ICS/SCADA, Critical Infrastructure Security

Three tips for building bridges between IT and OT security

President Joe Biden walks along the New Hampshire 175 bridge in Woodstock, N.H., on November 16, the day after signing the $1.2 trillion infrastructure bill. Today’s columnist, Christina Hoefer of Forescout, writes that while President Biden had to build bridges to bring both political parties together, so too can IT and OT departments build relati...

Now that President Biden has signed the infrastructure bill into law, legislation that promises to build literal bridges across the country, organizations have the opportunity to strengthen their cybersecurity posture by building figurative bridges between IT and OT security teams.

Building bridges requires crossing chasms, and right now most organizations are looking for a way to close the gap between IT and OT security. Historically, these teams have operated in silos. However, protecting IT and OT systems should become an integrated process. If IT and OT security teams do not look beyond their own domains, then they are doomed to failure, so here are three tips to build bridges that will foster a new level of IT and OT collaboration in organizations.

  • Make collaboration a reality.

Many organizations aspire to foster IT and OT collaboration, but fewer put it into practice. Gartner has found that 75% of OT security solutions will be interoperable with IT security solutions by 2025. So, organizations that get started building integrated teams can derive a competitive advantage. IT and OT need to be on equal ground, build a deeper level of collaboration, and leverage their expertise to build a solid infrastructure and framework that enables holistic, ongoing risk assessment and mitigation.

Well, that’s not easy. IT departments tend to take control of cybersecurity policies and practices, and they prefer to work with what they already understand. But this approach fails to consider the unique nature of OT sites and systems, which can cause friction with their OT counterparts. For example, IT departments can actually cause OT security or availability issues if they rush and react to “check the box” for OT environments, instead of considering their specific challenges. On the other hand, OT teams should not expect IT teams to take responsibility for the security compliance of OT systems and environments.

Start by establishing an IT/OT security council, including stakeholders from each department to express their needs. A plant director and an IT security administrator have different jobs but share a mutual goal – to protect the business and maximize its productivity. That goal must serve as the foundation for this council’s work.

  • Rely on security frameworks for the blueprint.

Security frameworks enable smoother and more effective operations. Once an organization establishes a security council, it should develop a cyber risk mitigation playbook that addresses the organization’s entire attack surface and accounts for all environments and systems, from IT to OT, and even IoT.

Think of developing a security playbook as an inter-departmental initiative, where IT and OT teams share real-life scenarios that each team can evaluate and synthesize. Understand that older production sites may require alternative risk mitigation strategies, compared to state-of-the-art infrastructure. Finally, account for incident response plans and how to leverage existing systems and workflows, rather than adding additional complexity on top. Use awareness training to overcome reluctance, as it offers a practical mechanism for each team to learn from one another and to better appreciate a broader perspective.

The common language between IT and OT teams begins with the network traffic flows of devices and their interconnections. Every organization needs to have an accurate view of all devices and how they interconnect to assess the risks and to effectively manage and secure them. This common language lays the foundation for these teams to identify new policies, potential entry points, and prioritize mitigation and prevention solutions. Determine security requirements based on the severity of these risks, existing security posture and connectivity.

Creating security frameworks is a continuous process that needs to adapt to dynamic changes in business, infrastructure, technologies, and threats. In building an effective cybersecurity framework, know what the company has so it can make proper plans to protect it. IT and OT teams have an acute understanding of the devices and systems they manage every day, but the fact that more organizations are accelerating their IT/OT convergence means that knowledge sharing is critical to protect these systems and devices and to not view them in isolation.

  • Contribute requirements and divide the tasks.

In the spirit of knowledge sharing, each team must appreciate and respect the knowledge the other brings to the table. Toward this end, forcing the other team to “comply” or follow a certain framework won’t work. While IT teams are often focused on cybersecurity, OT teams are more preoccupied with keeping infrastructure operational. Consider this dichotomy when implementing security across the enterprise. Security councils should discuss how security can enable more efficient operations and support common tasks.

IT and OT teams should communicate their unique requirements to the security council and validate the policies of the security framework. Embrace specialization by letting each team contribute its expertise and share responsibilities. Offer services to support implementation across OT sites, such as identifying which processes to automate (e.g. asset discovery and managing the inventory).

Don’t burden the team with responsibilities they aren’t equipped to handle. For example, don’t escalate OT incidents to an IT SOC without appropriate training and processes in place. Likewise, an automation engineer will need support installing and managing endpoint protection tools and firewalls, and ensuring device compliance of third-party equipment. After bringing everyone together, it’s OK to divide the tasks – just keep communication channels open and provide services to support each other.

In moving forward to build bridges between departments, remember that divided approaches to IT and OT security are an existential threat to the future of an organization. The sooner these departments realize the benefits of working together, and the greater the effort made to learn from one another, the better off the organization will be long-term. Change is hard, but really important given today’s threat landscape. Start by focusing on greater collaboration and designing processes and policies that are mutually beneficial. The rest will follow.

Christina Hoefer, vice president, global industrial enterprise, Forescout
