



IT, OT and IoT: existential technology lifecycle management

Jun 06, 2018 | 5 mins
Application Security, Data and Information Security, Internet of Things

If you give companies a way to make more money by making it clear that we only buy products that have been tested, approved and include security maintenance plans, those companies will rise to the occasion and work hard to get your business.


I’ve written previously on the emergence of security as a competitive differentiator, and how that trend is helping consumers, businesses, and society at large.

To summarize, companies are recognizing the power of promoting the security of their products; consumers are responding favorably when a product comes out of the box free from known security defects. Concurrently, businesses and the public sector are choosing third-party providers that promote secure deployment, as well as maintenance plans to address future vulnerabilities and security flaws with patches, updates, and revisions. This trend is forcing the market to move the security needle. And when capitalist businesses see a favorable return on security investments, they will do more, not because they are mission-driven, but because they want your money.

Those of us in information security serving both the public and private sector still see this as a win: no matter the reason, it’s the shift we need for a safer society.

In a recent engagement for a public-sector organization that will, for the time being, remain unnamed, CI Security put this idea to work around the framework of public sector operations. By integrating everything under the umbrella of operations, including information technology (IT), operational technology (OT) in utilities, and internet-of-things (IoT) technologies, we can secure and enable “smart city” efficiencies.

Let’s explore why this is the critical path for all organizations and communities to a more secure future in a hyper-technological world.

OT and IT staff are inherently different

Historically, staff tasked with OT management have come up through the trades. Because these are water, energy, dam, waste-treatment, and other operations mainly associated with public utilities, employees are represented by unions. These employees have matured through a completely different ecosystem than information technology professionals.

Just about anyone who has had to work with these two groups on a project can agree on two things: 1) there is generally poor coordination between IT and OT staff, and 2) there are typically two separate and different policies that address technologies. Some OT teams may even have policies pinned to regulatory requirements, such as energy sector operations.

OT teams are focused on managing technology elements of industrial control and SCADA (supervisory control and data acquisition) systems, such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), “historians”, etc. These operational technologies suffer from the same issues as the operating systems and application servers on the IT side of the house. However, the impact of a disruption event due to a “cyber” attack on OT, which is becoming empirically more likely, is significant. These events could disrupt and impact everything from emergency management to restoration costs and, in the worst case, cause loss of life.

Bridging the OT-IT gap

How can we all start speaking the same language, and addressing technology security on both sides of the IT/OT demarcation point?

First, note that policy underpins everything.

Without a set of rules on which to fall back, ambiguities on “who does what” will continue to exist, and the visibility into OT operations needed for the sake of security will continue to be lacking. Policies that apply organization-wide should address technology across the spectrum of operations, to specifically include procurement, contracting, and vulnerability management at a minimum. Policies that are specific to OT operations and go over and above these issues will, again, likely be driven by regulatory requirements; however, these technology security management issues can and should be applied universally.

Second, commit to full integration between OT and IT.

Once policy regarding these key issues has gone through the governance process and been approved for promulgation, memoranda of understanding between the IT and OT groups may be used to delineate responsibilities. The components of security operations that address technology procurement, deployment and integration, administration and operational maintenance, security monitoring, and incident response must be covered. Note that these responsibilities extend to technology manufacturers, distributors, and integrators as well as the IT and OT staff in the organization.

Integrating and preparing for IoT

With those preliminary steps mandated, organizations can better prepare items for the various IoT implementations and building plans underway.

The final mile is IoT integration into the overall security program. The reason is that IoT stands to greatly increase the existing attack surface presented to threat actors; whether it’s for automating traffic management, facility energy consumption, or a robotic manufacturing line, the bad guys have more ways to enter critical systems. One case in point is the recent story of the casino that was hacked through an aquarium thermostat.

If we do not adopt more aware practices in the way we create an expectation of security and in the way we buy, contract, deploy, maintain, and retire these technologies, we’re rolling out the red carpet for more records disclosure, theft, extortion, and disruption of operational continuity.

Let’s remember, we’re capitalists – and if you give companies a way to make more money by making it clear that we only buy products that have been tested, approved and include security maintenance plans, those companies will rise to the occasion and work hard to get your business. And that trend will continue to move the security needle to a safer society.


Michael Hamilton is the founder and CISO of CI Security, formerly known as Critical Informatics, a provider of managed detection and response and information security consulting services.

With 25 years of experience in information security as a practitioner, consultant, executive and entrepreneur, Michael has worked with organizations ranging from Fortune 100 companies to small private colleges, and in nearly every sector.

As former Chief Information Security Officer for the City of Seattle, Michael managed information security policy, strategy, and operations for 30 government agencies. Prior, Michael was the Managing Consultant for VeriSign Global Security Consulting, where he provided his information security expertise for hundreds of organizations.

Michael is a subject-matter expert and former Vice-Chair for the DHS State, Local, Tribal and Territorial Government Coordinating Council. His awards include Member of the Year with the Association of City and County Information Systems (ACCIS), and Collaboration Award from the Center for Digital Government.

Michael recently served as a Cyber Security Policy Advisor for the State of Washington Office of the CIO, and continues to spearhead the Public Infrastructure Security Collaboration and Exchange System (PICSES), a regional cyber event monitoring system that is unique in the nation. Michael has been a member of the Sigma Xi research honor society for more than 25 years.


The opinions expressed in this blog are those of Michael Hamilton and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.