In another life I spent just shy of nine years in the ICS space. I worked on the IT security side of the house and helped to shore up defenses. One of the troublesome aspects of this role was the disconnect between IT and OT, or operational technology, who were responsible for the care and feeding of the SCADA systems.
There was some interaction between the two sides of the house, but it often felt like cats and dogs learning to rhumba. It wasn't pretty.
Yesterday, I was on a panel at the (ISC)2 Security Congress in Anaheim, CA with Howard Schmidt, Galina Antova and our moderator Brandon Dunlap. We discussed how to better integrate these two sides. I often liken IT and OT to two separate tribes that speak different languages while pursuing a shared goal. However, that shared goal was often not recognized as such when I was in that space. It has been seven years since I last worked in that field, but based on our interaction with the attendees it appears that not much has changed in the intervening years.
This raises the question: how do information technology and operational technology work better together? One attendee shared his experiences. At his organization they had taken the step of embedding an IT security person (him) with the control system engineers. I was happy to hear this, as it affords him the ability both to influence the engineers and to learn from them in return. Too often IT security folks are not able to describe what the business they're supporting actually does to provide them a paycheck. Of course this is not universal, but I've seen it manifest more times than I care to admit.
Howard imparted that for real change to happen there needs to be a concerted top-down push. Without this there is a lack of buy-in on the part of the rank and file to see the job through.
Galina made the point that it will be at least 10 years before we arrive at an integration between IT and OT across the board. I have to say, I agree with her on that point. When NERC first introduced 1200 and later the CIP (Critical Infrastructure Protection) standards there was no crossover between the two. As a result of these standards there was a need for the two sides to begin working together. The real downside to 1200 was that companies could self-certify and, well, I'd wager my lunch money that not everyone was being entirely honest.
As NERC CIP goes through an iterative process it is slowly improving (with the occasional jab from FERC). I'm hopeful that it will serve as a vehicle to improve communication between the groups.
Another attendee made the point that IT and OT in his organization now report through him on security issues. My first reaction was that I had just witnessed a unicorn in the wild. I was pleased to hear that this was taking root in at least one organization.
There needs to be a greater push by senior management in the ICS field to drive better integration and communication between IT and OT. I’m hopeful that this will happen as a natural improvement and not as a reaction to a defining event.