Ensuring enterprise IT and OT are managed effectively and securely is no simple feat. This piece explains the primary IT and OT technology and staffing challenges and recommends some best practices for overcoming them.
With ransomware, every company is a target, but those managing both IT and OT devices represent a larger risk profile. When OT is added to the mix, more than just data is at risk: the company’s operations can come to a standstill. Even a partial loss of visibility can cause a shutdown of a manufacturing line due to quality or safety issues.
The most common way hackers compromise OT networks is to start with the IT network and move laterally to the OT side. Their first target on the OT side, what we call the “beachhead”, usually consists of higher-level OT systems, such as the human-machine interface, surveillance and information sharing, distributed control systems, etc. These typically run older-generation (unsupported) Windows and Linux and have access and control built in for entire segments of OT devices.
The starting point for combining IT and OT security management is to take a hard look at culture: The divide between IT and OT is more than just the proverbial airgap. The two teams differ in terms of:
The technical foundation of security is asset visibility: What do I have, where do I have it and what is its current state? Consequently, many organizations charged with managing both IT and OT have implemented asset visibility tools with hybrid discovery methods (primarily passive, with some level of active scanning). They then work to extend that visibility to network traffic in an actionable manner.
The Purdue Enterprise Reference Architecture (the Purdue Model) is the most commonly used framework for designing OT networks, and it is based primarily on segmentation and zoning. The beachhead, described earlier, corresponds to Levels 2–3 of the Purdue Model. Proper segmentation supports operations while reducing both the impact of a compromise and the access an intruder gains. This segmentation needs to be done carefully because it often increases license and maintenance costs and, if done improperly, can negatively affect core operations.
However, the Purdue Model offers little guidance on combining IT and OT security practices; for that, the NIST Cybersecurity Framework is the recommended framework.
Other frameworks to consider include:
One option for structuring the IT/OT organization is setting up separate, dedicated teams for IT and OT infrastructure, because the requirements and skill sets are different. However, you should colocate both teams’ personnel and data (OT equipment should still be segmented/isolated) as much as possible for team building and shared analysis. Because the IT environment is the most common initial access vector, the opportunities for detection begin there and can more easily be correlated with anomalous OT activity.
It's also important to conduct joint exercises as a team for training and education, including:
Once OT environments started increasing the number of IT technologies they used, many utilities started trying to identify ways to merge IT teams for both enterprise and OT environments. However, the downsides to this approach quickly became clear:
Some organizations that started down this merged path eventually changed directions and are now identifying ways to dedicate IT resources for OT environments.
In terms of reporting structure, it doesn’t usually matter whether that dedicated IT team reports through IT management or OT management. The most effective aspect seems to be putting the dedicated resources in place.
Managing both IT and OT securely is challenging. To ensure you create an environment for success:
From an architectural perspective, organizations should protect their OT environments from the enterprise in much the same way they protect the enterprise network from trusted business partners. Organizations don’t share VLANs and AD domains with their business partners; instead, they find secure ways to pass required data between the two organizations while maintaining some level of mutual distrust. That is a good mindset to have when designing defenses in industrial control
September 26, 2023
By IANS Faculty