This document discusses the merging of IT and OT systems due to increased connectivity from IoT devices and the need for cooperation between IT and OT on security strategies. Experts provide perspectives on how IoT is changing the relationship and highlight that while IT and OT have different skills and responsibilities, cooperation and cross-training are essential for security. They recommend practical tips like communication, collaboration, integration, observation and role-based training to help IT and OT work together effectively.
3. “The coming phenomenon
referred to as the ‘ IoT’ is in large
part about the ultimate physical
merging of many traditional OT
and IT components.”
Chris Blask
@chrisblask
Chair of ICS-ISAC
4. “The ‘OT is different than IT’
fallacy stems from ICS
professionals comparing OT
to desktop management.
OT is mission critical IT.”
Dale Peterson
@digitalbond
Founder of Digital Bond & S4 Conference
Leading SCADA security blogger
5. “Although this [merger] has many
benefits for interoperability and
efficiency, it also brings security
risks.”
“Cooperation on a consistent
security strategy across both IT
and OT is essential for the future.”
David Meltzer
@davidjmeltzer
Chief Research Officer, Tripwire
6. “The choice to connect plant floor devices
and share information for many
manufacturers in the past depended on a
controls engineer taking initiative. That
engineer may or may not know how to connect
in a way that made information available and
made the network secure.”
“Those days are over. The risk is too high.”
Doug Brock
@doug_brock
Factory Automation Expert
7. “Until recently, there were only two
classes of smart devices in the typical
industrial facility; the devices ‘owned’ by IT,
and the controllers ‘owned’ by OT.”
“All of these assets have unique operational
and access requirements—all are at different
levels of security, and all now need to be
considered in any holistic security strategy.”
Eric Byres
@tofinosecurity
ICS and SCADA security expert
8. “IT desires data directly from
production/manufacturing and OT
usually implements IoT in production/
manufacturing.”
“This is a way that both organizations
can collaborate without politics
interfering.”
Gary Mintchell
@garymintchell
Founder/CEO, The Manufacturing Connection
9. “It is abundantly clear the fractured IT/OT
relationship will need to become stronger
and more connected.”
“OT focuses on keeping plants up and running
and plugging any weakness around the ICS.
Along those same lines, IT faces a fire hose of
new attacks with all types new of devices
connecting in to the enterprise.”
Greg Hale
@isssource
Editor/Founder of ISSSource.com
10. “The real issue is the blurring of the
line as IT implements ‘things that smell
like OT,’ and OT implements ‘things that
are traditional IT.’”
“When the line is blurred, where does the
responsibility for resilience lie?”
James Arlen
@myrcurial
Director, Risk Advisory Services
Leviathan Security Group
11. “As networking extends deeper into devices
and systems, businesses will be able to
collect finer-grained and timelier information
and use this information to optimize
processes, minimize downtime, and reduce
operating costs.”
“Achieving this vision, however, requires
closer cooperation between the OT and IT
worlds than has historically been required.”
Jeff Lund
jeff.lund@belden.com
IIoT Expert, Product Management, Belden
12. Pat Differ
pat.differ@securicon.com
Cybersecurity Expert for Real-time Systems
Securicon, Inc.
“Today, IT professionals and engineering
professionals have different capabilities,
roles and responsibilities, although there
is some convergence centered around
security.”
“The dynamics are starting to become
more tightly integrated.”
13. “IT and OT are different, but this is
really just a matter of time.
At some point in the not too distant
future, we will only have technology.
No more IT/OT distinction. Just T.”
Patrick Miller
@PatrickCMiller
Critical Infrastructure Security and Regulatory Advisor
14. “IoT is not changing the dynamics
between IT and OT. The systems
themselves have been converging
for years in terms of technology.
The difference between IT and OT
is in what they do.”
Robert Lee
@RobertMLee
USAF Cyber Warfare Ops Officer
15. “The overall implications are relating
to what is owned, what is not, and
where the border ends, not only at
the corporate perimeter but also at
the device level.”
John Walker
@SBLTD
Freelance Author in Cyber Security
16. IT and OT
What practical tips can you provide for
to work together effectively?
17. Chris Blask
@chrisblask
Chair of ICS-ISAC
“IT and OT have two different skill sets that
can effectively complement each other.
Both sides need to remember that it is a
two-way street and if they work together
they can support each other.”
Teamwork
18. Cross-Functional
Training
“For IT security pros that want to
cooperate on security with OT, learning
about how OT works is a great starting
place.”
David Meltzer
@davidjmeltzer
Chief Research Officer, Tripwire
19. “If you don’t know security, you risk bringing
down or exposing your network. The bigger risk
might be not allowing your workers access to
information, while your competitors do. Get
educated or get help but don’t wing it.”
Improve Skills
& Capabilities Doug Brock
@doug_brock
Factory Automation Expert
20. “One vulnerable system is a potential pathway to
all systems. Yet at the same time, IT can’t own all
systems. Senior management can be the first to
identify the IoT systems, be clear on who is
responsible for each one and then drive
consistent behaviors for security through out
the company.”
Goal Setting
Eric Byres
@tofinosecurity
ICS and SCADA security expert
21. “Getting IT and OT to work together is not a
technology problem. It is a people problem.
Organizationally, the best way is cross-functional
training and teamwork guided by a leader who
creates a collaborative environment and metrics
that emphasize teamwork.”
Cross-Functional
Training Gary Mintchell
@garymintchell
Founder/CEO, The Manufacturing Connection
22. “Communicate.
If IT and OT get that down, then everything
else falls into place. Yes, their missions
differ. Working together is so vital, the
mandate has to come from the top.”
Communication Greg Hale
@isssource
Editor/Founder of ISSSource.com
23. “The most practical tip is to execute on having
some people skills, cooperating to ensure that
there is a bright-line for responsibility, and that
where knowledge transfer can be undertaken, it
is obvious that the transfer happens.”
People Skills James Arlen
@myrcurial
Director, Risk Advisory Services
Leviathan Security Group
24. “IT must work closely with OT to understand
the volume of data, as well as archiving and
retention needs. Once we have secure
connections to remote devices, data and
scalable storage, IT and OT will need to
collaborate to make use of that data.”
Collaboration Jeff Lund
jeff.lund@belden.com
IIoT Expert, Product Management, Belden
25. “Set up a core IoT ownership group that includes
both IT and OT to establish roles, responsibilities,
common goals, and objectives.”
“Establish role-based training and awareness
programs for IoT that outlines the corporate
objectives, eliminates any potential silos and insures
daily cooperation with all stakeholders.”
Role-Based
Training Pat Differ
pat.differ@securicon.com
Cybersecurity Expert for Real-time Systems
Securicon, Inc.
26. “Spend some time working side by side
with the other [group]. Job shadowing
and embedded observation will do
wonders for helping both sides see each
other’s perspective more clearly.”
Observation
Patrick Miller
@PatrickCMiller
Critical Infrastructure Security and Regulatory Advisor
27. “The most important thing for having IT
and OT work together is to ensure that the
people are integrating together to voice
their concerns and identify what they
consider critical assets and processes.”
Integration Robert Lee
@RobertMLee
USAF Cyber Warfare Ops Officer
29. www.tripwire.com/blog
For the latest security news, trends and insights, visit:
@TripwireInc
For industrial security news and discussions, visit:
www.belden.com/blog
@BeldenInc