IT and OT need to find a way to work together better. It is a fundamental requirement in an age of rising risk and a shortage of skilled people to combat it. The topic produces a significant amount of debate, with some feeling that IT/OT convergence is poorly understood and likely to fail, so that the focus should instead be on risk and remediation. I have heard both extreme positions: either corporate IT owns every IT-based system, including those inside OT environments, or OT stands up its own security team in parallel with, and duplicating, corporate IT.
Regardless of which approach you support, the particulars of OT mean that off-the-shelf IT practices and tool sets have to be adapted for unique and demanding environments.
Perhaps the biggest problem is that IT technology now lives inside OT environments, and neither a pure OT person nor a pure IT person can handle all of the security requirements alone. The depth and breadth of the risk, coupled with the weird and wonderful ways OT is often put together (legacy installations in particular; greenfield sites are coming along well), means a combination of skills and knowledge is required to collaborate on useful, safe ways of providing security tools and functions in an operational environment.
There is no shortage of specific topics or practices in a robust security program to examine, but perhaps the most complex and involved practice, and the one that requires the most precise and delicate negotiation between IT and OT skills and tool sets, is vulnerability management (VM).
OT Vulnerability Management Program Components
The diagram illustrates how one of the big four consulting firms frames vulnerability management. It is reused here with permission from one of its authors and is a useful way to section out the various tasks (leading, active and trailing) that make up a robust VM program.
There are five distinct phases of the OT vulnerability management program framework:
- Asset Inventory
- Threat Intelligence
- Take Action
- Monitor & Report
- Remediation Tracking
Each and every one of these stages requires a clear expectation of behavior, criteria for success and a precise understanding of who owns the various functions, tools and actions. Over the next few blog posts in this series, I will examine each of these major categories, explore how OT is particularly challenged in each, and offer some insights into how major manufacturing and industrial clients around the world are tackling this head-on, and with astounding results.
My hope for this effort is two-fold. First, we want to share new ideas and success stories with a wider audience, showing where real-world operational environments are taking steps to change their cyber security efforts, and generally create greater awareness of improvements in this space. Second, we hope to help change the narrative. Much of what we will be sharing is common and well understood, but some of it is otherwise considered taboo or goes against the grain.
Our recommendations will not be adopted or accepted by all, but by generating awareness and putting more wins on the board in support of doing things differently, we hope to change the shape and nature of resistance to significantly improve cyber security practice in OT environments.