Security teams that support information and operational technology often find themselves at odds in terms of priorities and incident response tactics, heightening the risk that emerges as these two environments converge.
The cyberattacks against Colonial Pipeline and the Oldsmar, Florida water supply demonstrated a need to not only ensure security is properly managed amid integration of IT and OT systems, but also that incident response standards are clearly defined for all.
“We need to understand that [IT and OT security teams] have different perspectives,” said Matthew Dobbs, chief integration architect at IBM Security, during a Monday session at the RSA Conference. “IT wants to keep data confidential; OT wants to keep everything running above all else, or keep everyone alive and safe. This can drive a wedge between teams.”
Other differences Dobbs noted: OT teams can sometimes view IT as a job killer. And while OT needs mature technology, which can last 10 or 20 years, IT teams have leeway to implement emerging products, even looking for open-source offerings.
“These differences can be exacerbated in a cyber crisis,” said Dobbs.
While Colonial Pipeline remained relatively mum about the specific timeline of events that resulted in a shutdown of systems and ultimately a ransomware payment, the incident demonstrated the potential impact when malware reaches remote facilities whose IT and operational technology systems may not be adequately fortified to defend against an attack.
And when an attack occurs, distinctions in how systems are managed by IT versus OT teams can be magnified.
“If there is incident forensics data needed on an IT system, it’s relatively easy to get a snapshot of the hard drive and reimage the system,” said Dobbs. “But in the OT world, there may not be an ability to gather that data for forensic analysis, or there’s pressure to get the factory floor back up and running – to ‘reload the firmware and get going.’ You lose that important bit of information.”
Beyond the more standard security training that often takes place among teams at organizations – tabletop exercises, capture the flag, and so forth – gamification can offer environments that mix IT and OT an opportunity to address areas of conflict between teams.
That said, IBM Gamification and Cyber Security Engineer John Clarke drew a distinction between game-based learning, where a game is specifically created to teach a distinct skill or have a specific learning outcome, and gamification, which uses game design elements and principles in a non-game context: scoreboards, points, badges, leaderboards, performance graphs, storylines, avatars and teammates, to name some examples.
“Psychology plays a big part,” Clarke said during the session. “It will trigger emotions in us that are linked to a positive user experience. It gives us a sense of control. It reinforces good behavior, a sense of achievement. It’s competitive by nature. It allows us to apply critical thinking.”
For IT and OT specifically, gamification provides an opportunity to practice communications between the two teams, as well as with the business side of the organization; it helps define unified messaging; and it allows all participants to exercise muscle memory ahead of an actual incident.
“The goal is not always to find the threat actor; it should be bigger than that,” Clarke said. “Can we find gaps in our people, our process, our technology?
“The path is not always a straight line,” he continued. “We need to utilize critical thinking to change the path or move obstacles.”