GUEST ESSAY: The case for acknowledging — and bridging — the security gap between IT vs OT

By Christopher Britton

My many years working with companies dealing with significant disruptions in the cybersecurity space have taught me a lot. The more I learn, the more I understand the inherent vulnerabilities facing organizations across the world.


The convergence of information technology (IT) and operational technology (OT) is a double-edged sword for critical infrastructure sectors – despite all its benefits, IT/OT convergence is not without its risks. These risks have become even more pronounced as ransomware attacks reach record-breaking highs.

Critical infrastructure sectors, such as energy and water, have never seemed more in the crosshairs – so much so that they have become the focus of recent Biden administration cybersecurity initiatives. In case of crisis, organizations need a plan, which begins with alignment between teams.

Crossing the Chasm

It has been more than a decade since Gartner first highlighted the challenges and benefits of IT/OT convergence. The promises of IT/OT convergence include lower costs, enhanced performance and the orchestration of systems through integration and automation, but the challenges include increased complexity, limits with scalability, and new cybersecurity risks. For example, OT environments include devices installed with legacy operating systems, which can be difficult to integrate and secure.

Fundamentally, IT and OT functions are managed by different teams with different priorities. An OT manager is more concerned with reliable solutions to monitor processes in industrial environments, while an IT security admin is more interested in implementing controls to reduce the risk of an attack.


Historically, the Purdue model (PERA) popularized the approach of physically isolating IT and OT networks from one another and protecting this gap with a demilitarized zone (DMZ). However, the widespread adoption of big data analytics and the recent rise of industrial IoT devices are two examples of technology trends that require greater communication between these networks – and within organizations, their respective departments.

The Mirai botnet is a good example of why organizations should be taking industrial IoT security seriously. In 2016, Mirai compromised as many as 2.5 million IoT devices (predominantly IP security cameras with default settings) to launch some of the largest and most disruptive distributed denial of service (DDoS) attacks of all time.

A New Wave of Attacks

The risk of botnet infection seems bland compared to the recent surge in ransomware attacks, which are far more disruptive and costly. According to the Identity Theft Resource Center, ransomware attacks doubled in 2020 and again in 2021.

In 2021, the Colonial Pipeline ransomware attack became the poster child for ransomware. In addition to paying a $5 million ransom, Colonial Pipeline proactively shut down its OT environment to prevent the attack from spreading. The shutdown resulted in a week-long gas crisis through most of the Southeastern United States, demonstrating how devastating an attack on critical infrastructure could be. The FBI has warned that the next generation of ransomware attacks could emerge as even more destructive killware.

Build Communication Channels, Not Silos

It is important to realize that IT/OT convergence is just as much about the human element as it is about technology. Imagine how these functions need to be aligned during a crisis: there are two teams managing the response to two environments. An organization cannot afford to lose time because teams are not communicating in real time. An organization cannot afford to lose time because there is no clear operational picture. An organization cannot afford to lose time because there is no playbook guiding these teams.

Over time, there has been a marked increase in crises, especially in the energy sector. And it seems like the waves keep building – it can be overwhelming. With a crisis management platform like In Case of Crisis 365, teams have up-to-the-minute intelligence about what is happening relevant to a crisis. Teams are assembled quickly, and they have immediate access to the most up-to-date and approved language, plans, and other mission-critical information amid a crisis.

Regardless of how you do it, it is critical that you develop a structure that drives YOUR organization to create issue-specific crisis plans with prompts and playbooks to bring order to the chaos of crisis. The first step is tearing down silos to bring teams together.

About the essayist: Christopher Britton (Chris) is the General Manager and a founding executive with RockDove Solutions, the developer of the award-winning crisis management platform, In Case of Crisis 365. Chris has been a frequent presenter, podcast and media interview guest, and publisher of hundreds of articles and blogs.
