It’s hard to believe the summer is almost over and we are less than two weeks away from the 11th annual Dayton Security Summit. As I finalise the presentations, demos and exclusive draft white paper to be shared with our very special delegates, it dawns on me that one of the biggest challenges we face in unifying the cyber-physical system security space is the human dynamic. As we say, humans matter.
One area in which the human element is particularly obvious is the IT/OT divide. The human teams in each of these areas have always been at odds. This is partly because IT lives in the enterprise, as opposed to OT, which lives in the manufacturing environment; and the needs of the enterprise are not the same as the needs of a manufacturing environment.
The IT team (living in the enterprise environment) is concerned with cyber security, while the OT team (living in the manufacturing environment) is more concerned with safety and quality. The current approach of isolating these very different domains, however, is no longer fit for purpose. OT environments are not ‘air gapped’ anymore; they’re intertwined with IT, and are being challenged to embrace disruption, and digitise just like the enterprise computing environment.
On the surface, it’s hard to understand why these two factions aren’t more aligned. In theory they both work towards the organisation’s mission. And they’re dependent on each other for their success.
But if we look at the reality, each of these stakeholder communities approaches the problem of working together from fundamentally different perspectives and priorities. It’s this that ultimately skews their view and conspires against their successful alignment.
Cyber-security stakeholders in IT are concerned with the security of an organisation’s assets. Engineers in OT are concerned with the quality and safety of the physical systems they build and maintain. Privacy protection is usually an afterthought at best, even though privacy failures are one of the most likely ways human beneficiaries can be harmed. After all, ‘Winter (aka GDPR) is coming’.
The best way to understand the divide is to look at a very simple (conceptually) control such as ‘white listing’ — the practice of identifying all allowed or trusted systems on record. In the cyber domain, ‘white listing’ as a control breaks the Internet. In most IT organisations, it’s operationally impossible to ‘white list’, because a list of business-valid and acceptable websites is too dynamic to maintain.
However, in an OT environment, ‘white listing’ — if properly managed — would be a very simple way to provide access control due to the relatively small list of trusted, or authorised, system elements. Conversely, active signature-based intrusion prevention systems do not fare well in an OT environment, because of the multiple proprietary protocols and lack of widely accepted/valid signatures. But this same approach in an IT environment can provide valuable preventive and hygiene control, even though targeted attacks can easily bypass signature-based controls.
Once either IT or OT understands the perspective of its counterpart, they can start to develop a common nomenclature and align priorities. However, this cannot happen without a forum, common language and organisational mandate. The business mandates have presented themselves in the form of cost cutting, virtualisation and digitisation, along with the need for “total visibility” across ALL operations, which necessitates tighter integration. It’s the humans that must move faster and with purpose to create a common language, effective communication forums and build the trust required to win. The stars are aligning and there is no better time to drive the step changes needed to facilitate the healing process for the benefit of all stakeholders.
It won’t be easy. It’ll require radical thinking and someone to act as an agent of positive change.
Humans are either an organisation’s biggest asset or their biggest liability — which are you?