly clear the fractured IT/OT relationship will need to become stronger and more connected.” “OT focuses on keeping plants up and running and plugging any weakness around the ICS. Along those same lines, IT faces a fire hose of new attacks with all types of new devices connecting in to the enterprise.” Greg Hale @isssource Editor/Founder of ISSSource.com
“The real issue is the blurring of the line as IT implements ‘things that smell like OT,’ and OT implements ‘things that are traditional IT.’” “When the line is blurred, where does the responsibility for resilience lie?” James Arlen @myrcurial Director, Risk Advisory Services Leviathan Security Group
“As networking extends deeper into devices and systems, businesses will be able to collect finer-grained and timelier information and use this information to optimize processes, minimize downtime, and reduce operating costs.” “Achieving this vision, however, requires closer cooperation between the OT and IT worlds than has historically been required.” Jeff Lund IIoT Expert, Product Management, Belden
“Today, IT professionals and engineering professionals have different capabilities, roles and responsibilities, although there is some convergence centered around security.” “The dynamics are starting to become more tightly integrated.” Pat Differ Cybersecurity Expert for Real-time Systems Securicon, Inc.
“IT and OT are different, but this is really just a matter of time. At some point in the not too distant future, we will only have technology. No more IT/OT distinction. Just T.” Patrick Miller @PatrickCMiller Critical Infrastructure Security and Regulatory Advisor
“IoT is not changing the dynamics between IT and OT. The systems themselves have been converging for years in terms of technology. The difference between IT and OT is in what they do.” Robert Lee @RobertMLee USAF Cyber Warfare Ops Officer
“The overall implications are relating to what is owned, what is not, and where the border ends, not only at the corporate perimeter but also at the device level.” John Walker @SBLTD Freelance Author in Cyber Security
What practical tips can you provide for IT and OT to work together effectively?
“IT and OT have two different skill sets that can effectively complement each other. Both sides need to remember that it is a two-way street and if they work together they can support each other.” Teamwork Chris Blask @chrisblask Chair of ICS-ISAC
“For IT security pros that want to cooperate on security with OT, learning about how OT works is a great starting place.” Cross-Functional Training David Meltzer @davidjmeltzer Chief Research Officer, Tripwire
“If you don’t know security, you risk bringing down or exposing your network. The bigger risk might be not allowing your workers access to information, while your competitors do. Get educated or get help but don’t wing it.” Improve Skills & Capabilities Doug Brock @doug_brock Factory Automation Expert
“One vulnerable system is a potential pathway to all systems. Yet at the same time, IT can’t own all systems. Senior management can be the first to identify the IoT systems, be clear on who is responsible for each one and then drive consistent behaviors for security throughout the company.” Goal Setting Eric Byres @tofinosecurity ICS and SCADA security expert
“Getting IT and OT to work together is not a technology problem. It is a people problem. Organizationally, the best way is cross-functional training and teamwork guided by a leader who creates a collaborative environment and metrics that emphasize teamwork.” Cross-Functional Training Gary Mintchell @garymintchell Founder/CEO, The Manufacturing Connection
“Communicate. If IT and OT get that down, then everything else falls into place. Yes, their missions differ. Working together is so vital, the mandate has to come from the top.” Communication Greg Hale @isssource Editor/Founder of ISSSource.com
“The most practical tip is to execute on having some people skills, cooperating to ensure that there is a bright-line for responsibility, and that where knowledge transfer can be undertaken, it is obvious that the transfer happens.” People Skills James Arlen @myrcurial Director, Risk Advisory Services Leviathan Security Group
“IT must work closely with OT to understand the volume of data, as well as archiving and retention needs. Once we have secure connections to remote devices, data and scalable storage, IT and OT will need to collaborate to make use of that data.” Collaboration Jeff Lund IIoT Expert, Product Management, Belden
“Set up a core IoT ownership group that includes both IT and OT to establish roles, responsibilities, common goals, and objectives.” “Establish role-based training and awareness programs for IoT that outline the corporate objectives, eliminate any potential silos and ensure daily cooperation with all stakeholders.” Role-Based Training Pat Differ Cybersecurity Expert for Real-time Systems Securicon, Inc.
“Spend some time working side by side with the other [group]. Job shadowing and embedded observation will do wonders for helping both sides see each other’s perspective more clearly.” Observation Patrick Miller @PatrickCMiller Critical Infrastructure Security and Regulatory Advisor
“The most important thing for having IT and OT work together is to ensure that the people are integrating together to voice their concerns and identify what they consider critical assets and processes.” Integration Robert Lee @RobertMLee USAF Cyber Warfare Ops Officer
Read more at: http://tripwire.me/adaptitot and www.belden.com/adaptitot