Skill convergence: Finding the right strategy to manage operational technology

Critical infrastructure organisations are increasingly interconnecting their operational technology (OT) and IT networks to optimise production and drive innovation. While this has significant benefits, it also exposes even air-gapped systems to a wider range of cybersecurity threats.

Security teams across both IT and OT now have to assure the proper digital safeguards between these intertwined systems and navigate the ever-changing, and expanding, threat landscape.

Drawing upon different skillsets

IT teams traditionally have different priorities and approaches than operational technology security teams. This is based on their unique objectives and skillsets. IT staff are typically concerned about data, integrity, availability and confidentiality while OT staff are concerned with stability, safety and reliability.

However, these two approaches and skills are beginning to converge under one security department. Combining these skills can be challenging for organisations that previously used separate security tools for each environment. However, the converged IT and OT environment now requires a holistic approach to prevent blind spots. Cybercriminals can attack “from all sides.”  Security leaders must ensure that their teams consider all potential key risks and have the necessary training and skills to securely manage the converged IT and OT environment.

Eliminate internal “team walls” between physical and cybersecurity

There used to be a sharp divide of responsibility between the “guns and guards” - in this case, the physical security team and the cybersecurity team. Operational technology security requires more internal collaboration among teams. Poorly controlled physical security can result in unauthorised individuals gaining access to OT systems. Therefore, OT engineers must maintain and update OT systems diligently.

Similarly, access control updates and system changes need to be communicated to the cybersecurity team. This helps with maintaining visibility of assets connected to the network. Another aspect of breaking down walls is to ensure that physical security leaders are included in cybersecurity cross-functional meetings. This helps to maintain awareness of OT assets and OT security requirements.

Effectively communicate OT risks to senior executives

Cyber threats have the ability to disrupt business and also can tarnish an organisation’s reputation. Cybersecurity, which was once in the periphery of business operations, has now taken a prominent position in the decision making of the board of directors.

To effectively communicate OT risks to drive effective decision-making, senior executives must receive a balanced view of both the benefits and the risks associated with OT security. An effective CISO should measure OT security success by risk reduction, not milestones or tool deployment.

Business leaders want to know what controls are really effective and how secure they are as an organisation. Heat map charts are commonly used to report risk status, but these are poor decision-making tools. A good risk methodology should be able to demonstrate not only the present state of risk but the quantifiable reduction in risk by implementing specific controls.  Showing the reduction in risk achieved by investment in specific controls will support effective decision making by business leaders about OT risk strategy.

Address the new attack surfaces and vectors and calculate risk

As an organisation’s infrastructure grows and becomes more decentralised, it will be even tougher to keep track of every component inside and outside of OT environments, resulting in unknown assets exposing operators to unknown risks. To address the new attack surfaces and vectors associated with IT/OT convergence security teams across both departments need to have a unified view across the entire infrastructure which requires gaining deep situational awareness of each and every asset, vulnerability and security alert. By understanding where an organisation is exposed and to what extent, security teams can get a clearer picture of what’s at risk.

Once the business has a grasp of the area being defended against and where the risk lies, a detailed threat intelligence analysis is needed to prioritise remediation efforts. However, as the endless wave of threats continues, security teams may not have the resources to guess which vulnerabilities need to be remediated first. Therefore calculating risk should be based on a combination of key factors including:-

• Asset Tracking where teams can gain a comprehensive up-to-date inventory of all assets network including dormant devices. The inventory includes detailed information such as firmware, state, and Programmable Logic Controller (PLC) backplane configuration.
• Threat Detection and Mitigation to monitor assets from a policy and anomaly perspective for both cyber threats and operational mistakes.
• Configuration Control to provide a full inventory on all device configuration changes, whether it’s executed by a human user or by malware whether over the network or physically on the device.

The convergence of IT/OT skill sets

The convergence of IT and OT isn’t only about connected environments. It’s also about blending various expertise and skills to secure this ever-expanding and complex attack surface. An effective IT and OT risk strategy should include cross-team communication and effective identification of critical risks across both environments.

To effectively manage threats, IT and OT teams must work closely together to create a coordinated approach.  By following these steps, security leaders can keep their organisation running at peak efficiency and reduce operational technology risk.

By Adam Palmer, Chief Cybersecurity Strategist, Tenable