There is a lot of rhetoric spinning around the cyber security industry about integrating information technology (IT) and operational technology (OT) into a centralised Security Operations Centre (SOC) environment. Big IT technology vendors are largely responsible for this rhetoric and of course, they have product to push into the lucrative OT security market.
However, while integrating such operations may seem like a sensible approach, the reality is it’s counter-intuitive to what the industry has learnt about securing OT assets and critical infrastructure. Given SIS has made OT security the focus of our business (and we’re not peddling product but functioning as independent consultants), we feel we’ve got a stronger case to put forward. Here’s why you shouldn’t believe the hype about an integrated IT/OT SOC.
In recent years, we’ve seen industry making slow but steady progress from an old way of thinking to a far more effective, targeted approach to OT security. But it’s taken some time.
Only with the Internet of Things (IoT) and connectivity has cyber security become a concern for operational technology because, previously, these assets were protected by an air gap – their isolation from online networks. As OT became more connected, IT specialists assumed responsibility for broader cyber security, including SOC monitoring of operational technology. After all, given connectivity is an IT issue, shouldn’t the IT department look after all connectivity concerns?
You can see how it seemed to make sense at the time.
Eventually, the failings of this approach revealed themselves, and these failings have only escalated with the emergence of more sophisticated hacking techniques. IT departments have struggled to understand the very complex and specific requirements of OT. More often than not, IT and engineering have been at loggerheads through miscommunication and misunderstandings. A lack of synergy across departments and specialties has contributed to OT vulnerabilities, which cyber criminals quickly identified and used to their advantage. Big OT hacks have equated to big costs spiralling into the millions of dollars.
As the saying goes, there had to be a better way.
Out of this situation emerged a new specialty: the OT cyber security specialist. Where an OT cyber security specialist differs from an IT cyber security specialist is in their intimate knowledge of critical infrastructure systems. An OT cyber security specialist is the perfect melding of engineering and IT to create the sharp focus required to protect OT assets in the way they need to be protected.
As legislated processes for OT security in industry arise in response to increased cyber attacks, organisations have come to understand the value of OT security specialists, which has led IT companies to sit up, take notice and think, ‘Why can’t we get a slice of the OT security pie?’. To muscle into this market, they’re effectively turning back the narrative to bring IT and OT under the IT umbrella, i.e. their area of expertise. It may be couched in different language to make it more appealing, but this is essentially a case of history repeating itself. We’d moved past the model of IT controlling OT security and now big players in the IT industry are taking us back.
But it doesn’t have to be like that.
That’s why we’ve written this article. Not all the messaging that IT vendors are peddling is incorrect. Sure, having IT and OT working together – rather than siloed – is the right approach, but their means for doing this is to create an OT security add-on that fits within the IT space. Once again, OT becomes the poor sibling to an IT industry that just wants a piece of the action. On the other hand, OT security specialists are the integration between IT and OT, and a human integration that can function as interpreter between IT and engineering to create the relationships and processes that keep both parties happy – and OT assets far better secured.
So, when you see an IT company saying they can handle your OT-SOC requirements, don’t believe the hype. Remind yourself, these big vendors have big dollars to throw at advertising and reach, so a ubiquitous message is not necessarily a correct one. Consider the evolution of OT cyber security and how and why we’ve got to the point where specialist consultants are now performing an important role for industry. Let’s learn from past mistakes.
SIS is a company of OT security specialists. OT is our business, so it doesn’t have to be yours. Speak to us today.