ICS Operators Shall Refrain from “IT-OT Convergence”
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Over the past year we have read many posts and papers from a range of experts introducing a new concept called “IT-OT convergence”. It is not difficult to guess which experts or teams within the organization are pushing this new trend. IT experts have been around since the early 80s, when personal computers started penetrating organizations and replacing mechanical typewriters, initially operating as stand-alone PCs and later connected to the organization’s network and to external data networks. Industrial Control Systems (ICS) and Operational Technology (OT) systems managing critical infrastructure were traditionally disconnected from external networks, and the main concern was assuring operating safety and reliability. Data connections between IT and OT networks started after the Stuxnet event, when management realized that the “air gap” was not protecting their operations and that internally generated cyber-attacks are possible. Consequently, organizations started developing OT cybersecurity expertise. Although both IT and OT systems use similar computer hardware and operating systems, the cyber defense concepts are different. While IT experts focus on assuring CIA (Confidentiality, Integrity and Availability), OT experts must focus on SRP (Safety, Reliability and Productivity). This article outlines the main reasons why organizations must develop internal OT cybersecurity expertise and keep it as a separate team within the organization. While positive collaboration is appreciated, IT cybersecurity experts shall not impose their practices on OT cyber defense.
Why did the talks about IT-OT convergence start?
IT architecture experts and IT cybersecurity experts started their activity in organizations much earlier than OT experts. They earned a high reputation by frequently patching the operating system, deploying antivirus, performing quick fixes by remote access, upgrading the memory, formatting the disk, providing internet access, etc., activities that the ordinary employee needed for conducting their daily tasks. Consequently, the IT team in each organization grew, and every department had its own IT guy. Although OT systems use similar computers, operating systems and firewall defenses, the architecture is built differently. Based on my experience with OT architectures, I wonder what the true definition of “IT-OT convergence” is, considering that both worlds use the same hardware, software, firewalls and operating systems. I ask that question because control architectures were built with SRP in mind, versus IT systems, which were built with CIA in mind. You should not be surprised to hear an OT operations manager saying to the IT guy: “I’m responsible and I’ll not allow any changes that might create safety risks”.
Being aware of cybersecurity risks, organizations started realizing this situation and also accepted these differences as a reason for employing OT cybersecurity experts. But then the team of IT security experts took the CIA triad, rotated the letters into a new order (ICA, AIC, etc.) and said: “OT cybersecurity also uses the same 3 letters… so what is the difference?” Then came the IoT, which expands the activity of the IT experts and justifies adding more people to their department. They learned that each IoT device increases the cyber-attack surface and creates new risks that must be treated. Then came the Industrial IoT (IIoT), which is significantly different from the IoT but also increases the attack surface. So, shall we handle the cyber defense for IIoT devices in the same way we handle the cyber defense for IoT devices, just for the sake of “IT-OT convergence”?
Can we live without “IT-OT Convergence”?
Of course, the answer is “Yes, we can”. As already stated above, cybersecurity tools for IT are absolutely not suitable for industrial architectures, and as a result cyber defense for OT systems, and especially legacy-age OT systems, requires a different approach. While IT networks are defended by standard cyber defense components, to properly defend OT systems you must be an OT expert. You must understand the control architecture, understand the principles of the industrial process, understand the level of damage that might occur, and realize that you are dealing with legacy components which can be neither upgraded nor replaced. Can you imagine an IT expert dealing with these challenges? When something goes wrong in the IT world, you might lose data, which can generally be recovered from backup systems. If something goes wrong with the OT system, the mechanical machinery might get damaged (the Stuxnet event) and people might lose their lives.
Principal IT-OT Differences
According to ISO 27001:2013 paragraph 5, C-level management is responsible for cybersecurity. Are they willing to absorb these risks? Surely not! In light of expected cyber-attacks on OT operations, the managers in charge shall deploy cyber protection measures that have been specially adapted for these architectures. Consequently, they must deploy robust and highly resilient solutions based on proven concepts and technologies. The table below outlines the principal cyber-defense-oriented differences between IT and OT systems:
The ICS cybersecurity experts managing the OT operations have the knowledge and experience required to implement effective cyber defense. This topic shall be presented to C-level management and granted top priority. If anyone decides on “IT-OT convergence” just for the sake of organizational efficiency, who will correctly and effectively deal with cyber-attacks directed at causing outages and mechanical damage? Correct handling of this critical topic may put you one step ahead of the cyber attackers, help you mitigate cyber-attacks and assure business continuity in your organization.
Daniel Ehrenreich, BSc., is a Consultant and Lecturer at Secure Communications and Control Experts, teaching at cybersecurity colleges and presenting at ICS cyber defense conferences. Daniel has over 25 years’ engineering experience with electricity, water, gas and power plant systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman of ICS Cybersec 2018, taking place on 11-10-2018 in Israel.