Discrete manufacturing: OT and IT security teams must collaborate
OT and IT teams are used to talking about “interoperability” when it comes to devices.
They know that it’s important for different pieces of technology to work seamlessly together, so that their whole system can work as efficiently as possible.
But it’s time for them to expand their horizons.
Because any discrete manufacturing company looking to improve its OT cybersecurity also needs to nurture another kind of interoperability: collaboration between OT and IT security teams.
The future of cybersecurity is complete “interoperability” between OT and IT security teams. And companies that don’t embrace that future will continue to struggle with keeping their security in check.
The good news is, there are ways to move away from the legacy way of siloed OT and IT cybersecurity. And toward greater interoperability – and collaboration.
Why Is OT and IT Collaboration So Important Now?
Depending on the age of your organization, these two teams might have been working separately for years. A decade even.
So why is it so important to get them collaborating now?
The biggest driver is OT/IT convergence.
More and more manufacturing companies – including discrete manufacturers – are finding that their “digital transformation” projects never progressed beyond a pilot.
And many have realized that siloed IT and OT is the culprit: If the machines on the factory floor don’t work together with the software behind the scenes, it’s impossible for either team to make decisions as fast or effectively as they need to. Or actually use the data from their IIoT in a timely manner to shape operations.
To solve this problem, discrete manufacturers are searching for ways to link their OT devices to their IT devices. This means that many OT devices that were once thought to be safely air-gapped are now being connected to a wider network. Leaving the door wide open for cybercriminals.
And the cybercriminals have reacted fast. A Fortinet study found that 32% of respondents “indicated that both IT and OT systems were impacted by a cyberattack, up from only 21% last year.”
It’s clear that OT can easily be a backdoor to a previously secure IT system – and vice versa.
The problem is that linking up the technology isn’t the same as linking up the teams. Even as the OT/IT security risk grows every day, many teams are still working in silos.
And who can blame them? That’s how they’ve always done it.
But – with OT cyberattacks on the rise worldwide – it’s time for that to change.
Four Ways to Encourage Effective Collaboration Between OT and IT Teams
Here are four ways your discrete manufacturing company can make the most of the expertise of both OT and IT – and make sure both of them are working effectively together to reduce your risk.
Create a Culture of Accountability Across the Business
Part of the challenge with OT and IT collaboration is that no one is really sure who should be in charge of many key processes. If an OT device is integrated with some IT software, whose responsibility is it to make sure that connection is secure? Where should the budget come from for any security measures that affect both OT and IT assets?
That’s why it’s so important to start by setting clear boundaries across both teams. Deciding who is responsible for what – and making sure they have the power and support they need to get the job done.
You can start implementing this by appointing a steering committee made up of both IT security professionals and OT engineers and operators. This group should set out the roles and responsibilities for each team.
To help get decision-makers on the same page and working together, the NIST Guide to Operational Technology recommends “establishing one or more senior official positions that are responsible and accountable for the organization’s governance and risk management for IT and OT cybersecurity programs.”
Most discrete manufacturing companies are starting from scratch in this way. But, if you’re a more mature enterprise, you can use existing risk management structures to help assign responsibilities across both teams. You might have stakeholder committees already in place for cross-departmental communication and collaboration – if so, put them to work.
Once you’ve started to assign responsibilities, you can start thinking about how and when each team should be involved in every step of the risk reduction process:
- Framing risk: Who decides the priorities and trade-offs when it comes to reducing the financial impact of OT or IT downtime?
- Assessing risk: Who is in charge of identifying vulnerable OT/IT devices and systems?
- Responding to risk: How do both teams help decide when to accept OT/IT risks, and when to avoid, transfer, or mitigate them?
- Monitoring risk: How do you make sure both teams are involved in addressing your risk posture and the risk of any third-party relationships? How do you make sure both teams are protected on an ongoing basis?
Develop a Joint Cybersecurity Framework
Cybercriminals are moving fast nowadays: Ransomware attacks on industrial environments nearly doubled from 2021–22.
Which means both your OT security team and your IT security team need to move even faster to stay ahead of nefarious actors.
The problem is that if it’s not done carefully, collaboration can easily slow down processes.
Luckily, there is a shortcut that discrete manufacturers can take to accelerate their response to threats: Encourage both the IT and the OT team to adopt the NIST Cybersecurity Framework, rather than starting a framework from scratch.
In the framework, you’ll find five core components covering systems and assets:
- Identify: This category includes asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.
- Protect: This category includes awareness and training, data security, identity management and access control, information protection, maintenance, and protective technology.
- Detect: This category includes anomalies and events, security continuous monitoring, and detection processes.
- Respond: This category includes analysis, communications, improvements, mitigation, and response planning.
- Recover: This category includes communications, improvements, and recovery planning.
As you can see, the categories focus on both the cyber and the physical – making the framework an ideal foundation for closer OT/IT collaboration.
And, with a clear, shared cybersecurity framework in place, you’ll be able to minimize misunderstandings and delays. Each team can anticipate what the other team will need from them, and it’s easy to keep both teams moving at the same pace.
Get IT Involved in OT Vendor Evaluation
Let’s say you’re thinking about investing in an ICS solution that will control a key device on your factory floor.
If you’re in the OT team, you have two priorities: availability (so the machine can continually produce the same end product without interruption) and stability (so the machine can continue producing without breaking down and bringing the rest of your production line grinding to a halt).
At this stage, most OT teams aren’t thinking much about cybersecurity. They might not even have considered the fact that this new ICS could pose a security risk.
That’s why you should encourage IT teams to be involved in the OT vendor selection process.
Closer collaboration with IT means organizations can ask vendors crucial cybersecurity questions. These could include:
- Does the ICS support monitoring and ensure real-time traffic visibility?
- Has the solution been secured against known exploitable OT and IT cybersecurity vulnerabilities?
- Can the solution scale if the organization grows in terms of sites, networks, and devices?
By getting IT involved early, OT teams can help maximize their investment by minimizing the need to retrofit security solutions onto new OT devices. And help reduce the risk that every new device could create a new security threat.
Use IT Expertise to Make “Zero Trust” Work for OT
In a Zero Trust (ZT) environment, there’s no such thing as a trusted access request.
In other words, nothing gets into your OT or IT system without explicit permission.
That can be tricky when it comes to OT. Many discrete manufacturers find that they don’t have a clear idea of how many devices are in their OT network – let alone how those devices are being used.
Without a clear asset inventory, it can be hard for OT teams to make sure all their devices are secured, and that vendors haven’t left any weaknesses or potential backdoors.
What’s more, older OT devices may not support malware protection. As a result, OT is often the entry point for attacks on IT systems. Mirai and Gafgyt are notorious examples of malware that use OT as an entry point to launch waves of DDoS attacks.
Here’s where IT expertise enters the chat. With IT’s support, OT teams can also start adopting some security measures that have been common in IT for some time now, like Multi-Factor Authentication and the Principle of Least Privilege.
Not all IT security processes will work for OT. But for those that do, OT teams should absolutely take advantage of IT’s expertise so that they can implement them as effectively as possible.
Kick-start Collaboration for IT/OT Cybersecurity
The boundaries between virtual and physical are blurring in discrete manufacturing.
In the quest to maximize the value of both OT and IT, leaders from both teams are on a mission to achieve true IT/OT convergence.
But that isn’t possible without true “interoperability” between both teams.
The good news is that even though OT systems have historically been isolated from IT networks, OT teams don’t have to be isolated from IT teams.
The most crucial part of this process? Finding a partner that understands the differences – and the similarities – between OT and IT.
SCADAfence is highly experienced in helping discrete manufacturers to catalog, protect, and monitor even the largest and most complex OT networks. That includes helping you understand how IT and OT teams must collaborate to secure your devices.
With a platform backed by deep expertise in both OT and IoT, OT and IT both have the insights they need to keep your organization safe – and work better together.