We’ve all heard the old adage that ‘a computer is only as good as the person operating it’, so to say that people could be the secret ingredient in protecting your Operational Technology (OT) is anything but a revolutionary concept. Yet, despite how readily we accept this wisdom, many of us frequently forget to apply it in our daily business operations.
When it comes to looking after OT, many organisations are just as guilty of this, if not more so.
The very nature of OT security – especially given that ‘technology’ is one of the two words in the acronym – is the application of technology to mitigate risk and secure your industrial assets. Yet, in our experience, the biggest obstacle to getting OT security to work properly tends not to lie with the technology itself, but with a gap between expectation, expertise and the people in any given organisation.
How does this manifest?
There’s an assumption that anything OT security-related should be lumped in with the responsibilities of the corporate IT department, which is really a case of mixing apples with oranges. IT personnel may be pressured into handling the cyber security of the whole organisation but, in reality, the objectives and requirements of OT and IT are very different: IT is generally built around protecting the confidentiality and integrity of data, whereas OT exists to keep a physical process running safely, so availability and safety come first.
Let’s explain some more…
IT and OT are different disciplines, which means the people in your IT department have a very different skillset from those in your OT team. OT personnel are typically engineers, whereas IT specialists rarely cross over into the world of process control engineering. Consequently, it is challenging for IT personnel to understand how control systems operate, as they typically have no role out in the field or at your plant sites. To expect IT to manage the security of your OT assets is like asking a Chinese speaker to write in English – they are, quite simply, speaking an entirely different language.
This language gap between IT and OT can become a serious problem if it is not addressed. For example, an OT team will typically want to retain full ownership of every asset at their plant, while an IT team will try to extend its existing security services into that environment without considering the OT team’s requirements. OT personnel often see security controls introduced by IT as a hindrance or roadblock to their duties, and regard getting their job done as of greater significance to the business (i.e. if the plant stops working, so does the business). The availability of OT assets is therefore crucial in a way that rarely applies to IT: an unscheduled patch reboot or an active network scan that would be routine on an office network can stop a controller and halt production.
Additionally, such differences can result in a lack of trust between IT and OT departments; not because they are positioned as enemies but because of differing, and sometimes clashing, objectives, and even the physical distance between the two teams. IT may be located in a separate office or facility, and that distance offers very little opportunity for collaboration and developing rapport. Such a situation can make it difficult for IT and OT to fully appreciate that they are both part of the same organisation with the same mission.
In securing your OT assets, there’s a degree of translation that needs to take place between your IT and OT departments. However, just as not everyone speaks Chinese and English, not everyone speaks fluent IT and OT. More importantly, even those who can speak both languages are not necessarily skilled enough at the translation to ensure both parties understand each other properly.
So, what do you need to do to get everyone speaking the same language and ensure your mission-critical assets are not compromised?
You need to introduce an appropriate mediator – a translator – for your company who has the expertise and know-how to be the glue between your IT and OT teams. The right mediator should essentially ‘play Switzerland’ (i.e. take a neutral position and identify where the breakdown between the parties occurs), then work to build trust between both groups, before acting as ‘marriage counsellor’ through collaborative workshops that align the two departments and harmonise their objectives. A positive by-product of such a process is education and awareness, which ultimately spreads across the wider workplace.
From a security perspective, OT engineers need to understand how cyber threats translate into risk to the process they run, not just to data. IT specialists need to understand the reliability, availability, maintainability and safety (RAMS) requirements of OT assets that engineers must meet to keep plants operational, so that controls such as patching, scanning and monitoring are scheduled and designed around those requirements rather than imposed over them.
People will always be the weakest link in any security chain, but they should not be the dealbreaker that leaves your organisation vulnerable to attack. By bringing in professional ‘translators’ who can get the IT and OT divisions of your business working in tandem, you can be far more confident that a security incident at your plant is unlikely, and that your organisation will stay out of the headlines.
Need a ‘counsellor’ to get your OT and IT working from the same page? Speak to SIS about bridging the divide between your departments.