A house divided: Key differences in cybersecurity implementation for IT and OT This blog post was authored by Justin Turner - Director, Security and Privacy on the technology insights blog.Anyone who has spent a significant amount of time in any U.S. state where college football is popular, has likely seen a “house divided” bumper sticker or license plate cover, with contrasting university logos. Many of us (and our friends and families) enjoy spirited rivalries (Roll Tide vs. War Eagle, The Egg Bowl, Bedlam, The Backyard Brawl, “The Game”). But we’re fundamentally not all that different and we have the same goals – we want our team or programme to win and to be successful.Spending time in the field or on the manufacturing shop floor coordinating cybersecurity priorities between Information Technology (IT) and Operational Technology (OT) is often reminiscent of a college rivalry. However, in this instance, it’s important to keep in perspective that in an organisation with OT systems and technology, everyone plays for the same team. It’s also critical to recognise that implementation and ongoing management of cybersecurity measures in IT vs OT often look quite different. The list below is far from comprehensive but, based on our experience, represents some of the more common and impactful differences or challenges that organisations may encounter when attempting to advance the current state of cybersecurity in the OT environment. Topics Cybersecurity and Privacy Patching/outdated systems Applying security patches is much less straightforward in an OT environment. Operating system patches (e.g., for Windows devices) often require a reboot, which may be difficult and disruptive to schedule in a production environment. Additionally, Original Equipment Manufacturers (OEMs) such as Emerson, Honeywell or Wonderware/AVEVA test Windows or Linux patches in their lab or development environments, and then on a periodic (monthly or quarterly) basis will release a list of patches that are approved for installation on their system. Given these two factors alone, it is common to see patch levels on key OT systems that are months or even years behind the current release, potentially impacted by critical or exploitable vulnerabilities. In addition to the operating system layer, it’s important to consider applications and software (e.g., the Industrial Control System, or “ICS”) running in the OT environment. Countless times we’ve witnessed legacy and unsupported operating systems such as Windows XP or Windows Server 2008 that have not been replaced due to application dependencies. For example, there may be a programme developed by a vendor 20+ years ago that isn’t even in business anymore, so the software was never updated to run on modern and supported operating systems. Running systems that have reached end-of-life (EOL) or end-of-support (EOS) isn’t ideal, but have all of the potential impacts of replacing those OT devices been considered? Has a cost-benefit analysis been conducted to determine the cost of updating or replacing EOL devices, which if the OEM is no longer in business might require the replacement of additional hardware, equipment or machinery that could carry a seven-figure price tag? Our recent Global Technology Executive Survey indicates these issues are widespread and not isolated. Network monitoring and visibility Professionals working in or around cybersecurity likely have heard an expression to the effect of, “you can’t protect what you don’t know about.” An incomplete and unreliable asset inventory (of network-connected devices) is a common pain point in OT. Traditional network scanning or discovery tools are minimally informative at best, and in many networks (where aged, legacy infrastructure is present and/or bandwidth is limited), could render systems unavailable and disrupt operations. Organisations that grow and expand through mergers and acquisitions may particularly struggle with maintaining a full picture of network-connected devices in the field, plant or manufacturing site. Enumerating security vulnerabilities and potential security events in OT environments also poses unique challenges. Network vulnerability scanners have the potential to negatively impact system availability and may not be able to identify insecurities on OT devices (such as Programmable Logic Controllers (PLCs)). Security tools such as anti-malware or endpoint protection are not always able to be widely distributed in OT, as OEMs may only support select endpoint detection and response (EDR) tools, which could differ from what the enterprise has selected for IT networks/assets. If a Security Operations Center (SOC) is in place and logs from OT devices/networks are being ingested, do we have confidence that we’re getting data from all critical systems or devices? Have our security analysts been trained on how to recognise indicators of compromise in OT and are clear on who from the operations side of the business (such as a plant manager or shift supervisor) should be engaged to investigate a potential security incident? Identity and access management Many controls that are considered basic cybersecurity hygiene in IT networks may also face roadblocks in OT environments. Related to identity and access management, some systems and applications cannot support lengthy or complex passwords that align with the organisational standard. Certain devices don’t support passwords at all! Knowledge of data such as IP address, open port, and software required to communicate may allow a user to connect to and even manage or make changes on critical automation devices without authentication. The ICS or other management programmes may not have the ability to create accounts that can be assigned to individual users, and the default account (e.g., “admin”) must be leveraged by all users of the system. Lastly, it is common to see processes, programmes and applications on OT systems running with local administration privileges, compounding the risks outlined above. Takeaways What can be done to bridge this divide and improve the security of our OT networks? I realise I’m not revealing a state secret here, but it starts with empathy and transparent communication. I’ve lost count of the number of instances I’ve encountered where the IT or security team discovers a device that they didn’t procure or manage and the OT team is told “you can’t have that server.” No solution or alternative is offered, nor is effort dedicated to understanding the business or operational use case for why that server needed to be deployed, the response is just “no.” On the other hand, the OT personnel should be more proactive in engaging IT/security to develop solutions to challenges or problems jointly. The path of least resistance may not be the most secure one and deploying it without evaluation from in-house or external/third-party security experts could introduce risks that not only lead to operational disruption and lost revenue but may also impact the health and safety of employees and the environment. There are alternative paths available to architect a solution that meets the needs of the business that also factors in cybersecurity. Reaching the ideal destination often requires multiple navigators from both IT and OT. To address challenges in patch management, ensure there is a defined cadence with OEMs to receive and apply security updates (prioritising critical updates such as those with exploit code publicly available) on a periodic basis. For EOL systems that cannot be upgraded or replaced, explore options to isolate and restrict traffic to/from those systems (for example, using a firewall or access control lists on a network switch). Consider implementation of an asset discovery and threat detection solution designed for OT networks (device discovery and enumeration is conducted passively). Leverage the results from the discovery solution to identify and document the systems that are critical to site operations and prioritise those devices in your security monitoring strategy. Additionally, organisations may consider standing up a test network reflective of the production environment, to enable safe methods to evaluate patches and identify potential vulnerabilities. For Identity and Access Management, enforce complex passwords and create unique IDs/logons where possible. Limit the provisioning of administrative or privileged access as feasible. Enforce multifactor authentication if supported on all remote access connections to the OT environment. When it’s possible to get IT and OT personnel playing for the same team, the organisation increases its odds of scoring a secure operational environment. Read the results of our new Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War. To learn more about our security consulting services, contact us. Digital identity We tackle identity and privileged access management from a risk management perspective, giving you empowered and trusted users who can safely connect to sensitive resources, no matter where they are. Cybersecurity As technology rapidly evolves and digital adoption accelerates, Protiviti's cybersecurity and privacy team turns cyber risk into an advantage–protecting every layer of your organisation to unlock new opportunities, securely. Security program and strategy We help you understand and manage the evolving cybersecurity and privacy risks you face, determine your readiness to address them, tailor your cybersecurity governance, and communicate effectively with stakeholders. Leadership Leslie Howatt Leslie is a managing director, and Protiviti’s technology consulting solution lead. She specialises in digital and technology strategy as well as transformational change with over 25 years’ experience across consulting, industry, and government sectors. She has ... Learn More Krishnan Venkatraman Krishnan is a director with over 14 years’ experience in professional services. He has specific expertise in technology risk consulting and has been advising clients both in the public and private sector in designing and implementing information security controls.Major ... Learn More Tim Speelman Tim is a director with a track record of developing and implementing strategic plans that align with the demands and gaps of global and local enterprises. Before joining Protiviti, Tim was a regional CISO responsible for APAC within a large recruitment company with core ... Learn More Featured insights BLOGS Developing a security function during a CISO’s first 100 days These turbulent times of evolving threats and rising personal responsibility considerations for cybersecurity leaders make the CISO role a challenging but rewarding position. The CISO must contend with an increasing sophistication of attacks,... BLOGS Achieving Diversity’s Benefits in Cybersecurity Could any security organisation benefit from greater innovation? Or from responding more effectively to diverse internal customers? How about benefitting by retaining the talent its leaders have so carefully nurtured, by accessing more diverse... BLOGS Creating a resilient cybersecurity strategy: The governance lifecycle approach Cybersecurity governance should do more than manage cyber risk. Goodcybersecuritygovernance creates efficiencies by clarifying the outcomes expected from its processes and establishing boundaries of responsibility among cybersecurity... BLOGS Why Consolidated Security Will Help Meet Cyber Challenges Companies face multiple threats as the security landscape continues to evolve. But how can they get to grips with the cyber risks they face and a record number of data breaches? Taken together, all areas of risk and security are essential in modern... Button Button