Culture clash – the convergence of OT and IT

It’s often observed that the lines dividing operational technology infrastructure and the more transactional realm of IT are becoming increasingly blurred. But this trend raises challenges says James Clark, not least in terms of culture clash.

The utilities sector, like many others, is a world split in two. Operational technology (OT) drives, manages and controls the mechanical, manufacturing and engineering plant we depend on. On the other side, information technology (IT) powers business processes, the internet and our ability to share data.

While the opportunity represented by combining data from the two is significant, there are hurdles, concerns and barriers to progress. Many can – and should – be overcome. But the most significant can be cultural: who is responsible for what, where is the accountability, and who drives the change?

Until recently the operational technology of a corporation that owns and manages industrial operations has been kept locked up safely in the industrial plants that are core to the business, with little to no connectivity between them and the world of IT.

This was done for good reason: operational technology is generally designed to do very specific things very well, and remain functional in extreme conditions. It tends to be designed with safety and reliability in mind. Information technology, on the other hand, is generally characterised by rapid evolution, flexibility and adaptability.

Despite these different approaches, both IT and OT benefit from being able to share data.

Key points:

• There is a cross-sector trend for the convergence of OT and IT.
• This creates a data-sharing challenge for systems designed with very different purposes in mind and creates risk as well as opportunity.
• It also creates conflict over who drives change and confusion about the boundaries for accountability.
• These areas of culture clash need to be addressed if the inevitable convergence of OT and IT is to be negotiated successfuly and securely.

Connecting and combining IT and OT data can drive huge savings when it comes to operational efficiency. An integrated view of data across the entire business can further unlock efficiencies on an even grander scale. These rewards are most commonly manifested through safety and process improvement, the increased productivity and efficiency of mobile and remote working, and or real-time insight and cost savings from condition based maintenance and the ‘industrial internet’.

Introducing data from IT into an OT system to enhance the information flow between management and supervisory control systems, supervisory networks or management systems would provide far greater control which would assist more effective decision making.

For example, having access to both the IT data (such as asset maintenance schedules) and OT data (such as vibration monitoring data) from a company’s five similar but geographically dispersed assets, which can be shared and monitored from one location, enables the analysis of how efficiently different assets are operating. This will allow specific operational or engineering changes to be shared, ensuring all assets perform as safely and efficiently as possible.

It must be noted however, that convergence also provides a fantastic opportunity for cyber attackers. Recent reports from the US Department for Homeland Security and ICS-ISAC (Industrial Control System Information Sharing and Analysis Centre) reflect a shift we have seen by attack groups into the energy sector in the last year.

Ensuring security in the face of this increased threat is one of the biggest concerns organisations have when they consider converging IT and OT. Newer distributed technologies such as smart meters and grids make the risk and reward judgement even harder; we will soon see intelligent devices embedded throughout the energy supply chain, for example.

Risk understanding and mitigation that drives wider business security resilience is crucial. Measures such as threat intelligence, awareness campaigns which reduce phishing and social engineering, physical security, and better control of network access from vulnerable endpoints – such as mobile devices and Industrial Control Systems – are all important.

Security experts in the world of IT operations should have long since accepted that malware now has the ability to touch and connect to any network-connected element in the world. It is important that OT managers now understand this reality because with convergence it applies to them too.

To see the full benefits of integration, it is important to see IT and OT convergence as a two-way street. Information and data must flow both ways. Using network segmentation gateways to both secure and enable this free flow of the right information to the right points both allows effective convergence and limits the potential for mishap or damage as a result of criminal activity, accident or negligence.

Given the security risks converging IT and OT pose to the differing stakeholders in an organisation, the decision to converge will come from someone who sees the business benefits as a whole: most likely, the CEO.

As security managers start to raise awareness internally, they may encounter resistance to the convergence. Education about the threat is critical to overcome this. But once the decision has been made, the teams managed by the CIO (usually the IT ‘owner’ in an organisation) and head of operations (usually the equivalent for OT) will be responsible for executing the convergence and making sure that resource and budget exists for securing both IT and OT.

In order to successfully and securely introduce IT to OT, responsibility needs to be established between the IT and OT owning departments; who is responsible for what? Where does the accountability lie for the security of each element? Remembering the differing security objectives, how do we protect one side of a business from the other side, and still get the benefits?

Convergence is inevitable, and will bring great benefits and competitive advantage to businesses that are proactive in embracing it and who understand the key issues and take steps to resolve them. Understanding the accountabilities and responsibilities between the stakeholders is the first step to converging in a secure way.