Cracking the IT and OT Alignment Challenges in Manufacturing – Get the Insider Insights
- June 28, 2023
Manufacturers are facing disruptions from external forces such as pandemics, geopolitical instability, supply chain uncertainty and chronic labor shortages. But the potential for internal disruption is growing rapidly because IT and operational technology (OT) departments in manufacturing businesses are often poorly aligned. In some cases, they’re actively in conflict. In either case, the result is that cybersecurity vulnerabilities increase.
If we take a step back, misalignment is an unintended byproduct of industry evolution. Manufacturers are increasingly integrating automation into their plants. For example, this could entail moving functions to the cloud and adopting Industry 4.0 principles to improve productivity and efficiency. Given the pervasive digitalization of plant operations, OT is becoming more reliant on IT functions to support its productivity. Yes, modernization needs the convergence of OT and IT, and that discussion must include security alignment.
With data at its core, manufacturing success depends on secure and properly functioning systems. But manufacturing operations might not fully understand the extent of the cybersecurity vulnerabilities their technologies present. And IT organizations might lack visibility into operational technologies that require securing.
Achieving alignment between IT and OT is therefore crucial to a more secure and efficient future for manufacturers. Here we’ll look at some of the tactical, philosophical and people-related challenges to bridging the gap between IT and OT — and then some potential solutions.
The fundamental reasons that IT and OT are at variance arise from their differing philosophies. For example, industry experts often discuss the CIA triad of security: confidentiality, integrity and availability. IT and OT professionals may have differing priorities within that triad. For example, IT often prioritizes data confidentiality. Conversely, OT, typically associated with production floor operations, focuses more on data availability.
These differing philosophies have practical implications. One way they manifest is in the reluctance of OT professionals to perform typical IT functions, such as patching systems. Activities such as patching and applying updates can cause system downtime and impact productivity. While IT is also concerned about productivity, it isn't the priority for IT that it is for OT professionals.
From a tactical perspective, conflict emerges because IT and OT use different protocols. OT protocols are often specialized and niche, tailored to specific industries and customers. For example, OT uses PLCs and HMIs, which are governed by hardware-specific protocols from companies like Siemens or Rockwell. By contrast, IT typically deals with Windows operating systems. Traditional IT tools simply don’t cover industrial control protocols.
That is where security vulnerabilities arise. For an IT analyst to effectively detect threats in the OT environment, they must first recognize an OT device. Such device identification can be challenging because IT personnel often don't have experience with OT devices, and they may not know what to look for. For example, an IT analyst may mistake an OT computer running machinery for an IT computer, and not realize that the OT device shouldn't perform certain tasks.
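The device-identification problem described above can be approached passively, by labeling hosts from the traffic they already produce. The following sketch is an added example, not part of the original article: the flow records are constructed, the port map uses the registered default ports for S7comm, EtherNet/IP and Modbus/TCP, and the list of "IT-only" services is an assumed site policy.

```python
from collections import defaultdict

# Default TCP ports of industrial protocols (sites may remap them; heuristic only).
OT_PORTS = {102: "S7comm (Siemens)", 44818: "EtherNet/IP (Rockwell)", 502: "Modbus/TCP"}
# Services an OT asset would not normally initiate (assumed policy, adjust per site).
IT_ONLY_PORTS = {80: "HTTP", 443: "HTTPS", 25: "SMTP", 3389: "RDP"}

# Constructed flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.1.5", 102),    # HMI polling a Siemens PLC
    ("10.10.1.20", "10.10.1.6", 44818),  # same HMI talking to a Rockwell PLC
    ("10.10.1.20", "203.0.113.9", 443),  # HMI initiating an outbound web session
    ("10.20.3.7", "10.20.3.1", 443),     # office laptop, ordinary web traffic
    ("10.20.3.7", "10.20.3.2", 25),      # office laptop sending mail
    ("10.10.1.5", "10.10.1.6", 502),     # PLC-to-PLC Modbus
]

def classify_assets(flows):
    """Label each host from passively observed flows; no packets are sent."""
    serves, uses, it_out = defaultdict(set), defaultdict(set), defaultdict(set)
    hosts = set()
    for src, dst, port in flows:
        hosts.update((src, dst))
        if port in OT_PORTS:
            serves[dst].add(OT_PORTS[port])
            uses[src].add(OT_PORTS[port])
        elif port in IT_ONLY_PORTS:
            it_out[src].add(IT_ONLY_PORTS[port])
    inventory = {}
    for host in sorted(hosts):
        if serves[host]:
            role = "controller"   # answers industrial protocol requests (PLC-like)
        elif uses[host]:
            role = "ot-client"    # HMI or engineering workstation
        else:
            role = "it"
        inventory[host] = {
            "role": role,
            "protocols": sorted(serves[host] | uses[host]),
            # An OT asset initiating IT-only services is what an analyst should review.
            "review": sorted(it_out[host]) if role != "it" else [],
        }
    return inventory

def hosts_to_review(inventory):
    """Return only the OT assets seen doing something outside their role."""
    return {h: v["review"] for h, v in inventory.items() if v["review"]}
```

Port-based labeling is a first pass; confirming a device's identity still requires protocol-aware inspection or input from the OT team that owns it.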
Another significant tactical issue is that OT machines are often outdated. Some, built in the 80s and 90s, lack important updates. Because of this, they run legacy software or operating systems with unpatched vulnerabilities. Even if IT could detect the vulnerabilities, fixing them isn't always possible due to the legacy nature of the machines.
Beyond philosophical differences and tactical issues, there remains the challenge that people in the different organizations have different basic skill sets. Often, this results from the variations in protocols mentioned earlier. But the difference in skill sets presents a significant cybersecurity challenge.
To illustrate, IT professionals might simply not know what to look for when trying to detect threats in the OT environment. For IT personnel to work effectively with OT systems, they need to understand the architecture and ecosystem of the business. They must also gain an understanding of the flow of the business and how it impacts the rest of the organization. Similarly, OT professionals must be able to recognize when their specialized technologies cause potential vulnerabilities.
In a nutshell, the gap in philosophy, tactics and skills poses a potent challenge to organizations trying to keep a resilient cybersecurity posture. A weak link or vulnerability in the OT environment can let a bad actor permeate the entire ecosystem, including the IT space, and vice versa.
Potential solutions to harmonize IT and OT
The convergence of IT and OT greatly impacts the rise of digital transformation as it applies to smart manufacturing. This confluence should serve as a catalyst for convergence.
From an organizational perspective, it’s important to erase the boundaries and avoid the organizational silos that exist, in order to overcome blind spots and any inherent risks. Think about a refreshed and well-segmented architecture, and establish a well-documented communication mechanism between system and data owners. This can help communicate, continuously manage and mitigate risks in both environments.
Remember, OT systems are procured to operate for a long time and are, in general, built with a cohort of legacy systems. It’s extremely important to have an information security strategy for the many such systems that may not be supported or may not have patching solutions in place. Structuring the IT and OT functions in a practical way that is cross-functional (or, at the least, collaborative) goes a long way in navigating these challenges.
All the solutions proposed address one or more of the cybersecurity challenges posed by IT and OT misalignment. But there's likely no one solution that can resolve all the challenges. For example, one potential approach is to rotate IT personnel into OT analysis roles. This rotation could help the IT organization gain the skills and knowledge necessary to identify and address threats in the OT environment. And while it may not be as beneficial for OT personnel to shadow IT personnel, it can be useful for them to understand the myriad ways bad actors can potentially penetrate the network.
However, cross-training requires investment from leadership to make it happen. It leads to another avenue for bridging the IT/OT gap, which is to educate leadership on the distinctions between IT and OT. It's important to emphasize that the departments are separate entities requiring different investments. It may even be useful to restructure financial allocations and organizational layouts to better accommodate these differences.
The best place to start this convergence journey is a comprehensive assessment from the outside, one that goes beyond a plain assessment and is diagnostic and prescriptive in nature. This assessment starts in two ways:
- A technical tool-based asset discovery coupled with evaluating information.
- Interview-based risk assessment hinging on a standard that can paint a holistic picture.
These assessments help the organization identify the associated assets. After all, you can’t protect what you don’t know about. The assessment must also tie into communication protocols and all other associated critical vulnerabilities from hardware, software or both. A well-defined and structured approach can help define a workable IT/OT strategy that aligns the processes, people, standards, benchmarks and technology.
Breaking barriers, forging success — learning from other industry pioneers
Moving beyond solutions for individual manufacturers, there are ways to address the disconnect between IT and OT more broadly. For example, it’d be helpful to establish a body of IT and OT practitioners who meet regularly to discuss issues and share best practices. Such a consortium could serve as a central repository for information about threats and vulnerabilities, enabling members to learn from each other and develop better strategies for protecting critical systems.
An example of such a consortium already exists in the auto industry, where Auto-ISAC serves as a voluntary organization that shares information about vulnerabilities and threats among EMS and tier-one suppliers. Similarly, a consortium for IT and OT practitioners could provide a platform for sharing information and insights. Ultimately, this could help to improve the security and availability of critical systems.
While there are already various bodies and organizations focused on security, the specific IT and OT focus is still largely overlooked in the industry. With a consortium, IT and OT practitioners can come together to learn from each other, share knowledge and improve the security of critical systems.
IT/OT convergence through integration and homogenization enables the true modernization and transformation of a digital and smart ecosystem.